Burrow OS
Drea
Drea
password
Log In
Open cat pics
Clean Up Desktop
Change Background ▸
About This Computer
VPN: connected
London
11°
Rain · Weekly forecast
AirPort: connected
Network: linksys
Signal: weak
About This Computer
Open Latest Note
Recent Items ▸
Log Out…
:)

hey

make yourself at home. poke around, read my notes, open everything, take out my trash? 👀
jk brb.

— drea

p.s. it's always 2003 in The Burrow, so some of these files shouldn't even EXIST. and yet...

Macintosh HD
Macintosh HD
They Arrested the Guy Who Saved the Internet
No Warrant, No Problem
Bueller? Bueller?
America's Backdoor
So Much for Switzerland
Encrypted, Not Invisible
Teamwork Makes the Dream Work
cats
cats
The Business of Browser Fingerprinting
dollz
dollz.jpg
peek
peek.app
[CLASSIFIED]
>_
Terminal
companies that don't sell your data
companies_that_dont_
sell_your_data.url
my setup pics
my setup pics
new avatar
new_avatar.png
~*to do*~

set up homelab

finally launch The Burrow

click the link aunt carol sent

push risk assessment to github

pick up dry cleaning

build a cyberdeck (?)

renew library book

install linux

the mansion
sherwood drive
milton keynes
mk3 6eb

Encryption vs. Metadata

Encrypted, Not Invisible

logged: 2026.03.05
the rabbit holeIf you have shit OPSEC it doesn't matter what company you use, your privacy will never be protected. Everyone's dragging Proton for handing users over to the authorities. *screams into the void* PROTON NEVER BROKE ENCRYPTION. It can't read your emails. What it handed over was metadata, the stuff around your messages, not the messages themselves. And metadata is more than enough to find you.

Here's the part nobody melting down seems to grasp: a company HAS to have metadata. Any payment, from any company, any business, any person, that isn't physical cash inherently creates metadata the second the transaction happens. It's not a company decision or policy. It's how the technology works.

So many people are out here chasing maximum privacy and maximum encryption without understanding who they're actually hiding from, why, or how any of it works.

Real-world examples

  • 2021: Proton handed over IP address and browser fingerprint of a climate activist to Swiss police when requested through Europol. User didn't use a VPN though.
  • 2024: Proton handed over a recovery email which was an iCloud email address (metadata and not required by Proton) of a person to Spanish police. Apple then provided full name, home addresses, and linked Gmail.

So what IS encrypted? Content

  • Email text and attachments
  • Files stored in encrypted drives
  • Calendars, notes, etc.
  • End to end meaning even the provider can't read it

What's NOT encrypted? Metadata

  • IP addresses used to log in
  • Account creation date
  • Recovery email addresses
  • Payment method used
  • Email timestamps and recipient addresses(!)
  • Device/browser fingerprint (isn't unique 1/1 but can narrow down a search)
TL;DRThere's a scene in Citizenfour I can't stop thinking about. Snowden's about to type a password, so he pulls a blanket over his head and the laptop to do it. Poitras is right across from him filming, someone he TRUSTS with his literal life, and he still covers up in case the keystrokes reflect off something. Paranoid? No. Prepared. He knew exactly what he was up against. Your privacy has to match your threat. The man "given up" by Proton was under terrorism investigation. The recovery email that burned him? An iCloud address. That he added himself. That was completely optional. Proton is not the problem.
filed under: opsec / proton slander / pebkac
The Computer Fraud and Abuse Act

They Arrested the Guy Who Saved the Internet

logged: 2026.05.09
the rabbit holeSo you volunteer to help the US government by stopping a GLOBAL cyberattack. You save the internet. And your reward is getting arrested by the FBI at the Las Vegas airport on a Wednesday. Nothing says thank you like ten felony charges and forty years.

Real-world example

On May 12, 2017, a ransomware worm called WannaCry was tearing through 150 countries and crippling the UK's National Health Service among many other victims. A 22-year-old British researcher named Marcus Hutchins was reverse engineering a sample from his bedroom when he noticed the malware was making a query to an unregistered domain before executing. He registered the domain for $10.69 which triggered a kill switch that had been built into the code and stopped the attack from spreading further. Within hours, WannaCry was contained and affected computers began recovering. He worked with the UK's National Cyber Security Centre and his US-based employer Kryptos Logic over the following days to keep the kill switch domain online and prevent a second wave. He was widely regarded as the hacker who saved the internet.

