10 interesting stories served every morning and every evening.




1 784 shares, 38 trendiness

Europe is scaling back its landmark privacy and AI laws

After years of star­ing down the world’s biggest tech com­pa­nies and set­ting the bar for tough reg­u­la­tion world­wide, Europe has blinked. Under in­tense pres­sure from in­dus­try and the US gov­ern­ment, Brussels is strip­ping pro­tec­tions from its flag­ship General Data Protection Regulation (GDPR) — in­clud­ing sim­pli­fy­ing its in­fa­mous cookie per­mis­sion pop-ups — and re­lax­ing or de­lay­ing land­mark AI rules in an ef­fort to cut red tape and re­vive slug­gish eco­nomic growth.

The changes, proposed by the European Commission, the bloc’s executive branch, change core elements of the GDPR, making it easier for companies to share anonymized and pseudonymized personal datasets. They would allow AI companies to legally use personal data to train AI models, so long as that training complies with other GDPR requirements.

The proposal also waters down a key part of Europe’s sweeping artificial intelligence rules, the AI Act, which came into force in 2024 but had many elements that would only come into effect later. The change extends the grace period for rules governing high-risk AI systems that pose “serious risks” to health, safety, or fundamental rights, which were due to come into effect next summer. The rules will now only apply once it’s confirmed that “the needed standards and support tools are available” to AI companies.

One change that’s likely to please almost everyone is a reduction in Europe’s ubiquitous cookie banners and pop-ups. Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.

Other amend­ments in the new Digital Omnibus in­clude sim­pli­fied AI doc­u­men­ta­tion re­quire­ments for smaller com­pa­nies, a uni­fied in­ter­face for com­pa­nies to re­port cy­ber­se­cu­rity in­ci­dents, and cen­tral­iz­ing over­sight of AI into the bloc’s AI Office.

“We have all the ingredients in the EU to succeed. But our companies, especially our start-ups and small businesses, are often held back by layers of rigid rules,” said Henna Virkkunen, executive vice-president for tech sovereignty at the European Commission. “By cutting red tape, simplifying EU laws, opening access to data and introducing a common European Business Wallet we are giving space for innovation to happen and to be marketed in Europe. This is being done in the European way: by making sure that fundamental rights of users remain fully protected.”

The proposal now heads to the European Parliament and the EU’s 27 member states — where it will need a qualified majority — for approval, a process that could drag on for months and potentially introduce significant changes.

The pro­posed over­haul won’t land qui­etly in Brussels, and if the de­vel­op­ment of the GDPR and AI Act are any­thing to go by, a po­lit­i­cal and lob­by­ing firestorm is on its way. The GDPR is a cor­ner­stone of Europe’s tech strat­egy and as close to sa­cred as a pol­icy can be. Leaked drafts have al­ready pro­voked out­rage among civil rights groups and politi­cians, who have ac­cused the Commission of weak­en­ing fun­da­men­tal safe­guards and bow­ing to pres­sure from Big Tech.

The decision follows months of intense pressure from Big Tech and Donald Trump — as well as high-profile internal figures like ex-Italian prime minister and former head of the European Central Bank Mario Draghi — urging the bloc to weaken burdensome tech regulation. The Commission has sought to frame the changes as simplifying the EU’s tech laws, not weakening them — a way of soothing growing fears in Brussels that its tough rules are hampering its ability to compete globally. With very few exceptions, Europe doesn’t have any credible competitors in the global AI race, which is dominated by US and Chinese companies like DeepSeek, Google, and OpenAI.

...

Read the original on www.theverge.com »

2 528 shares, 30 trendiness

SAM 3

...

Read the original on ai.meta.com »

3 498 shares, 33 trendiness

The Patent Office Is About To Make Bad Patents Untouchable

The U.S. Patent and Trademark Office (USPTO) has proposed new rules that would effectively end the public’s ability to challenge improperly granted patents at their source—the Patent Office itself. If these rules take effect, they will hand patent trolls exactly what they’ve been chasing for years: a way to keep bad patents alive and out of reach. People targeted with troll lawsuits will be left with almost no realistic or affordable way to defend themselves.

We need EFF sup­port­ers to file pub­lic com­ments op­pos­ing these rules right away. The dead­line for pub­lic com­ments is December 2. The USPTO is mov­ing quickly, and stay­ing silent will only help those who profit from abu­sive patents.

Tell USPTO: The pub­lic has a right to chal­lenge bad patents

We’re asking supporters who care about a fair patent system to file comments using the federal government’s public comment system. Your comments don’t need to be long, or use legal or technical vocabulary. The important thing is that everyday users and creators of technology have the chance to speak up, and be counted.

Below is a short, sim­ple com­ment you can copy and paste. Your com­ment will carry more weight if you add a per­sonal sen­tence or two of your own. Please note that com­ments should be sub­mit­ted un­der your real name and will be­come part of the pub­lic record.

I oppose the USPTO’s proposed rule changes for inter partes review (IPR), Docket No. PTO-P-2025-0025. The IPR process must remain open and fair. Patent challenges should be decided on their merits, not shut out because of legal activity elsewhere. These rules would make it nearly impossible for the public to challenge bad patents, and that will harm innovation and everyday technology users.

Inter partes review (IPR) isn’t perfect. It hasn’t eliminated patent trolling, and it’s not available in every case. But it is one of the few practical ways for ordinary developers, small companies, nonprofits, and creators to challenge a bad patent without spending millions of dollars in federal court. That’s why patent trolls hate it—and why the USPTO’s new rules are so dangerous.

