security

  • EU Commission investigates Grok and X under DSA

    The European Commission has today announced a new formal investigation against X (the conduit of hate alleged social media platform formerly known as Twitter. Ed.) under the Digital Services Act (DSA). In parallel, the Commission extended its current investigation launched in December 2023 into X’s compliance with its recommender systems risk management obligations.

    The new investigation will examine whether the company properly assessed and mitigated risks associated with the deployment of Grok’s functionalities into X in the EU, including risks related to the dissemination of illegal content in the EU, such as manipulated sexually explicit images, including child sexual abuse material.

    These risks seem to have materialised, exposing EU citizens to serious harm. Consequently, the Commission will further investigate whether X complies with its DSA obligations to:

    • Diligently assess and mitigate systemic risks, including of the dissemination of illegal content, negative effects in relation to gender-based violence and serious negative consequences to physical and mental well-being stemming from deployments of Grok’s functionalities on its platform;
    • Conduct and transmit to the Commission an ad-hoc risk assessment report for Grok’s functionalities in the X service with a critical impact on X’s risk profile prior to their deployment.

    Furthermore, the Commission has extended its continuing formal proceedings initiated against X in December 2023 to determine if X has properly assessed and mitigated all systemic risks (as defined in the DSA) associated with its recommender systems, including the impact of its recently announced switch to a Grok-based recommender system.

    If proven, these failures would constitute infringements of Articles 34(1) and (2), 35(1) and 42(2) of the DSA. The Commission will now carry out an in-depth investigation as a matter of priority. The opening of formal proceedings does not prejudge its outcome.

    In the run-up to this investigation, the Commission has closely collaborated with Coimisiún na Meán, the Irish Digital Services Coordinator. In addition, Coimisiún na Meán will be associated with this investigation pursuant to Article 66(3) as the national Digital Services Coordinator in the EU country where X is based.

    The opening of formal proceedings empowers the Commission to take further enforcement steps, such as adopting a non-compliance decision. The Commission is also empowered to accept any commitment made by X to remedy the matters subject to the proceeding.

  • Security and wearable animals

    A number of years ago, wearable technology looked set to become all the rage.

    Mention of it has declined noticeably in recent years. When, for instance, was the last time you heard of or encountered, say, Google Glass?

    On the other hand, wearable animals – or parts of animals – have a history that extends back into prehistory, in particular that epoch known as the Palaeolithic, the longest period in human history.

    Nevertheless, the manners in which animals or their parts have been used have adapted over the millennia in response to technological changes and development.

    A recent example of such an adaptation is shown below. It cropped up in your correspondent’s social media timeline today, although a reverse image search indicates it might have originated a couple of years ago.

    Social media post reads Please ensure you have your identity badger at all times. Below is a photo of a notice worded Security notice - All Employees Must Wear ID Badgers When Entering
    Why Is The First Letter of Each Word Capitalised?

    Are other identity animals available? Comment below.

  • Meta must grant EU users full access to their data

    Austria’s Der Standard reports that Meta, the parent company of both Facebook and Instagram, must grant European Union users full access to all their personal data within 14 days. The Austrian Supreme Court (OGH) ruled so on Thursday 19th December, according to the Vienna-based data protection organisation noyb. The lawsuit was filed in 2014 by noyb founder Max Schrems.

    Schrems, an Austrian lawyer and data protection activist, started attempting to gain full access to his personal data stored by Meta in 2011. According to a press release from noyb, the company merely referred those affected to a “download tool” and its general privacy policy.

    14 days term

    According to a press release from the data protection authorities, the OGH has now ruled that Meta must disclose all personal data and provide information about this data, such as the source, recipients and purpose of the processing, within 14 days – i.e. by 31st December 2025.

    The court also found that Meta had unlawfully collected data from third-party apps and websites, according to a press release. Personalised advertising may only be shown with the explicit consent of the individuals concerned. Meta must also ensure that sensitive data is not processed together with other data.

    The case was heard three times before the OGH and twice before the European Court of Justice over the past eleven years. Schrems has been awarded €500 in compensation.

    Situation has changed

    Meta has told Reuters that it had taken note of the ruling. However, it referred to the situation as it existed at the time the lawsuit was filed. Meta stated that it no longer uses sensitive data for personalised advertising. EU users can now also use Facebook and Instagram for free with personalised or less personalised advertising or pay a subscription to prevent their data from being used for advertising purposes.

    In December 2025 the EU competition authorities approved Meta’s proposal to use less personal data under this pay-or-consent model.

  • Spot the difference

    From my social media timeline.

