Public Interest Technology Group

Um padrão que não pretende ser universal é possível?

Sat, 13 Jun 2026 08:00:00 +0000

A violência de gênero facilitada pela tecnologia (VGFT) não costuma ser parte constituinte do design técnico. Não é algo considerado até que ela aconteça, então há a tentativa de “corrigir”, como se fosse um bug ou um patch de segurança. As tecnologias seriam muito diferentes se os processos de design perguntassem desde o início: como essa tecnologia pode ser usada de forma abusiva dentro de um relacionamento? E se um agressor tiver acesso físico ao dispositivo? Como o design afeta as pessoas em contextos de desigualdade estrutural? Entre outras questões colocadas em segundo plano ao projetar produtos tecnológicos “com impacto global” e “para uso generalizado”.

No caso dos protocolos técnicos da internet, projetados para as pessoas que operam as redes e desenvolvem tecnologias para “os usuários finais”, é ainda mais comum que esses tipos de questões sejam omitidas das discussões, ou que sejam abordadas, mas rapidamente deixadas de lado para facilitar a leitura e o entendimento dos grupos e cenários onde os protocolos devem ter impacto, ou seja, na indústria de tecnologia da internet. Neste texto, analisamos de forma geral o grupo de trabalho DULT (Detecting Unwanted Location Trackers, em português: Detecção de Rastreadores de Localização Indesejados) da IETF (Internet Engineering Task Force), que está desenvolvendo uma série de documentos para responder a um tipo de VGFT, como o rastreamento de localização usando dispositivos Bluetooth.

Há pouco mais de dois anos, o DULT está elaborando uma modelagem de ameaças para dispositivos de rastreamento que funcionam em redes de localização colaborativas (como Find My da Apple ou Find Hub do Google). Essas redes permitem que milhares de dispositivos atuem como nós que detectam sinais Bluetooth de tags (etiquetas eletrônicas) próximas e relatam sua localização a um servidor central. Eles podem fazer isso passivamente, comprometendo a privacidade de pessoas usuárias e sendo executados sem o seu consentimento expresso.

Para entender melhor o funcionamento dessas redes, o diagrama de rede Find My pode ser visto aqui. Ele foi extraído do artigo Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System:

Fonte: positive-security/find-you

Essa modelagem de ameaças servirá de base para o desenvolvimento do protocolo DULT, para detectar rastreadores de localização indesejados, de forma interoperável entre diferentes tipos de dispositivos e aplicativos. No entanto, como aponta o documento Intimate Partner Violence Digital Considerations (IPVC) do grupo de trabalho sobre considerações de Direitos Humanos nos protocolos (hrpc-RG), são raramente pensados cenários específicos de violência dentro de relacionamentos afetivos na modelagem de ameaças dos protocolos técnicos. E, embora o do DULT descreva alguns desses cenários, não os integra plenamente em sua arquitetura conceitual.

A esse respeito, é importante mencionar que esta tecnologia colaborativa de rastreamento de localização foi projetada para encontrar objetos perdidos através de um ecossistema conectado com Bluetooth, permitindo melhorar a experiência das pessoas usuárias e expandindo a infraestrutura de rastreamento. Mas, ao serem relatados casos de rastreamento abusivo, foram criados alertas, sons e outras medidas de proteção, dentre as quais nunca se pensou em um cenário onde uma pessoa que agride a parceira ou o parceiro (não necessariamente uma agressão nos termos em que o documento entende) pudesse ter acesso físico aos dispositivos ou que pudesse coagir, compartilhar contas e desativar alertas nos dispositivos. Ainda é necessário pensar e projetar um sistema levando em conta essa realidade. A pergunta é: isso deveria ser um padrão?

Uma única resposta para realidades muito diferentes

Neste momento, a modelagem de ameaças do DULT está na sua fase final de redação. A partir deste documento, será possível prosseguir com outros dois, de caráter mais técnico: um com recomendações para fabricantes de dispositivos de rastreamento, para poderem implementar a funcionalidade de detecção de rastreamento indesejado, e outro que define o protocolo com o qual os dispositivos reportam as tags que visualizaram, de forma que seja possível localizá-las.

Enquanto os ajustes finais são discutidos, e como parte de um trabalho coletivo de análise do DULT, criamos um grupo focal com 12 pessoas de diferentes linhas de ajuda feministas e projetos que trabalham com VGFT na América Latina. A ideia é conhecer melhor o contexto enfrentado pelas pessoas que recorrem a este apoio feminista na região, e se as tecnologias de rastreamento, como as mencionadas, representam uma ameaça nos cenários que veem no dia a dia.

Na modelagem do DULT, esconder uma tag na mochila ou no carro é uma das principais ameaças. No entanto, para as linhas de ajuda com as quais conversamos, esta não é uma preocupação central, já que o rastreamento e monitoramento, uma forma de violência muito comum e difundida na região, ocorre principalmente por meio do uso de contas compartilhadas, da função de localização em tempo real pelo celular, do histórico das contas do Google (as mais utilizadas, assim como os dispositivos Android) e de aplicativos de controle parental, entre outras. Geralmente, a violência ocorre aproveitando os serviços já integrados ao telefone e as contas associadas a ele, e não por meio do uso de tags ou outro hardware adicional.

Também foi dito que os AirTags não são tão comuns, já que o uso de ecossistemas Apple está concentrado em setores de classe média e alta. Segundo os dados de fevereiro de 2026 da Statcounter, o iOS representa pouco mais de 20% do mercado na América Latina. Por outro lado, o mercado de tags ainda não é popular, mas existe certa preocupação entre as pessoas que fazem acompanhamento em casos de VGFT, pois em lojas on-line é possível encontrar dispositivos de rastreamento a preços acessíveis e compatíveis com Android. Portanto, existe um risco futuro de que o alcance e a popularidade desses dispositivos cresçam rapidamente e o seu uso se normalize entre parcelas mais amplas da população.

Outra reflexão que surgiu neste espaço foi que, em contextos onde o desaparecimento forçado e a violência extrema são uma realidade, a geolocalização, mais do que um risco, também pode ser entendida como uma ferramenta de apoio e cuidado para a busca. Estas tecnologias estão em realidades onde a segurança física dos círculos familiares das pessoas desaparecidas, como de ativistas, está em risco. Um documento como a modelagem de ameaças do DULT não contempla o rumo que esta tecnologia pode tomar em contextos de violência estrutural, como na América Latina.

A incidência de um documento

Como pessoas que trabalham com o suporte técnico no acompanhamento de mulheres e pessoas LBTQIA+ que sofrem VGFT, valorizamos muito o fato de existir um esforço como o DULT, e que este comece por uma modelagem de ameaças baseada na descrição narrativa de situações e cenários que não são apenas “casos de uso” técnicos, mas que oferecem “informações realistas sobre as limitações enfrentadas pelas pessoas que são objeto de rastreamento por meio de tags de localização” (traduzido do inglês em draft_04). Da mesma forma, reconhecemos que neste documento há uma tentativa de considerar diferentes situações, explicitando o alcance limitado e mutável do que é descrito. A este respeito, nos parece importante refletir sobre o documento que, esperamos, será publicado em breve como RFC e possa servir de base para continuar desenvolvendo as documentações técnicas, além do processo e as decisões que levam ao que é publicado por consenso no grupo de trabalho no IETF.

Pelo tom que esta modelagem de ameaças deve adotar para ser compreensível por fabricantes e desenvolvedores, e pelo foco limitado ao protocolo técnico, tal como definido pelo grupo de trabalho, os cinco cenários descritos abordam o papel do agressor como quem: adiciona um dispositivo, tenta evitar a detecção, aproveita limitações técnicas e não precisa acessar as contas pessoais do seu alvo. No entanto, em contextos de VGFT, é importante considerar que a pessoa agressora pode: ter acesso físico contínuo ao dispositivo, coagir, compartilhar contas legitimamente, ser a proprietária legal do dispositivo e das contas, controlar economicamente a vítima, entre outras situações.

Como mencionado no documento IPVC, esses fatores mudam radicalmente a modelagem de ameaças, devido à relação de poder que se estabelece entre quem agride e a pessoa agredida, mas também dentro de um círculo social mais amplo. Por isso, a VGFT não pode ser entendida (nem atendida) considerando apenas fatores técnicos, mas requer uma compreensão sobre fatores sociais, estruturais e contextuais.

Por outro lado, a modelagem de ameaças do DULT propõe uma matriz de ameaças com diferentes níveis de impacto, probabilidade e consequências possíveis. No entanto, como descrevemos acima, a probabilidade e o risco não são universais. Por exemplo, a ameaça de implantação de múltiplas tags (Deploying Multiple Tags) aparece com probabilidade alta, mas na maior parte da América Latina essa probabilidade é média e baixa, devido aos custos e à implantação desigual de redes; a ameaça de redes heterogêneas (Heterogeneous Tag Networks) depende muito do mercado regional de iOS e Android. Esta é uma realidade que dá margem ao próprio desenvolvimento do trabalho do DULT e que não pode ser tomada como um parâmetro universal; a desativação de alertas (Disabling Target Tag Detection) é considerada menos provável, mas, segundo nossa experiência com VGFT, sabemos que o acesso físico a dispositivos por parceires e ex-parceires em um relacionamento é extremamente comum.

A matriz assume condições técnicas do Norte Global e não aborda desigualdades socioeconômicas, práticas culturais nem dinâmicas de poder próprias de outras regiões, como a América Latina. E, sobre isso, queremos chamar a atenção para uma discussão que ocorreu na reunião interina de 4 de dezembro de 2025, sobre o nível de especialização de quem contribuiu para o desenvolvimento deste documento, a importância de fazê-lo chegar a quem trabalha com VGFT e as prioridades que uma documentação do IETF deve ter. Só para dar um exemplo: nesta discussão, disseram que as pessoas que trabalham na modelagem de ameaças são especialistas em VGFT, mas não se reconheceu que essa expertise é baseada no contexto dos Estados Unidos da América.

Priorizar a eficiência em detrimento da equidade

Muitas perguntas estão agora em discussão e serão abordadas no desenvolvimento dos documentos técnicos. Como grupo de trabalho hacktransfeminista, nos interessa entender como se espera administrar a decisão (como fabricantes e pessoas usuárias) de desativar a participação do seu dispositivo como nó na rede. Isso porque a modelagem de ameaças DULT assume a existência da rede colaborativa como condição dada. No entanto, como garantir o consentimento informado e a transparência técnica para quem usa, entendendo que há uma brecha estrutural (territorial e de gênero) no acesso às tecnologias?

Na América Latina, o tema da violência digital de gênero é trabalhado há mais de uma década e sob perspectivas muito diversas. Daí nosso interesse em compreender e nos envolver nos desenvolvimentos técnicos disso, já que eles podem impactar tanto os panoramas de risco e ameaças, como as respostas (técnicas, legais e psicossociais) necessárias para transformar uma situação crítica como a violência de gênero, que persiste e se adapta ao entorno digital (ainda emergente em vários setores da população latino-americana).