IPR is­n’t easy or cheap, but com­pared to years of lit­i­ga­tion, it’s a life­line. When the sys­tem works, it re­moves bo­gus patents from the table for every­one, not just the tar­get of a sin­gle law­suit.

IPR petitions are decided by the Patent Trial and Appeal Board (PTAB), a panel of specialized administrative judges inside the USPTO. Congress designed IPR to provide a fresh, expert look at whether a patent should have been granted in the first place—especially when strong prior art surfaces. Unlike full federal trials, PTAB review is faster, more technical, and actually accessible to small companies, developers, and public-interest groups.

Here are three real ex­am­ples of how IPR pro­tected the pub­lic:

Personal Audio claimed it had “invented” podcasting and demanded royalties from audio creators using its so-called podcasting patent. EFF crowdsourced prior art, filed an IPR, and ultimately knocked out the patent—benefiting the entire podcasting world.

Under the new rules, this kind of pub­lic-in­ter­est chal­lenge could eas­ily be blocked based on pro­ce­dural grounds like tim­ing, be­fore the PTAB even ex­am­ines the patent.

SportBrain sued more than 80 com­pa­nies over a patent that claimed to cover ba­sic gath­er­ing of user data and send­ing it over a net­work. A panel of PTAB judges can­celed every claim.

Under the new rules, this patent could have sur­vived long enough to force dozens more com­pa­nies to pay up.

For more than a decade, Shipping & Transit sued companies over extremely broad “delivery notifications” patents. After repeated losses at PTAB and in court (including fee awards), the company finally collapsed.

Under the new rules, a troll like this could keep its patents alive and con­tinue car­pet-bomb­ing small busi­nesses with law­suits.

IPR hasn’t ended patent trolling. But when a troll waves a bogus patent at hundreds or thousands of people, IPR is one of the only tools that can actually fix the underlying problem: the patent itself. It dismantles abusive patent monopolies that never should have existed, saving entire industries from predatory litigation. That’s exactly why patent trolls and their allies have fought so hard to shut it down. They’ve failed to dismantle IPR in court or in Congress—and now they’re counting on the USPTO’s own leadership to do it for them.

First, they want you to give up your de­fenses in court. Under this pro­posal, a de­fen­dant can’t file an IPR un­less they promise to never chal­lenge the paten­t’s va­lid­ity in court.

For some­one ac­tu­ally be­ing sued or threat­ened with patent in­fringe­ment, that’s sim­ply not a re­al­is­tic promise to make. The choice would be: use IPR and lose your de­fenses—or keep your de­fenses and lose IPR.

Second, the rules allow patents to become “unchallengeable” after one prior fight. That’s right. If a patent survives any earlier validity fight, anywhere, these rules would block everyone else from bringing an IPR, even years later and even if new prior art surfaces. One early decision—even one that’s poorly argued, or didn’t have all the evidence—would block the door on the entire public.

Third, the rules will block IPR en­tirely if a dis­trict court case is pro­jected to move faster than PTAB.

So if a troll sues you with one of the out­ra­geous patents we’ve seen over the years, like patents on watch­ing an ad, show­ing pic­ture menus, or clock­ing in to work, the USPTO won’t even look at it. It’ll be back to the bad old days, where you have ex­actly one way to beat the troll (who chose the court to sue in)—spend mil­lions on ex­perts and lawyers, then take your chances in front of a fed­eral jury.

The USPTO claims this is fine be­cause de­fen­dants can still chal­lenge patents in dis­trict court. That’s mis­lead­ing. A real dis­trict-court va­lid­ity fight costs mil­lions of dol­lars and takes years. For most peo­ple and small com­pa­nies, that’s no op­por­tu­nity at all.

IPR was cre­ated by Congress in 2013 af­ter ex­ten­sive de­bate. It was meant to give the pub­lic a fast, af­ford­able way to cor­rect the Patent Office’s own mis­takes. Only Congress—not agency rule­mak­ing—can rewrite that sys­tem.

The USPTO should­n’t be al­lowed to qui­etly un­der­mine IPR with pro­ce­dural traps that block le­git­i­mate chal­lenges.

Bad patents still slip through every year. The Patent Office is­sues hun­dreds of thou­sands of new patents an­nu­ally. IPR is one of the only tools the pub­lic has to push back.

These new rules rely on the ab­surd pre­sump­tion that it’s the de­fen­dants—the peo­ple and com­pa­nies threat­ened by ques­tion­able patents—who are abus­ing the sys­tem with mul­ti­ple IPR pe­ti­tions, and that they should be lim­ited to one bite at the ap­ple.

That’s ut­terly up­side-down. It’s patent trolls like Shipping & Transit and Personal Audio that have sued, or threat­ened, en­tire com­mu­ni­ties of de­vel­op­ers and small busi­nesses.

When peo­ple have ev­i­dence that an over­broad patent was im­prop­erly granted, that ev­i­dence should be heard. That’s what Congress in­tended. These rules twist that in­tent be­yond recog­ni­tion.

In 2023, more than a thou­sand EFF sup­port­ers spoke out and stopped an ear­lier ver­sion of this pro­posal—your com­ments made the dif­fer­ence then, and they can again.

Our prin­ci­ple is sim­ple: the pub­lic has a right to chal­lenge bad patents. These rules would take that right away. That’s why it’s vi­tal to speak up now.

