Technology News

San Francisco Police Drone Footage Leak Highlights Expanding Urban Surveillance Capabilities

A significant leak of San Francisco Police Department drone video footage, now accessible on the open web, underscores a new and increasingly granular era of urban surveillance with far-reaching implications for privacy and civil liberties. This development arrives amidst heightened scrutiny of technology’s role in public life, as evidenced by the San Francisco City Attorney’s Office taking action against major tech platforms. In parallel, the city’s legal department issued cease-and-desist letters to Apple and Google, demanding the removal of 13 AI-powered "nudifying" or "face-swap" applications from their respective app stores. These applications are predominantly utilized for the creation and dissemination of non-consensual intimate imagery, overwhelmingly targeting women and girls.

The exposure of the SFPD drone footage marks a critical juncture in the ongoing debate surrounding the deployment of surveillance technologies by law enforcement agencies. The sheer volume and detail of the leaked video—spanning hours of operation—paint a stark picture of the sophisticated observational capabilities now at the disposal of police departments. This granular data collection, often justified by public safety imperatives, raises profound questions about data security, potential misuse, and the erosion of personal privacy in public spaces. The accessibility of such sensitive footage on the open web amplifies these concerns, suggesting a vulnerability in how critical surveillance data is managed and protected.

This incident follows a period of intense public and governmental interest in the expanding reach of surveillance technologies. For instance, Meta’s proposed NameTag face-recognition system, first reported in June, has been a subject of considerable controversy. Despite initial opaque and conflicting statements from company executives regarding the feature’s existence and functionality, subsequent analysis has confirmed the development of a very real system, capable of identifying individuals in public spaces. The ongoing uncertainty surrounding the implementation and oversight of such technologies by major corporations highlights a broader trend of technological advancement outpacing regulatory frameworks.

The implications of these developments are amplified by broader concerns about the integrity of information and democratic processes. In a speech delivered recently, President Donald Trump continued to propagate unsubstantiated claims regarding interference in the 2020 US election. Despite promises of substantial revelations through the release of White House documents, the files ultimately failed to substantiate his assertions, and in some instances, directly contradicted them. This episode underscores the challenges posed by the spread of disinformation and the critical need for verifiable evidence in public discourse.

As artificial intelligence (AI) tools continue to proliferate and their capabilities rapidly advance, calls for robust regulatory oversight are growing louder. The tech giant Anthropic has been actively advocating for increased AI regulation at the state level across the United States. Cesar Fernandez, Anthropic’s head of US state and local government relations, emphasized the need for policy responses to evolve in tandem with AI capabilities, stating, "The transparency-focused safety bills of 2025 were a really important start, but as the capabilities of AI systems continue to advance quickly—the policy responses need to match." This sentiment reflects a growing consensus within the tech industry and among policymakers that proactive governance is essential to mitigate potential risks associated with advanced AI.

This comprehensive overview of recent events in security and privacy encompasses several critical developments that warrant deeper examination.

Period Trackers Under Scrutiny for Privacy Practices

The Mozilla Foundation, in collaboration with Harvard’s Berkman Klein Center, recently conducted an audit of popular period-tracking applications, grading them on their privacy practices. The findings revealed a significant disparity in how these apps handle sensitive user health data. Among the six trackers evaluated, only one achieved a perfect score, highlighting widespread vulnerabilities in data protection.

The astrology-themed period tracker, Stardust, received a particularly low rating of 2 out of 10, indicating severe privacy concerns. According to a BBC report, which first detailed the Mozilla audit, Stardust transmits intimate reproductive health details—including birth control type, pregnancy status, moods, and specific symptoms like breast tenderness and stomach cramps—to a data firm not disclosed in its privacy policy. The audit discovered that the app initiates contact with third-party trackers from the moment it is opened, even before a user inputs any information. Upon logging a symptom, the data, along with a persistent user ID, was transmitted to the analytics firm RudderStack. Crucially, there was no in-app mechanism to prevent this data sharing. RudderStack is designed to route data to destinations beyond Mozilla’s observation capabilities. Furthermore, Stardust shares an advertising identifier with Facebook, linking in-app behavior to users’ existing platform profiles. Stardust reportedly informed TechCrunch that it has never received a legal request for user data.

In stark contrast, Euki, a period tracker developed by a non-profit organization, earned a perfect score of 10. Euki requires no account creation, ensures health data remains exclusively on the user’s device, and offers robust security features. Users can set a PIN, schedule automatic data deletion, or activate a decoy screen if their phone is accessed without permission. Its only minor drawback is an in-app browser for educational content, which loads standard web trackers, though identifiers are reset between browsing sessions. This contrast underscores the feasibility of developing user-friendly and privacy-preserving health applications.

Russia Sanctioned for Cyberattack on Polish Infrastructure

In a significant move, the European Union and the United Kingdom, in conjunction with an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA, have sanctioned Russia’s Federal Security Service (FSB) for a cyberattack targeting Poland’s electrical grid. This action marks a notable instance of the FSB, traditionally known for sophisticated cyberespionage rather than disruptive attacks, being directly implicated in such a significant infrastructure breach.