A modelagem DULT traz cenários de VGFT, mas seu desenvolvimento continua dominado por uma perspectiva técnica abstrata, enquanto a atuação das linhas de ajuda e outros processos de acompanhamento e resposta à VGFT na América Latina (e em muitas outras regiões da Maioria Global) se baseia em conhecimentos situados, empíricos e contextualizados.

Como diz Ruha Benjamin em seu livro Race after Technology, para transformar a maneira como as tecnologias funcionam hoje, é necessário entender que não basta ter as melhores intenções em relação à forma como elas se desenvolvem para outras pessoas. É preciso deixar de priorizar a eficiência em detrimento da equidade. No nosso caso, consideramos que o desafio de um grupo como o DULT não é simplesmente traduzir os documentos técnicos para serem digeríveis por “especialistas em VGFT”. Isso implica transformar o próprio processo de padronização, de modo que haja o envolvimento de acompanhantes, que conhecem as necessidades em primeira mão, em contextos muito diversos. Para isso, é necessário compreender que os padrões técnicos costumam ser construídos em espaços altamente técnicos, com barreiras econômicas e linguísticas; e que as organizações que acompanham sobreviventes de violências baseadas no gênero e facilitadas pela tecnologia trabalham em lugares de urgência, precariedade e sobrecarga constantes.

Inserir essa experiência exigiria articular processos formais de consulta regional e financiar a participação de organizações da sociedade civil em espaços de padronização, além de reconhecer a VGFT como cenário predominante, não excepcional.

Como dissemos antes, valorizamos o esforço técnico do grupo de trabalho DULT, mas acreditamos ser necessário ampliá-lo. Se esta modelagem de ameaças pretende ter alcance global, precisa abandonar a ficção da neutralidade contextual, porque é justamente aí que o Norte Global se mantém como modelo para o resto do mundo. É preciso incorporar as experiências diversas de quem trabalha com esses temas e, além disso, desenvolver uma abordagem interseccional, de modo que os avanços tecnológicos não representem uma ameaça potencial para certos contextos e grupos sociais historicamente vulneráveis no mundo.

/raiz_común é: Martu Isla (Independent), Linda (Social TIC), PatyMori (MariaLab), Juliana Guerra (Independent)

Tradução: Florencia Aguilar e Sarah Reimann

Un estándar que no se pretenda universal, ¿es posible?

Sat, 13 Jun 2026 08:00:00 +0000

La violencia de género facilitada por tecnología (VGFT) no suele ser parte constitutiva del diseño técnico. No es algo que se considera hasta que sucede, y entonces se busca “corregir”, como si de un bug o un parche de seguridad se tratara. Las tecnologías serían muy distintas si en los procesos de diseño se preguntara desde el inicio: ¿cómo puede esta tecnología ser usada por una pareja abusiva? ¿Qué pasa si un agresor tiene acceso físico al dispositivo? ¿Cómo afecta mi diseño a personas en contextos de desigualdad estructural? Entre otras cuestiones que quedan relegadas cuando se diseñan productos tecnológicos “de impacto global”, o “para el uso generalizado”.

En el caso de los protocolos técnicos de internet, que están diseñados para quienes operan las redes y desarrollan tecnologías para “los usuarios finales”, es aún más común que este tipo de cuestiones se omitan en las discusiones, o que se aborden pero rápidamente sean puestas a un lado, para facilitar la lectura y el entendimiento de los grupos y escenarios donde los protocolos deben tener un impacto, es decir en la industria tecnológica de internet. En este texto analizamos de manera muy general el grupo de trabajo DULT (Detecting Unwanted Location Trackers; en español “Detección de rastreadores de ubicación no deseados”) de la IETF (Internet Engineering Task Force), ya que se encuentra desarrollando una serie de documentos para responder a un tipo de VGFT, como es el rastreo de localización utilizando dispositivos Bluetooth.

Desde hace poco más de dos años, DULT se encuentra desarrollando un modelo de amenazas para dispositivos de rastreo que funcionan sobre redes colaborativas de localización (como Find My de Apple o Find Hub de Google). Estas redes permiten que miles de dispositivos actúen como nodos que detectan señales Bluetooth de “tags” cercanos, y reporten su ubicación a un servidor central. Esto lo pueden hacer de forma pasiva, comprometiendo la privacidad de las personas usuarias al ejecutarse sin su consentimiento expreso.

Para que se entienda mejor el funcionamiento de estas redes, aquí se puede ver el diagrama de la red Find My extraído del artículo Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System:

Fuente: positive-security/find-you

Este modelo de amenazas servirá de base para el desarrollo del protocolo DULT, para detectar rastreadores de ubicación no deseados, de forma interoperable entre distintos tipos de dispositivos y aplicaciones. Sin embargo, como señala el borrador Intimate Partner Violence Digital Considerations (IPVC) del grupo de trabajo sobre consideraciones de Derechos Humanos en los protocolos (hrpc-RG), rara vez se incorporan escenarios específicos de violencia de pareja en el modelado de amenazas de los protocolos técnicos. Y si bien el de DULT describe algunos de estos escenarios, no los integra plenamente en su arquitectura conceptual.

Al respecto, es importante mencionar que esta tecnología colaborativa de rastreo de localización se diseñó para encontrar objetos perdidos a través de un ecosistema conectado con Bluetooth, permitiendo mejorar la experiencia de las personas usuarias y expandiendo la infraestructura de rastreo. Pero al reportarse los casos de rastreo abusivo se añadieron alertas, sonidos, y otras medidas de protección, dentro de las cuales nunca se pensó en un escenario donde una persona que agrede a su pareja -no necesariamente un atacante en los términos que lo entiende el documento-, pudiera tener acceso físico a los dispositivos, o que pudiera coercionar, compartir cuentas, o desactivar alertas en los dispositivos. Todavía hace falta pensar y diseñar un sistema suponiendo esa realidad. La pregunta es, ¿debería ser un estándar?

Una sola respuesta para realidades muy distintas

En este momento el modelo de amenazas de DULT se encuentra en su fase final de redacción. Sobre este documento se podrá continuar con otros dos, de corte más técnico: uno con recomendaciones para fabricantes de dispositivos de rastreo, para que puedan implementar la funcionalidad de detección de rastreo indeseado; y otro que define el protocolo con el cual los dispositivos reportan a los “tags” que han visto, de manera que sea posible localizarlos.

Mientras se discuten los ajustes finales, y como parte de un trabajo colectivo de análisis de DULT, llevamos a cabo un grupo focal con 12 personas de distintas líneas de ayuda feministas y proyectos que trabajan VGFT en América Latina, buscando conocer mejor sobre el contexto al que se enfrentan las personas que acuden a este apoyo feminista en la región, y si tecnologías de rastreo como las mencionadas representan una amenaza en los escenarios que ven día a día.

En el modelo de amenazas de DULT, esconder un “tag” en la mochila o el coche es una de las amenazas principales. Sin embargo, en las líneas de ayuda con las que conversamos esta no es una preocupación central, ya que el rastreo o monitoreo -una forma de violencia muy común y extendida en la región- se da principalmente mediante el uso de cuentas compartidas, la función de ubicación en tiempo real desde el celular, el historial de las cuentas de Google (las más utilizadas, así como los dispositivos Android), o aplicaciones de control parental, entre otras. Usualmente, el abuso ocurre aprovechando los servicios que ya están integrados al teléfono y las cuentas asociadas al mismo, y no mediante uso de “tags” u otro hardware adicional.

También se mencionó que los AirTags no son tan comunes, ya que el uso de entornos Apple parece estar concentrado en sectores de clase media y alta. Según los datos a febrero de 2026 de Statcounter, iOS representa poco más de 20 % del mercado en América Latina. Por otra parte, el mercado de “tags” aún no es popular, pero existe cierta preocupación entre las personas acompañantes en casos de VGFT, ya que en tiendas en línea se consiguen dispositivos de rastreo a precios accesibles y compatibles con Android, así que existe un riesgo futuro de que el alcance y la popularidad de estos dispositivos crezca rápidamente y se normalice su uso entre grupos más amplios de la población.

Otra reflexión que se dio en este espacio fue que en contextos donde la desaparición forzada y la violencia extrema son una realidad, la geolocalización más que como un riesgo se puede percibir también como una herramienta de apoyo y cuidado para la búsqueda. Estas tecnologías se insertan en realidades donde está en mayor riesgo la seguridad física de los círculos familiares de las personas desaparecidas, así como de las personas activistas. Un documento como el modelo de amenazas de DULT, no contempla el giro que esta tecnología puede tener en contextos de violencia estructural, en regiones como América Latina.

La incidencia de un documento

Como personas que trabajamos desde el soporte técnico en el acompañamiento a mujeres y personas LBTQIA+ que sufren VGFT, encontramos enorme valor en que exista un esfuerzo como DULT, y que empiece por un modelo de amenazas basado en la descripción narrativa de situaciones o escenarios que no son solo “casos de uso” técnicos, sino que ofrecen “información realista sobre las limitaciones a las que se enfrentan las personas que son objeto de seguimiento mediante etiquetas de localización” (traducido del inglés en el draft_04). Así mismo, reconocemos que en este documento se intenta considerar diferentes situaciones, y que se hace explícito el alcance limitado y cambiante de lo que describe. Al respecto, nos parece importante reflexionar sobre el borrador que, esperamos, próximamente sea publicado como RFC y pueda servir de base para continuar desarrollando los documentos técnicos; pero también sobre el proceso y las decisiones que llevan a lo que se publica por consenso del grupo de trabajo en IETF.

Por el tono que debe llevar este modelo de amenazas para ser entendible por fabricantes y desarrolladores, y el enfoque limitado al protocolo técnico, tal como lo define el grupo de trabajo, los cinco escenarios que se describen abordan el rol de atacante como quien: coloca un dispositivo; intenta evadir detección; aprovecha limitaciones técnicas; no tiene que acceder a las cuentas personales de su objetivo. Sin embargo, en contextos de VGFT es prioritario considerar que la persona agresora puede: tener acceso físico continuo al dispositivo; coercionar; compartir cuentas legítimamente; ser propietaria legal del dispositivo o las cuentas; controlar económicamente a la víctima; entre otras situaciones.

Como se menciona en el borrador sobre IPVC, estos factores cambian radicalmente el modelo de amenaza, por la relación de poder que se establece entre quien agrede y la persona agredida, pero también dentro de un círculo social más amplio. Por eso, la VGFT no puede entenderse (ni atenderse) solo considerando factores técnicos, si no que requiere un entendimiento sobre factores sociales estructurales y contextuales.