...

Read the original on www.eff.org »

4 449 shares, 15 trendiness

Your Smartphone, Their Rules: How App Stores Enable Corporate-Government Censorship

Who con­trols what you can do on your mo­bile phone? What hap­pens when your de­vice can only run what the gov­ern­ment de­cides is OK? We are dan­ger­ously close to this kind of to­tal­i­tar­ian con­trol, thanks to a com­bi­na­tion of gov­ern­ment over­reach and tech­no­cratic in­fra­struc­ture choices.

Most Americans have a smart­phone, and the av­er­age American spends over 5 hours a day on their phone. While these de­vices are crit­i­cal to most peo­ple’s daily lives, what they can ac­tu­ally do is shaped by what apps are read­ily avail­able. A slim ma­jor­ity of American smart­phone users use an iPhone, which means they can only in­stall apps avail­able from Apple’s AppStore. Nearly all the rest of US smart­phone users use some vari­ant of Android, and by de­fault they get their apps from Google’s Play Store.

Collectively, these two app stores shape the uni­verse of what is avail­able to most peo­ple as they use the Internet and make their way through their daily lives. When those app stores block or limit apps based on gov­ern­ment re­quests, they are shap­ing what peo­ple can do, say, com­mu­ni­cate, and ex­pe­ri­ence.

Recently, Apple pulled an app called ICEBlock from the AppStore, mak­ing it un­avail­able in one fell swoop. This app was de­signed to let peo­ple anony­mously re­port pub­lic sight­ings of ICE agents. In the United States peo­ple ab­solutely have a First Amendment right to in­form oth­ers about what they have seen gov­ern­ment of­fi­cials do­ing and where — very much in­clud­ing im­mi­gra­tion agents whose tac­tics have been con­tro­ver­sial and vi­o­lent. Apple pulled the ICEBlock app at the de­mand of the US Department of Justice. The fol­low­ing day, Google pulled a sim­i­lar app called Red Dot from the Google Play Store.

The DOJ’s pressuring of Apple is an unacceptable, censorious overreach. And Google’s subsequent removal of Red Dot looks like troubling premature capitulation. While some experts and activists have expressed concerns over ICEBlock’s design and development practices, those concerns are no reason for the government to meddle in software distribution. The administration’s ostensible free speech warriors are trying to shape how Americans can communicate with each other about matters of pressing political concern.

Infrastructure choices

But the gov­ern­men­t’s over­reach is­n’t the whole story here. The cur­rent struc­ture of the mo­bile phone ecosys­tem en­ables this kind of abuse and con­trol.

Apple’s iOS (the op­er­at­ing sys­tem for any iPhone) is de­signed to only be able to run apps from the AppStore. If Apple has­n’t signed off on it, the app won’t run. This cen­tral­ized con­trol is ripe for abuse:

Unlike Apple, Google’s Android operating system has traditionally allowed relatively easy access to “sideloading”, which just means installing apps through means other than Google’s Play Store. Although most installations default to getting apps from the Play Store, the availability of sideloading means that even if Google censors apps in the Play Store, people can still install them. Even apps critical of Google can make it onto an Android device. It’s also possible to run a variant of Android without the Play Store at all, such as GrapheneOS.

Unfortunately that is all set to change with a recent Google announcement that it will block apps from “certified Android” devices (which is nearly all Android phones) unless they come from what Google calls a “verified developer.” This means that the common Android user trying to install an app will have to get Google’s blessing: does this app come from someone that Google has “verified”? How Google will decide who is allowed to be verified and who is not is still unclear. Can a developer become “unverified”?

This upcoming change is framed by Google as a security measure, but merely knowing the identity of the developer of an app doesn’t provide any security. So the only way that the “verified developer” requirement can offer security is if Google withholds “verified developer” status from people it deems bad actors. But Google’s ability to withhold that status can be abused in the same way that Apple’s AppStore lock-in is being abused. A government will simply make a demand: “treat this developer as a bad actor” and effectively cut off any app by targeting its developer.

When a lever of con­trol is avail­able, the would-be cen­sors will try to use it. It has never been true that some­one who buys a Lenovo or Dell lap­top, for ex­am­ple, has to let Lenovo or Dell tell them what pro­grams they can and can­not in­stall on their com­puter. Yet that will soon be the sit­u­a­tion with re­gards to nearly all cell phones used in the United States.

Note that American iPhones are limited to only apps from the AppStore, but European Union (EU) iPhones don’t have that restriction. The EU’s Digital Markets Act (DMA) required Apple to permit alternate app stores and sideloading (which Apple calls “web distribution”). As a result, marketplaces like AltStore are starting to become available — but Apple only lets EU customers use them. The European regime is not perfect, however; while sideloaded apps and alternative app stores aren’t subject to the app store’s constraints, they are still obliged to follow Apple’s “Notarization” requirements, which require Apple to review all iOS apps — even from these alternate sources — on the basis of several vaguely worded rationales. For example, if the DoJ were to claim that ICEBlock “promoted physical harm” (even though it clearly does not), Apple could use this as an excuse to justify revoking their notarization of the app, which would prevent it from being installed even from these alternate channels.

App store se­cu­rity and sur­veil­lance

Both Apple and Google make claims that their app dis­tri­b­u­tion mech­a­nisms im­prove se­cu­rity for their users. And clearly, these tech gi­ants do block some abu­sive apps by ex­er­cis­ing the con­trol they have.