Three months later, the FBI arrested him at the Las Vegas airport as he was leaving DEFCON to fly home to the UK. The charges had nothing to do with WannaCry. The US Department of Justice indicted him on ten counts under the Computer Fraud and Abuse Act and the Wiretap Act related to creating, advertising, and selling Kronos, a banking trojan he had worked on years earlier as a teenager, and a related piece of malware called UPAS Kit. Kronos was sold by an unidentified co-conspirator known online as "Vinny" on dark web forums and was used by criminals to steal banking credentials from victims primarily in the UK and India and later spread globally. Hutchins spent over a year on bail in Los Angeles before pleading guilty to two counts and receiving time served. The other eight counts were dropped.

What the CFAA is

The Computer Fraud and Abuse Act is a US federal law passed in 1986. It is the central statute the US uses to prosecute computer crime, criminalizing unauthorized access to a computer, transmitting code with intent to damage a protected computer, password trafficking, and computer-related fraud. The CFAA defines a "protected computer" as any computer used in or affecting interstate or foreign commerce, which courts have interpreted to cover essentially any computer connected to the internet.

The CFAA does not criminalize writing malware. Creating malicious code is protected speech in the US. Selling and distributing malware to people you know will use it for crimes is criminal under 18 U.S.C. § 2512 which prohibits the manufacture, distribution, and advertising of devices "primarily useful" for intercepting electronic communications. The Wiretap Act (18 U.S.C. § 2511) makes it illegal to intentionally intercept electronic communications without permission.

Federal prosecutors typically combine the CFAA with §2512, the Wiretap Act, conspiracy, and wire fraud to build cases around one event, a practice known as charge stacking.

Critique of the CFAA

The DOJ misrepresents writing as a crime

The DOJ's press release announcing Hutchins's plea was titled "Marcus Hutchins Pleads Guilty to Creating and Distributing the Kronos Banking Trojan." Creating malware is not a crime although selling it to people you know are criminals is. The framing misrepresents the law.

Vague intent and authorization standards

Core CFAA terms like "intent to cause damage," "exceeding authorized access," and "protected computer" have never been clearly defined by Congress or consistently interpreted by courts. Prosecutors decide what counts as criminal after the fact when beneficial for their case. Researchers cannot always predict whether their work will be charged.

Charge stacking creates plea pressure

Federal prosecutors slice one crime into multiple counts under multiple statutes. Hutchins faced ten counts under the CFAA, the Wiretap Act, §2512, conspiracy, and wire fraud for what was essentially one criminal partnership with Vinny. Maximum exposure: 40 years. In these scenarios even defendants with viable defenses plead. Stacking is legal under the Blockburger test which says that the same conduct can be charged under multiple statutes as long as each requires proof of at least one element the others don't, yet it produces the punishment that double jeopardy was meant to prevent. This is why it's widely criticized for creating unjust outcomes in federal criminal law as a whole.

The law stays vague on purpose

Pleas avoid trial. Without trials judges are never made to clarify or define what these terms actually mean. Each new researcher facing similar charges has no clearer answer than the last. The vagueness is not a flaw the system is working to fix...it is the leverage the system runs on.

Critique of UK government complicity

GCHQ used him for WannaCry, then let him walk into the arrest

Hutchins worked directly with the UK's National Cyber Security Centre which is part of GCHQ during the WannaCry response. He helped them keep the kill switch online and prevent a second wave. Three months later, GCHQ knew the FBI was investigating him for Kronos and planned to arrest him when he flew to DEFCON. Hutchins was not warned whatsoever. He boarded the flight and was arrested at the Las Vegas airport. The same agency that needed him during the attack stood by while another government grabbed him.

The UK had clear jurisdiction and didn't use it

Hutchins lived in the UK and wrote the code in the UK. The Computer Misuse Act 1990 (the UK's main computer crime law) has covered "making, supplying, or obtaining articles for use in computer misuse offences" since 2006. UK prosecutors had clear authority to charge him but chose not to. Why?

The US could punish him harder

US jurisdiction was based on a small amount of Kronos activity that touched US soil, which was enough under the CFAA's broad "protected computer" definition (any computer connected to the internet). Hutchins faced up to 40 years across his ten US counts under the CFAA. The same conduct under the UK's Computer Misuse Act carries a maximum of two to ten years per offense depending on the section but realistically sentences are much shorter. If anyone in either government wanted Hutchins to actually serve significant time then the US was the venue.

The UK did the US a quiet favor

An anonymous UK government source told The Sunday Times the arrest "freed the British government and intelligence agencies from yet another headache of an extradition battle." The same source added: "Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition." The UK had repeatedly refused to extradite UK hackers like Gary McKinnon (blocked 2012) and Lauri Love (blocked 2018). Letting the US grab Hutchins on US soil evened the score without the UK government having to formally approve anything.