Por otra parte, el modelo de amenazas de DULT propone una matriz de amenazas con niveles de impacto, probabilidad e impacto potencial. Sin embargo, como describimos más arriba, la probabilidad y el riesgo no son universales. Por ejemplo, la amenaza de despliegue de múltiples tags (Deploying Multiple Tags) aparece con probabilidad alta, pero en la mayoría de América Latina esta probabilidad puede ser media o baja, debido a los costos y despliegue desigual de redes; la amenaza de redes heterogéneas (Heterogeneous Tag Networks) depende fuertemente del mercado regional de iOS y Android. Esta es una realidad que da pie al desarrollo mismo del trabajo de DULT y que no puede tomarse como un parámetro universal; la desactivación de alertas (Disabling Target Tag Detection) es considerada menos probable, pero desde nuestra experiencia con VGFT sabemos que el acceso físico a dispositivos por parejas o exparejas íntimas es extremadamente común.

La matriz asume condiciones técnicas del norte global y no integra desigualdades socioeconómicas, prácticas culturales ni dinámicas de poder propias de otras regiones, como puede ser América Latina. Y sobre esto, queremos llamar la atención sobre una discusión que tuvo lugar en la reunión interina de diciembre 4 de 2025, sobre el nivel de experticia de quienes han contribuido al desarrollo de este documento, la importancia de hacer llegar este trabajo a quienes trabajan en VGFT, y las prioridades que un documento de IETF debe tener. Por mencionar solo un ejemplo, allí se menciona que quienes han trabajado sobre el modelo de amenazas son personas expertas en VGFT, pero no se reconoce que todas quienes lo mencionan trabajan en el contexto de Estados Unidos de Norteamérica.

Priorizar la eficiencia sobre la equidad

Muchas preguntas están ahora en discusión, y serán abordadas en el desarrollo de los documentos técnicos. Como grupo de trabajo hacktransfeminista, nos interesa entender cómo se espera manejar (al nivel de fabricantes) la decisión (de una persona usuaria) de desactivar la participación de su dispositivo como nodo en la red. Esto porque el modelo de amenazas DULT asume la existencia de la red colaborativa como condición dada. Sin embargo, ¿cómo garantizar el consentimiento informado y la transparencia técnica para las personas usuarias, entendiendo que hay una brecha estructural (territorial tanto como de género) en el acceso a tecnologías?

En América Latina se ha trabajado el tema de la violencia digital de género desde hace más de una década, y desde muy diversas perspectivas. De ahí nuestro interés en comprender e involucrarnos en los desarrollos técnicos en esta materia, ya que pueden impactar tanto los panoramas de riesgo y amenazas, como las respuestas (técnicas, pero también legales y psicosociales) necesarias para transformar una situación crítica como es la violencia de género que persiste y se adapta al entorno digital (todavía emergente en amplios sectores de la población latinoamericana).

El modelo DULT menciona escenarios de VGFT, pero su desarrollo sigue dominado por una mirada técnica abstracta, mientras que el trabajo de líneas de ayuda y otros procesos de acompañamiento y respuesta a VGFT en América Latina (y muchas otras regiones de la mayoría global) trabajan con conocimiento situado, empírico y contextualizado.

Como dice Ruha Benjamin en su libro Race after Technology, para transformar la manera como funcionan las tecnologías hoy es necesario entender que no es suficiente con tener mejores intenciones frente a la manera como las tecnologías se despliegan para otros. Se requiere dejar de priorizar la eficiencia sobre la equidad. En nuestro caso, consideramos que el desafío de un grupo como DULT no es simplemente traducir los documentos técnicos para que sean digeribles por “personas expertas en VGFT”. Implica transformar el proceso mismo de estandarización para que exista un involucramiento de las personas que acompañan, que conocen las necesidades de primera mano, en muy diversos contextos. Y para eso, es necesario entender que los estándares técnicos suelen construirse en espacios altamente técnicos, con barreras económicas y lingüísticas; y que las organizaciones que acompañan sobrevivientes de VBG y VGFT trabajan en contextos de permanente urgencia, precariedad y sobrecarga.

Integrar esta experiencia requeriría incorporar procesos formales de consulta regional y financiar la participación de organizaciones de la sociedad civil en espacios de estandarización, además de reconocer la VGFT como escenario primario, no excepcional.

Como decíamos antes, valoramos el esfuerzo técnico del grupo de trabajo DULT, pero creemos que es necesario ampliarlo. Si este modelo de amenazas pretende ser de alcance global, necesita abandonar la ficción de la neutralidad contextual, porque es allí donde Norte Global se mantiene como modelo para el resto del mundo. Se requiere integrar las experiencias diversas de quienes trabajan estos temas, y además trabajar por un abordaje interseccional, de manera que los avances tecnológicos no supongan una potencial amenaza para ciertos contextos o grupos sociales históricamente vulnerados en el orden global.

/raiz_común es: Martu Isla (Independent), Linda (Social TIC), PatyMori (MariaLab), Juliana Guerra (Independent)

Is it possible to have a standard that does not claim to be universal?

Sat, 13 Jun 2026 08:00:00 +0000

Technology-facilitated gender-based violence (or TFGBV) is often not something that gets built into the design from the start. It’s not something usually considered until it happens, and the following step is to “fix it”, as if it were a bug or a security patch. Every piece of technology would be very different if, early in the design processes, people wondered: could this technology be used by an abusive partner? What could happen if an attacker has physical access to the device? How does this design affect people in structural inequity contexts? These types of questions, among others, tend to be pushed aside when “global impact” or “mass adoption” technological products are designed.

When it comes to internet technical protocols, which are built by and for those who operate networks and develop technologies for end-users, these types of issues tend to either be left out of conversations entirely or are addressed briefly and then get brushed aside. The goal is to facilitate the reading and understanding of the groups and scenarios where protocols need to have an impact, ie, the internet technological industry.

In this article, we look at the DULT (Detecting Unwanted Location Trackers) working group that falls under the IETF (Internet Engineering Task Force). The group is putting together a set of documents to address a certain type of TFGBV: location-tracking Bluetooth devices.

For the past 2+ years, DULT has been developing a threat model for tracking devices that run on collaborative location networks, like Apple’s Find My or Google’s Find Hub. These networks allow thousands of devices to act as nodes, detecting Bluetooth signals from nearby tags, and logging their location to a central server. This can be executed passively, jeopardizing the users’ privacy by doing so without their explicit consent.

For a better understanding of how these networks function, you can see the Find My diagram’s network taken from the article Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System:

Source: positive-security/find-you

This threat model is meant to serve as the foundation for a DULT protocol to detect unwanted tracking-location devices across different types of devices and apps in an interoperable way. But as the Intimate Partner Violence Digital Considerations (IPVC) draft (from the Human Rights Protocols Considerations Working Group) points out, those specific domestic violence scenarios are rarely included when building threat models for protocols. Whereas DULT does describe some of these scenarios, they’re not fully integrated into their conceptual architecture.

On that point, it is worth noting that this collaborative location-tracking technology was originally designed to find lost objects using a Bluetooth ecosystem to improve the user experience and expand the tracking infrastructure. But once reports of abusive tracking started coming in, alerts, signals, and other protective measures were added. Because there was never in mind a scenario where someone abusing a partner (not necessarily an attacker, in the way the document defines it) could have physical access to the devices or could coerce, share accounts, or simply disable alerts, we are still thinking and designing a system where that reality is the baseline. The question is, shouldn’t this be a standard thought?

A unique answer for very different realities

At this point, the DULT threat model is in its final stages of being written. Two more technical documents will come out of this: one laying out best practices for accessory manufacturers on how to implement unwanted tracking detection into their devices, and another one that defines the protocol for how the devices can report the tags seen, so that they can be easily located.

While final adjustments are still being discussed, and as part of our collective analysis on the work DULT is doing, we carried out a focus group with 12 people from different feminist helplines and projects working on TFGBV in Latin America. Our goal was to better understand the context where people resort to this kind of support in the region, and whether tracking technologies, such as the one we’ve mentioned before, represent a threat in the scenarios they see every day.

In the DULT threat model, hiding a tag on a backpack or a car is considered one of the main threats. However, when talking to helplines, we realized tags are not a core concern while tracking or monitoring is a very common type of violence widespread regionally. It happens through shared account use, real-time location sharing on phones, Google account history (these are the most used ones, just as with Android devices), parental control apps, and the like. Usually, abuse occurs by using the services already built into the phone and its associated accounts, and not by means of tags or any other additional hardware.

It was also mentioned that AirTags are not that common, since the use of Apple devices seems to be concentrated among middle and high-income sectors of society. According to data from Statcounter in February 2026, iOS accounts for over 20% in Latin America. Moreover, the tags market isn’t very popular yet, but there is some concern among people supporting TFGBV cases, since you can purchase these tracking devices online at affordable prices and compatible with Android. There’s a future risk that their reach and popularity could grow quickly and become the norm in wider population groups.

Another thing to consider is that in contexts where enforced disappearance and extreme violence are a reality, geolocalization can be perceived as a support and care tool to be used during that search. These technologies exist in realities where the physical safety of the family members from those disappeared and activists is at risk. A document such as DULT threat model does not consider how this technology can be used in contexts of structural violence in regions such as Latin America.

The impact of a document

As people working in technical support who accompany women and LBTQIA+ people suffering TFGBV, we believe an effort like DULT is tremendously valuable. It starts as a threat model grounded in a narrative description of situations or scenarios that are not just technological “use cases”, but they offer “realistic insights into the constraints of people being targeted through location-tracking tags.” (from the draft).

Therefore, we acknowledge that this document tries to consider different situations and it makes explicit its limited scope and ever-changing nature. We believe it’s important to reflect on the draft, which we hope will soon be published as an RFC document, not only as the foundation for other technical documents, but also in terms of the processes and consensual decisions made within the IETF working group.

The tone of this threat model needs to be understandable by manufacturers and developers, and it should stay within the scope of the technical protocol, as defined in the working group. The five scenarios described focus on the attacker as someone who places a device, tries to avoid detection, takes advantage of technical limitations, and doesn’t need access to their target’s personal accounts. However, in TFGBV contexts, it’s essential to consider that the attacker can have continuous physical access to the device, coerce, illegitimately share accounts, become the legal owner of the device or accounts, control the victim financially, and more.

As mentioned in the IPVC draft, these factors radically change the threat model, not only because of the power dynamics between the attacker and the targeted person, but also within a broader social context. That’s why TFGBV cannot be understood or addressed by only considering technical factors; it requires an understanding of social, structural, and contextual factors.

On the other hand, the DULT threat model proposes a threat matrix with probability and potential impact levels. However, as noted before, neither probability nor risk is universal. For instance, the threat of Deploying Multiple Tags is rated as high chance, whereas in Latin America, that probability could be medium or low, due to the costs and uneven network coverage. The threat of Heterogeneous Tags Networks depends strongly on the iOS and Android regional markets. This is a reality that underlies the DULT development work itself: it cannot be taken as a universal standard. Similarly, the Disabling Target Tag Detection is considered less likely to happen, but from our experience with TFGBV, we know that actual access to devices belonging to partners or ex-partners is extremely common.