But both of them also reg­u­larly al­low apps that con­tain com­mon ma­li­cious pat­terns, in­clud­ing many apps built with sur­veil­lance tool­ing that sell their users’ data to data bro­kers. If ei­ther tech gi­ant were se­ri­ous about user se­cu­rity, they could ban these prac­tices, but they do not. Google’s se­cu­rity claims are also un­der­mined by the fact that the cell­phone hack­ing com­pany Cellebrite tells law en­force­ment that Google’s Pixel phones can be hacked, while those run­ning GrapheneOS, cre­ated by a small non-profit, can­not. (Asked by a re­porter why that was so, Google did not re­spond.)

Making matters worse, organizations like Google are unclear about their policies, and some of their policy statements can put developers and users at risk. Discussing blocking Red Dot, for example, Google told 404Media that “apps that have user generated content must also conduct content moderation.” This implies that Google could become unwilling to distribute fully end-to-end encrypted apps, like Signal Private Messenger or Delta Chat, since those app vendors by design are incapable of reviewing user-generated content. End-to-end encrypted apps are the gold standard for secure communications, and no app store that signals a willingness to remove them can claim to put security first.

In ad­di­tion, even if you’ve care­fully cu­rated the apps you have in­stalled from these dom­i­nant app stores to avoid spy­ware and use strongly se­cure apps, the stores them­selves mon­i­tor the de­vices, keep­ing dossiers of what apps are in­stalled on each de­vice, and maybe more. Being a user of these app stores means be­ing un­der heavy, reg­u­lar sur­veil­lance.

Other op­tions ex­ist

These cen­tral­ized, sur­veilled, cen­sor­ship-en­abling app stores are not the only way to dis­trib­ute soft­ware. Consider al­ter­na­tive app stores for Android, like Accrescent, which pri­or­i­tizes pri­vacy and se­cu­rity re­quire­ments in its apps, and F-Droid, which en­ables in­stal­la­tion of free and open source apps. In ad­di­tion to of­fer­ing qual­ity tools and au­dit­ing, F-Droid’s poli­cies in­cen­tivize the apps dis­trib­uted on the plat­form to trim out over­whelm­ing amounts of cor­po­rate spy­ware that in­fest both Google and Apple’s app stores. Neither F-Droid nor Accrescent do any sur­veil­lance of their users at all.

The F-Droid de­vel­op­ers re­cently wrote about the im­pact that Google’s up­com­ing de­vel­oper reg­is­tra­tion re­quire­ments are likely to have on the broader ecosys­tem of pri­vacy-pre­serv­ing Android apps. The out­come does­n’t look good: the abil­ity to in­stall free and open source soft­ware on a com­mon de­vice might be go­ing away. Those few peo­ple left us­ing un­usual de­vices (“uncertified” Android de­ploy­ments like GrapheneOS, or even more ob­scure non-An­droid op­er­at­ing sys­tems like phosh) will still have the free­dom to in­stall tools that they want, but the over­whelm­ing ma­jor­ity of peo­ple will be stuck with what can quickly de­volve into a gov­ern­ment-con­trolled cop-in-your-pocket.

How we can push back

In an in­creas­ingly cen­tral­ized world, it will take very lit­tle for an abu­sive gov­ern­ment to cause an ef­fec­tive or­ga­niz­ing tool to dis­ap­pear, to block an app that be­longs to a crit­i­cal dis­sent­ing me­dia out­let, or to force in­va­sive mal­ware into a soft­ware up­date used by every­one. We need a shared in­fra­struc­ture that does­n’t per­mit this kind of cen­tral­ized con­trol. We can dis­rupt oli­gop­o­lis­tic con­trol over soft­ware through user choice (e.g., pre­fer­ring and in­stalling free soft­ware), build­ing good pro­to­col frame­works (e.g., de­mand­ing tools that use open stan­dards for in­ter­op­er­abil­ity), and through reg­u­la­tory in­ter­ven­tion (e.g., break­ing up mo­nop­o­lis­tic ac­tors, or man­dat­ing that an OS must al­low side­load­ing, as the EU did with the DMA).

The de­vice you carry with you that is privy to much of your life should be un­der your con­trol, not un­der the con­trol of an abu­sive gov­ern­ment or cor­po­ra­tions that do its bid­ding.

...

Read the original on www.aclu.org »

5 444 shares, 29 trendiness

Screw it, I’m installing Linux

This time I’m re­ally go­ing to do it. I am go­ing to put Linux on my gam­ing PC. Calling it now. 2026 is the year of Linux on the desk­top. Or at least on mine.

To be clear, my desk­top works fine on Windows 11. But the gen­eral ra­tio of cool new fea­tures to egre­gious bull­shit is low. I do not want to talk to my com­puter. I do not want to use OneDrive. I’m sure as hell not go­ing to use Recall. I am tired of Windows try­ing to get me to use Edge, Edge try­ing to get me to use Bing, and every­thing try­ing to get me to use Copilot. I paid for an Office 365 sub­scrip­tion so I could edit Excel files. Then Office 365 turned into Microsoft 365 Copilot, and I tried to use it to open a Word doc­u­ment and it did­n’t know how.

Meanwhile, Microsoft is ending support for Windows 10, including security updates, forcing people to buy new hardware or live with the risks. It’s disabling workarounds that let you set up Windows 11 with a local account or with older hardware. It’s turning Xboxes into PCs and PCs into upsells for its other businesses. Just this week, the company announced that it’s putting AI agents in the taskbar to turn Windows into a “canvas for AI.” I do not think Windows is going to be a better operating system in a year, so it feels like a good time to try Linux again.