The attack, which Polish authorities stated "very close" to causing widespread power outages, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as Unit 74455 of Russia’s GRU military intelligence agency. Sandworm has a well-documented history of aggressive cyber warfare, particularly against Ukraine. However, the Polish computer emergency response team at the time contested this attribution, linking the attack to the FSB. The recent consensus among Western governments supports the FSB’s involvement, suggesting a potential shift in the Kremlin agency’s operational tactics. This incident implies that the FSB may be adopting some of the more aggressive and less discriminate targeting strategies previously associated with its GRU counterparts, posing an escalating threat to critical infrastructure across geopolitical adversaries. The incident also highlights the intricate and often opaque nature of attributing cyberattacks, particularly when state actors are involved.

Alleged Russian Hacker’s Ties to Cybersecurity Firm Raise Concerns

Further evidence of potential entanglements between Russian intelligence and the cybersecurity industry has emerged with reports that Denis Obrezko, a Russian national facing hacking charges in Boston and allegedly linked to the Void Blizzard (or Laundry Bear) hacker group, previously worked for the Russian cybersecurity firm Kaspersky. This development adds another layer of complexity to longstanding allegations, particularly from US officials, about Kaspersky’s ties to the Russian government, which have led to bans on its products within US government and broader commercial use.

According to Reuters, Obrezko was employed by Kaspersky for two years before joining Yutek-NN, another cybersecurity company. It was during his tenure at Yutek-NN that he allegedly participated in a hacking campaign that compromised data and communications from numerous NATO governments and at least 11 US companies. US prosecutors have detailed these alleged activities. Prior to his employment at Kaspersky, Obrezko reportedly worked for the FSB, suggesting a continuous alleged association with Russian intelligence services.

Kaspersky, in a statement to Reuters, asserted that the charges against Obrezko "cannot be related to the individual’s role or responsibilities during the employment at Kaspersky." Obrezko himself has pleaded not guilty to the hacking charges. This case raises critical questions about the vetting processes within cybersecurity firms and the potential for state intelligence agencies to leverage industry professionals for their operations, even indirectly.

Department of Homeland Security Breach Mishandled as False Positive

An incident within the Department of Homeland Security (DHS) has revealed a critical failure in network intrusion detection, where signs of a hacker breach were twice misidentified as false positives, only to be confirmed as a genuine intrusion later. This lapse in security assessment occurred on the Homeland Security Information Network (HSIN) platform, a system used for sharing unclassified but highly sensitive data among federal, state, and local agencies, as well as international partners.

The breach, reported by Nextgov/FCW, was initially detected in mid-May by analysts at the Federal Emergency Management Agency (FEMA). The indicators of compromise included file and code alterations, the hijacking of a legitimate web server, and the deletion of activity logs, all indicative of sophisticated hacker activity. Despite these clear signs, the findings were dismissed as a false alarm. In the subsequent weeks, the hackers returned, and their activity was again detected, only to be misjudged once more.

The reasons behind these repeated misjudgments remain unclear. However, the incident highlights the escalating challenges faced by federal analysts in identifying "living off the land" hacking techniques. These methods leverage legitimate network functionalities to access target assets, making them harder to distinguish from normal system operations than traditional malware-based intrusions. Senator Mark Warner, vice chair of the Senate Intelligence Committee, commented on the breach, noting that while HSIN contains unclassified data, its exposure poses a significant risk to national security due to the sensitive nature of the information it holds. This event underscores the imperative for enhanced threat detection capabilities and more rigorous analysis protocols within critical government networks.

AI Music Generator’s Data Scraping Practices Exposed

A recent hack of the AI music startup Suno has brought to light its extensive data scraping practices, revealing that the company allegedly trained its models on millions of songs, lyrics, and podcasts from major platforms like YouTube Music, Deezer, and Genius, as well as various stock-audio libraries. The breach, detailed by 404 Media, was reportedly facilitated by a hacker who gained access to the company’s internal data. Beyond the training data, the intrusion also compromised account information for hundreds of thousands of customers, including emails, phone numbers, and payment records processed through Stripe.

Internal data, apparently dating from 2023 and 2024, indicates that Suno processed approximately 113,879 hours of YouTube Music audio alone, alongside tens of thousands of hours from other sources such as Pond5 and Deezer. This vast dataset represents decades of musical content. Further investigation of leaked files revealed that Suno utilized Bright Data proxies for its YouTube scraping activities and employed PodcastIndex to target an estimated one million hours of podcast content. The hacker, identified as "ellie.191," claimed to have gained access by compromising an employee’s credentials using the Shai-Hulud worm.

These findings appear to corroborate a central allegation from the music industry that Suno directly scraped songs from YouTube. Suno has maintained that its training practices fall under fair use and previously reached a settlement with Warner Music Group in November. Following the breach, the company stated that the incident involved outdated code and did not compromise sensitive personal information. However, customers whose data was included in a sample shared with 404 Media reported not being notified of the breach. This incident raises significant legal and ethical questions regarding the intellectual property rights of artists and content creators in the age of AI-generated content and the transparency of data acquisition for AI training.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Blog News Tweets
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.