California passed a law forcing operating systems to track your age and report it to every app you use. It takes effect January 1, 2027, and applies to *EVERY* operating system. Colorado, Illinois, Louisiana, New York, Texas, and Utah have similar bills pending. Here's what's happening and what you can do.

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience

"Just use Tor!" - or don't. In this 2026 tier list, Henry ranks Brave, Firefox, LibreWolf, Chromite, Edge, Vivaldi, and more. Much more subjective than the Linux tier list, so let us know where you disagree, and enjoy!

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience

Your Password Manager Might Not Be as Trustless as You Think

We put an immense amount of trust in password managers. The #1 selling point is zero-knowledge: the company can't see your passwords – only you can. But new research pulls back the curtain on how that promise holds up in practice. The answer: not as well as advertised.

Researchers analyzed several major password managers (LastPass, Dashlane, and Bitwarden) and found the "zero-knowledge" claim is more marketing than cryptographic guarantee. The issue isn't that these companies are malicious — it's that architectural decisions made for convenience (like account recovery, password sharing, and legacy compatibility) expand the attack surface. Every service tested had meaningful vulnerabilities. What differed was severity and company response.

This matters because password managers are high-value targets. If someone can breach a provider and the architecture isn't truly zero-knowledge, your entire digital life is exposed in one sweep — particularly when features like account recovery or vault sharing are enabled.

This research doesn't mean you should stop using a password manager. It means you should know what you're actually trusting them with, and which features might be better left disabled. KeePass-style local vaults remain the gold standard for removing the need for trust altogether. However, not everyone wants to (or should) use an offline password manager, and a cloud-based solution is still far better than reusing weak passwords. For reference, Bitwarden's audit is publicly available, while 1Password (briefly mentioned in the research) proactively documented their own limitations before being studied.

What you can do: Check whether your password manager has published an audit that specifically validates their "zero-knowledge" architecture. If they haven't, or if you're using a closed source service without verifiable claims, take that into account. Make sure you're always running the latest version. Also look at how each company responds to these types of incidents. Are they dismissive? Responsive? Transparent? If they won't take genuine responsibility in public, there's a good chance they won't do it in private, either.

Bits & Bytes 🤖

~ Google's Android Developer Verification Plan Threatens the Open App Ecosystem

Google announced last year that all Android apps must be tied to a verified developer account, including those distributed outside the Play Store. F-Droid and the broader open-source Android ecosystem have sounded the alarm, and Techlore was a signatory on the Keep Android Open letter pushing back.

Our take: This is a slow squeeze on sideloading and open distribution dressed up as safety. If verified identities become a hard requirement, anonymous and pseudonymous developers — the backbone of privacy-focused FOSS tools — get pushed out. Watch this one carefully.

~ Apple Rolls Out Age Verification Tools Worldwide

Apple quietly launched a global age verification system this week to help app developers comply with a growing patchwork of child safety laws. They are also now blocking downloads of 18+ apps in Australia, Brazil, and Singapore until users confirm their age.

Our take: Age verification sounds reasonable until you think about the data trail it creates. Apple's approach is arguably one of the more privacy-conscious implementations possible — sharing an age range rather than identity details, like birthdays. But the real concern isn't Apple's implementation; it's the legislative pressure underneath it.

~ Android Mental Health Apps with 14.7 Million Installs Are Full of Security Flaws

Researchers analyzed ten Android mental health apps with a combined 14.7 million downloads and found 1,575 security vulnerabilities across them.

Our take: Mental health data is uniquely exploitable. The combination of sensitive content, a trusting user base, and apparently lax security practices is a serious problem. Since the app names aren't public yet, the best thing you can do is check when your mental health app(s) last received an update. If it's been sitting untouched for over a year, that's something to think about.