That’s not to say I know what I’m do­ing. I’ve used Macs for a decade for work, and I dab­bled in Ubuntu 20-something years ago, but oth­er­wise I’ve been a Windows guy since 3.1. At first, that’s be­cause it’s what we had at home, later be­cause that’s where the games were, and fi­nally out of force of habit (and be­cause that’s where the games were). I brought a desk­top to col­lege in­stead of a lap­top (so I could play games), and I’ve been build­ing my own PCs for 18 years. I started my jour­nal­ism ca­reer at Maximum PC mag­a­zine, test­ing gam­ing PC com­po­nents.

I try to stay fa­mil­iar with all the ma­jor op­er­at­ing sys­tems be­cause of my job, so in ad­di­tion to my work MacBook I also have a Chromebook, a ThinkPad, and a col­lec­tion of older hard­ware I refuse to get rid of. I can work pretty well in Windows, in ma­cOS, or in ChromeOS.

All of those pro­jects, ex­cept the Chromebook one, took longer than ex­pected, and cut into my van­ish­ingly rare dis­cre­tionary time. That’s also the time I use for gam­ing, read­ing, star­ing into the void, and half-start­ing or­ga­ni­za­tional pro­jects, so you can see how pre­cious it is to me.

The prospect of in­stead us­ing that time try­ing to get my com­puter back to a base­line level of func­tion­al­ity — that is, as use­ful as it was be­fore I tried in­stalling Linux — is tempt­ing, but it’s also why I haven’t done it yet.

It’s a good time to try gam­ing on Linux. Antonio and Sean have been hav­ing fun with Bazzite, a Linux dis­tro that mim­ics SteamOS; my friend and for­mer col­league Will Smith is co­host­ing a PCWorld pod­cast called Dual Boot Diaries with this ex­act premise.

And what bet­ter de­vice to try it on than my per­sonal desk­top with an AMD Ryzen 7 9800X3D proces­sor and Nvidia GeForce RTX 4070 Super graph­ics card? I just re­built this thing. The Windows in­stall is only like six months old. It’s work­ing about as well as Windows does.

Based on lis­ten­ing to two and a half episodes of Dual Boot Diaries and a brief text con­ver­sa­tion with Will, I’m go­ing to in­stall CachyOS, an Arch-based dis­tro op­ti­mized for gam­ing on mod­ern hard­ware, with sup­port for cut­ting-edge CPUs and GPUs and an al­legedly easy setup.

I don’t ex­pect things to go smoothly. I don’t re­ally know what I’m do­ing, and Linux is still a very small per­cent­age of the PC gam­ing world. As of the most re­cent Steam Hardware & Software Survey — the best proxy we have for PC gam­ing hard­ware info as a whole — just over 3 per­cent of Steam users are run­ning Linux. Of those, 27 per­cent are us­ing SteamOS (and there­fore a Steam Deck), 10 per­cent are us­ing Arch, 6 per­cent are us­ing CachyOS, 4 per­cent are us­ing Bazzite, and the rest are split over a bunch of dis­tros.

So if any­thing goes wrong in my in­stall, it’ll be a lot of fo­rum-hop­ping and Discord search­ing to fig­ure it all out. But I’ve clev­erly arranged it so the stakes are only medium: I have other ma­chines to work on while my desk­top is in­evitably borked (and to run pro­grams like Adobe Creative Suite), and if I end up spend­ing hours of my dis­cre­tionary time learn­ing Linux in­stead of gam­ing, well, that’s not the worst out­come.

...

Read the original on www.theverge.com »

6 427 shares, 19 trendiness

Thunderbird Adds Native Microsoft Exchange Email Support

If your organization uses Microsoft Exchange-based email, you’ll be happy to hear that Thunderbird’s latest monthly Release, version 145, now officially supports native access via the Exchange Web Services (EWS) protocol. With EWS now built directly into Thunderbird, a third-party add-on is no longer required for email functionality. Calendar and address book support for Exchange accounts remains on the roadmap, but email integration is here and ready to use!

Until now, Thunderbird users in Exchange hosted en­vi­ron­ments of­ten re­lied on IMAP/POP pro­to­cols or third-party ex­ten­sions. With full na­tive Exchange sup­port for email, Thunderbird now works more seam­lessly in Exchange en­vi­ron­ments, in­clud­ing full folder list­ings, mes­sage syn­chro­niza­tion, folder man­age­ment both lo­cally and on the server, at­tach­ment han­dling, and more. This sim­pli­fies life for users who de­pend on Exchange for email but pre­fer Thunderbird as their client.

For many peo­ple switch­ing from Outlook to Thunderbird, the most com­mon setup in­volves Microsoft-hosted Exchange ac­counts such as Microsoft 365 or Office 365. Thunderbird now uses Microsoft’s stan­dard sign-in process (OAuth2) and au­to­mat­i­cally de­tects your ac­count set­tings, so you can start us­ing your email right away with­out any ex­tra setup.

If this ap­plies to you, setup is straight­for­ward:

Create a new ac­count in Thunderbird 145 or newer.

In the new Account Hub, se­lect Exchange (or Exchange Web Services in legacy setup).