The matrix is based on technical conditions from the Global North and does not reflect socioeconomic inequalities, cultural practices, or power dynamics from other regions, such as Latin America. On this point, we’d like to highlight a discussion that took place at the interim meeting on December 4th, 2025, about the level of expertise of those who had contributed to the development of this document, the importance of having this work over to people working with TFGBV, and what priorities a TFGBV document should have. Just to mention an example, in that discussion, it was mentioned that the people working on the threat model are experts on TFGBV, but there was no acknowledgement that their expertise is rooted in the context of the United States of America.

Prioritizing efficiency over equity

A lot of questions are under discussion at the moment, and they will be addressed as the technical documents are developed. As a hack-transfeminist working group, we are interested in understanding how (at the manufacturer’s level) the decision (for an end user) to disable the participation of their device as a node on the internet is handled. We are mentioning this because the DULT threat model assumes the existence of a collaborative network as a given condition. But how can informed consent and technical transparency for end users be guaranteed, understanding there’s a structural gap (both territorial and gender-wise) in access to technologies?

In Latin America, the issue of digital gender violence has been approached from various perspectives for over a decade. That’s how our interest began: wanting to understand and get involved in the technical developments around this issue, since they can affect both risk and threat situations, but also responses (technical, legal and psychosocial) needed to transform a critical situation like gender violence which persists and adapts to the digital environment (still emerging in several sectors of the Latin American population.)

The DULT threat model mentions TFGBV scenarios, but its development is still dominated by an abstract technical view, whereas the work of helplines and other support processes responding to TFGBV in Latin America (and many other regions of the Global Majority) draws on empirical, situated, and contextualized knowledge.

As Ruha Benjamin says in her book Race After Technology, to transform the way technologies work, we need to understand that it’s not enough to have the best intentions before technologies are deployed onto others. We have to stop prioritizing efficiency over equity. In our particular case, we believe the challenge of a group such as DULT is not mainly to translate the technical documents so they are digestible for “TFGBV experts.” It also implies transforming the standardization process itself, so that there is genuine commitment from the people doing supporting work, who know the needs first-hand in various contexts. Bearing that in mind, we need to understand that the technical standards are usually built on highly technical spaces, with economic and linguistic barriers, whereas organizations that support survivors of GBV and TFGBV work in contexts of continuous urgency, precarity, and overload.

Integrating this experience would require adding formal processes of regional consultation and funding the participation of civil society organizations in standardization spaces, while also acknowledging TFGBV as a primary scenario, not an exceptional one.

As we mentioned before, we appreciate the technical effort from the DULT working group, but we do believe it needs to be expanded. If this threat model aims to have a global reach, it needs to abandon the fiction of context neutrality, because that’s how the Global North positions itself as the model for the rest of the world. We need to add the diverse experiences of those working on these issues, and to do so with an intersectional approach, in a way that technological advances don’t pose a potential threat to certain contexts or historically vulnerable social groups in the global order.

/raiz_común is: Martu Isla (Independent), Linda (Social TIC), PatyMori (MariaLab), Juliana Guerra (Independent)

Translation: Florencia Aguilar and Sarah Reimann

Demystifying phone unlocking tools

Fri, 17 Apr 2026 08:00:00 +0000

Your phone is, for all practical purposes, your most intimate possession. It holds your conversations, your contacts, your movements, your photos, and often the internal communication of every organization you belong to. When a phone is seized and unlocked by authorities, or by anyone else with the right tools, it is the privacy of every person you have ever communicated with that gets violated.

This post provides an overview of the commercial phone unlocking industry, explains at a high level how these tools work, and offers concrete defensive strategies for individuals and communities.

A booming and unregulated market

The use of forensic phone unlocking tools by law enforcement and other actors is incredibly common. Several companies compete in this space, and the market is almost entirely unregulated. While spyware tools designed to remotely infect a device are at least nominally subject to export controls (controls that consistently fail in practice), forensic unlocking tools are not even covered by that much. The companies that build phone unlocking tools have successfully avoided being classified as dual-use technologies, despite the obvious implications for human rights.

The major commercially available players include Cellebrite, Magnet Forensics (which markets the GrayKey device), and Oxygen Forensics. Among these, Cellebrite and GrayKey stand out because they actively acquire and deploy zero-day vulnerabilities to bypass device security.

Licenses are relatively cheap, especially in relation to the capabilities these tools provide. They are well within reach of local police departments, private investigators, and in some documented cases, phone repair shops and consultants operating with even less oversight.

As Osservatorio Nessuno recently documented, abuses of this technology is occurring even for minor infractions or investigations. It is also routinely used at borders and on vulnerable people, including in the European Union. Amnesty International has documented similar abuses in Serbia, where Cellebrite tools were used to target journalists and activists.

How phone unlocking works

It helps to distinguish between two related but different operations: unlocking and extraction. Unlocking means gaining access to a device, typically by bypassing or recovering the PIN or password. Extraction means making a forensic copy of the device’s data – its file system, applications, messages, and metadata. In practice, unlocking is usually required before a full extraction can take place.

Modern smartphones encrypt their storage. The strength of that encryption, and how difficult it is to bypass, depends heavily on two factors: the state of the device and the hardware it runs on.

A device that has never been unlocked since it was powered on is in a state known as “Before First Unlock” (BFU). In this state, most user data is encrypted with keys that are derived from the user’s passcode and protected by dedicated security hardware. Attacking a device in BFU state is significantly harder and more expensive. A device that has been unlocked at least once since boot is in “After First Unlock” (AFU) state. In AFU, many decryption keys are already loaded into memory, and the lock screen is effectively a user interface overlay rather than a cryptographic barrier. This is why the single most important defensive action, when a device might be seized, is to turn it off.

Flagship devices like Google Pixels include a dedicated secure element (Google’s Titan chip) that stores cryptographic keys in dedicated hardware and enforces rate-limiting on passcode attempts. Most budget and mid-range phones, particularly those running MediaTek chipsets, lack this protection entirely. Many MediaTek processors are vulnerable to known boot ROM exploits that compromise the entire chain of trust and cannot be patched. For these devices, even a long password may ultimately be defeated through offline brute-forcing.

According to Cellebrite’s own February 2025 support documentation, nearly all non-Pixel, non-Samsung devices are considered unlockable. Even among Samsung and Pixel devices, the level of protection varies significantly depending on the chipset, the Android version, and the security patch level.

Defenses that could exist but don’t (yet)

One of the most effective mitigations against forensic phone unlocking is remarkably simple: automatically rebooting the device after a period of inactivity, returning it to the BFU state. GrapheneOS, the security-focused Android distribution, has implemented this feature for years. Apple introduced a version of it for iOS. However, stock Android, which runs on the vast majority of devices worldwide, has been slow to adopt it. Google has made some progress with Android 15, but the implementation remains fairly limited, since Google has chosen to set the reboot timeout at 72 hours, likely as a compromise with authorities.

Similarly, USB port restrictions, such as disabling data transfer over USB when a device is locked, are a powerful mitigation against the physical exploitation techniques that forensic tools rely on. Both Android 15 and iOS offer versions of this feature.

Encrypt, then minimize

Encryption is essential, but it is not sufficient. What we learned from analyzing forensic unlocking capabilities is this: recovering long deleted data is harder than recovering encrypted data. If an exploit is found that defeats your device’s encryption, everything stored on the device is exposed. However, data that has been deleted for some time might not be as easy to extract.

This has direct implications for how communities should think about operational security. The most impactful single measure any group can adopt is to enable disappearing messages on every messaging application, for every conversation, all the time. Signal, WhatsApp, and other major messaging platforms all support disappearing messages with configurable timers. For groups handling sensitive communications, shorter timers provide stronger protection.

This “encrypt, then minimize” approach acknowledges a straightforward truth: you or someone in your community will eventually have a device seized, and it is everyone’s responsibility to protect their peers.

Technical defenses for individuals

For those who want to maximize their protection against forensic unlocking tools, the following measures are effective to our knowledge based on current capabilities:

Use GrapheneOS on a Pixel device. According to Cellebrite’s own documentation, GrapheneOS on recent Pixel hardware (6a and newer) provides the strongest protection available on any Android device. A secondhand Pixel 6a running GrapheneOS is a meaningful security upgrade over almost any other Android phone.

Use a strong alphanumeric password, not a PIN. A six-digit PIN or pattern will likely always be cracked. Offline brute-forcing of numeric PINs, when the key material can be extracted, is trivially fast. An alphanumeric password of reasonable length and complexity makes this attack computationally infeasible. The password is only required after a reboot, as biometric authentication handles daily unlocking unless you are in a jurisdiction where physical coercion is possible or likely.

Turn your phone off when it might be seized. This returns the device to BFU state, where cryptographic protections are the most solid. It is the single most impactful action in the moment.

Restrict USB access. On Android 15 and later, disable or restrict USB data transfer when the device is locked. On iOS, enable USB Restricted Mode. On both platforms, enable Lockdown Mode or Advanced Protection where available.

Enable auto-reboot. GrapheneOS allows configuring automatic reboots after a set period without unlocking. This ensures that a seized device returns to BFU state even if the owner was unable to power it off. If You have GrapheneOS or the timer is configurable, consider either keeping it low, or lowering it (e.g.: 1-2 hours) before participating in an action or event which could result in seizure.

Use application-level encryption. Use application-level encryption. Applications like many password managers offer their own encryption layer with a separate password. Enabling this provides an additional barrier if all other defenses fail.

Disable display of notifications content. Applications like Signal have a setting to chose whether to display message content in notifications. This should be disabled, as it allows for forensics message ecovery from the notifications cache. Keeping notifications enabled is fine, but they should contain at most the sender.

If you have an unlocked bootloader, almost none of these measures apply, as the device’s chain of trust is already broken.

After a compromise

If a device has been seized and returned, the following steps are suggested. Reset all passwords from a separate, trusted device. Log out of all sessions on every service. Run the Mobile Verification Toolkit (MVT) to check for indicators of compromise, and share the results with a trusted technical contact. At minimum, factory reset the device; ideally, replace it entirely. Alert your contacts that their communications have been exposed.

A broader challenge

The forensic phone unlocking market operates in a regulatory vacuum. These tools are not classified as weapons, are not subject to meaningful export controls, and are sold to a customer base that extends well beyond law enforcement. As Osservatorio Nessuno has described in detail, the companies involved in this market are active participants in the zero-day vulnerability trade, purchasing and stockpiling security flaws rather than reporting them. This practice weakens the security of every device, for every user, everywhere.

The technical defenses outlined above are generally effective, but they are individual mitigations against a structural problem.

This blogpost summarises the ‘tech dive’ delivered by Osservatorio Nessuno to the members of the Public Interest Technology Group. For a more detailed technical analysis, see the full research series on osservatorionessuno.org.

Osservatorio Nessuno is an Italian non-profit dedicated to defending privacy, anonymity, freedom of expression, and digital rights. Founded in 2021, the group operates Tor infrastructure, provides technical assistance to activists and journalists, develops open-source security tools, and conducts analysis and reverse engineering of surveillance technologies.

If you are an activist or journalist concerned about the security of your devices, or if your device has been seized and you need technical assistance, contact Osservatorio Nessuno via their contacts page.