The UK avoided the political cost of prosecuting a national hero

UK prosecution of Hutchins immediately after WannaCry would have politically been toxic. The press would have run the story of a young man who saved the NHS being charged by that same government for code he wrote as a teenager under blackmail. Public sympathy likely would have been on his side. Also likely, a UK trial produces a light sentence or acquittal. Letting the US prosecute meant the UK government could express "concern" while doing nothing and get the conviction without the political cost. Where someone is prosecuted is not always a legal question but a political one.

Critique of who was charged vs. who wasn't

Out of every actor connected to either Kronos or WannaCry, only one was prosecuted: Hutchins. Everyone with more responsibility either couldn't be reached, was institutionally protected, or worked for the agency that built the exploit in the first place.

Kronos

Hutchins

Wrote the UPAS rootkit foundation around age 17. Refused to write the bank targeting web inject. Helped integrate code from a second programmer when blackmailed. Made approximately $8,000 from five sales of Kronos as of November 2014, according to FBI intercepted chats. Indicted on ten counts:

  • 1. Conspiracy to violate the CFAA and Wiretap Act
  • 2. Conspiracy to commit wire fraud
  • 3. Distributing a §2512 device (Kronos)
  • 4. Selling a §2512 device (Kronos)
  • 5. Promoting a §2512 device (Kronos)
  • 6. Advertising a §2512 device (Kronos)
  • 7. §2512 violations relating to UPAS Kit
  • 8. Unauthorized interception under the Wiretap Act
  • 9. Transmitting damaging code under the CFAA
  • 10. Lying to the FBI

Pleaded guilty to two (counts 1 and 6). Eight were dropped. Time served.

Vinny

Ran the operation. Marketed Kronos on AlphaBay and Russian forums. Hired and paid the second programmer to write the bank targeting web inject. Blackmailed Hutchins into continuing development by threatening to give his real name and address to the FBI. Took the bulk of the profits. The same indictment that charged Hutchins names Vinny as the unnamed co-conspirator on every count except count 10. Based on the descriptions in court documents, Vinny would face significantly more charges than Hutchins did.

Charges in the indictment (shared with Hutchins):

  • 1. Conspiracy to violate the CFAA and Wiretap Act
  • 2. Conspiracy to commit wire fraud
  • 3. Distributing a §2512 device (Kronos)
  • 4. Selling a §2512 device (Kronos)
  • 5. Promoting a §2512 device (Kronos)
  • 6. Advertising a §2512 device (Kronos)
  • 7. §2512 violations relating to UPAS Kit
  • 8. Unauthorized interception under the Wiretap Act
  • 9. Transmitting damaging code under the CFAA

Additional charges Vinny alone would face based on his conduct:

  • 10. Money laundering on Bitcoin proceeds (§1956)
  • 11. Wire fraud, multiple counts, each sale a separate count (§1343)
  • 12. Aggravated identity theft for use of stolen banking credentials (§1028A), mandatory 2 year consecutive sentence per count
  • 13. Extortion via interstate communications for blackmailing Hutchins (§875(d))
  • 14. Separate conspiracy with the second programmer (§371)
  • 15. Separate conspiracies with each Kronos buyer who committed fraud (§371)
  • 16. Receiving stolen funds from buyers (§2315)
  • 17. Possibly RICO for running an ongoing criminal enterprise (§1962)

Federal prosecutors stacked ten counts against Hutchins under the same logic that produces the punishment double jeopardy was meant to prevent. Applying that same logic to Vinny, the operator they say ran the entire enterprise, produces seventeen+ counts and a conservative maximum exposure of around 160 years before any per sale wire fraud or per victim identity theft is fully broken out. Whether the government ever identified him is unknown. What is known is that he was never publicly named and he was never charged.

The unidentified second programmer

Wrote the web inject which was the code that actually made Kronos a banking trojan. Without their work UPAS Kit was just a rootkit not a full bank targeting tool. Based on descriptions in court documents they would face the same §2512 and conspiracy charges Hutchins did in the same range or higher. The stacking math above gives us a sense of what the exposure looks like. Also never publicly identified. Also never charged.

The buyers

People who paid up to $7,000 to use Kronos against actual bank customers. Some buyers were in the US, the UK, India, France, Germany, and Poland. Some were identified by researchers tracking the malware. Most were never charged.