Important note: If you see something different, or need more details or advice, please see our support page and wiki page. Also, some authentication configurations are not supported yet and you may need to wait for a further update that expands compatibility; please refer to the table below for more details.

As men­tioned ear­lier, EWS sup­port in ver­sion 145 cur­rently en­ables email func­tion­al­ity only. Calendar and ad­dress book in­te­gra­tion are in ac­tive de­vel­op­ment and will be added in fu­ture re­leases. The chart be­low pro­vides an at-a-glance view of what’s sup­ported to­day.

While many peo­ple and or­ga­ni­za­tions still rely on Exchange Web Services (EWS), Microsoft has be­gun grad­u­ally phas­ing it out in fa­vor of a newer, more mod­ern in­ter­face called Microsoft Graph. Microsoft has stated that EWS will con­tinue to be sup­ported for the fore­see­able fu­ture, but over time, Microsoft Graph will be­come the pri­mary way to con­nect to Microsoft 365 ser­vices.

Because EWS re­mains widely used to­day, we wanted to en­sure full sup­port for it first to en­sure com­pat­i­bil­ity for ex­ist­ing users. At the same time, we’re ac­tively work­ing to add sup­port for Microsoft Graph, so Thunderbird will be ready as Microsoft tran­si­tions to its new stan­dard.

While Exchange email is avail­able now, cal­en­dar and ad­dress book in­te­gra­tion is on the way, bring­ing Thunderbird closer to be­ing a com­plete so­lu­tion for Exchange users. For many peo­ple, hav­ing re­li­able email ac­cess is the most im­por­tant step, but if you de­pend on cal­en­dar and con­tact syn­chro­niza­tion, we’re work­ing hard to bring this to Thunderbird in the near fu­ture, mak­ing Thunderbird a strong al­ter­na­tive to Outlook.

Keep an eye on fu­ture re­leases for ad­di­tional sup­port and in­te­gra­tions, but in the mean­time, en­joy a smoother Exchange email ex­pe­ri­ence within your fa­vorite email client!

If you want to know more about Exchange sup­port in Thunderbird, please re­fer to the ded­i­cated page on sup­port.mozilla.org. Organization ad­mins can also find out more on the Mozilla wiki page. To fol­low on­go­ing and fu­ture work in this area, please re­fer to the rel­e­vant meta-bug on Bugzilla.

...

Read the original on blog.thunderbird.net »

7 415 shares, 17 trendiness

#opensource #privacy #techpolicy #hardware #iot #surveillance #qualcomm #arduino #makers #infosec #datarights #termsandconditions #cloudcomputing


...

Read the original on www.linkedin.com »

8 357 shares, 20 trendiness

Loose Wire on Containership Dali Leads to Blackouts and Contact with Baltimore’s Francis Scott Key Bridge

​​​Blackouts led to loss of steer­ing and propul­sion on 984-foot-long ves­sel

WASHINGTON (Nov. 18, 2025) — The NTSB said Tuesday that a sin­gle loose wire on the 984-foot-long con­tain­er­ship Dali caused an elec­tri­cal black­out that led to the gi­ant ves­sel veer­ing and con­tact­ing the nearby Francis Scott Key Bridge in Baltimore, which then col­lapsed, killing six high­way work­ers.

At Tuesday’s pub­lic meet­ing at NTSB head­quar­ters, in­ves­ti­ga­tors said the loose wire in the ship’s elec­tri­cal sys­tem caused a breaker to un­ex­pect­edly open — be­gin­ning a se­quence of events that led to two ves­sel black­outs and a loss of both propul­sion and steer­ing near the 2.37-mile-long Key Bridge on March 26, 2024. Investigators found that wire-la­bel band­ing pre­vented the wire from be­ing fully in­serted into a ter­mi­nal block spring-clamp gate, caus­ing an in­ad­e­quate con­nec­tion.

​Illustration show­ing how place­ment of wire-la­bel band­ing af­fects the way wires are seated in their ter­mi­nal blocks. (Source: NTSB)

After the ini­tial black­out, the Dali’s head­ing be­gan swing­ing to star­board to­ward Pier 17 of the Key Bridge. Investigators found that the pi­lots and the bridge team at­tempted to change the ves­sel’s tra­jec­tory, but the loss of propul­sion so close to the bridge ren­dered their ac­tions in­ef­fec­tive. A sub­stan­tial por­tion of the bridge sub­se­quently col­lapsed into the river, and por­tions of the pier, deck and truss spans col­lapsed onto the ves­sel’s bow and for­ward­most con­tainer bays.

A seven-per­son road main­te­nance crew and one in­spec­tor were on the bridge when the ves­sel struck. Six of the high­way work­ers died. The NTSB found that the quick ac­tions of the Dali pi­lots, shore­side dis­patch­ers and the Maryland Transportation Authority to stop bridge traf­fic pre­vented greater loss of life.

“Our investigators routinely accomplish the impossible, and this investigation is no different,” said NTSB Chairwoman Jennifer Homendy. “The Dali, at almost 1,000 feet, is as long as the Eiffel Tower is high, with miles of wiring and thousands of electrical connections. Finding this single wire was like hunting for a loose rivet on the Eiffel Tower.

“But like all of the accidents we investigate, this was preventable,” Homendy said. “Implementing NTSB recommendations in this investigation will prevent similar tragedies in the future.”