The Need for an OSINT Protocol for Journalists

Mon, 23 Mar 2026 08:00:00 +0000

In the first hours after a missile strike, a natural disaster or a political assassination, the same thing happens every time: social media fills with photos and videos faster than any newsroom can process them. Some are real. Some are from a different country, a different year, a different war. Some are AI-generated. A journalist with a large following shares one without checking. It spreads. By the time the correction goes out, the original post has half a million impressions.

This is the problem that open source intelligence was supposed to solve. And in many ways, it has. But the most powerful investigative tool available to journalists today was not developed for journalists. It was developed for prosecutors, war crimes investigators, and intelligence analysts. Journalists borrowed it, adapted it, and built entire beats around it — without ever stopping to consider specific rules and standards. Especially around ethics.

OSINT, short for Open Source Intelligence, refers to the methodology and tools that leverage public-facing information like satellite imagery, radio, ship and plane tracking data, social media photos and videos, for either storytelling or accountability purposes. (There are far more tools than anyone could master or count, but collectives like Bellingcat do a great job at compiling and explaining what each tool does.)

OSINT helps us verify whether a photo or video is real, where and when it was taken, and whether it’s been used out of context. By examining individuals’ digital footprints, we can identify potential perpetrators and trace chain of command structures for criminal responsibility in war and conflict zones. We can also cross-reference weapons and equipment visible in footage against databases like the Open Source Munitions Portal to identify who the arms suppliers are in a conflict, and use platforms like Flightradar24 and MarineTraffic to track military air and naval movements, blockades, and resource flows.

The possibilities are infinite. But so are the mistakes. In the end, OSINT is less about the tools and more about the methodology. More than the open source information we collect, OSINT is about collecting what is relevant, archiving it, and analyzing it without error.

Most OSINT handbooks and tutorials tend to be tool-oriented. And only recently has the OSINT methodology been codified in documents like the Berkeley Protocol on Digital Open Source Investigations.

In this blog post, I want to argue that even though the Berkeley Protocol has enormously contributed to the field, it is mostly written for those who investigate human rights violations and war crimes at an international level. It doesn’t work for journalists. It’s of course a guiding document on the craft regardless, at a time when blogs are abundant but normative documents are scarce. And yet the Berkeley Protocol reads like a law. It makes sense, as it was written so that social media videos and photos from conflict zones could be accepted as evidence in international courts. It was very much needed in that space.

But it’s of little use to journalists.

Don’t get me wrong: most of the principles are very relevant. Keeping yourself and your team safe, not breaking the law, being transparent in your findings, knowing your biases, and archiving the information you collect are all sound practices. But the Protocol is written in language that is barely understandable by journalists, and it contemplates outputs that have to work within the constraints of a trial, including the right to due process, the legal principle requiring states to respect someone’s rights before depriving them of life, liberty, or property.

Journalism follows a different logic. It involves characters that take the audience through a plot and hold power to account. It operates within a news cycle, and deadlines are a lot stricter. It’s precisely those differences between human rights law and journalism that affect not only the collection methods, but also the outcome, the presentation, and the ethical rules.

It’s time for an OSINT Protocol for journalists and storytellers, especially given its rise in the past years as a method of investigation.

The tools are the same for human rights practitioners and journalists alike. But the methodology, the output, and the process change. What follows is what I think an OSINT Protocol for journalists should include at the minimum, and what it should leave out. These are not meant to be comprehensive, but rather to get the conversation started.

What it should leave out

The Berkeley Protocol has genuinely useful principles that should apply across disciplines, regardless of whether your output is a war crimes tribunal or a front-page story.

But the Protocol was written with a specific reader in mind, one whose job is to build a legal case that can withstand cross-examination in an international court. That reader has to respect the due process rights of the people they’re investigating. Even an alleged war criminal has a right to privacy, a right to a fair trial, and a right not to have evidence collected through methods that could get it thrown out. The Protocol’s stricter principles exist to protect those rights, and to protect the integrity of the prosecution.

Journalists operate under a different obligation. We are accountable to the public and to the truth, not to evidentiary standards designed for The Hague.

Take “data minimization,” the principle that investigators should collect only what is strictly necessary, conduct preliminary assessments before gathering material, and develop formal retention and deletion policies for everything they handle. For a prosecutor, this makes sense: over-collection can constitute a privacy violation and compromise a case. For a journalist, the calculus is different. Our concern when gathering material is relevance to the story, not whether collecting a public social media post might infringe on someone’s legal rights.

The same goes for chain of custody, the strict chronological documentation of who has controlled a piece of evidence, when, and how it was transferred or analyzed, so that it can be admitted in court. Maintaining a formal digital preservation system to satisfy chain of custody requirements is a reasonable demand on a war crimes investigator. It is an unreasonable demand on a reporter working on deadline. That doesn’t mean journalists shouldn’t archive their material carefully. They should, for their own reasons. But the standard is different, and pretending otherwise produces compliance theater rather than better journalism.

What it should include

For all its wonders, OSINT can be abused: exposing someone’s private or intimate information, stalking, harassing, or impersonating could all be done with OSINT tools and methods. That’s why the first thing an OSINT Protocol for journalists should address is ethical standards.

OSINT is still too new in journalism. Ethics codes like the one from the Society of Professional Journalists (SPJ) are not even reflective of the social media era, let alone open source intelligence methods or AI. Some ideas that came up in the Open Source Investigative Reporting class I used to teach with Alexa Koenig and David Barstow at UC Berkeley are the following:

1. We don’t hack. This seems obvious. And yet it needs to be said, because the line between open source investigation and unauthorized access can blur faster than you’d expect, especially when the information is sitting right there, one more click away. OSINT, by definition, is information that is publicly accessible by design, or that has been made available through legal means. OSINT journalism is not hacking. It doesn’t matter how important the story is. It doesn’t matter if the target is a war criminal, a corrupt official, or a corporate fraudster. It doesn’t matter if the door was technically left open. It’s a threshold we shouldn’t cross.

2. We don’t break the law. This principle sounds obvious, but it deserves closer examination because OSINT creates specific ambiguities that general journalism ethics codes were never written to address. Scraping public data might be legal in one country but not in another. In some places you need a person’s consent to record a phone call; in others you can record without it. The ethical principle here is about knowing the laws in the places where you are working, especially given the international nature of OSINT.

3. We don’t doxx people. Doxxing is the act of publishing someone’s private or identifying information with the intent to harass, threaten, or extort. It’s one of the most obvious misuses of OSINT, and it’s sometimes done accidentally. The distinction matters. There is a difference between identifying a person in the public interest, such as naming a military commander responsible for a documented atrocity or identifying the owner of a shell company linked to corruption, and publishing a private individual’s home address, phone number, or daily routine. The first is accountability journalism. The second is unethical.

4. We don’t take advantage of sources. OSINT can create a power imbalance that is different from traditional source relationships. You may know a great deal about someone before they know you exist. You may have their location history, their social connections, their family situation. You may have found them because they posted something in a moment of grief, anger, or confusion, in a community they thought was private, or in a language they didn’t expect a foreign journalist to read. This is especially true when the people you’re dealing with are victims.

5. We fact-check. Fact-checking is different from verification. Fact-checking is about corroborating facts with multiple sources and being clear about where you got your information. Verification in OSINT is about establishing where a photo or video was taken (geolocation) and when it was taken (chronolocation). But OSINT alone is never enough. In 2017, Bellingcat located the site of an execution based on satellite imagery and social media videos, noting that from the satellite you could see what appeared to be blood stains exactly where people had been executed. Fact-checking in OSINT journalism means treating your open source findings as a lead, not a conclusion. In that case, it would mean obtaining additional evidence to confirm that those spots were actually blood, whether through a witness who was present or someone who analyzed the stains directly. It means seeking ground truth: physical verification, on-record sources, documentary evidence that either corroborates or complicates what the data shows. It means being willing to hold a story that is visually compelling but not yet confirmed.

6. We verify before we publish. More and more journalists re-share AI-generated photos or older videos taken out of context and passed off as breaking news. The speed of social media has made this worse: a compelling image gets shared by a journalist with a large following before anyone has asked the basic questions, namely when it was taken, where, and by whom. A new ethical principle for journalists in the disinformation era would be to use OSINT tools and methods to determine the veracity of information before publishing, not after it has already spread. Reverse image search takes thirty seconds. Checking a video’s metadata, cross-referencing landmarks, or running a clip through a tool like InVID takes a few minutes more. These are not exotic skills. They are, increasingly, the minimum standard of care. The correction, when it comes, rarely travels as far as the original error.

A whole discussion could be had about a particularly fraught principle for US-based journalists: “We don’t misrepresent ourselves.” Not everyone takes the same approach, especially with OSINT. Is it acceptable to pose as a white supremacist to gain access to a Facebook group you’re investigating? Do you always have to disclose yourself as a journalist? European news organizations tend to be considerably more permissive about undercover investigations. I’m setting this principle aside for now because it merits its own post.

Conclusion

The OSINT field has matured faster than the frameworks meant to govern it. The Berkeley Protocol was a landmark, rigorous, necessary, and built for a specific purpose. But a document designed to get satellite imagery admitted as evidence at the International Criminal Court was never going to serve a journalist trying to verify a video before a 6 p.m. deadline.

What journalists need is a protocol written in their language, for their constraints, and with their outputs in mind. Not a legal brief, but a practical and honest set of commitments that reflects how open source investigation actually works inside a newsroom: the collaborative chaos of it, the time pressure, the platforms, the AI-generated noise, and the very real ethical traps that existing codes were never designed to catch.

The principles sketched out here, including not hacking, not breaking the law, not doxxing, not exploiting sources, fact-checking, and verifying before publishing, are a starting point, not a finished document. But the conversation has to start somewhere. The disinformation environment isn’t waiting for journalism to catch up, and neither are the people who would misuse these methods. An OSINT Protocol for journalists won’t solve everything. It will, at least, give the field something to argue about. And in journalism, that’s usually how progress gets made.

Gisela Pérez de Acha is an open source investigative reporter specializing on extremism, disinformation and environmental issues. She works as a cybersecurity expert and a digital safety trainer with PEN America. In 2021, she created a partnership between at UC Berkeley’s Investigative Reporting Program and its Human Rights Center to teach a first-of-its-kind Open Source Investigative Reporting course at Berkeley Journalism.

Geopolitics at the Internet’s Core – A Policy Practitioners Perspective

Wed, 04 Feb 2026 08:00:00 +0000

The Internet Protocol was borne out of conflict and that legacy is only intensifying and more visible beyond the expert community as technical infrastructure is increasingly a proxy for political and economic power. After 20 years on the front lines of some rather public, but also very private battels around Internet policy at both the national and international levels, I wanted to offer a fact-based accounting of events. Partnering with a thoughtful, smart, and supportive team of experienced academics on Geopolitics at the Internet’s Core provided that space for me.

