Flock Camera Leaks, Google Searches Accessible By Warrant, EU VPN Data Retention, and More!

TWIP Live 🔴

Updates from the Team

While things have been a bit quieter over the holiday break, we are staying busy behind the scenes. We are hoping to release one final video before we ring in the New Year, and our production calendar for 2026 is already filling up fast.

In the meantime, you can stay connected by subscribing to Privacy Shorts on YouTube (or PeerTube) and signing up for our email news alerts to get our latest articles delivered straight to your inbox. We have some incredible projects in the works for 2026.

And as always, the Privacy Guides team wishes you happy holidays and an amazing New Year!

Data Breaches

This week's data breaches mostly came from universities, but also Nissan and an update to an insurance company that impacted half their users. And to think, this was a slow week!

Sources

Flock exposes its AI-powered cameras to the internet

Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics.

Unlike their mainstream product line, Flock's Condor Pan-Tilt-Zoom cameras are designed to automatically track and zoom into the faces of individuals walking along its line of sight. They are usually placed in public spaces

This vulnerability was reported by content creator and Security Researcher Jon "GainSec" Gaines who uploaded his discoveries into a YouTube video.

404 Media reports:

The exposure highlights the fact that Flock is not just surveilling cars—it is surveilling people, and in some cases it is doing so in an insecure way, and highlight the types of places that its Condor cameras are being deployed. Condor cameras are part of Flock’s ever-expanding quest to “prevent crime,” and are sometimes integrated with its license plate cameras, its gunshot detection microphones, and its automated camera drones.

Pennsylvania Supreme court rules that police can access Google searches without a warrant

The Pennsylvania Supreme Court has ruled that police can access Google searches without a warrant due to the "reasonable expectation" that your data is being collected anyways.

This comes after a criminal case involving a rape went cold. Local law enforcement requested a list of people who searched up the victim's address in the past week, resulting in the arrest of the defendant. After being found guilty, he appealed to the state supreme court.

The official decision cited a statement from Google where they, "...expressly informed its users that one should not expect any privacy when using its services"

This decision only affects those residing in the U.S. State of Pennsylvania, but may have privacy implications elsewhere. If Google appeals to the U.S. Supreme Court, a similar ruling could have disastrous implications on the federal level.

The EU prepares ground for wider data retention – and VPN providers are among the targets

In its "ProtectEU" Initiative, the European Union is set to draw up plans for greater data retention for VPN providers. This may potentially end the existence of "No-Log" VPNs in Europe.

A Netzpolitik report first disclosed these discussions to the public. According to the document dated to November 27, the Danish Presidency of the EU Council wanted to explore a framework for a data retention mandate in 2026. It chiefly cited metadata, such as traffic and location history, as most critical for law enforcement.

While this is indeed worrying, Privacy Guides will keep you updated on the situation as it develops into the next year.

Judge blocks Texas app store age verification law

A federal judge has executed a preliminary injunction against the Texas App Store Accountability Act, preventing it from being enforced on January 1st, 2026.

Judge Robert Pitman argued that the law "is akin to a law that would require every bookstore to verify the age of every customer at the door and, for minors, require parental consent before the child or teen could enter and again when they try to purchase a book.”

The Verge reports that although the court case has not yet reached a final decision, Judge Pitman's decision to order a preliminary injunction means that he believes that Texas may not be successful in defending it.

South Korea to require face scans to buy a SIM

South Korea's Ministry of Culture and ICT has issued a new requirement for SIM purchases in the country. Now, local carriers are required to implement facial recognition technology to curb the risk of criminal activity and fraud.

This will be done via "PASS", an app offered by South Korea's three main telecommunications providers: SK Telecom, LG Uplus, and Korea Telecom. PASSES will store the user's biometric identity on-device for verification purposes.

Voice phishing is a common occurrence in South Korea, but will only get worst. It is believed that the government took these measures in response to a catastrophic data breach exposed more than half the country's population. SK Telecom suffered a breach that contained all 23 million customers, while e-commerce store Coupang leaked over 30 million records. Given South Korea's population of almost 52 million people, we are sad to see facial recognition become increasingly normalized because of this.

Forum Updates

Show Hosts

Kevin is a Master's student in cybersecurity at Tufts University and the 2025 intern with our community & news team, where he was instrumental in the creation of our weekly live show. Past experience: Freedom of the Press Foundation, Cornell Tech.

Nate is a member of Privacy Guides' video and news team. He has been advocating for privacy on his personal blog The New Oil since 2018, and is the former host of Surveillance Report, a popular cybersecurity podcast he published with Techlore.