A practical issue
Some timely tips on how to protect your and your family's privacy
Hello, privacy-minded readers, and welcome to Control, Spy, Delete! I’m Anna Baydakova and I’m back from a short Christmas - New Year break with a fresh batch of digital surveillance and censorship news for you.
Over the holidays, I kept my eye on articles offering helpful advice and practical guidance on how to protect our privacy in various situations. I found a good bunch to share with you – consider this issue partially taken over by the Tips and Tricks section!
Read on for smart tips on safeguarding your devices while traveling, maximizing anonymity when you head out to protest, and choosing smart toys for your children that won’t expose your family to unnecessary surveillance.
What else? New details on how ICE is vacuuming up Americans’ data, another spyware company biting the dust, and fresh updates on biometrics taking over the world.
This year, I’ve pledged to create more original content for you, and I already have a few things in the works, so stay tuned! Better yet, help me spread the word by forwarding this newsletter to a friend who would enjoy it.
Now, let’s get into it!
Subscribe to stay aware.
Biometrics briefing
Biometrics provider Accu-Time Systems Inc. has agreed to pay a $1.5 million settlement to resolve a class-action lawsuit brought by employees of multiple Illinois companies, alleging that the company unlawfully collected and stored their fingerprints without notice or consent. – ID Tech Wire
Wegmans is now using facial recognition tech in its grocery stores to prevent theft. In response, Connecticut state senators sponsored legislation banning retailers from using biometric surveillance tools. – CT Insider
Pakistan has introduced a facial recognition-based biometric verification system for citizens for accessing banks, mobile carriers, property deals registration and other services. Fingerprints were already used for biometric authentication, but facial recognition is supposed to help people for whom fingerprinting doesn’t work. – Pakistan Today
Lurking in the files again
New year, same themes! Starting 2026 with another story on U.S. Immigration and Customs Enforcement’s quest to gather as much data as it can.
Since the first days of the Trump administration, the government agencies have been pooling together previously unconnected databases and turning a collection of “walled gardens” of data into a surveillance Disneyland. ICE has become one of the main focal points of this data accumulation.
In particular, last summer The Associated Press revealed an agreement between between the Centers for Medicare and Medicaid Services and the Department of Homeland Security allowing ICE to access information on Medicaid recipients. According to the Department of Health and Human Services, the goal was to identify people who were enrolled in Medicaid improperly (undocumented immigrants cannot enroll).
And this week, we learned some more details on that agreement: 404 Media has published a copy of the document. According to the text, ICE will be able to access various data on immigrants receiving Medicaid, including “address, telephone number, banking information (routing number, account type, account number), email address, internet protocol (IP) addresses, or other information relevant to identifying and locating aliens in the United States.”
The reporters obtained the document after Freedom of the Press Foundation and 404 Media sued DHS last year, as the agency failed to provide the agreement in response to 404 Media’s Freedom of Information Act (FOIA) requests. Turned out, the document had already been released in another lawsuit that various states brought against the Department of Health and Human Services and DHS.
ICE has been previously trying to find illegal immigrants among the database of U.S. taxpayers – in November, a federal judge blocked the program, prohibiting the Internal Revenue Service (IRS) from giving ICE the home addresses of taxpayers who might be undocumented.
Will ICE find what it’s looking for this time? If they do, we’ll probably find out on social media pretty soon. If they don’t but think they do we’ll hear about it, too. In the meantime, let’s get used to the idea that everything any U.S. government agency knows about you will eventually be known to the rest of the government as well. Not happening today, maybe not even tomorrow, but the trend is clear.
And the trend is global, too: projects to create overarching databases with all available information on citizens and residents are in the works around the world. For example, in Russia, a Universal Population Register containing data from various databases has just become operational, under the auspices of the Federal Tax Service.
ICE’s $28 billion war chest
In the meantime, have you lost track of all ICE’s spyware shopping? The Electronic Frontier Foundation has published a recap to remind us what a vast amount of resources has been poured into America’s immigration enforcement agency, putting it on par with some of the most well-funded armies in the world.
ICE has already spent $28.7 billion dollars for 2025 and is planning to spend at least another $56.25 billion over the next three years, EFF reminds. Not all of these resources go toward removing undocumented immigrants – ICE’s primary goal. U.S. green card holders and even citizens have felt the heavy hand of deportation agents, having been unlawfully detained during the latest wave of deportation raids.
The new reality is anyone in the U.S. – or applying for a U.S. visa – can potentially be affected by ICE’s sprawling surveillance arsenal. So what’s in it?