    Two road signs both dealing with ice. The Canadian sign warns of frozen water, the US one of the actions of a racist federal government agency

    For those unaware of the actions of the racist US Immigration and Customs Enforcement agency under the less than benign presidency of the disgraced former 45th president and current disgraceful 47th president of the United States of America, insurrectionist, convicted felon, adjudicated sexual predator, business fraudster, congenital liar and golf cheat commonly known as Donald John Trump, the mock-up US road sign is on the right (naturally. Ed.).

    The cruel actions of ICE are all part of The Felon’s chief mission to Make America Grate Again (or something like that. Ed.).

  • Gone quishing

    In recent times, QR codes have started to be exploited in phishing attacks, as reported and explained by The Daily Record. This has given rise to another neologism and such attacks are also known as ‘quishing’.

    The phenomenon has been very prevalent in Cymru recently, as noticed by the Rhyl Journal.

    Denbighshire County Council and Conwy County Borough Council have urged residents to take care, as neither uses QR codes as a payment method at council-run car parks.

    Similarly, more than 20 fake QR code reports have been made regarding parking meters across the promenade in Llandudno.

    For comprehensive advice on fake QR codes and how to avoid them, plus other scams, visit Stop Scams UK.

    NB: The QR code at the top of this post encodes one of the links used in the piece.

  • LibreOffice advises don’t use OpenOffice!

    The developers of LibreOffice, the most popular free and open source alternative to Microsoft’s ubiquitous office suite, are advising against the use of its OpenOffice progenitor due to security vulnerabilities and its lack of development, German news site heise reports.

    In a post on Mastodon, they point to security vulnerabilities that have been known for years but still remain unfixed. According to minutes of the Apache board meeting in March 2025, there are three security vulnerabilities in OpenOffice that are more than a year old. This has been confirmed by a representative of the Apache Software Foundation (ASF) security team.

    Post reads: Hi everyone! We still see people on the fediverse recommending OpenOffice, despite it having year-old unfixed security issues. So if you see someone recommending it, please inform them about the risks - but also that there are actively maintained successor projects (like LibreOffice).

    According to the record there are numerous other, previously unaddressed issues with OpenOffice software, including vulnerabilities that have existed since at least November 2023. “We are making progress in identifying improvements to address these issues,” the ASF security team representative explains.

    LibreOffice: Apache Foundation is harming open source

    Furthermore, the LibreOffice developers accuse the ASF of not developing OpenOffice actively any more, but of feigning to do so with minor changes to HTML tags and blank lines. This harms the entire open source community. The ASF has not commented on these allegations. However, OpenOffice has an active project management committee and retains its status as a top-level project within the ASF, according to spokesperson Brian Proffitt. In fact, the recent commits in the OpenOffice GitHub repository have primarily consisted of correcting typographical errors and making minor amendments to translations.

    The current version of OpenOffice, 4.1.15, was released in December 2023. It included several bug fixes and dictionary updates, whilst it last received new features with the release of version 4.1 in April 2014. In the light of this, the LibreOffice team recommends using alternatives and in particular its own office suite.

  • MP escapes Essex for some winter scum

    The dishonourable member for Clacton, one Nigel Paul Farage, has a reputation that stretches way back to his days as a member of the European Parliament of raking in his salary and not doing the work that supposedly comes with the job of being an assembly member in a representative democratic institution.

    Indeed, as The Guardian noted over six years ago: “His voting record while a member of the influential European parliament fisheries committee is utterly dire – over three years, he turned up to one of 42 meetings”.

    He is now treating the gullible burghers of Clacton with the same contempt. He has not so far organised a single surgery for constituents, citing spurious “security” concerns, on which he later backtracked.

    Furthermore, he seems to spend more time away from the House of Commons than actually in it, which might just be understandable given the frog-faced grifter earns far more money outside than his already generous MP’s salary of £91,346, according to both the press and his register of declared financial interests.

    We are all aware too that the western shore of the North Sea can be a dismal place in the heart of winter; and Nigel definitely thinks so too, as he’s just decided to put the whole of the Atlantic between himself and his constituency, as he has posted the photo below on his on-off pal Elon Musk’s apology for a social platform.

    A grinning Nigel Farage against the background of Washington DC at night
    Toto, I don’t think we’re in Clacton anymore!

    Farage is not the only right-wing British politician clogging the streets of Washington DC with their malign presence at the moment. The former MP for West Norfolk, one Mary Elizabeth Truss, whose term of office as prime minister was shorter than the shelf life of a lettuce, is also there, taking a break from sending cease and desist letters to one Keir Rodney Starmer via her lawyers.

