Chat Control back on a procedural trick, four governments in court over NIS2, 281 leaking free VPNs, Meta taking your face by default, and an OS that watches unless you stop it.
In this edition
Get the next GRC Brief in your inbox.
Subscribe to The GRC BriefA majority of MEPs voted against it. It passed anyway.
Two labels, two very different things. Chat Control 1.0 is the voluntary derogation that lets platforms scan unencrypted messages for CSAM. It expired in April when Parliament refused to renew it. On July 2 the Council revived it and sent its position to Parliament under an emergency procedure, timed for the last session before the summer recess. On July 9, blocking it needed an absolute majority: 361 of 720 MEPs. The rejection got 314 votes against 276, so more members opposed it than backed it, yet it fell 47 short and the text stood. Parliament did pass separate amendments excluding end-to-end encrypted services, which now go back to the Council. The permanent, mandatory version, Chat Control 2.0, the one that could force client-side scanning on encrypted apps, is still stuck in trilogue, next round in September. Backers, including major US platforms, argue voluntary scanning is essential to keep detecting and reporting abuse.
Source: My full analysis · christophemazzola.fr
My take
This is the worst thing on the page, and it should make you angry. Strip away the procedure: more MEPs voted against reviving mass message scanning than for it, and it passed anyway. The bar to reject a Council position is a high one by design, an absolute majority, but the vote was rushed under an emergency procedure and scheduled for the last session before summer, when much of the chamber had already gone home. A majority said no. The calendar said yes.
Now the part most coverage gets wrong, and you should not. What came back is 1.0, the voluntary scanning of unencrypted messages, not the mandatory client-side scanning of encrypted apps. The encryption carve-out passed, so Signal, WhatsApp and iMessage are formally out of this one. The dangerous version, 2.0, is still alive in trilogue and lands in September. The win for encryption here is real but narrow, and the fight that matters is three months away.
If you advise anyone running an encrypted product, or a policy team tracking this, put September in the calendar now. The precedent set this week is procedural, not technical. But the appetite is obvious, and the people who want to scan everything just learned they can win a vote they lost.
Four governments skipped the cyber law. The EU took them to court.
On July 8 the European Commission referred Ireland, Spain, France and the Netherlands to the Court of Justice for failing to write NIS2, the EU's flagship cybersecurity directive, into national law. The transposition deadline was October 2024, so the four are more than twenty months late. The Commission is asking the Court to impose a lump sum plus daily penalties until each notifies full transposition. For a sense of how common this delay is: as of January 2025, only six of twenty-seven member states had transposed it. Some of the four are now moving, the Netherlands passed its law on July 7, the day before the referral, and Ireland expects to notify by year end. And the timing has an edge: Ireland took over the rotating EU Council presidency on July 1, one week before being taken to the EU's own top court.
Source: European Commission · Commission referral, 8 Jul 2026
My take
Read this next to the item above and the contrast is the whole newsletter. The one EU law that forces organisations to actually defend themselves, NIS2, has sat unimplemented in four countries for twenty months, mine included. Brussels can fast-track a scanning regime in a week, but the directive that protects hospitals and power grids waits two years and a court summons.
The practitioner point is blunt, and I make it in every class. Your government's delay is not your shield. The deadline passed in October 2024. The obligations, risk management, incident reporting, supply-chain duties, are where the field is going regardless of when Madrid or Paris finishes the paperwork. If you run a regulated entity and you have been waiting on national law as an excuse, you have been building debt, and the bill compresses the moment the text lands.
And savour the timing. Ireland took the EU Council presidency on July 1 and was hauled before the EU's own court on July 8. The people meant to lead on cyber could not implement the cyber law. If you needed proof that awareness and enforcement are different things, there it is.
281 free VPNs tested. The privacy was theatre.
Researchers ran 281 of the most popular free Android VPNs, together installed more than 2.4 billion times, through a new auditing framework called MVPNalyzer, built by teams at Michigan, New Mexico and IIT Delhi. The failures are basic. 29 apps leak traffic outside the tunnel, including the DNS lookups that reveal the sites you visit. 61 send some data in plaintext, and five of those fetch their configuration file in the clear, which lets an attacker on the same network reroute the connection to a server they control. More than 80 percent contacted known advertising and tracking servers, 76 sent the device advertising ID, and one shipped the phone's exact GPS coordinates. The point the researchers keep making: a VPN moves your trust from your internet provider to whoever built the app, and the Play Store's Verified badge behaves more like marketing than a security guarantee.