WannaCry

Hutchins

Stopped the attack. Worked with the UK's National Cyber Security Centre on the response FOR FREE with no formal protection or recognition from the UK government. Three months later, he was the only individual federally prosecuted in connection with the WannaCry response on unrelated charges and the same UK government let him fly into FBI hands without warning.

NHS leadership

Ignored a year of NHS Digital patch warnings. The National Audit Office confirmed the attack was preventable. Sir Chris Wormald, the Permanent Secretary at the Department of Health and Social Care, told the Public Accounts Committee in 2018 that "Cyber attacks and cyber crime are a fact of life. You are never completely safe from them, and indeed, if you believed you were completely safe from cyber crime, it would be an extremely bad sign." Nobody at NHS Digital, NHS England, or the Department of Health was fired, charged, fined, or formally disciplined. Instead(!) Sir Chris Wormald was promoted. Despite UK taxpayers paying an additional £196 million for cybersecurity through 2020 after WannaCry, a 2018 parliamentary audit found that all 200 NHS organizations checked still failed cybersecurity checks. The NHS continues to fail its legal obligation to protect patient data and has been breached every year since:

  • 2022: LockBit took down NHS 111 emergency triage and stole 80,000 people's data
  • 2023: Ransomware on Barts Health stole 7 terabytes of patient data
  • 2024: NHS Scotland breached by Inc Ransom
  • 2024: Alder Hey Children's Hospital and Wirral University Teaching Hospital both hit
  • 2024: A ransomware attack on NHS contractor Synnovis disrupted more than 10,000 appointments at King's College Hospital and contributed to a patient's death
  • 2025: Clop breached Barts Health a second time
  • 2025: DevMan ransomware stole 300 GB from DXS International, the NHS GP software supplier serving 2000 GP practices
  • 2026: NHS trusts hit by the 2024 Synnovis attack still operating without fully restored systems, with 161,560 pathology reports delayed at South London and Maudsley alone

The NSA

Built EternalBlue, the exploit WannaCry depended on. Lost control of it when the Shadow Brokers leaked it in April 2017. No agency accountability and no public investigation.

Lazarus Group

Conducted the actual attack. Out of US legal reach as a North Korean state actor.

Acts of God

When someone as high up as the Permanent Secretary at the UK Department of Health calls cyberattacks "a fact of life," they are making excuses in advance for future preventable vulnerabilities. Yes, breaches happen everywhere but this specific breach happened to the NHS because the NHS specifically ignored its specific patch warnings. "Breaches happen" is not a defense for "this breach has happened to us, again and again, for nearly a decade."

TL;DRThe CFAA is so vague that prosecutors decide what's a crime after the fact, and they stack one act into ten counts until you plead. Hutchins faced 40 years and took a deal. The kingpin who blackmailed him faced an estimated 160 and was never named. The law decides what's possible, but politics determines who pays. Convictions are often a matter of convenience. Hutchins was reachable, helpful, and standing in an airport. So he's the one with a record.
filed under: cfaa / no good deed / charge stacking
Executive Order 12333

No Warrant, No Problem

logged: 2026.04.19
the rabbit holeIn 2013, leaked documents showed the NSA was tapping into Google's data cables to steal millions of records per day. We know this because someone at the NSA drew a diagram of how they did it and put a smiley face on the exact point where they tapped into the cable.

Real-world example

In 2013, documents leaked by Edward Snowden revealed the MUSCULAR program. The NSA and its UK counterpart GCHQ tapped into the private underwater(!) fiber-optic links that connected Google's and Yahoo's data centers around the world. Before your email left Google's network to travel the public internet, it was encrypted. After it left, it was encrypted. But between Google's own data centers, on Google's own private cables, it was not encrypted because Google assumed that network was theirs. The NSA tapped those cables and collected hundreds of millions of records a day. Because the collection was happening outside of the US targeting non-US infrastructure, it required zero warrants, no FISA court approval, and no Section 702 certification. It was done legally under the authority of Executive Order 12333. An actual NSA slide describing the location of the tap had a smiley face drawn on it.

What Executive Order 12333 is

This is an executive order (issued directly by the President without Congress voting on it) by President Reagan on December 4, 1981. It is the foundational authority governing how US intelligence conducts surveillance outside the US against non-US persons. It covers the CIA, NSA, DIA, and the intelligence arms of other agencies when they operate abroad. It came decades before FISA Section 702 (2008) and the Patriot Act (2001) but is still in effect today.

