Internet Freedom Weekly: News Recap, May 25–29, 2026

Child safety is an extraordinary framing device. It got age verification into adult websites, then social media, then app stores, and now operating systems. It got a UK consultation to seriously consider age-checking every VPN user. It got a Canadian medical association to declare social media riskier than drugs based on a voluntary poll of 6% of its members.

Meanwhile, China rolled out facial recognition glasses for its police force, Serbia's airport handed unlimited camera access to its intelligence agency with no paperwork, and Microsoft's response to a researcher finding real bugs in Windows Defender was to get them banned from two platforms in five days.

May 25 through 29 gave us twelve stories across four continents, covering surveillance infrastructure, government censorship, security disclosure gone wrong, and one cloud storage dataset that shows just how much of the internet is sitting wide open.

Texas Accuses Meta of Running a Three-Billion-User Encryption Scam on WhatsApp

Texas Attorney General Ken Paxton filed suit against Meta, alleging that WhatsApp's end-to-end encryption marketing is consumer fraud. The lawsuit claims internal documents show contractors reviewing message content, metadata collection incompatible with genuine E2EE, and law enforcement compliance that undermines the "private by design" promise Meta has built its WhatsApp brand around.

The case lands at a moment when Meta has already quietly removed E2EE from Instagram DMs, citing low opt-in rates for a feature most users didn't know existed. Whether the Texas suit succeeds legally, the underlying argument that "encrypted" has been doing marketing work rather than technical work is not easily dismissed.

Read the full article

Malaysia's Online Safety Codes Are Live and so Is the Age Verification Problem

Malaysia's Online Safety codes took effect June 1, requiring social media users to upload government-issued documents for age verification and blocking anyone under 16 from opening accounts. Every adult user's identity document is now held by platforms with well-documented breach histories, verified by a mechanism a determined teenager can bypass in minutes with a parent's ID.

The infrastructure this creates outlasts the policy rationale that justified it. A database of identity documents held by social media platforms is available to any government that decides it needs them, and Malaysia's direction of travel on mandatory digital identity has been consistent for some time.

Read the full article

What's Inside the World's Open Buckets: A Mysterium VPN Research

Mysterium VPN's research team indexed 535,480 publicly listable cloud buckets and found 19.6 billion exposed files with no login or breach required. Among them: 685,047 credential and key files, 985,645 SQL database exports, and over 764,000 files with "secret" in the filename, sitting there for anyone who looks.

The cause is structural. Centralized cloud storage guarded by a single access-control checkbox means one misconfiguration exposes everything at once, and the scale of what's exposed suggests misconfiguration is the norm rather than the exception.

Read the full article

The Never-Ending Story of India's Relationship With the Internet

India recorded 84 internet shutdowns in 2024, second only to Myanmar, and scored 51 out of 100 on Freedom House's internet freedom index. In February 2026, the government quietly cut content takedown timelines from 36 hours to 3, a window too short for human review and designed for automated removal. Aadhaar, the world's largest biometric database with 1.38 billion enrollments, was opened to private companies in 2025.

When the world's largest democracy treats shutdowns as routine governance and three-hour automated takedowns as moderation, other governments notice. The tools being normalized in India have a way of becoming standard practice everywhere else.

Read the full article

Pezeshkian Has Ordered Iran's Internet Restored

Iranian President Masoud Pezeshkian ordered the Ministry of Communications to restore international internet access on Day 87 of the country's near-total blackout, with the resolution passing 9–2 at the Special Task Force on Cyberspace Management. ICT Minister Hashemi confirmed restoration had begun. Day 88 arrived with connectivity at 1–3%, and IRGC-affiliated media publicly questioned whether the president had the legal authority to issue the order at all.

The blackout has cost tens of millions of dollars a day, and Iran's central bank governor reportedly urged Pezeshkian to restore access as an economic stabilization measure. Whether it holds depends on institutions that have never answered to the presidency.

Read the full article

How a Protest Activist Exposed Serbia's Airport Surveillance Free-for-All

Serbia's data protection commissioner found that Belgrade Airport gave border police, customs, and the BIA access to its entire camera system without signing the data-sharing agreements required by law, leaving footage accessible to an "unlimited number of people." The investigation was triggered after a pro-government tabloid published surveillance screenshots of protest activist Nikola Ristic's departure time, destination, and flight details.