This Week on Techlore 📺

This week's Surveillance Report dives deep into the password manager research, Google's plans to close off Android, Apple's age verification expansion, and a massive Defense Bulletin packed with breaches and critical service updates:

Password Manager Vaults Aren’t Private, Google Threatens Open Android, & Apple’s Global Age Verification | SR257

Techlore Surveillance Report: Weekly News for Your Digital Freedom

TechloreTori

On Techlore Talks, we had JP Schmetz, founder of Brave Search and CEO of Ghostery, to discuss making trackers visible and reinventing the open web with AI:

Ghostery CEO Explains How Ad Blockers Work, Why They Break, and the Future of Private Search

Techlore Talks brings you in-depth conversations with the experts at the forefront of digital rights, privacy and security.

TechloreTori

The widely-circulated narrative that Google already backed down from forcing developer registration is false. They didn't:

Google Is Closing Android. 37 Orgs Are Fighting Back.

Almost 40 organizations, including Techlore, published an open letter to Google opposing Android Developer Verification – a program that would require all developers to register with Google before distributing apps on Android. The widely-circulated narrative that Google already backed down from this is false. They didn’t, and that misunderstanding may be

TechloreTori

Action Item ✅

Take 10 minutes to look up whether your password manager has published a third-party cryptographic audit. Search "[your password manager] zero-knowledge audit" and see what comes up. If you can't find a clear, verifiable answer — that's your answer.

Quick Note 📝

It's been a hot minute since the last issue of Digital Rights Digest, so we really appreciate the patience as we get our new workflows locked in. Next week Henry & I will be together in person to film Go Incognito V2, but after that trip, we should have the bandwidth to be more consistent. Stay tuned!

This week's Surveillance Report covers the truth about password manager vault privacy, Google's threat to the open Android ecosystem, Apple's global age verification rollout, Android mental health apps packed with security flaws, and a massive week of breaches and service updates.

Most ad blockers start by blocking everything—then you become tech support for friends & family when pages break. Henry interviewed JP Schmetz, founder of Brave Search and CEO of Ghostery, about making trackers visible, why there are only 3 search indexes in the world, reinventing the open web with AI, and how to avoid becoming "the family CTO."

https://youtu.be/vBTP8cSxIVc

Almost 40 organizations, including Techlore, published an open letter to Google opposing Android Developer Verification – a program that would require all developers to register with Google before distributing apps on Android. The widely-circulated narrative that Google already backed down from this is false. They didn't, and that misunderstanding may be the most dangerous part of the story right now.

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience

You may think you're just being tracked by a handful of companies, but the reality is your data is sent to countless different trackers before you can finish reading a news headline. This video breaks down three layers of protection to keep yourself safe online.

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience

No operating system is safe, and this week, Mac users got hit from three directions at once. We cover the attacks, Discord's messy age verification expansion, hidden hotel cameras in China, and everything else threatening your digital rights.

Most password managers use your master password as the encryption key—which means it can be phished and brute-forced. Passbolt uses a random private key instead. Henry interviewed co-founder Remy about why they optimized Passbolt for teams, how granular permissions prevent credential leaks, and why self-hosting matters for businesses.

Hey everyone, Henry here 👋 This is one of those important, rare announcements that goes to your email inbox (only 1-2x year as promised!)

I started Techlore over a decade ago because I believed people could make a real difference in their relationship with technology and push back against surveillance expansion. Fast forward to 2026: We reach hundreds of thousands of people monthly. We've covered everything from Chat Control votes to VPN bans to age verification mandates to the necessary resources required for you all to take better control of your technology. I firmly believe we've built one of the most approachable technology education resources on the internet.

And here's what's changing now: you get to directly influence what we cover, not just support from the sidelines.

What That Looks Like

You Help Decide What We Create

We're launching community content ideas. This is a living board where Techlorians submit what they want to see covered, and the public can keep track:

Community Content Ideas

This is where our community decides what content matters most. Techlorians (our members) submit ideas below that we add to the idea tracker below.

TechloreHenry Fisher

We still have our own internal schedule, but this is the beginning of offering formal ways for you all to influence what we cover.