Phone-hacking tools by Cellebrite and Magnet Forensics, which allow agents to unlock phones and extract data, as well as spyware by Paragon to hack into devices ICE can’t physically access;
Location-tracking tool Webloc by Penlink: it maps the locations of phones by gathering data from mobile data brokers – read more about how it works in this article by 404 Media;
Social media surveillance tools: Tangles by Pen Link and ONYX by Fivecast (ICE is also planning to set up a 24/7 social media monitoring office with at least 30 full-time agents);
Automated license plate readers;
Face recognition tool called Mobile Fortify;
Cell-site simulators to track location of phones;
ImmigrationOS by Palantir to aggregate and analyse all this data.
Read the full article by EFF to see how you can protect yourself from unwarranted surveillance.
What are your kids playing with?
I bet some of you have done some Christmas gift shopping to pamper your children lately. In 2026, toys can play with your kids on their own, but while that may be fun and convenient, it isn’t always safe. The Mozilla Foundation published a security study of ten internet-connected toys for kids conducted by 7ASecurity.
Turns out, six out of ten toys have security vulnerabilities that can potentially expose kids’ personal data to unauthorized parties, including the owner’s name, children’s ages, the toy’s location, and access to its microphone and camera. Some toys can be accessed via Bluetooth. In some cases, a rogue actor can take over the toy’s speaker and broadcast arbitrary audio to the child.
The vulnerabilities can lie in the way toy makers transfer data on the internet, manage built-in memory, configure authorization process, etc. Some of these vulnerabilities can turn these toys into bugs for spying on families in the hands of a tech-savvy stalker, the report says.
The researchers looked into:
Amazon Fire Kids Tablet, an Amazon tablet designed for kids age 3-7,
Emo Robot, a mini-robot companion,
GoCube Edge, Bluetooth-connected Rubik’s Cube,
Huawei Watch Kids 4, a smartwatch for kids,
Miko Mini, a conversational companion robot,
PlayShifu Plugo Count, a learning game that connects to a tablet or phone,
Powerup 4.0 Airplane, a smartphone-connected paper airplane,
Sphero Mini Activity Kit, a smartphone-connected robotic ball and toy set,
TickTalk 5, a smartwatch for kids,
Toniebox 1, an audio player for kids.
All of these toys have different relationships with cybersecurity – read the analysis if you own one of those and make your own conclusions. Play safe!
Watch the watchers: Spyware maker pleads guilty
I started this little rubric last year to follow the updates from the spyware industry, and so far, it has mostly consisted of news about spyware providers’ screw-ups. This week was no exception: on Tuesday, Bryan Fleming, founder of the U.S.-based consumer spyware pcTattletale, pleaded guilty to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy.
According to TechCrunch, Fleming has been under investigation by Homeland Security Investigations (HSI), a unit within ICE, since 2021. Unlike many other spyware and stalkerware producers, pcTattletale was openly marketing its software as a tool to spy on partners and spouses. Once installed on a victim’s device, the program gave the stalker access to files, messages, and location data.
In 2024, the company suffered a data breach when a hacker defaced pcTattletale’s website and stole the data of more than 138,000 customers. After that, Fleming announced shutting down the company but that did not save him from the indictment.
Tips and tricks: travel safely; protest safely
For this week’s portion of helpful tips, let’s focus on two situations where we’re being surveilled the most: catching a flight and going to a protest event.
The New York Times published an explainer on how to protect your privacy when travelling internationally. Last year, U.S. Customs and Border Protection broke records for the number of electronic devices it searched, and having your phone inspected while crossing the U.S. border is a real possibility. Here are some steps to consider as you prepare:
create strong passcodes using a complex string of numbers, letters and special characters,
use the latest version of software, with known security vulnerabilities patched,
buy a second phone for travelling and carry no sensitive data on it,
turn off your device before going through customs or keep it in airplane mode.
back up your device and erase it before going through customs.
Airports are understandably tightly monitored locations, but protest rallies in the U.S. are also heavily surveilled nowadays. Wired suggests some measures to help maximize your anonymity at such events:
leave your phone at home, keep it off or on a Faraday bag,
face masks and sunglasses can protect you from being identified by facial recognition tech;
be careful about what you’re saying online, especially if you’re in the U.S. on a visa.
That’s a very short version, for more detailed instructions read this article by Wired.
***
And that’s all from me this week, folks!
Stay vigilant.
Anna