Why "executive order" matters

Section 702, as flawed as it is, does at least have some oversight. Congressional committees, sunset clauses, FISA court review, public debate, etc. EO 12333 has almost none of that. It cannot be modified by Congress because it is an executive order. It has no sunset clause so it never expires and never provides a reauthorization conversation. It is not subject to FISA court review because the FISA court only covers FISA. The intelligence community interprets EO 12333 internally, with the rules for what to do when Americans' data gets swept up set by the agencies themselves. Most of what is done under it is classified. The public has almost no visibility into the largest category of US surveillance.

Legislation from a different time

1981 was before the commercial internet, even before cellphones, before cloud computing, before undersea fiber-optic cables carried the majority of global communications, before Google existed, before email was common, before anyone imagined that a person in Illinois would have their private emails routed through servers in Ireland and back through London. EO 12333 was written for a world of embassies, foreign agents, and cold war intelligence yet is being applied to a world where the physical infrastructure of citizen communications happens to pass through foreign jurisdictions by default. The law has not caught up with the world that exists today. The permissions have not been adjusted...the surveillance has just expanded to fill the technology as it was built.

The exposure

Most corporate data flows through foreign infrastructure at some point. Overseas offices, international customers, cloud providers with servers abroad, and routine traffic that crosses borders invisibly. All of it is potentially exposed to EO 12333 collection, and that exposure cannot be contracted around by any "privacy-focused" company or service. This is part of why Schrems II was decided the way it was: US surveillance law, including the parts the US government would prefer not to discuss, gives intelligence agencies access that violates GDPR standards.

TL;DRSome surveillance laws at least come with oversight, courts, expiration dates, public fights over renewal. EO 12333 has none of that. It's an executive order from 1981, it can't be touched by Congress, it never expires, and the agencies write their own rules for what happens when your data gets swept up. It's the biggest bucket of US surveillance and the one nobody's allowed to see. Signing up for a privacy-focused company is always a solid effort. But when the government is tapping a company's actual UNDERWATER FIBER OPTIC CABLES(!!!), no service, device, or law can protect you from that.
filed under: eo 12333 / mass surveillance / smiley face
The Wyden Letter

Bueller? Bueller?

logged: 2026.04.19
the rabbit holeThe US government recommends you use a VPN to protect your privacy. A VPN changes your location, which can make your data look foreign. And the government is allowed to surveil foreigners without a warrant. Six lawmakers asked the Director of National Intelligence to confirm or deny whether this is happening. Months later: nothing.

Real-world example

On March 26, 2026, six Democratic lawmakers: Senators Ron Wyden, Alex Padilla, Ed Markey, and Elizabeth Warren, plus Rep. Sara Jacobs and Rep. Pramila Jayapal sent a formal letter to Director of National Intelligence Tulsi Gabbard. The letter asks her to publicly clarify whether Americans who use commercial VPN services are being treated as foreigners for surveillance purposes and so losing their protections under the Fourth Amendment. As of now, Gabbard has not responded. The timing was intentional as the letter was sent while Congress is actively debating Section 702 reauthorization which forces the VPN question into the fight.

The core question

VPNs route internet traffic through servers in other locations to hide a user's real location. That is the point. But under Section 702 the government can obtain foreign communications without a warrant. If an American's traffic exits through a VPN server in Amsterdam, does the intelligence community treat that traffic as Dutch/foreign/okay to collect without a warrant? The lawmakers are asking Gabbard to say publicly whether this is happening or not. If yes, it means a privacy tool is actually stripping Americans of their Fourth Amendment rights. If no, Gabbard should say so on the record.

How Congress forces an answer

This is also a clean example of how Congress actually pulls answers out of the executive branch. You don't ask quietly. You put the question in writing, you make it public, and you time it to a vote that matters, here, Section 702 reauthorization. That way the silence costs something.

TL;DRThe privacy tool you bought could be the exact thing the government uses to invade your Fourth Amendment rights. The lawmakers didn't even ask the government to stop, they simply asked them to say out loud if it's happening or not. No is an easy answer, if it's the truth.
filed under: vpns / section 702 / left on read
new_avatar.png
new avatar
Section 702 FISA

America's Backdoor

logged: 2026.04.19
the rabbit holeThere are different levels to a privacy setup, but a VPN is always the go-to, one of the easiest changes you can make. So to find out it could give away your data to the very people you're trying to keep it from is disappointing at best, dystopian at worst.