Why are submissions limited to members? We reach hundreds of thousands monthly. Opening submissions to everyone would create an unmanageable flood. With this system, we can review every idea and maintain quality suggestions that shape our roadmap. Down the road, I'd like to open public voting. But...one thing at a time 😄

Weekly Stream To Answer Your Questions

Since our forum closure, I've been brainstorming new formats for a new weekly livestream where I can be available for you. So I'm happy to announce our newest weekly stream:

Every Friday, we're going live with the Techlore Office Hours Q&A. Submit questions about privacy, security, digital rights, or anything Techlore-related. Members get priority answers, but everyone can watch and participate! I encourage you to submit questions in-advance if you're unable to attend live, or are a Techlorian who wants priority. This week's stream is already scheduled, so make sure to set a reminder, and I'll see you soon:

Better Platforms With More Privacy & Independence

We're in the process of sunsetting our Patreon on December 31, 2026—consolidating memberships to Ghost. This allows us to:

• Enable private registrations. Patreon tends to block alias emails and Privacy.com cards. Whereas Ghost allows users to register with better privacy.
• Finally support Monero memberships. Pay with the most private cryptocurrency, with an additional 10% discount! You can become a Techlorian for 12 months at a time with Monero by submitting the form here.
• Have Better independence. Tying to the previous point, this allows us to be more independent and avoid weird shenanigans like how Apple is demanding an additional cut from Patreon subscriptions.
• And Easier Maintenance. We are only a team of two, centralizing to one platform makes delivering perks consistently much simpler to accomplish. And with less fees too!

Announcing Our Newest Perks

While we publish our resources entirely free for the world, many people still want more individualized help. In the past, we offered one-on-one coaching to try and offer this to people, but it was challenging to maintain at scale. So taking what we learned, we're formalizing new offerings as part of our membership tiers:

• Exclusive Signal community & my personally curated digital rights RSS Feed (Bronze+ | Real-time discussions with other Techlorians. And yes, direct access to the exact curated RSS feed I update daily to keep track of what's happening, so you don't have to)
• Re-introducing your name in video credits and shout-outs (Silver+ and Gold+)
• Monthly private calls with me + exclusive behind the scene updates (Diamond | Strategy, advice, deep-dive discussions)

Why All Of This Matters

Every week, we cover new threats: encryption backdoors, age verification expansion, VPN bans, browser extension schemes. It's easy to feel powerless against governments and corporations with infinite resources. But here's what I've learned in 10 years: we all can seriously make an impact!

When thousands of people understand what Chat Control actually does, they contact their MEPs. When people know age verification is surveillance infrastructure, they push back locally. When our community shares educational content with family who "don't care about privacy," we expand the movement.

My goal is for Techlore to not just be a YouTube channel. I want us to help build the movement that's proving individuals can fight (and win!)

What's Next

We've offered perks we didn't deliver consistently. We've spread ourselves thin across too many platforms. We've fallen behind on larger projects. So we made hard choices the last several months: we closed the public forum (it needed dedicated employees, not part-time attention), we consolidated platforms (Ghost instead of multiple support platforms), and are building the systems we can actually maintain with a two-person team.

While this isn't the community we had. This is the community we can sustain and grow for the next decade.

If you're already supporting us: Thank you. Seriously. You've made everything we do possible. Don't forget to access your perks at techlore.tech/techlorian and claim them. (Patreon members: You're grandfathered through Dec 31, 2026. Details here)

If you've been thinking about supporting: There hasn't been a better time, especially now you can even do it with Monero!

If you can't support financially: That's completely fine! Just keeping yourself educated & sharing with people what's going on is still the most important thing we all can do. I'm excited to see you all for our weekly Office Hours and our other content! All of these changes will continue to make our standard content better + more polished + more consistent too 🫡

The fight isn't slowing down, and neither are we. Thank you all for your support, and I'll see you in our stream tomorrow, and our next digital rights newsletter.

— Henry & Team

• Join the community: https://techlore.tech/#/portal
• Vote on what we cover: https://techlore.tech/community-content-ideas
• Submit Office Hours questions: https://techlore.palform.app/ask
• Access all your perks: techlore.tech/techlorian

It's happening everywhere: Politicians screaming "big tech censorship" and "free speech" while simultaneously crafting legislation that gives governments unprecedented control over what you do online. They attack moderation, while pushing laws that would require platforms to verify your identity, scan your messages, and report you to authorities. This is because the goal was never about protecting speech, it was controlling it. And they're counting on you to not connect the dots.