    Post reads In DC. The new @realDonaldTrump term can't come soon enough above a picture of Truss dressed in red, white and blue and wearing a MAGA baseball cap
    Make America Grate Again

    The reason for this outflow of talentless right-wing (ex-)politicians? The inauguration in Washington tomorrow of the disgraced 47th president-elect of the United States, the disgraced former 45th president, insurrectionist, convicted felon, adjudicated sexual predator, business fraudster, congenital liar and golf cheat, one Donald John Trump.

    The actions of both fake man of the people Farage and Lettuce Liz remind your ‘umble scribe of moths circling a lit candle… 😀

    In other news, Farage’s party colleague, the perma-tanned Richard James Sunley Tice, the ‘businessman’ whose smile would be gleaming as he stole your granny’s savings, is now splitting his time between his original constituency of Boston and Skegness and his new bailiwick of Dubai.

  • Irish Data Protection Commission fines Meta €251 million

    Yesterday the Irish Data Protection Commission (DPC) announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These inquiries were launched by the DPC following a personal data breach which was reported by MPIL in September 2018.

    This data breach involved some 29 million Facebook accounts around the world, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens – i.e. coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and to personal data of the user and their contacts – on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.

    The DPC submitted a draft decision to the GDPR cooperation mechanism in September 2024, as required under the GDPR’s Article 60. No objections to the DPC’s draft decision were raised.

    The DPC’s final decisions list the following infringements of the GDPR:

    1. Decision 1
      1. Article 33(3) GDPR – By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
      2. Article 33(5) GDPR – By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
    2. Decision 2
      1. Article 25(1) GDPR – By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL and ordered it to pay administrative fines of €130 million.
      2. Article 25(2) – By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

    DPC Deputy Commissioner Graham Doyle commented as follows:

    “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

  • US firm fined by Dutch for illegal facial recognition data gathering

    The Dutch Autoriteit Persoonsgegevens (Personal Data Protection Authority) has announced today that it has imposed a fine of €30.5 mn. on the US company Clearview AI, as well as a non-compliance penalty in excess of €5 mn.

    Clearview is an American company that offers facial recognition services, which has, inter alia, built up an illegal database with billions of photos of faces, including those of Dutch citizens. Furthermore, the authority has warned that using the services of Clearview is also prohibited.

    Clearview offers facial recognition services to intelligence and investigative services. Moreover, Clearview customers can provide camera images to find out the identity of people shown in the images. To this end, Clearview has a database with more than 30 billion photos of people, which it has scraped automatically from the internet and then converted into a unique biometric code per face, all without the knowledge and consent of its victims.

    According to the authority’s chair Aleid Wolfsen, “Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world. If there is a photo of you on the internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China. This really shouldn’t go any further. We have to draw a very clear line at incorrect use of this sort of technology.”

    Clearview says that it provides services to intelligence and investigative services outside the European Union (EU) only.

    Clearview’s services illegal and in breach of the GDPR

    Clearview has seriously violated the privacy law General Data Protection Regulation (GDPR) on several points: the company should never have built the database and is insufficiently transparent. It should never have built the database with photos, the unique biometric codes and other information linked to them. This especially applies to the codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.

    Clearview is an American company without an established presence in Europe. Other data protection authorities have already fined Clearview on various earlier occasions, but the company has not changed its conduct. For this reason the Dutch regulator is investigating ways to ensure the violations stop, including whether the company’s directors can be held personally liable for data protection violations.

    Wolfsen: ‘Such [a] company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.’

    Clearview has not objected to the decision and is therefore unable to appeal against the fine.

  • Crowdstrike and Microsoft – culprit identified

    The BBC reports that a massive IT outage is causing chaos around the world, affecting airports, railways, broadcasters and untold companies.

    Cyber-security firm CrowdStrike Holdings has admitted that the problem was caused by a dodgy update to its software which is allegedly designed to protect Microsoft Windows devices from hacking.

    At the same time, Microsoft has said it is taking “mitigation action” to deal with “the lingering impact” of the outage.

    Although Crowdstrike has admitted liability, social media had long since decided who was to blame and where.

    This is Alan Ferrier on Mastodon, who wins the prize for the best attribution of blame.

    Post reads: Anyone heard how Liz Truss's first day at Microsoft is going?

    The disaster known as Mary Elizabeth Truss was ousted from her comfy job misrepresenting the long-suffering burghers of Norfolk at the 4th July election. She was recently seen at the extreme right-wing Republican National Convention in Milwaukee, where the perpetual victim, one Donald John Trump, has been anointed its presidential candidate despite his being a convicted felon 34 times over, confirmed business fraudster, document thief, adjudicated sexual predator, congenital liar, oath breaker and golf cheat.