Real-world example

Section 702 was supposed to expire April 20, 2026, unless Congress reauthorizes it. As of tonight, the fight is live. The Trump administration pushed for a clean 18-month reauthorization with no changes. House blocked amendments that would have required warrants for searching Americans' data. On April 17, two back-to-back votes failed. Those were 1: a five-year package with modest reforms which collapsed when roughly a dozen Republicans rejected it and 2: the procedural vote for the clean 18 month extension failed 197-228, with 20 Republicans defying Trump and 4 Dems also voting no. Around 2am the House passed a 10 day stopgap, pushing the deadline to April 30. DNI Tulsi Gabbard, who previously opposed 702 as a congresswoman and co-sponsored legislation to repeal it, reversed position again saying warrants should be required for US person queries which goes against Trump. The reform coalition cuts across both parties (Freedom Caucus Republicans plus progressive Democrats). The coalition protecting 702 also spans across both parties. Outcome unclear.

What is Section 702

A surveillance authority passed in 2008 as part of the FISA Amendments Act. It allows the US government to collect emails, phone calls, and text messages of non-US persons located outside of the US without a warrant. Targets are selected by intelligence analysts, not courts. The Attorney General and DNI issue annual "certifications" (very broad/bulk request like "We want to spy on foreign cyber threats") that the FISA court reviews and generally approves. The FISA court does not approve individual targets. Any American who communicates with a foreign target can have their communications swept into the 702 database as "incidental collection."

The loophole

Once Americans' communications are in the 702 database, the FBI can search them for US person information without a warrant. These are called "US person queries" or backdoor searches. The FISA Court found in 2022 that "compliance problems with the FBI's querying of Section 702 information have proven to be persistent and widespread." From 2020 to 2021 alone, the FBI conducted 278,000 noncompliant searches that the DOJ determined violated FBI standards. Documented abuses include searches targeting Black Lives Matter protesters, January 6 participants, a congressional campaign's 19,000 donors, a US Senator, a state senator, and a state judge. A 2024 federal court ruling held that these backdoor searches are unconstitutional and ordinarily require a warrant. Congress has reauthorized 702 multiple times despite the abuses.

Why Europe won't touch US cloud

Section 702 is why US cloud services struggle with EU data protection compliance. The EU's Schrems II ruling in 2020 found that US surveillance law, specifically 702, gives US intelligence agencies too much access to European data, which violates GDPR. Any organization handling EU citizen data through US-based infrastructure is exposed to this, and no contractual clause overrides a surveillance authority like 702.

TL;DRSection 702 lets the US government collect foreigners' messages without a warrant. The catch: anything an American sends a foreigner is included as well. Then the FBI can search the database for that American's data, still no warrant. In one year alone, they ran over 278,000 improper searches. It's why the EU ruled US cloud services unsafe for European data. No company, service, or policy can override it, because it's the law underneath. Section 702 is 18 years old, and it's up for renewal again in about two weeks.
filed under: section 702 / the fourth amendment / "incidental"
Swiss Surveillance Law (VÜPF)

So Much for Switzerland

logged: 2026.03.05
the rabbit holeSwitzerland has always been the privacy haven. Strong data protection laws, no forced logging, and no allegiance to US or EU surveillance. So if even Switzerland is reversing its stance, what's left?

Real-world example

Switzerland built its reputation as a kind of privacy refuge. Swiss law historically categorized VPN providers differently from telecom providers so VPNs had no logging obligations which is why companies like Proton based themselves there.

What's changing

Switzerland is proposing a revision to the VÜPF that would begin in late 2026:

  • Require VPN and email providers to log IP addresses for 6 months
  • Mandate user ID verification (official ID or phone number)
  • Wants to create a backdoor to decrypt data

Why it matters

  • This would make Swiss surveillance more invasive than the US or EU, and it wouldn't even touch US-based services like Gmail or WhatsApp. It only binds the providers who came to Switzerland for privacy in the first place.

Proton's response

  • Started moving physical infrastructure to Germany and Norway (EU courts have ruled blanket data retention illegal)
  • Proton has already moved new-ish Lumo AI chatbot which is hosted in Germany
  • Headquarters remain in Geneva, not complete relocation
  • CEO Andy Yen said "If necessary, we can shut down the systems in Switzerland within a short period of time"
TL;DRSwitzerland was the gold standard for privacy right up until its proposed changes to invade user privacy went further than the countries everyone went there to escape. Proton's already moving servers to Germany and Norway and said it'll shut down Swiss servers entirely if it comes to that. It's not about Switzerland. It's that no protection is permanent. And the promises and laws that once provided privacy can change at any time.
filed under: vüpf / data retention / paradise lost
Mutual Legal Assistance Treaties

Teamwork Makes the Dream Work

logged: 2026.03.05
the rabbit holeYour data has a passport. And it travels more than you do.

