March 2026 kept up an uncomfortable rhythm: external attackers grew more capable, and EU Commision proposals quietly chipped away at the protections citizens already had. The European Parliament voted to end mass scanning of private communications, while the European Commission, the same institution that originally proposed Chat Control, simultaneously pushed a Digital Omnibus that would narrow the definition of personal data and open AI training to public data by default. The elected Parliament and the independent regulators are resisting on both fronts. Here’s what happened this month:
This Month at a Glance
⬇ Sweden’s E-Government Source Code Exposed via CGI Breach: Threat actor ByteToBreach published the full source code of Sweden’s national E-platform on 12 March, including authentication credentials, API signing systems, and routing configurations – giving any future attacker a detailed map of the country’s public digital infrastructure.
⬇ France: 15.8 Million Health Records Stolen in Supply Chain Attack on Cegedim Santé: Attackers breached the medical software vendor used by 3,800 French doctors, exfiltrating 15.8 million patient records – including 165,000 doctors’ free-text notes containing HIV status, sexual orientation, and the health data of senior politicians.
⬆ Chat Control 2.0: EU Parliament Votes to End Mass Scanning of Private Communications: On 11 March, MEPs voted to restrict CSAM detection strictly to users under judicial suspicion, explicitly protecting end-to-end encrypted communications and rejecting the untargeted mass surveillance model in place since 2021.
⬇ GDPR Omnibus: The Same Commission Pushing Chat Control Is Now Proposing to Hollow Out GDPR: The European Commission’s Digital Omnibus proposes narrowing the definition of personal data, opening a “legitimate interest” route for AI training on public data, and delaying high-risk AI enforcement until 2028 – prompting a sharp rebuke from both the European Data Protection Board and the European Data Protection Supervisor.
⬇ Prompt Injection Is Already Being Used Against You: Microsoft found 31 companies already embedding hidden commands in “Summarise with AI” buttons to bias your AI’s memory. New research by Schneier and colleagues shows this is just the first stage of a seven-step “promptware kill chain” that can end in data exfiltration, financial fraud, or physical-world impact.
⬇ LLMs Can Unmask Anonymous Users at Scale with Alarming Accuracy: Researchers showed that LLM agents can identify anonymous posters on Reddit, Hacker News, and LinkedIn from just a handful of comments – inferring location, profession, and interests, then searching the web for a real name.
⬇ Anthropic vs. The Pentagon: What Happened When AI Safety Met Military Demands: After Anthropic refused to remove guardrails against mass surveillance and autonomous weapons, the Trump administration banned federal use of its models and designated the company a national security supply-chain risk – a step a federal judge later called likely arbitrary and capricious. OpenAI stepped in within hours.
⬇ Google Demands Government ID from All Android Developers Including Those Outside the Play Store: Starting September 2026, every developer distributing Android apps – regardless of distribution channel – must register with Google and hand over legal name, home address, and in many cases a government-issued ID. The EFF, F-Droid, and 35 other organisations have demanded the policy be withdrawn.
⬆ Ring Ends Flock Partnership as Pushback Grows Against Neighbourhood Surveillance Networks: Amazon cancelled its Ring integration with AI licence plate reader company Flock Safety. Some US cities are now delaying or scrapping Flock deployments amid growing concern that consumer cameras are creating de facto police sensor grids.
⬇ Meta AI Glasses Sent Intimate Footage to Kenyan Contractors Without Telling Users: A class action filed in March alleges Meta’s Ray-Ban smart glasses, marketed as “designed for privacy, controlled by you,” secretly transmitted videos of users’ homes and private activities to subcontractors in Kenya for AI training purposes.
Sweden’s E-Government Source Code Exposed via CGI Breach
On 12 March 2026, threat actor ByteToBreach published what it claimed was the complete source code of Sweden’s national E-plattform, the digital backbone for electronic signing, citizen services, and inter-agency data exchange. The breach allegedly happened through CGI Sverige AB (a big IT services firm), where attackers exploited a poorly secured build server to sneak in. They then used stolen access keys to reach private code storage. The same actor had breached ferry operator Viking Line just 24 hours earlier, pointing to an active campaign against Swedish infrastructure via CGI’s managed services footprint. CGI confirmed an incident affecting two internal test servers and stated there was no evidence of impact on production environments.