The Setup: Weaponizing "Free Speech"

I'm a proud free speech supporter. So let me clear up the biggest misconception I see online: Free speech means the government can't prosecute you for what you say (with exceptions like threats or incitement). It was a revolutionary idea—criticize the king without losing your head, dissent without state violence. But it has never meant private platforms must host your content, amplify your views, or give you a microphone. The reality is you don't have a constitutional right to a Twitter account any more than you have a constitutional right to sit at a restaurant that kicked you out for screaming at staff.

And we saw this debate play out recently with the Supreme Court's decision in Free Speech Coalition v. Paxton. By upholding Texas’s right to demand ID for adult content, the court signaled that 'modest' surveillance is an acceptable price for speech. So politicians aren't just screaming at the restaurant manager, they’ve convinced the courts to let them station a guard who demands your papers before you can look at the menu.

This is all part of the grift. Millions have fallen for this idea that "free speech" is synonymous with "I should be able to say whatever I want on any platform without consequences." And this serves a distinct purpose: it positions platforms as the enemy and government intervention as the solution.

The Bait: Section 230 and the Platform Panic

Enter Section 230 of the Communications Decency Act, one of the most important laws protecting internet freedom. Section 230 says two critical things:

1. Platforms aren't liable for user-generated content (you can't sue YouTube because someone uploaded a defamatory video)
2. Platforms can moderate content in good faith without losing that protection (removing spam doesn't make you a publisher)

Without Section 230, platforms would either have to manually approve every post (impossible at scale) or host nothing to avoid liability. While imperfect, it enables the messy, chaotic, innovative internet we have. But lately, Section 230 has been attacked from all angles. Politicians from both parties blamed it for everything from "big tech censorship" to "misinformation" to "harmful content." The proposed solution? Gut Section 230.

The 'Sunset Section 230' bills make this explicit. By threatening to let the law expire entirely, lawmakers are holding a gun to the head of the internet. They know that no company will risk a billion-dollar, class-action lawsuit because a user posted something spicy. This is a forced retreat into a sanitized, corporate-approved version of the web where only 'safe' (read: government-compliant) speech is allowed.

Notice what's missing from all these debates? Your rights. Your privacy. Your actual freedom.

The Switch: From Platform Rights to Government Control

This is where the deception crystalizes in what almost sounds like hypocrisy. The same politicians screaming about "free speech" and "government overreach" are also the same ones pushing:

• Age Verification: Over half of US states have passed or are pushing age verification laws. Some are even pushing to age-verify entire app stores—meaning you might soon have to upload a government ID to the cloud just to download a calculator or a weather app. This:
  • Creates a comprehensive database of what you read, watch, and browse
  • Normalizes government ID requirements for internet access
  • Massive privacy violations and identity theft risks
  • Creates the precedent for deciding who gets access to what content (as deemed by the government)
• Message Scanning Mandates: The EU's Chat Control proposal would require platforms to scan your private messages for illegal content. The UK's Online Safety Bill includes similar provisions. This means:
  • End-to-end encryption becomes illegal or useless
  • Your private conversations are screened by AI
  • Governments decide what content triggers reporting
  • The infrastructure for mass surveillance is built permanently

The pattern is quite clear: Use "free speech" and "moderation" rhetoric to demand government control over platforms, then use that control to mandate surveillance, verification, and content restrictions that is reminiscent of 1984 with better UX and a subscription. If this were actually about protecting children + adults, we'd see comprehensive data privacy laws, mandatory security standards, and actual consequences for platforms that exploit people for engagement. Instead, we get a national ID checkpoint for the internet, while refusing to deal with any systemic problems that got us here in the first place.