Uniquely co-authored by a trio of academics that span both sides of the Atlantic and one former government policy practitioner allowed for the blending of academic analytical research and, on the ground, firsthand policy experience. My participation as a co-author resulted in a drafting process that could be likened to having a “permanent interviewee” as part of the writing team. Crafted over a 4-year period via Google Docs and weekly Zoom meetings, the drafting process was full of spirited discussion, debate, and coordination.

Using the ecosystem approach that is a mainstay of theoretical frameworks from science and technology studies, the Internet Protocol ecosystem can defined as a combination of virtual resources, abstract specifications, tangible infrastructure, functionally specific systems, and the institutions and rules that design, operate, and coordinate these systems. This allows the Internet Protocol to be used as a lens into the governance structure of the Internet, which – while highly decentralized in many aspects – has a few centralized coordination points.

Understanding five key elements is crucial to appreciating what exactly it is about the Internet Protocol that generates so much geopolitical attention. These include the technical criticality of the systems themselves to the Internet, as well as the fact that there is a finite pool of resources prompts concerns of equity. The reality that these resources can be used for personal identification, and if tapped in the right manner can also be a choke point for control, makes them an attractive target for governments, irrespective of impact or effectiveness. Lastly, the not historically market-based approach used to distribute these resources via multistakeholder, or privatized processes raises questions of legitimacy.

The progression of the Internet Protocol has endured crises all along the way and detailing the stories of its foundational struggle (the choice of TCPIP over OSI), the expansion struggle (IPv4 to IPv6), and the oversight struggle (the privatization of the management of the domain name system) clearly demonstrates this point. Weaving in numerous illustrative mini case studies to make different complex issues more accessible, as well as several insights ‘from the field, illustrate how the contemporary policy issues of content, security, and inclusion relate to the IP ecosystem. Stories covered include, the pollicization of IP addresses in Russia’s war on Ukraine, content-blocking efforts to mediate societal concerns related to human safety during the Covid-19 pandemic, and Internet standard bodies capacity development efforts.

Geopolitics at the Internet’s Core concludes by offering a taxonomy of eight levers of power within the IP ecosystem drawn from the case studies presented and suggests this framework could be used for other technologies. Observing that the Internet Protocol ecosystem – rightly or not – has occupied a unique place at the center of many public policy issues in the digital era, controversies around core Internet architecture are a feature of our sociotechnical world. How these conflicts unfold has had and will continue to have enormous consequences for human rights, national security, economic stability, and the very heart of the Internet, which continues to have the Internet Protocol at its core.

Fiona M. Alexander is a Distinguished Fellow at the Internet Governance Lab, American University. She previously worked in the U.S. government at the National Telecommunications and Information Administration. This blog post by Fiona M. Alexander summarizes a presentation she made to the Public Interest Technology Group on November 10, 2025, on a book she co-authored with Dr. Laura DeNardis, Dr. Nanette S. Levinson, and Dr. Francesca Musiani.

The PITG Travel Fund in 2024

Mon, 25 Aug 2025 08:00:00 +0000

The PITG Travel Fund (PITG-TF) operates on a rolling basis to support underrepresented voices in Internet governance and standards bodies. We target individuals from civil society and public interest technology backgrounds who have historically been absent from these technically complex forums. This funding is critical because Internet infrastructure decisions made in these rooms affect billions of users worldwide, yet the voices of those most impacted by surveillance, censorship, and digital inequality are systematically excluded due to financial barriers and institutional gatekeeping.

The PITG Travel Fund supports participation in key organizations including the Internet Engineering Task Force (IETF), World Wide Web Consortium (W3C), International Telecommunications Union (ITU), Institute of Electrical and Electronics Engineers (IEEE), and the 3rd Generation Partnership Project (3GPP), among others, with the goal of promoting public interest perspectives, bridging knowledge gaps between technical communities and civil society, and cultivating sustained participation that increases diversity in these critical spaces where Internet standards are developed.

In 2024, the PITG-TF received 46 applications, and 12 were approved. Grantees attended a wide variety of events, mostly standards fora including IETF (120 and 121) and the Internet Corporation for Assigned Names and Numbers (ICANN 80 and 81), but also other governance spaces such as RightsCon, the Internet Governance Forum and the Association for Women’s Rights in Development (AWID) Forum. We are proud to say that geographic location of grantees was also diverse, as five of them were based in Africa (Morocco, Ghana, Kenya, Nigeria and Zimbabwe), one in Europe (Germany), three in North America (USA), two in South America (Brazil), and one in Asia (Palestine).

Although it is satisfying to see the participation of public interest technologists in these spaces grow, we recognize that there are still some barriers that as a Fund are hard to overcome. Two of the 2024 PITG TF grantees were not able to complete their travel because of visa issues, and some trips had to be delayed for the same reason. Whenever possible we have supported grantees in their visa application processes, arranged their flights and accommodation directly, and we have endeavored to maintain open and honest communication regarding our limitations as a small fund.

We are committed to support under-represented groups to allow them to have meaningful participation in technical standards forums and conversations. That is why we are constantly working on administrative adjustments that help us better respond to their needs and overcome constraints individuals face in attending in-person meetings.

Below are two examples of success of PITG-TF 2024 grantees and what they worked on with the Fund’s support.

Kris Shrishak
Germany, Europe
IETF 120, 20-26 July 2024
Kris has focused their participation in IETF on privacy enhancing technologies related working groups, including HRPC and GREEN BoF. In DULT, Kris had advocated for the threat model draft authors to get inputs from outside US/EU since IETF 119, but it had not still happened; DIEM BoF main use case is the use of digital emblems, something that many participants consider a too broad scope that should be limited to e.g., ICRC, with specific desirable properties; in SAAG and ISOPEN, questions regarding “national” cryptography and its potential standardization at the IETF were raised, but it was stated that IETF itself does not standardize new cryptography and relies on external experts including the academic community for that. Kris considers as problematic that DULT and PPM are working on corporate models and interests, with a lack of discussion and advances on reducing data collection.

“I realized the importance of BoF sessions during this IETF (I had previously only attended DULT BoF). They help scope working groups and speaking up at BoFs is one of the most effective ways to shape the work at the IETF.”

Tabitha Wangechi
Kenya, Africa
ICANN 81 Annual General Meeting, 9-14 November 2024
Tabitha’s participation was focused on contributing to discussions on Universal Acceptance and its critical role in fostering inclusivity on the Internet, and to help bridge the gap between grassroots realities and technical policy discussions. She shared insights on the barriers rural communities face in taking part in the domain names industry (mainly cost and access to localized digital content). In a discussion on how to build consumer confidence in the DNS registration data process, she emphasized on the importance of data protection and safety for communities.

Tabitha highlights the focus on DNS abuse mitigation during the whole meeting, which allowed her to understand that DNS abuse motivations are mainly financial, and it has to be taken into consideration while developing solutions. In her own words, “this insight will inform future capacity-building programs at Digital Rurals”.

The internet’s architecture is not predetermined—it emerges from the people who participate in shaping it. Every technical standard, every protocol decision, every seemingly abstract infrastructure choice ultimately determines whether the digital world becomes more open or more controlled, more inclusive or more exclusive. The PITG Travel Fund recognizes that meaningful change happens when diverse voices are present where these decisions are made. When Kris advocates for privacy-enhancing technologies at IETF or Tabitha brings rural perspectives to DNS policy discussions at ICANN, they are ensuring that internet governance reflects the needs of all users, not just those with traditional access to these spaces. Building a truly public internet requires more than good intentions—it requires sustained participation from the communities most affected by these technical choices and the funding to do so. PITG TF is just one of many efforts needed in that direction.

Please reach out to chairs@pitg.network if you are interested in applying for the fund, supporting the fund’s continued existence, or have any question related to the scope, topics or events that are in the PITG-TF remit.

Juliana Guerra is a co-chair of the Public Interest Technology Group.

Tackling tech consolidation from the inside: insights from the PITG Dublin Unconference

Fri, 15 Aug 2025 09:00:00 +0000

Last November 2024, the Public Interest Technology Group (PITG) held its first unconference alongside the IETF in Dublin with support of our community. As digital infrastructure like networks, encryption, and cloud computing become even more central to daily life, a group of technologists gathered at Trinity College to tackle urgent threats to internet freedom: surveillance, censorship, and the dangerous consolidation of power in the hands of a few tech giants.

The issues discussed at this unconference affect everyone who uses the internet—from the apps on your phone to the websites you visit. When a handful of companies control the fundamental infrastructure of the web, they effectively control who gets to participate in our digital future and under what conditions.

The PITG unconference brought together 23 researchers, advocates, and engineers who work inside the very socio-technical systems they are trying to reform—from internet standards bodies like the Internet Engineering Task Force (IETF) to browser development teams at major tech companies. Their mission was to ensure that the internet’s fundamental infrastructure serves public rather than corporate interests.

The never-ending encryption wars

The day began with a sobering assessment of where we stand in the fight against government and corporate surveillance. The protocols that encrypt your web traffic determine whether governments and corporations can spy on your online activity, manipulate the websites you see, or censor your access to information. As such, encryption should matter to everyone. While the Snowden revelations sparked progress in standards—encrypted Domain Name Service (DNS) protocols, Transport Layer Security 1.3, and other privacy-enhancing technologies—unconference participants noted a continued asymmetry in how standards bodies approach different threats.

The Internet Engineering Task Force (IETF) effectively considers government adversaries, multiple participants observed, but continues to struggle with addressing corporate surveillance threats. Possibly because many participants work for companies that run on data collection. This tension plays out in real standards battles. Take encrypted DNS protocols like DNS-over-Hyper Text Transfer Protocol Secure (DoH), which should theoretically protect users from surveillance and manipulation of their web traffic.

Despite being technically sound, DoH faces slow adoption due to government blocking, browser implementations defaulting to less secure options, and Internet Service Provider (ISP) resistance. Meanwhile, protocols that serve corporate interests of decreasing latency—like Google Quick UDP Internet Connection (QUIC)—deploy smoothly across the internet. The lesson we can draw from this is that privacy-enhancing technologies often struggle when they “stick out” or reveal conflicts between user privacy and corporate business models. As many of the technologists present agreed: the challenge is not just technical—it is political.

Locked out of rough consensus and running code

The people making decisions about internet protocols determine everything from whether your messages stay private to which companies can build competing browsers or apps. As such, another unconference discussion centered on who gets to make decisions about internet infrastructure. Despite being “open” in theory, public interest advocates face significant barriers in meaningfully participating in standards bodies like the IETF. With meeting attendance costing $3,000-5,000 per person (counting the participation fee, hotel, travel, visa, per diems etc.) and requiring weeks of travel annually, decision-making power concentrates among employees of large companies who can afford to send engineers to lengthy technical meetings.

Unlike organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the IETF lacks robust infrastructure and funding for diverse participation. Decision-making power concentrates among employees of large companies who can afford to send engineers to lengthy technical meetings. While fee waivers, childcare, and mentoring programs exist, they cannot overcome fundamental power dynamics that favor those who control operating systems, networks, and hardware.