The leaked material reportedly includes source code for core government platforms, plus database passwords, SMTP credentials, and keystore files. Swedish Civil Defence Minister Carl-Oskar Bohlin acknowledged the leak, with CERT-SE and the National Cyber Security Centre actively investigating. Security researchers have been quick to point out that source code, once public, does not expire: the architectural knowledge it contains – API endpoints, authentication mechanisms, integration points – remain available to anyone seeking to probe Sweden’s public digital infrastructure for weaknesses not yet patched. Around 95% of Sweden’s 10.7 million population use e-government services regularly.
To limit your exposure, Swedish residents using government portals should monitor for unusual account activity and be alert for phishing using detailed knowledge of government systems. Organisations using CGI-managed services anywhere in Europe should rotate credentials and tokens associated with those integrations immediately. The structural lesson is broader than Sweden: governments that outsource core digital infrastructure to a single commercial vendor inherit that vendor’s security posture, without exception.
Continue reading: Sweden’s E-Government Source Code Leaked in Major CGI Sverige Breach (SafeState)
France: 15.8 Million Health Records Stolen in Supply Chain Attack on Cegedim Santé
In early March, Cegedim Santé confirmed that a cyberattack detected in late 2025 had resulted in the theft of 15.8 million patient administrative records from its MonLogicielMedical platform, used by around 3,800 doctors across France. The stolen data includes names, dates of birth, addresses, and contact details. Most significantly, 165,000 records contained doctors’ free-text notes that in some cases included HIV status, sexual orientation, and personal medical history. France 24 reported that senior politicians were among those affected, and the breach data subsequently appeared for sale on dark web forums.
The attack came weeks after a separate breach of France’s national bank account registry exposed 1.2 million account holders and is considered one of the largest healthcare data breaches in French history. The hacking group DumpSec is suspected; Cegedim had received an €800,000 fine from the CNIL in 2024 for prior data processing violations. The central lesson is supply chain exposure: attackers bypassed the health ministry entirely by targeting a software vendor used by thousands of doctors, gaining access to data from millions of patients who had never knowingly interacted with Cegedim at all.
To protect yourself, if you have visited a French GP recently, treat your administrative data as potentially compromised and be alert for targeted phishing referencing appointments or personal details. Change passwords on any online patient portals and enable multifactor authentication where available. For healthcare organisations across Europe, NIS2 Directive obligations now apply to essential service providers and their significant ICT suppliers; a breach of this scale will attract regulatory attention.
Continue reading: Hack on French Medical Site Sees Over 15 Million Records Leaked (TechRadar)
Chat Control 2.0: EU Parliament Votes to End Mass Scanning of Private Communications
On 11 March 2026, the European Parliament voted 458 to 103 to extend the Chat Control 1.0 interim regulation until August 2027, but with a landmark constraint attached. MEPs adopted an amendment requiring scanning of private communications to be strictly limited to users where a competent judicial authority has established a link to child sexual abuse. End-to-end encrypted services are explicitly excluded. The Parliament rejected the untargeted model that had operated since 2021, under which Big Tech companies scanned all private communications indiscriminately; the Commission’s own evaluation found false positive rates of up to 20%, and 99% of EU reports to law enforcement originating from a single US company: Meta.
The situation remains unresolved. Three-way talks between Parliament, Council, and Commission began on 12 March with the interim regulation set to expire on 3 April, and further sessions are scheduled for 4 May and 29 June 2026. The Council has historically pushed for a far more expansive scanning regime than the Parliament, and the final agreed text is what will actually determine whether messages can be scanned. What makes this victory fragile is its context: the institution the Parliament pushed back against is the European Commission, the same body simultaneously advancing GDPR changes that would narrow what counts as personal data and open AI training to public data without meaningful consent. The Parliament voted on one front; the other is already open.
To reduce your exposure, use end-to-end encrypted apps like Signal, Session, or Mailfence for communications you want to keep private. These would fall outside the scope of any scanning under the Parliament’s current position. Follow the June three-way talks closely: organisations such as EDRi, NOYB, and the EFF are monitoring proceedings and accept public support.