Contributing to the col­lapse of the Key Bridge and the loss of life was the lack of coun­ter­mea­sures to re­duce the bridge’s vul­ner­a­bil­ity to col­lapse due to im­pact by ocean-go­ing ves­sels, which have only grown larger since the Key Bridge’s open­ing in 1977. When the Japan-flagged con­tain­er­ship Blue Nagoya con­tacted the Key Bridge af­ter los­ing propul­sion in 1980, the 390-foot-long ves­sel caused only mi­nor dam­age. The Dali, how­ever, is 10 times the size of the Blue Nagoya.

​The com­par­a­tive sizes of the Blue Nagoya and the Dali rel­a­tive to the Key Bridge. (Source: NTSB)

As part of the in­ves­ti­ga­tion, the NTSB in March re­leased an ini­tial re­port on the vul­ner­a­bil­ity of bridges na­tion­wide to large ves­sel strikes. The re­port found that the Maryland Transportation Authority—and many other own­ers of bridges span­ning nav­i­ga­ble wa­ter­ways used by ocean-go­ing ves­sels—were likely un­aware of the po­ten­tial risk that a ves­sel col­li­sion could pose to their struc­tures. This was de­spite long­stand­ing guid­ance from the American Association of State Highway and Transportation Officials rec­om­mend­ing that bridge own­ers per­form these as­sess­ments.

The NTSB sent let­ters to 30 bridge own­ers iden­ti­fied in the re­port, urg­ing them to eval­u­ate their bridges and, if needed, de­velop plans to re­duce risks. All re­cip­i­ents have since re­sponded, and the sta­tus of each rec­om­men­da­tion is avail­able on the NTS­B’s web­site.

As a result of the investigation, the NTSB issued new safety recommendations to the US Coast Guard; US Federal Highway Administration; the American Association of State Highway and Transportation Officials; the Nippon Kaiji Kyokai (ClassNK); the American National Standards Institute; the American National Standards Institute Accredited Standards Committee on Safety in Construction and Demolitions Operations A10; HD Hyundai Heavy Industries; Synergy Marine Pte. Ltd; WAGO Corporation, the electrical component manufacturer; and multiple bridge owners across the nation.

A synopsis of actions taken Tuesday, including the probable cause, findings and recommendations, can be found on ntsb.gov. The complete investigation report will be released in the coming weeks.

...

Read the original on www.ntsb.gov »

9 321 shares, 15 trendiness

Larry Summers takes leave at Harvard, resigns OpenAI board seat after Epstein email furor

Former Treasury Secretary Larry Summers on Wednesday took leave from his post at Harvard University and said he will not teach classes there for the rest of this se­mes­ter amid a furor over the re­lease of emails be­tween him and the no­to­ri­ous sex of­fender Jef­frey Epstein.

Earlier Wednesday, Summers said that he will re­sign from the board of OpenAI.

Harvard on Wednesday had said it would in­ves­ti­gate Summers’ re­la­tion­ship with Epstein in light of the dis­clo­sure of their emails.

Summers is a for­mer pres­i­dent of Harvard. He is the di­rec­tor of the Mossavar-Rahmani Center for Business and Government at the Harvard Kennedy School.

His spokesman, Steven Goldberg, in a statement Wednesday night said, “Mr. Summers has decided it’s in the best interest of the Center for him to go on leave from his role as Director as Harvard undertakes its review.”

“His co-teachers will complete the remaining three class sessions of the courses he has been teaching with them this semester, and he is not scheduled to teach next semester,” Goldberg said.

A Harvard spokesman, in a statement to The Crimson, the student newspaper, said that Harvard is “conducting a review of information concerning individuals at Harvard included in the newly released Jeffrey Epstein documents to evaluate what actions may be warranted.”

Summers had an­nounced on Monday that he would be step­ping back from all pub­lic com­mit­ments, but that he would con­tinue teach­ing classes at Harvard. He was mum un­til Wednesday about re­main­ing on the board of di­rec­tors at the ar­ti­fi­cial in­tel­li­gence startup OpenAI.

“I am grateful for the opportunity to have served, excited about the potential of the company, and look forward to following their progress,” Summers said in a statement to CNBC confirming his resignation.

“We appreciate his many contributions and the perspective he brought to the Board,” the OpenAI board of directors said in a statement.

Details of Summers’ cor­re­spon­dence with Epstein were made pub­lic last week af­ter the House Oversight and Government Reform Committee re­leased more than 20,000 doc­u­ments it ob­tained pur­suant to a sub­poena from Epstein’s es­tate. Summers has faced in­tense scrutiny fol­low­ing the re­lease of those files.

Summers joined OpenAI’s board in 2023 dur­ing a tur­bu­lent pe­riod for the startup. OpenAI CEO Sam Altman was briefly ousted from the com­pany, though he re­turned to the chief ex­ec­u­tive role days later.

In the wake of “The Blip,” as some OpenAI employees call it, Summers was appointed to the board alongside Bret Taylor, former co-CEO of Salesforce, and Quora CEO Adam D’Angelo, who was the only member of OpenAI’s previous board who still held a seat.

Axios was first to re­port Summers’ res­ig­na­tion from the board.

...

Read the original on www.cnbc.com »

10 251 shares, 16 trendiness

Researchers discover security vulnerability in WhatsApp

IT security researchers from the University of Vienna and SBA Research identified and responsibly disclosed a large-scale privacy weakness in WhatsApp’s contact discovery mechanism that allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the issue. The study underscores the importance of continuous, independent security research on widely used communication platforms and highlights the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented in 2026 at the Network and Distributed System Security (NDSS) Symposium.