The process itself can be opaque, participants noted, with many implicit rather than explicitly documented procedures and norms. This creates a system where good intentions are not enough—you need institutional backing and deep technical knowledge to influence outcomes. There is no one single solution to this concern. Participants, however, did call for deepening the connections between public interest techies in the various bodies—public interest liaisons, if you will—who can highlight key issues, build common agendas among influential technologists, and better connect efforts across standards bodies.

The consolidation crisis

When a few companies control the essential infrastructure of the internet, they can decide which the general level of protection people can expect from surveillance, which websites load quickly, and what information you can access. The most urgent discussions focused on a problem hiding in plain sight: the dangerous consolidation of economic power across many layers of internet infrastructure. In browsers, for example, we have moved from a diverse ecosystem to Chrome’s overwhelming dominance at 65% market share globally, with a few meaningful alternatives. While Chromium’s open-source nature provides some benefits, Google maintains such overwhelming influence that “de-Googling” Chromium remains nearly impossible. Chrome’s dominance also often means de facto control of web standards, and how and when websites work or break.

Mobile operating systems have consolidated into a Google-Apple duopoly, with Android holding approximately the largest market share followed by Apple, together accounting for almost the entire of the smartphone market. Apple and Google collect a significant commission on most app transactions (reduced somewhat for smaller developers), with Apple alone generating over $10 billion globally in commissions in 2024. This consolidation extends beyond just phones—app stores, design standards, and development frameworks all flow through these two gatekeepers.

Another concerning consolidation happens in cloud infrastructure. A few companies—Amazon (32%), Microsoft (23%), Google (10%)—now provide the majority of hosting, compute and other services for everything from government services to “internet freedom” tools. As participants grimly noted, lots of public money effectively is handed over to cloud providers even by free and open-source software projects. This creates perverse dynamics. Organizations building tools to resist surveillance and reduce consolidation find themselves dependent on the very companies that, in some cases, they are trying to circumvent.

Privacy theater vs. real protection

Companies often implement visible privacy features that make users feel protected while continuing surveillance through less obvious means. The web privacy discussion, in particular, revealed how browser makers engage in elaborate “privacy theater”—security or privacy measures that are primarily designed to create an appearance of protection rather than provide meaningful safeguards—while enabling continued surveillance through other means.

Other measures are often costly or reduce functionality. Apple implements “double hop” systems for known trackers and offers paid privacy relay options—but only for those who can afford premium services. Brave focuses on anti-fingerprinting through data randomization, though this breaks legitimate use cases. Safari limits anti-fingerprinting to private browsing mode.

Google’s approach, as of last November, was to change Chrome’s fingerprinting policy to allow a broad range of tracking techniques. Given Chrome’s massive 65% market share, this essentially sets the standard for what is acceptable across the web. Meanwhile, research shows that reducing web tracking does not just improve privacy—it actually reduces fraud rates, demonstrating clear public benefits beyond individual privacy concerns.

The road ahead

The PITG unconference revealed both the scope of the challenges and the different streams of work within the PITG community to counter surveillance, censorship and consolidation. Participants committed to collaborating on projects ranging from abuse prevention in federated messaging to advocacy efforts for cloud accountability. But perhaps the most important insight was strategic: the open internet cannot be protected through protest or regulation alone. It requires technologists who understand both the technical details and the political stakes, working inside standards bodies and tech companies to ensure that the infrastructure we all depend on serves human rights rather than corporate profit.

The next PITG unconference is already being planned for 2026. In a world where tech consolidation accelerates daily and hype distracts from fundamental infrastructure questions; our work remains critical. As one participant noted, “Every protocol decision, every standard, every piece of infrastructure code is a political choice about who gets to participate in our digital future”. The PITG community is working to build both the technical tools and political frameworks needed to keep the internet working in the public interest, bit-by-bit.

Corinne Cath-Speth is co-chair of the Public Interest Technology Group.

The PITG chairs would like to extend their thanks to Dr. Stephen Farrell of Trinity College Dublin; the Ford Foundation for their core support of PITG and the Open Tech Fund (OTF) for generously providing travel support to the unconference; baby Aloys for being the youngest participant at only 3 months; and everyone who volunteered to moderate or take notes in the sessions!

Beyond cookies: browser fingerprinting in 2025

Fri, 15 Aug 2025 08:00:00 +0000

Cookies are optional. Fingerprinting isn’t. In 2025, the easiest way for trackers and third-party advertisers to follow you across the Web is to read the traits your browser can’t help revealing (screen, fonts, GPU quirks) and stitch them into a stable ID. The third-party advertising and tracking ecosystem has metastasized to a point that even US intelligence agencies use ad blockers internally for security reasons. The connection between real-time bidding and personal data leaks is well-established. This personal data often ends up with data brokers and subsequently leads to users experiencing financial fraud.

This blog post gives an overview of browser fingerprinting as a means of tracking users, how browsers protect users, and how users can protect themselves. This latter part is important, because most browsers (even the privacy-respectful ones) don’t always automatically enable anti-fingerprinting measures.

What is a browser fingerprint?

A browser fingerprint is much like a human fingerprint: a unique identifier that is hard to change. The more ways in which you’re different from other users, the more uniquely-identifiable your browser fingerprint, and the easier you are to track across the Web. If all a website comes to know is that you’re on an iPhone 16, that’s not particularly identifying, since you are far (far, far) from the only iPhone 16 user. But websites also need to know things like your screen size (to properly display the website for your screen), your timezone (to show you your calendar), whether or not you have dark mode enabled (for accessibility as well as general hacker vibes), etc. In combination, all of these small differences contribute to making your browser look unique.

For a browser, this presents a dilemma: break the ability for websites to detect dark mode and you incur the wrath of your most vocal users whose hacker aesthetics you just committed photocide against (ask me how I know). Don’t, and that’s yet another bit of information exposed to malicious tracking scripts. It gets even more complicated with more advanced fingerprinting techniques that rely on subtle differences between how different computers render pixels, or how sound cards process sound. We’ll come back to this point when discussing anti-fingerprinting strategies, but generally, the more modded and customized your computer setup, the more identifiable it is.

This majorly sucks, because the power of the Web is in its dynamism and diversity. JavaScript and other Web technologies let developers design immersive experiences and power the Web economy. Also, the same Wikipedia.org website can work across different operating systems, device manufacturers, form factors and hardware capabilities, ranging from my Apple device to my colleague’s bespoke Sailfish-flashed handset, and I think that’s beautiful. Powerful browsers and adaptive websites are a good thing!

Who does browser fingerprinting?

Advertisers

Advertisers want to know very legal and very cool things like whether that Nike ad you saw on Instagram ended up being responsible for a purchase you made on Nike’s website later that week. Without this kind of tracking data, they have no idea if the billions of dollars they pay advertising platforms like Meta is paying off. Advertising networks also want to know who you are in order to increase the chances you click on an ad. There is an overwhelming financial incentive to get any kind of user tracking they can. Interestingly, browser fingerprinting is controversial even within the advertising industry, though it happens anyway.

Anti-fraud and anti-bot vendors

Anti-fraud and bot-mitigation companies aim to identify unwanted clients by fingerprinting their browsers. “Unwanted” typically means “could be a security threat” or “is a bot”. Identifying non-human traffic is a growing concern, especially as LLMs get better at solving CAPTCHAs. NYTimes and other news websites were caught harvesting local IP addresses as an anti-bot strategy a few years ago.

Law enforcement and nation states

Government agencies frequently use whatever data collection mechanism they can get their hands on. NSA used XKEYSCORE to hoover up Internet traffic directly from fiber optic cables around the world, and extracted browser fingerprints to assess exploitability of their targets. The UK tax revenue agency (HMRC) recently asked around for fingerprinting solutions to detect tax fraud.

After much back-and-forth, Google Chrome announced in April 2025 that they will be rolling back their latest already-watered-down proposal to bring third-party cookie blocking to users (basically just ask them), and will now be doing (checks notes) absolutely nothing. The working title of this post was “tracking in a post-cookie world”, but it looks like that world is still far away, given Chrome’s reluctance to touch third-party cookies and their dominant browser market share. More than half the Web’s traffic comes from Chrome (exact numbers vary depending on who you ask for interesting reasons that deserve their own blog post).

Other major browsers, thankfully, do block and partition third-party cookies. Even so, browser fingerprinting is still widely used by trackers and third-party advertisers to overcome the limitations of cookie-based tracking.

Cookies can be isolated (e.g. Private Browsing)

Users can use dedicated browsing sessions, isolating cookies and other storage. The classic example is Private or Incognito windows which also clear storage when users exit them, but Firefox’s Containers or Chromium’s Profiles serve the same purpose of making sure that whatever state the user picks up in the course of their browsing is isolated to that session.

Browser fingerprinters try to pierce session isolation in order to re-identify users. The NSA used Evercookie to unmask Tor users by recreating cookies even after they were deleted.

Cookies can be cleared

Cookies and other kinds of storage can be proactively cleared by the user even within the same session. Brave and DuckDuckGo offer ways to automatically clear storage when a tab/site/app is closed. Several browsers use heuristics to figure out when it’s safe to clear a website’s storage so as to prevent tracking while preserving benign use-cases. Bounce tracking mitigations is one category of this work that is implemented by most browsers, with varying degrees of aggressiveness. Again, Chrome lags behind other browsers by not applying bounce tracking mitigations by default.

A browser fingerprint is a lot more pernicious and hard to clear, since it relies on inherent characteristics of your machine.

Fingerprinting is invisible

Browser fingerprinting is often passive: the malicious website or script doesn’t need to do anything observable in order to fingerprint you. This is unlike cookies, where the user can see that a tracking script left some state. But if a website is using your User-Agent string to create a fingerprint for your browser, there’s not much you can do about it since you won’t even know that the website is doing it. Brave has a way for users to see if a website invoked a Web API that has fingerprinting protections applied.

Harder for regulators to enforce

Regulators have mostly enforced laws against storage-based tracking, since violations are much easier to detect. Cookie consent notices are a very visible example of this: you’re inundated with them as websites try to comply with laws that require explicit consent for storage on the user’s device. This leaves fingerprint-related profiling under-enforced since it happens by websites and trackers on the backend.

Google announced in 2024 that they will no longer prohibit their advertising customers from fingerprinting users, which was (thankfully) sharply rebuked by the UK ICO.

Protecting against fingerprinting

Trackers doing browser fingerprinting are essentially trying to divide users into buckets that are:

diverse. If every user is in the same bucket (“uses an iPhone”), you haven’t learned much about the user.
stable. If the user changes their fingerprint every time they visit your site, it’s not much of a fingerprint.

Browsers apply fingerprinting protections that are aimed at defeating this bucketing.

Consider the butterfly

Let’s imagine you’re a beautiful and unique butterfly, trying to avoid capture and identification by malicious lepidopterists (apologies in advance to worthy lepidopterists). You have two main strategies to avoid a future that involves being pinned up on a wall:

hide in a crowd
fly randomly

This is much like being a user on the Web, where you’re trying to avoid being fingerprinted by trackers.