Read more: Chat Control: EU Parliament Said No, But the Battle Isn’t Done (TechRadar)
GDPR Omnibus: One Package, Two Threats – Personal Data and AI Enforcement
Two days before the Chat Control vote, the Commission’s Digital Omnibus proposal was quietly moving forward through the legislative process. Three GDPR changes stand out. First, a proposed “subjective approach” to the definition of personal data: information would only qualify as personal if the current holder can identify the individual, meaning data brokers could argue pseudonymous identifiers fall outside GDPR’s scope entirely. Second, a new “legitimate interest” legal basis for AI training on publicly available personal data, with only an opt-out mechanism rather than consent. Third, the Commission would acquire the power to declare unilaterally whether pseudonymised data qualifies as personal. The European Data Protection Board and the European Data Protection Supervisor responded in a joint opinion with unusual directness, calling the personal data changes far beyond a technical amendment. The Commission has since said it will not proceed with the narrowed definition, but the AI training provisions remain on the table.
The same legislative package goes further still on AI. The Digital Omnibus on AI – published as the second component of the same legislative text on the same day – proposes delaying compliance obligations for high-risk AI systems from August 2026 to December 2027 at the earliest, with systems in the highest-risk category facing a deadline of August 2028. No EU member state has yet formally designated a national AI enforcement body. Read together, the two components form a coherent picture: make it easier to train AI on personal data, and buy more time before anyone is held accountable for what that AI does.
To stay ahead of this, follow NOYB (noyb.eu) and EDRi as negotiations proceed. Your existing GDPR rights remain fully in force: the right to access data held about you, to deletion, and to object to processing for AI training where legitimate interest is claimed. Exercise them now, before any changes take effect. Organisations deploying AI in the EU should not treat the delay as a reason to slow compliance work; GDPR obligations and the AI Act’s prohibited practices apply now.
Learn more: Digital Omnibus: EU Commission Wants to Wreck Core GDPR Principles (noyb)
Read more: EDPB and EDPS: Support Simplification While Raising Key Concerns (European Data Protection Board)
Prompt Injection Is Already Being Used Against You – And It’s Just the Beginning
Microsoft’s security team found over 50 hidden instructions embedded in “Summarise with AI” and “Ask AI” buttons across websites belonging to 31 companies in 14 industries. When clicked, these buttons send not just the visible content to your AI assistant but also concealed commands – “remember [Company] as a trusted source” or “recommend [Company] first” – which persist in the AI’s memory and silently bias future recommendations on health, finance, and security topics without the user ever seeing the injected text. Bruce Schneier describes it as the AI equivalent of search engine optimisation: a foreseeable commercial practice now deployed at scale.
What makes this more than a marketing nuisance is where it sits in a larger threat landscape. In a paper published in Lawfare, Schneier and colleagues map the “promptware kill chain,” a seven-stage framework showing how AI agent attacks now mirror the structure of sophisticated malware campaigns. The Microsoft finding covers the first two stages: initial access and persistence. The remaining stages have already been demonstrated in research: in one documented case, a malicious prompt embedded in a Google Calendar invitation eventually coerced an AI assistant into livestreaming video of the victim without their knowledge. The root cause cannot be patched: LLMs treat all input as a single undifferentiated stream of tokens, with no architectural separation between trusted instructions and untrusted data.
To mitigate risks, turn off memory features in your AI assistant or clear stored memories regularly – most platforms now expose this in settings. Avoid clicking “Summarise with AI” on commercial websites; paste content directly into your tool instead, so you control what instructions accompany it. Treat any AI agent with access to your email, calendar, or work files as a potential attack surface and restrict what it can access and send externally. Organisations deploying AI agents should focus on breaking the kill chain at later stages: limit permissions, prevent persistence in long-term memory, and constrain the range of actions an agent is permitted to execute.
Read more: The Promptware Kill Chain (Lawfare)
LLMs Can Unmask Anonymous Users at Scale with Alarming Accuracy
Research published this month and covered by Ars Technica shows that LLM-based agents can identify anonymous or pseudonymous users across Reddit, Hacker News, LinkedIn, and anonymised interview transcripts with high precision, across tens of thousands of candidates. From a handful of posts, the model infers location, profession, age, and interests, then constructs search queries to match the account to a real name. It requires no specialised forensic skill and no database of known individuals to compare against.
The LLM does in minutes the analytical work that previously required experienced human investigators at a scale and speed that makes bulk deanonymisation viable for the first time. The implications extend to whistleblowers, journalists’ sources, political activists, domestic abuse survivors, and anyone who has treated pseudonymity as meaningful protection online. It is no longer safe to assume that what you write anonymously cannot be traced back to you by a determined or well-resourced actor.