The commissioner ordered agreements signed in May 2025. By April 2026, only one had been signed, with the BIA, the agency already linked to the leak. Neither the airport nor its French operator Vinci explained how unregulated access was permitted or what had been done to prevent a repeat.

Read the full article

Doctors Manitoba Ranked Social Media Riskier Than Drugs Based on Opinions Alone

Doctors Manitoba surveyed 242 physicians, about 6% of its membership, voluntary throughout, who scored social media and excessive screen time 6.9 against a combined substance use category of 6.4. Secondary outlets translated a 0.5-point opinion gap into "social media as bad as smoking" headlines, a framing significantly stronger than the report itself, with tobacco not appearing in the scoring data at all.

A voluntary poll of 6% of a membership is not a clinical finding. It is the kind of framing, however, that makes blunt prohibition look like medical consensus and gives policymakers cover for legislation that outpaces the evidence it claims to rest on.

Read the full article

China's Police Force Just Got Glasses With Real-Time Facial Recognition

Police in Tianjin are now wearing domestically developed smart glasses with live facial recognition connected to government databases, returning identification results in milliseconds. The official use cases are traffic management and locating missing elderly people, and the same infrastructure identifies anyone on any street, at any time, whether they're a lost pensioner or just someone walking to work.

China's public security tech market doubled between 2015 and 2025. India, the Netherlands, and ICE in the United States have run comparable pilots. The governments watching China's rollout are not treating it as a cautionary tale.

Read the full article

Malaysia's MCCA Nails the Digital Education Argument and Misses the Obvious Conclusion

Malaysia Cyber Consumer Association president Siraj Jalil appeared on Bernama TV to back the incoming age verification codes while calling for comprehensive digital education alongside them. His education argument is correct: knowledge is what actually prepares young people for online life, and without it, they arrive at platforms facing culture shock rather than competence.

The argument also points directly away from ID gatekeeping. A child kept off social media until 16 by a document upload hasn't learned anything. Estonia made exactly this case at the EU level, arguing to regulate platforms and invest in digital literacy, and Siraj's own framing supports that conclusion. He just didn't follow it there.

Read the full article

The UK's Online Safety Consultation Closed and the Hard Decisions Start Now

The UK's "Growing up in the online world" consultation closed May 26 after three months, with a government response expected in summer 2026. On the table: potential social media bans for under-16s, restrictions on infinite scrolling and autoplay, a possible rise in the digital age of consent, and explicit questions about whether every user should face age checks before using a VPN.

The legal powers to act were secured in February, before the first survey was submitted. A coalition of 19 organizations urged the government to hold platforms accountable rather than age-gate the open web, and Ofcom's incoming chair described VPNs as a "technical problem" at a recent hearing.

Read the full article

Age Verification Has Been Climbing the Tech Stack and It Just Reached Your OS

California's Digital Age Assurance Act requires every operating system to collect user age at setup and expose it to app developers via a real-time API, with Colorado's nearly identical SB26-051 set to follow in 2028. No identity check is required, as users self-report a birth year, so the law builds the surveillance infrastructure without building the verification it claims to provide.

Open-source developers pushed back hard enough to earn a partial carve-out for Linux distributions, but Windows, macOS, Android, and iOS remain fully subject. The data pipeline has no expiration date and no opt-out mechanism, and one future amendment is all it takes to expand what the bracket API outputs.

Read the full article

Microsoft Had the Researcher Banned Rather Than Fix the Bugs They Found

Security researcher Nightmare-Eclipse released three Windows Defender exploit tools after Microsoft declined to patch them, with Huntress confirming criminal use of all three within eight days of the first public release. Microsoft's response was to delete the MSRC account the researcher used to file reports, then get GitHub and GitLab to suspend their accounts within five days of each other, removing the public audit trail without issuing a single additional patch.

Two of the three vulnerabilities remain unpatched. Microsoft silently patched one with no CVE and no advisory, which is a curious move for a company invoking responsible disclosure as its justification for everything that followed. The researcher has marked July 14 as the date of a major follow-up disclosure.

Read the full article