What is an MLAT

An agreement between two or more countries that allows them to request and share evidence and information for criminal investigations.

What can be requested

  • Witness testimony and statements
  • Documents, records, and evidence
  • Search and seizure execution
  • Locating or identifying people

Key points

  • Only available to government officials, usually prosecutors, not private citizens or civil cases
  • Requests must go through formal legal processes and be approved by a court in the receiving country
  • The US has MLATs with 65+ countries including Switzerland, the UK, and all EU member states for starters

Five Eyes

The most well known is the Five Eyes: an intelligence alliance between the US, UK, Canada, Australia, and New Zealand, sharing since 1946. Wider circles, Nine Eyes and Fourteen Eyes, pull in countries like France, Germany, and the Netherlands. The critique people raise: a government barred from spying on its own citizens can let an ally do it instead, then simply share the results back. The alliance operated secretly for decades until Edward Snowden's bombshell 2013 leaks exposed it. It still operates today in the open.

TL;DRChoosing privacy-focused companies and services is still worth the effort. But most of it is out of our hands. There are countless rules about what a country can do to its own citizens, and almost none about what it can do to a foreigner. So whatever your own government isn't allowed to take, another government already has. And they're all in a group chat.
filed under: five eyes / mlat / sharing is caring
Trash

Trash

Empty

11 items

clippy
Mr_Aquarius.exe
chrome.app
microsoft_copilot.app
old_files
Screenshot_47.png
untitled.rtf
Screenshot_48.png
burned_mixCD.zip
setup.dmg
Memphis_Man.exe
Internet
eePay wichman.io HHHindsight Homes should i buy AAPL?
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewCart
ePay My Cart · Shop · Sell · My ePay Search…
★ LOWEST PRICES OF 2003 ★
Your Shopping Cart (3 items)
iBook
Apple iBook G3 Clamshell Blueberry Vintage Laptop Mac OS 9
Seller: macdaddy2003 ★★★★★ (98.2%)
$294.00
img
Ty Beanie Baby Princess Diana Bear PURPLE Rare Retired 1997 MINT CONDITION w/ Tag
Seller: y2k_vault ★★★★ (94.0%)
$58.00
CD-R
Memorex Blank CD-R 100 Pack 700MB 80min NEW SEALED FAST SHIP
Seller: burned_it_4_u ★★★★★ (99.9%)
$19.99
Subtotal (3 items)$371.99
Shipping$12.50
Estimated tax$30.71
Order total$415.20
Proceed to Checkout »
‹ Continue shopping
Recently viewed
Tamagotchi Original 1997 Virtual Pet White/Gray
Portable CD Player Boombox AM/FM Radio — Used, Good Condition
Apple iPod 1st Generation 5GB Click Wheel - Used
Halloween Complete Set VHS - End of an Era
My ePay · Security Center · Policies · Feedback · Help
Copyright © 1995–2003 ePay Inc. All Rights Reserved. Designated trademarks are the property of their respective owners.
dollz.jpg — Preview
dollz
Mail — Inbox
hello@wichman.io
Inbox 6
FWD:FWD:FWD: Send This Or Else
aunt carol
FINAL NOTICE: Overdue Item
the local library
You Appeared In 29 Searches This Week
LinkedIn
You have 3 new likes
Snog Dating
A Business Proposal
a prince
Re: Your Free Ringtones
no-reply
Drafts 1
(draft) to: you
no subject
Sent 0

select a message

iSeeU
I SEE U User: 770258
drea_dot_io

brb, down a rabbit hole
Online (15)

horror_fan_n1k0

oi_ollie

KIRA_from_AOL

JCP__

xX_dial_up_diva_Xx

cyber_kitten_03

Sk8rJake420

hannahparks*

mike_d22

<3sarah

tommy_guns_xD

KatieM_xo

chrisw

RyanFromBioClass

brandon_99

Offline (15)

Zer0Cool_99

napster_nikki

DJ_DANNYBOY

emilyxglitter

steph<>

laura_loves_pink

_megan_

xX_AlexTheGreat_Xx

jenny*p

kev_works_at_gap

nicole_xox

MattyIce99

ashleeyy_marie

greg_from_NYU

moms_computer

Blocked (1)

DO_NOT_ADD_him

Anonymous Chat
Services
Add User
Settings
GO!
Anonymous Chat
Stranger connected
You're now chatting with a random stranger. Say hi!
Send
×
peek
look what they took
updated --:--:--
battery
screen size
timezone
os
browser
language

The data shown above was transmitted automatically by your browser upon visiting this site. Every website you access receives the same information through a process known as browser fingerprinting. Peek does not collect, store, or transmit any user data.