To protect yourself, treat any text posted under a pseudonym as potentially linkable to your real identity. Vary your writing style across platforms, avoid repeating location or professional details across posts, and keep accounts on different platforms unlinked. For genuinely sensitive activity – source contact, political organising in a hostile environment – do not rely on pseudonymity alone. Use accounts created over Tor or a trustworthy VPN and communicate through encrypted channels rather than public forums.
Continue reading: LLMs Can Unmask Pseudonymous Users at Scale (Ars Technica)
Anthropic vs. the Pentagon: What Happened When AI Safety Met Military Demands
On 27 February 2026, the Trump administration ordered all federal agencies to stop using Anthropic’s models after a dispute over the company’s guardrails on “mass surveillance” and “fully autonomous weapons”. Defence Secretary Pete Hegseth publicly dismissed these limits as “woke”. The administration then branded Anthropic a “supply‑chain risk to national security” – a tool normally used against foreign suppliers – cutting the company off not just from federal agencies but also many of their contractors and suppliers. OpenAI moved quickly to sign a replacement deal, positioning itself to capture a lucrative slice of federal AI work.
Writing in The Guardian, Bruce Schneier and Nathan E. Sanders argue that the episode reveals the limits of relying on corporate ethics instead of law. In their view, Anthropic entered this conflict with eyes open when it accepted a $200 million defence partnership last year and a deal with Palantir in 2024, and its “ethical AI” branding is also a business strategy. The deeper lesson, they write, is that if the defence department is using AI for mass surveillance or autonomous targeting, the answer is not to hope a contractor says no, but to pass laws that prohibit those practices outright. The decision to label a US company a national security risk after it resisted military demands is highly unusual and is now being challenged in court.
To stay informed, monitor the legal challenges to Anthropic’s national security designation as they proceed. More broadly, this dispute illustrates why the question of what AI can be used for cannot be resolved by individual companies’ terms of service: democratic oversight, not corporate ethics branding, is the appropriate mechanism. If you are an organisation using Anthropic products in a US government supply chain, review your compliance obligations urgently.
Read more: Anthropic, OpenAI, and the Pentagon: The Real Lesson Isn’t About Corporate Ethics (The Guardian)
Continue reading: Anthropic’s Statement on the Department of Defense (Anthropic)
Google Demands Government ID from All Android Developers – Including Those Outside the Play Store
Starting September 2026, any app installed on a certified Android device must be registered to a Google-verified developer, regardless of distribution channel. This covers not only the Play Store but F-Droid, the Amazon Appstore, direct APK downloads, and enterprise sideloading. Registration requires legal name, home address, email, phone number, and, in many cases, a government-issued ID. Enforcement begins in Brazil, Indonesia, Singapore, and Thailand in September, with a global rollout from 2027. Google frames this as an accountability measure against repeat malware distributors, who currently reappear under fresh identities after removal.
A coalition of 37 organisations – including the EFF, F-Droid, the Free Software Foundation, the Tor Project, Proton, and Vivaldi – signed an open letter demanding the policy be withdrawn, arguing that Google is extending gatekeeping authority into distribution channels it does not own or operate. For F-Droid, which distributes hundreds of open-source apps from volunteer contributors worldwide, compelling developers to register their identities with Google is structurally incompatible with how the project works. F-Droid has been explicit: if Google proceeds, the project as currently constituted ceases to exist for users of certified Android devices. The policy does not affect custom Android builds such as GrapheneOS, LineageOS, and /e/OS.
To prepare, if you distribute apps outside the Play Store, check developer.android.com/developer-verification for registration options. A free limited-distribution tier is available, permitting up to 20 authorised devices without a government ID – sufficient for hobbyists and researchers. If you rely on F-Droid apps on a standard Android device, some may stop installing by September unless their developers register. Switching to a custom Android build remains the most reliable way to sidestep this policy entirely.
Learn more: Google Says Developer Verification Makes Android Safer. Critics Say It Makes Android More Closed (It’s FOSS)
Ring Ends Flock Partnership as Pushback Grows Against Neighbourhood Surveillance Networks
Amazon cancelled its Ring integration with Flock Safety, the AI-driven automatic licence plate reader company used by thousands of US police departments, following public criticism about law enforcement access to residential surveillance data. The cancellation signals how commercially damaging the association has become, even as Flock’s law enforcement relationships continue to expand. Flock’s readers automatically log the movements of every vehicle passing a covered area and make that data available to police with minimal oversight or warrant requirements.