What They're Ignoring: Actual Rights For Citizens

While politicians push age verification and message scanning, they're silent on regulations that would actually help users:

• Transparency Requirements: Platforms should disclose their moderation criteria, algorithm mechanics, and data collection practices.
• Data Privacy Minimization: Platforms should be required to collect only necessary data, delete it when no longer needed, and give users actual control over their information.
• Security Baselines: Platforms should meet minimum security standards to protect user data from breaches.
• Interoperability Rights: Users should be able to communicate across platforms without lock-in.
• Algorithmic Transparency and Choice: Users should understand how algorithms rank and recommend content, and have alternatives.
• More User Control: Users should have the legal right to use platforms in ways that guarantee more control for both themselves and their families. Rather than having the government decide what is and isn't safe for children to access online, more tools should be available for parents to help choose what they want their own children to access. (yes, this is a radical idea called making parents parent their own children—not the government)

Notice what all these have in common? They empower users rather than governments. They increase freedom rather than control.

What Platforms Should Be Allowed to Do

Here's what I think will make both sides angry: I think platforms should generally be allowed to moderate however they want. Not because moderation is always good, but because the alternative, government-mandated speech rules, is catastrophically worse.

We’ve reached a point where everyone wants to use the State as their personal content manager.

• The Left is persistently angry that platforms don't do more to moderate
• The Right is persistently angry that platforms have rules at all

In my opinion, if a platform wants to be a free-for-all with minimal moderation, users can choose to use it. Alternatively, if a platform wants strict community guidelines, users can choose that instead. On our forum, we opted for the latter; we took moderation quite seriously and took immediate action if someone wasn't following our rules. But I believe if someone else hosted a forum with almost no rules—they should have the right to do that! (obviously barring illegal content!)

The question to ask is: who gets to decide which trade-offs you have to accept when you register for a service? You, or a politician who’s never used the platform?

If we want to fix big tech we need to build alternatives and create an ecosystem that allows others to compete. We need to support decentralization. Enable interoperability. Make it so easy to switch providers that platforms have to actually compete for your time and attention instead of lobbying for greater control over your life.

The Path Forward: Demand Actual Rights

The moderation deception only works if we accept the framing. Real regulation, the kind that actually helps users, would look nothing like what's being proposed. It would:

• Protect user privacy and security
• Require transparency without mandating outcomes
• Enable competition and interoperability
• Empower users with real choice and control
• Apply universally without picking winners

Bad regulation, the kind being pushed, does the opposite. It mandates surveillance, restricts alternatives, empowers governments, and eliminates user choice. The question isn't whether platforms should be regulated. The question is who regulation serves: users seeking freedom and privacy, or governments seeking control and surveillance.

The grifters are counting on you not connecting the dots. They're betting you'll accept surveillance as long as it's wrapped in 'safety' rhetoric.

Don't fall for it.

After 10+ years covering privacy tools, I finally understand the role privacy plays in my life, and it's not what I thought. This realization changed how I think about digital rights, threat modeling, and what we're all really fighting for. If you've ever felt like you're chasing privacy for the sake of privacy, this one's for you.

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience

Ad blockers have broad permissions to intercept all your web traffic—which means you need to know which ones to trust. Henry interviewed the CTO and co-founded of AdGuard about why they pivoted from data collection to privacy protection, how DNS filtering differs from local ad blocking, and Apple's revolutionary new API that lets ad blockers work system-wide on iOS without ever seeing your traffic.

This week's Surveillance Report covers Apple's security features actually stopping the FBI from accessing a journalist's iPhone, a global wave of age verification hitting Austria, Spain, and Greece, Chat Control 1.0's extension after the Commission admits negotiations failed, Microsoft backing away from Recall as AI fatigue grows, and more!

A Minnesota state representative was assassinated after someone found her home address on people search websites. A new report reveals that even state privacy laws fail to protect public servants from data brokers. But here's the bigger problem: this affects everyone, not just politicians. I'll break down why current solutions are reactive, show you how to actually prevent this data from being collected in the first place, and explain what systemic changes we need to push for. Links to data removal tools, opt-out resources, and action steps are below.

Watch on Techlore.TV for an ad-free, surveillance-free viewing experience