Welcoming Nate to Privacy Guides! Plus, the EU scales back the GDPR, Windows 11 Adds "Agentic AI," & More...

Our top stories this week:

  • The European Union scales back aspects of the GDPR after pressure from Big Tech.
  • Elcomsoft, a forensics firm, achieves full filesystem extraction of the 2020 Apple TV 4k model.
  • NovaCustom starts selling the SHIFTphone 8.1 with iodéOS, prompting community criticism.
  • Windows 11 implements experimental agentic AI mode despite security concerns.

Additional thanks to Kevin Pham for writing this newsletter.


Updates From The Team

We are pleased to announce that Privacy Guides has hired a new staff member to join our team. Chances are, you have probably already seen his content in the privacy space before.

Nate Bartram, from The New Oil and formerly Surveillance Report, is our new resident Video Content Producer!

Besides appearing in our video content across all platforms, Nate will also be a regular co-host on the This Week in Privacy podcast.

As for what else he will be working on: Nate is working diligently on a comprehensive smartphone security course. More updates to come!

If you want to support Nate's position here, and all of the work we do at Privacy Guides, the best way to do so is to become a Privacy Guides member.

None of this is possible without your support, and we have so many exciting plans going into next year that we can't wait to share with you all!

💜 Become a Member

Additional details about Nate's role were also published to the forum:

Welcoming Nate Bartram to Privacy Guides
As many of you have now heard, we’re beyond thrilled to welcome Nate Bartram to the Privacy Guides team! As we discussed on the latest episode of This Week in Privacy, we have so many plans for advancing privacy and making this community even more fantastic going into 2026, and affording Nate the opportunity to commit to privacy advocacy full-time with us is really a dream come true 🤩 Nate’s Role at Privacy Guides Today we shared a lot of details in Episode 28 of the livestream, b…

Published Articles

We are currently experimenting with publishing our own news briefs to complement the stories we share with you on the website. They will summarize primary sources, such as blogs or reports, that are too biased or convoluted for the average person to read.

Although each week is different, we anticipate sharing a combination of Privacy Guides briefs and external articles on This Week in Privacy. We will update the website and newsletter to better reflect this change.

In other words, we are becoming an actual newsroom!

Our longer-form explainers, opinion pieces, and tutorials are here to stay. We will feature only those in this section of the newsletter, as they provide more original analysis than the objective reporting you will encounter in our news briefs.

Speaking of that, Fria has authored a new explainer on the current state of email security that you should look into!

Email Security: Where We Are and What the Future Holds
Email is ubiquitous. If you want to function in modern society, you pretty much have to have an email address. But is it really a good idea to still be relying on the same decades-old technology? What can we do about replacing it?

Sources

EU Digital Omnibus supposedly simplifies digital privacy regulation

Bowing down to Big Tech pressure, the EU Commission has put forth its Digital Omnibus Regulation Proposal, which aims to simplify the GDPR in order to foster competitiveness.

The amendments are explicitly focused on making personal data more accessible to companies.

For these reasons, the amendments focus on unlocking opportunities in the use of data, as a fundamental resource in the EU economy, not least in view of supporting the development and use of trustworthy artificial intelligence solutions in the EU market. Targeted amendments to the data protection and privacy rules support this objective and provide immediate simplification measures for businesses and individuals, strengthening their ability to exercise their rights.

Critics accuse the Commission of bowing to Big Tech pressure. Amnesty International released a statement about its concerns with the EU's "ongoing deregulatory push," which includes this proposal, saying that it could dismantle the EU's current protections against digital threats.

EU Digital Omnibus Supposedly Simplifies Digital Privacy Regulation
The EU Commission has put forth their Digital Omnibus Regulation Proposal, which aims to simplify the GDPR in order to foster competitiveness.

Elcomsoft achieves full filesystem extraction for Apple TV 4K on tvOS 26

Elcomsoft, a forensics firm, announced that they were the first to achieve a full filesystem extraction for the Apple TV 4K running tvOS 26, marking the first forensic extraction of one of Apple's latest operating systems, according to them. They plan to release support in their iOS Forensic Toolkit later.