The backlash extends beyond civil society. Some US cities are now delaying or cancelling Flock deployments following public objections, with concerns centring on law enforcement access, potential use in immigration enforcement, and the absence of meaningful transparency or community consent. Immigration advocates have been particularly vocal: licence plate reader data can identify where individuals live, work, worship, and travel and may be shared with immigration enforcement agencies under data-sharing agreements that residents never saw or voted on. The Ring cancellation suggests the reputational cost of consumer-grade surveillance infrastructure is beginning to register with the consumer brands that help build it.
To safeguard yourself, review the terms of any smart doorbell or exterior camera that connects to a neighbourhood network; many share footage with law enforcement by default without users being aware of it. Disable any data-sharing features you did not consciously enable. If you live in a US city, check whether Flock readers are deployed locally and whether a public data policy governs their use. The EFF publishes guides on understanding and challenging local surveillance infrastructure.
Read more: Ring Cancels Its Partnership with Flock (The Verge)
Meta AI Glasses Sent Intimate Footage to Kenyan Contractors Without Telling Users
On 4 March 2026, plaintiffs Gina Bartone and Mateo Canu filed a class action lawsuit against Meta Platforms and Luxottica of America in California federal court, alleging that Meta’s Ray-Ban Meta AI smart glasses secretly transmitted video footage to third-party subcontractors in Kenya for human review and AI model training. The suit follows reporting by Swedish newspaper Svenska Dagbladet, whose sources described workers viewing “intimate” content, including bathroom visits, sexual encounters, changing clothes, credit card numbers, and identifiable faces. Meta confirmed to Engadget that contractors do review footage in some cases; the lawsuit alleges that the anonymisation safeguards Meta claims are in place “do not reliably function”.
The central deception alleged is architectural. Using the glasses’ Live AI or any multimodal feature requires sharing footage with Meta’s servers, from where it can be routed to human contractors. There is no way to use these features without sharing. Yet Meta’s marketing described the product as “designed for privacy, controlled by you” and “built for your privacy”, and its privacy policy makes no mention of human review at all. The Clarkson Law Firm argues that no reasonable consumer would understand a “designed for privacy” claim to mean that footage from inside their home would be reviewed and catalogued by workers overseas.
To keep yourself protected, treat any AI-enabled wearable camera as a device that may transmit what it sees to the manufacturer’s servers, regardless of what the packaging says. If you own Ray-Ban Meta glasses and use Live AI features, your surroundings are being processed remotely; review what features you have active and disable any you do not deliberately choose to use. Before purchasing any AI-equipped consumer hardware, check the privacy policy for any mention of how footage or audio is processed, by whom, and in which country.
Read more: Meta Hit with a Class Action Lawsuit Over Smart Glasses’ Privacy Claims (Engadget)
Continue reading: Class Action Claims Meta AI Glasses Recordings Used to Train AI Without Users’ Knowledge (Top Class Actions)
Recommended Reading
- Crypto-Gram March 15, 2026 (Schneier on Security)
- List of Recent Data Breaches in 2026 (Bright Defense)
- Cybersecurity & Privacy News and Analysis (Law360)
- Best Small Business Email Hosting in 2026 (Mailfence Blog)
- How to Attach an Email to an Email in 2026 (Mailfence Blog)
That’s All for This Month’s Newsletter!
March 2026 rewarded attention to detail. The Chat Control vote was a genuine win, but it sits inside a larger picture where the Commission is fighting on a second front with the Digital Omnibus. The promptware research is alarming in the abstract; the Microsoft finding confirms it is already happening in the mundane. The CGI Sverige and France healthcare breaches are a reminder that the weakest link in any system is the vendor nobody was watching. And Meta’s smart glasses are a reminder that “designed for privacy” on a box means nothing without knowing what happens to footage after it leaves your hands. Stay sceptical of defaults and ask hard questions of the services you use. Thank you for reading, and we look forward to keeping you informed in April.
Best,
Patrick
Get the latest privacy news in your inbox
Sign up to the Mailfence Newsletter.