Peek is a privacy awareness tool used by individuals to identify what data has been exposed without their consent. Mobile devices expose significantly more and pose a greater risk. Learn more →

The Business of Browser Fingerprinting

You, According to Your Browser

logged: 2026.05.26
the rabbit holeEvery site you visit fingerprints your device without your consent. Here's how it happens.

What just happened

Every time you open a website, your browser quietly hands it a few details: your device, your screen size, your time zone, and your language. You didn't type any of it and you weren't asked, yet it happens on every site you visit by design.

Why it matters

On their own, these details sound harmless, but together they form something like a fingerprint, more than enough to know exactly who you are, name or no name. Collecting this is completely legal, and since the US still has no privacy law covering it, gathering and selling this kind of data is a thriving business (only $200 billion).

Now your phone

Your phone does the same thing, but worse, because it goes everywhere you do. In 2022, the FTC sued a data broker called Kochava for selling the precise location data of hundreds of millions of phones to anyone who would pay. The data showed where people went: clinics, places of worship, shelters, doctors' offices, and more. Tracked over time, it showed where they slept at night (their home address), and where they went all day (think their jobs and their kids' schools). Nobody gave permission, nor did they even know it was happening. The best (worst) part is it's still happening right now.

Your move

Use a browser that fights this (Firefox, Brave). Ditch Google and use a search engine that isn't spying on you (DuckDuckGo). Turn off ad tracking on your phone. Stop giving apps your location unless they need it. You'll never be invisible, but you can be informed and wildly inconvenient. That's what The Burrow is about.

redactions/702_oct2018_BOASBERG.pdf

TOP SECRET//SI//ORCON//NOFORN
(declassified in part, ODNI 10/08/2019)

UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT

Memorandum Opinion and Order · Oct. 18, 2018 · Boasberg, J.

Section 702 authorizes the targeting of ██████████████████████████████████ to acquire foreign intelligence information.

In the course of that targeting, the communications of U.S. persons are incidentally acquired and retained in Government databases.

In 2017 the FBI conducted █████████ queries of information acquired under Section 702 on a single system. The Bureau does not record whether a query term is a ████████████████ term.

Each query must be reasonably likely to retrieve foreign intelligence information or evidence of a crime. The Court finds ██████████████████████████, likely occurring ████████████.

Queries were run against the identifiers of ████████████████████████████████████████████, persons not suspected of █████████████.

The Government acknowledged that the improper queries resulted from ████████████████████████████████████████ among personnel with access to raw Section 702 data.

For ████████ the Government did not perform the count of U.S.-person queries that Congress required as a condition of reauthorization.

The Court engaged ██████████, who advised that the procedures failed to satisfy both the statute and the Constitution. The Court agreed in █████████████.

The Court holds that these procedures, as implemented, are inconsistent with the minimization requirement of Section 702 and with the Fourth Amendment████████████████████.

As a remedy, FBI personnel must record a written statement of facts for each U.S.-person query, retained so that ████████████ may conduct oversight.

Notwithstanding the foregoing, the Government’s 2018 certifications are █████████

The remainder of this opinion is classified pursuant to ████████ and is exempt from disclosure under ██████████ and ██████████.

“incidentally” = Americans. they just don’t target you on purpose.
“query” = searching the database. no warrant.
they admit it’s unconstitutional. next line, they approve it anyway.
3.1M searches, one system, one year. this is the spine of it.
still redacted as of May 24, 2026. never released.
companies_that_dont_sell_your_data.xls

404

file not found

turns out this one was always empty.

cats

42 items

cat cat cat cat cat cat cat
my setup pics
setup pic
setup pic
setup pic
setup pic
setup pic
Terminal

Committed revision 143.

[burrow-mac:~] drea% ./wakeup.sh

[warn] system hibernation detected

[error] caffeine levels critical (0%)

[fatal] cannot proceed

[burrow-mac:~] drea% caffeinate -d

Caffeinate drea? [y/n] 

Latest Note
Stickiesto do
Internetinternet
Mailmail
iSeeU
Virtual PCVirtual PC
TerminalTerminal
Pixel
1
Trashtrash
best viewed on a desktop. drag, double-click, the works
Windows — Virtual PC
LemonWire
File  Navigation  View  Tools  Help
SearchMonitorLibraryConnections
Search
NameSizeStatusSpeed
Connecting to the Gnutella network…Sharing 0 files
Pixel wants to play!
×
Feed
Pet
Sleep