WhatsApp’s contact discovery mechanism can use a user’s address book to find other WhatsApp users by their phone number. Using the same underlying mechanism, the researchers demonstrated that it was possible to query more than 100 million phone numbers per hour through WhatsApp’s infrastructure, confirming more than 3.5 billion active accounts across 245 countries. “Normally, a system shouldn’t respond to such a high number of requests in such a short time — particularly when originating from a single source,” explains lead author Gabriel Gegenhuber from the University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide.”

The ac­ces­si­ble data items used in the study are the same that are pub­lic for any­one who knows a user’s phone num­ber and con­sist of: phone num­ber, pub­lic keys, time­stamps, and, if set to pub­lic, about text and pro­file pic­ture. From these data points, the re­searchers were able to ex­tract ad­di­tional in­for­ma­tion, which al­lowed them to in­fer a user’s op­er­at­ing sys­tem, ac­count age, as well as the num­ber of linked com­pan­ion de­vices. The study shows that even this lim­ited amount of data per user can re­veal im­por­tant in­for­ma­tion, both on macro­scopic and in­di­vid­ual lev­els.

* Millions of ac­tive WhatsApp ac­counts were iden­ti­fied in coun­tries where the plat­form was of­fi­cially banned, in­clud­ing China, Iran, and Myanmar.

* Population-level insights into platform usage, such as the global distribution of Android (81%) versus iOS (19%) devices, regional differences in privacy behavior (e.g., use of public profile pictures or “about” tagline), and variations in user growth across countries.

* A small num­ber of cases showed re-use of cryp­to­graphic keys across dif­fer­ent de­vices or phone num­bers, point­ing to po­ten­tial weak­nesses in non-of­fi­cial WhatsApp clients or fraud­u­lent use.

* Nearly half of all phone num­bers that ap­peared in the 2021 Facebook data leak of 500 mil­lion phone num­bers (caused by a scrap­ing in­ci­dent in 2018) were still ac­tive on WhatsApp. This high­lights the en­dur­ing risks for leaked num­bers (e.g., be­ing tar­geted in scam calls) as­so­ci­ated with such ex­po­sures.

The study did not involve access to message content, and no personal data was published or shared. All retrieved data was deleted by the researchers prior to publication. Message content on WhatsApp is “end-to-end encrypted” and was not affected at any time. “This end-to-end encryption protects the content of messages, but not necessarily the associated metadata,” explains last author Aljosha Judmayer from the University of Vienna. “Our work shows that privacy risks can also arise when such metadata is collected and analysed on a large scale.”

“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” says lead author Gabriel Gegenhuber from the University of Vienna. “They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves.”

“Building on our previous findings on delivery receipts and key management, we are contributing to a long-term understanding of how messaging systems evolve and where new risks arise,” adds co-author Maximilian Günther from the University of Vienna.

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” says Nitin Gupta, Vice President of Engineering at WhatsApp.

The re­search was con­ducted with strict eth­i­cal guide­lines and in ac­cor­dance with re­spon­si­ble dis­clo­sure prin­ci­ples. The find­ings were promptly re­ported to Meta, the op­er­a­tor of WhatsApp, which has since im­ple­mented coun­ter­mea­sures (e.g., rate-lim­it­ing, stricter pro­file in­for­ma­tion vis­i­bil­ity) to close the iden­ti­fied vul­ner­a­bil­ity. The au­thors ar­gue that trans­parency, aca­d­e­mic scrutiny, and in­de­pen­dent test­ing are es­sen­tial to main­tain­ing trust in global com­mu­ni­ca­tion ser­vices. They em­pha­size that proac­tive col­lab­o­ra­tion be­tween re­searchers and in­dus­try can sig­nif­i­cantly im­prove user pri­vacy and pre­vent abuse.

This pub­li­ca­tion rep­re­sents the third study by re­searchers from the University of Vienna and SBA Research ex­am­in­ing the se­cu­rity and pri­vacy of preva­lent in­stant mes­sen­gers such as WhatsApp and Signal. The team in­ves­ti­gates how de­sign and im­ple­men­ta­tion choices in end-to-end en­crypted mes­sag­ing ser­vices can un­in­ten­tion­ally ex­pose user in­for­ma­tion or weaken pri­vacy guar­an­tees.

Earlier this year, the researchers published “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers” (distinguished with the Best Paper Award at RAID 2025), which demonstrated how silent pings and their delivery receipts could be abused to infer user activity patterns and online behavior on WhatsApp and similar messaging platforms. Later that same year, “Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp’s Handshake Mechanism” (presented at USENIX WOOT 2025) analyzed the cryptographic foundations of WhatsApp’s prekey distribution mechanism, revealing implementation weaknesses of the Signal-based protocol.

“By building on our earlier findings about delivery receipts and key management, we’re contributing to a long-term understanding of how messaging systems evolve, and where new risks emerge,” said Maximilian Günther (University of Vienna).

The current study, “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy”, extends this line of research to the global scope, showing how contact discovery mechanisms can unintentionally allow large-scale user enumeration at an unprecedented magnitude. It will appear in the proceedings of the NDSS Symposium 2026, one of the leading international conferences on computer and network security.

Publication: Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich and Aljosha Judmayer: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy. In: Network and Distributed System Security Symposium (NDSS), 2026. Preprint available here.

...

Read the original on www.univie.ac.at »