Source: The Hacker News · MVPNalyzer study, 10 Jul 2026
My take
Same lesson as the ad blocker a few weeks back, new costume. People install these to be safer and hand their traffic to whoever wrote the app. 2.4 billion installs, and the basics are broken: DNS leaking, config files in cleartext, trackers everywhere, one app phoning home your GPS. The Verified badge did nothing, because a badge is a marketing label, not a control.
For your organisation this is not a consumer footnote. It is shadow IT on the endpoints that touch your data. Someone on your team installs a free VPN on the phone that reads company mail, and now your traffic runs through an operator you never vetted, possibly in cleartext. Free VPNs are not a privacy tool. They are a business model, and you are the inventory.
The only real filter is provenance. A recent independent audit, clear ownership, a business paid with money rather than with your data. Everything else, no-logs claims included, is a starting point, not proof.
Meta will turn your public photos into AI images by default.
Meta launched Muse Image, a new AI model that lets people @-mention a public Instagram account and generate images from that person's public photos, videos and reels. It is on by default. Anyone can tag a public profile to build content reusing part or all of its published media, and depending on settings that AI-made content can surface in search results. People are not notified when their images are remixed this way. Switching your account to private for more than a day deletes reels and posts others made from your content, but anything already generated with the AI features stays. Meta says users have full control and can disable it, buried under Settings, then Sharing and reuse. It is the same opt-out-by-default pattern Google just used to start feeding signed-in users' media into its AI models.
Source: The Hacker News · Meta Muse Image, 9 Jul 2026
My take
On by default, and you are not even told when it happens. Sit with that. Meta will take your public photos, let a stranger @-mention you, and generate images of you, and the first you hear of it is never. Control, in Meta's telling, means a switch you did not know existed, buried three menus deep, that does not delete anything already made.
This is the consent problem the whole industry is speeding past. Opt-out by default is not consent, it is consent theatre, and in the EU that is not a UX debate, it is a GDPR one. Google did the same this month with your media and its AI. The pattern is the tell: take first, offer a buried toggle second, notify never.
Two minutes of housekeeping if you use Instagram: Settings, Sharing and reuse, turn off posts and reels. Do it for the public accounts you manage too. And remember it only stops the next remix, not the ones already out there.
The Windows ID you can't turn off just caught a hacker.
A US federal complaint just made public a Windows identifier most people had never heard of: the Global Device Identifier, or GDID. It is a persistent, device-level ID that Microsoft assigns when you sign in with a Microsoft account, it ties the activity your PC reports back to Microsoft to a single identity, and it survives Windows updates. There is no consent screen and no real off switch: you cannot stop Windows generating it without breaking activation, and reinstalling only gives you a new number Microsoft can link back through the same account. Until this case, Microsoft had documented it in a single sentence, in an enterprise Azure reference table. The case itself: a 19-year-old alleged Scattered Spider member breached a US jeweller by social-engineering its help desk, then worked behind VPN proxies. Those proxy IPs were dead ends, but Microsoft's logs placed his machine's GDID at the attacker's signup and the victim's site at the same minutes, and investigators then matched that same ID to his personal accounts across four countries over eight months. The VPN rotated. The GDID did not.
Source: Windows Latest · GDID / FBI complaint, 10 Jul 2026
My take
Two items up, free VPNs were leaking you. Here is the harder version of the same lesson: even a VPN that works perfectly does nothing if your own operating system stamps a permanent ID on everything you do. The hacker used proxies. They were dead ends. The Windows ID underneath was not. Anonymity is not one tool, it is the weakest link in the whole stack, and the OS is usually it.
Nobody is crying for a Scattered Spider member, and this identifier is also how Microsoft handles licensing and fraud, which are reasonable things. The part that should bother you is the asymmetry. Apple and Google gate their device IDs behind a consent prompt and a reset. Microsoft ships one with no prompt, no reset, one sentence of public documentation, tied to your account rather than to you, and the public only learned it existed because a court filing spelled it out.
For your threat model, be precise about what a VPN buys you: it hides your network path, not your machine's identity. If identity itself is the risk, journalism, activism, an at-risk person, that is a local-account, Linux, or Tails conversation, not a VPN one. For a managed fleet, it is one more reason your endpoint identity strategy cannot stop at the network layer.