The first-generation Apple TV 4K runs the same A10X SoC found in the iPad Pro 2, bringing into question what security features Apple's streaming devices miss out on from newer chips.

They highlight the difficulties of extracting data when the device lacks a USB-C port; however, there is apparently a hidden Lightning connection in the Ethernet port. Apple sells the Apple TV in two configurations, one without an Ethernet port and one with, so the one without an Ethernet port may be a bit more resistant to forensic extraction.

When we think of security, we tend to focus on securing our phones and desktop computers. But as more IoT devices enter our lives, we need to start thinking about the security of those as well.

Elcomsoft Achieves Full Filesystem Extraction for Apple TV 4K on tvOS 26
Elcomsoft, purveyor of forensic extraction tools, announced that they were the first to achieve a full filesystem extraction for the Apple TV 4K running tvOS 26, marking the first forensic extraction of one of Apple’s latest operating systems, according to them.

NovaCustom announces SHIFTphone with iodéOS: security community concerned

Dutch-based computer manufacturer NovaCustom announced that they are selling a configurable version of the SHIFTphone 8.1, a modular smartphone similar to the Fairphone, with iodéOS pre-installed. However, many in the privacy and security community have raised concerns about the operating system's track record.

It appears that NovaCustom will be replacing the stock Android operating system on the SHIFTphone by pre-installing iodéOS 6, which is itself a fork of LineageOS 22. Unfortunately, this limits the phone to Android 15 QPR1 and security updates up to November 2024.

iodéOS is a privacy-focused Android custom ROM which replaces Google Play Services with microG, a free and open-source wrapper for Google Play which replaces Google's proprietary client code with open-source alternatives. Notably, it does not replace Google's server-side APIs by default.

NovaCustom announces SHIFTphone with iodéOS: Security community concerned
Dutch-based computer manufacturer NovaCustom announced that they are selling a configurable version of the SHIFTphone 8.1, a modular smartphone similar to the Fairphone, with iodéOS.

Windows announces "Experimental Agentic Features", admits potential for prompt injection and malware

Windows is getting a new feature called Copilot Actions that allows Copilot to perform actions on behalf of the user by interacting with local files and applications.

The agents will use a separate, contained environment called an “Agent Workspace,” effectively acting “like a separate desktop instance just for Copilot.” Some example use cases they give are sorting through your files, converting files, and extracting data from PDFs. They say they are starting out with a narrow set of use cases “while we optimize model performance and learn.”

Microsoft assures us that they’re taking security seriously with this feature and trying to isolate and give the agents minimal privileges, but there will always be potential for the agents to do something you don’t want them to, as they themselves admit:

Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.

Windows Announces “Experimental Agentic Features,” Admits Potential for Prompt Injection and Malware
Windows will be getting a new feature called Copilot Actions that will allow Copilot to perform actions on behalf of the user by interacting with local files and applications.

Forum Updates

Many in the Privacy Guides community are excited for the rebirth of the Pebble Watches. However, conflict between Rebble, the FOSS continuation of the Pebble app store, and Core Devices, which is Pebble founder Eric Migicovsky's new company, concerns all of us.

Let's hope they resolve their conflict in time for us to have a functioning smartwatch.

Gadgetbridge compatible Smartwatch with good sleep and health tracking?
Hello, I have been looking for quite a while for a smartwatch that is compatible with Gadgetbridge and also has good sleep and health tracking, from which the data gets correctly transferred to Gadgetbridge. Can someone recommend me something please?
Rebble: Core Devices Keeps Stealing Our Work
Continuing the discussion from Gadgetbridge compatible Smartwatch with good sleep and health tracking?: Core Devices response:
We’ve Hired Someone New! | This Week in Privacy #28 (Nov 21, 2025)
the person will be additive, taking care of socials + doing video content as mentioned in the job position post 🤗 2 + 3. do agree it would be cool, even tho not sure if it is specifically a PG kind of thing or if people here have the specific knowledge here (that couldn’t be found on some Linux enthusiast website already 👍🏻) I guess that a podcast is more chill than a video but some editing could be done to cut some “slower paced parts”, not a deal breaker but could definitel…