Hiding in a crowd (avoid diverse buckets)

As a butterfly, you can evade capture by hiding your unique beauty in a crowd of other butterflies. The goal of “hiding in a crowd” (or herd immunity) is to make every browser look the same. This is the strategy used by Tor browser and Mullvad. The way this works is that you remove APIs and capabilities that reveal a lot of information about the browser. Unfortunately, this often means that powerful APIs end up getting removed from the Tor browser, which limits its widespread use (WebRTC, for example). This might be fine for a browser like Tor, which targets users with a higher-than-usual risk profile and whose users tend to be more concerned about privacy than usability. But more mainstream browsers cannot afford to do this. Having said that, major browsers frequently remove APIs that are low-utility and high-fingerprintability such as the Topics API being removed by Brave, Safari and Firefox.

It’s worth noting that browsers that always run on similar hardware and software, like Apple’s Safari, benefit from the lack of diversity.

Fly randomly (avoid stable buckets)

As a butterfly, instead of trying to be the same as everyone else, you can zig-zag across the sky, evading capture. You can try to be as different as possible, every time.

This is Brave browser’s approach for many Web APIs: randomize the fingerprint per-session and per-site. This effectively means that your fingerprint will be unique for a website but different across every website (which defeats cross-site tracking), and will reset after every browsing session (which defeats cross-session tracking), similar to how cookies and state is cleared after a Private browsing session.

Safari 17 introduced advanced fingerprinting protection (though only in Private Browsing mode) largely modeled on Brave’s fingerprinting approach of adding random noise to API output. Encouragingly, Safari 26 will enable advanced fingerprinting protection by default.

When this strategy of randomizing Web APIs works, you get both powerful Web APIs and privacy. In practice, this can be tricky to get right and can lead to web dev frustration and website breakage, when the injected randomness interferes with benign use-cases. Brave had to change their screen fingerprinting protection to report “one-of-few” outputs to bucket users instead of purely randomizing.

Bonus: block known trackers

As a butterfly, you can also start a list containing photographs of lepidopterists so that you can distinguish them from harmless human visitors, and you can share that with your butterfly friends, so you all know to stay away from the bad guys. This “crowdsourced blocklist of known bad actors” approach is surprisingly effective in Web privacy. You might (as a concerned butterfly) ask: What if a blocked lepidopterist just puts on a disguise? What if a new lepidopterist appears? And why are we still continuing with this butterfly analogy when it has clearly broken down several paragraphs ago and was probably broken to begin with? These are all valid questions.

A blocklist to block advertisers and trackers might not seem like a robust approach. But the truth is that most tracking on the Web is done by a few well-known companies, and if you block them, you protect yourself against most of the harms. Also, community lists are surprisingly well-maintained, with new rules being added (to counter new tracking scripts and requests) and removed (to counter website breakage) on the order of minutes.

Every browser uses blocklists in some way to block content: Firefox’s Enhanced Tracking Protection based on Disconnect and Brave’s ad & tracker blocking based on various community-maintained lists are good examples of this. Safari blocks known trackers in Private Browsing mode using a combination of EasyPrivacy and DuckDuckGo’s Tracker Radar. Chrome interestingly also uses this strategy to block “bad ads” as defined by Better Ads Standards using a modified form of EasyList.

How do I protect myself?

Turn fingerprinting protections on!

In practice, every browser applies some mix of the above strategies, depending on the Web API or source of variance they’re trying to minimize. However, not every browser applies fingerprinting protection by default:

Safari

Enable Settings → Advanced → “Use advanced tracking and fingerprinting protection.” → “in all browsing”.
The current default is “in Private Browsing”, though this will change in Safari 26.

Firefox

Turn on Resist Fingerprinting in about:config. See instructions.

Brave

Fingerprinting protections applied automatically and by default.

Chrome

Chrome doesn’t currently do much against fingerprinters. They’re exploring blocking known third-party fingerprinting scripts in Incognito Mode.

Block trackers

If you don’t use a browser with an in-built ad and tracker blocker like Brave, use a good adblocking extension like uBlock Origin. On Chromium-based browsers, unfortunately, the use of adblocking extensions is becoming increasingly harder given Google’s move to phase out Manifest V2 extensions.

Hide your IP address

When possible, try to hide your IP address. IP addresses are fairly stable network-level identifiers that browsers can’t hide easily. Use the following to get around IP address-based tracking:

Apple’s 2-hop iCloud Private Relay: requires an iCloud+ subscription.
A trustworthy VPN: most VPNs are privacy nightmares. Some good ones are bundled into the browser such as Mozilla VPN, Brave VPN or Mullvad.
The Tor network: either via Tor Browser or another browser’s implementation such as Brave’s Tor mode, though always prefer Tor Browser if your safety depends on it.

Lastly, test!

You can check your browser’s vulnerability to fingerprinters by using a good fingerprinting testing website like Cover Your Tracks.

I put together a simple demo website to give a visual example of how browsers apply anti-fingerprinting measures. The website writes and reads data using Canvas API, a widely-used and useful Web API that is also sadly commonly used by fingerprinters. Canvas fingerprinting draws hidden graphics using the Canvas API and re-reads the raw pixels. These pixels encode subtle details about your GPU, driver, fonts and sub-pixel rendering which can then be hashed by a tracker into a stable identifier which survives anything you can do (short of getting a new computer). To combat this, many browsers inject noise into the pixels when they are read back. The demo website shows that the noise injected by the browser (if it does) is ordinarily invisible to the human eye. The test deliberately amplifies the distortion to show how different browsers use different noise-injection strategies.

Brave in default mode. Random noise throughout the canvas.

Above is visualization of Brave in default mode (as tested here at time of publication), where there is random noise throughout the canvas.

Safari in Private Browsing. Notice the subtle random noise at the four corners of the image

And here is Safari in Private Browsing, as tested at time of publication. Notice the subtle random noise at the four corners of the image where noise is highlighted.

For a fun exercise, try out the demo website on Mozilla Firefox with Resist Fingerprinting turned on and see the surprising result you get!

What are we sustaining, the internet or the planet?

Fri, 01 Aug 2025 08:00:00 +0000

The world is burning. Accounts of devastating heatwaves, forest fires, and deadly flooding are symptoms of the fact that we have already exceeded a number of the planetary boundaries. Planetary boundaries are a scientific framework that identifies nine critical Earth system processes—including climate change, biodiversity loss, and nutrient cycles—and establishes safe operating limits for humanity to avoid triggering irreversible environmental changes that could destabilize the conditions necessary for human civilization.

The urgency to act is real. Political and industry leaders are heralding technological progress as a quick solution to these existential crises. But before we, in true Silicon Valley fashion, ‘move fast and break things, ’ we should question who stands to win and lose from these technofixes.

Will these solutions contribute to or delay critical action on proven climate solutions?

In my Tech Dive, I drew on my research into how political and industry leaders are framing the relationship between internet infrastructures and environmental harms and what is missing from these narratives. Which solutions are not included or even considered? I specifically talked about my analysis of the Internet Architecture Board (IAB) workshop on the Environmental Impact of Internet Applications and Systems held in 2022. The IAB is the technical advisory body that provides architectural oversight and guidance for Internet protocol development within the Internet Engineering Task Force.

Here are some of the key findings: discussions on sustainability are built on the premise that digitisation is crucial for economic and social progress, and the internet has the potential to make other sectors, such as transportation, building, manufacturing, agriculture, and energy, more sustainable. These assumptions place the internet and the technology industry at the centre of our understanding of the world and sustainability.

When it comes to minimising the environmental impact of the internet, it is primarily about reducing the carbon emissions associated with routing. The IETF community argues there is a need for standardised measurement approaches across the network to gain more accurate and granular information on the internet’s carbon footprint. These measurements need to be complemented by substituting fossil fuel dependencies with renewable energy sources. More aspirational propositions offered ideas such as ‘carbon-aware networking’, which aims to optimise internet traffic by routing it along ‘greener’ nodes, or ‘sleep mode’, shutting down devices to diminish the total volume of energy consumed by the network.

These efforts aim to reduce the energy required to run the internet, but do not fundamentally challenge the imaginaries of growth ingrained in the community’s understanding of the internet. As Corinne Cath describes, the internet is imagined “as an inherent good whose availability depends on uncurbed growth and a non-prescriptive ethos.” Said differently, internet governance practices should not hinder or put boundaries around the network’s growth through permissionless innovation. A belief that in itself prevents critical engagement with the question: how much internet do we actually need and at what cost?

There is not one quick fix to the climate crisis. Yes, we need to reduce the carbon emissions of the internet, and these engineering solutions will contribute to that. However, their impact will be limited as long as the solutions fail to engage with the economic model of the internet. In modern history, technological efficiency gains have not reduced but increased the overall consumption of natural resources, as all usable capital, time and energy are reinvested again and again. What is called the Jevon paradox. As such, banking on promises of efficiency without questioning the growth paradigm embedded within our economies can lead to more harm than good. Just as the internet’s distributed architecture mirrors Earth’s interconnected systems, addressing our environmental crisis requires recognising that technical solutions alone cannot keep us within planetary boundaries—we need to fundamentally question internet growth, not just efficiency gains.

Public Interest Technology Group

Um padrão que não pretende ser universal é possível?

Uma única resposta para realidades muito diferentes

A incidência de um documento

Priorizar a eficiência em detrimento da equidade

Un estándar que no se pretenda universal, ¿es posible?

Una sola respuesta para realidades muy distintas

La incidencia de un documento

Priorizar la eficiencia sobre la equidad

Is it possible to have a standard that does not claim to be universal?

A unique answer for very different realities

The impact of a document

Prioritizing efficiency over equity

Demystifying phone unlocking tools

A booming and unregulated market

How phone unlocking works

Defenses that could exist but don’t (yet)

Encrypt, then minimize

Technical defenses for individuals

After a compromise

A broader challenge

The Need for an OSINT Protocol for Journalists

What it should leave out

What it should include

Conclusion

Geopolitics at the Internet’s Core – A Policy Practitioners Perspective

The PITG Travel Fund in 2024

Tackling tech consolidation from the inside: insights from the PITG Dublin Unconference

The never-ending encryption wars

Locked out of rough consensus and running code

The consolidation crisis

Privacy theater vs. real protection

The road ahead

Beyond cookies: browser fingerprinting in 2025

What is a browser fingerprint?

Who does browser fingerprinting?

Advertisers

Anti-fraud and anti-bot vendors

Law enforcement and nation states

Why fingerprint (when you can cookie)?

Cookies can be isolated (e.g. Private Browsing)

Cookies can be cleared

Fingerprinting is invisible

Harder for regulators to enforce

Protecting against fingerprinting

Consider the butterfly

Hiding in a crowd (avoid diverse buckets)

Fly randomly (avoid stable buckets)

Bonus: block known trackers

How do I protect myself?

Turn fingerprinting protections on!

Safari

Firefox

Brave

Chrome

Block trackers

Hide your IP address

Lastly, test!

Further reading

What are we sustaining, the internet or the planet?

Further reading