惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

Help Net Security

Your work apps are quietly handing 19 data points to someone ChatGPT advanced account security adds passkeys and hardware keys Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months Automating Pentest Delivery: A Step-by-Step Guide - PlexTrac Open-source privacy proxy masks PII before prompts reach external AI services Shadow AI risks deepen as 31% of users get no employer training Identity is the control plane for distributed infrastructure AI traffic is getting bigger, louder, and less predictable New infosec products of the month: April 2026 cPanel zero-day exploited for months before patch release (CVE-2026-41940) Cisco releases open-source toolkit for verifying AI model lineage Met Police face criticism for using AI to spy on their own officers Nine-year-old Linux kernel flaw enables reliable local privilege escalation (CVE-2026-31431) Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security IP Fabric MCP server adds governance and control to enterprise AIOps workflows - Help Net Security Aqua Compass MCP server enables real-time investigation and containment of runtime threats - Help Net Security Google brings instant email verification to Android, no OTP needed - Help Net Security If cyber espionage via HDMI worries you, NCSC built a device to stop it - Help Net Security Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950) - Help Net Security GopherWhisper APT group hides command and control traffic in Slack and Discord - Help Net Security OpenAI tackles a bad habit people have when interacting with AI - Help Net Security A year in, Zoom's CISO reflects on balancing security and business - Help Net Security Scenario: Open-source framework for automated AI app red-teaming - Help Net Security Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security Google’s Workspace Intelligence promises privacy while running on your data - Help Net Security Cyberattack on French government agency triggers phishing alert - Help Net Security Claude Mythos finds 271 Firefox flaws, Mozilla believes zero-days are numbered - Help Net Security Prove Identity Platform connects verification, authentication, and fraud prevention - Help Net Security New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security Acronis GenAI Protection gives MSPs control over AI usage and data risks - Help Net Security Elastic MCP Apps bring security and observability workflows into AI tools - Help Net Security Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) - Help Net Security Tencent's QClaw AI agent app arrives on Windows and macOS - Help Net Security Phishing reclaims the top initial access spot, attackers experiment with AI tools - Help Net Security OneDrive updates focus on AI, access control, and compliance - Help Net Security PentAGI: Open-source autonomous AI penetration testing system - Help Net Security Apple Intelligence flaw kept stolen tokens reusable on another device - Help Net Security Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security Thunderbird 150 arrives with encrypted message search and OpenPGP improvements - Help Net Security VirtualBox 7.2.8 is out with Linux kernel 7.0 support and crash fixes - Help Net Security Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency Ivanti Neurons AI automates IT operations, reducing manual work and security risk Silobreaker Mimir adds agentic AI to intelligence workflows with governance and transparency - Help Net Security OpenAI’s Chronicle feature lets Codex read your screen, raising privacy concerns CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133) A single platform powers SIM farm proxy networks across 17 countries - Help Net Security NGate NFC malware targets Android users through trojanized payment app - Help Net Security Meta and PortSwigger drive offensive security further to find what others miss - Help Net Security EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security SmokedMeat: Open-source tool shows what attackers do inside CI/CD pipelines - Help Net Security How to spot a North Korean fake in a job interview - Help Net Security Product showcase: Syncthing for secure, private file synchronization - Help Net Security Week in review: Acrobat Reader flaw exploited, Claude Mythos offensive capabilities and limits Google wipes out 602 million scam ads with Gemini on duty Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild GitLab 18.11 brings agentic AI to security fixes, CI pipelines, and delivery analytics Liongard upgrades LiongardIQ with AI access, live asset data, and deeper discovery Mozilla challenges enterprise AI providers with Thunderbolt, open-source AI client under your control Codex can now operate between apps. Where are the boundaries? Android 17 Beta 4 arrives with post-quantum cryptography and new memory limits Apple AirTag tracking can be misled by replayed Bluetooth signals Social media bans might steer kids into riskier corners of the internet Workplace stress in 2026 is still worse than before the pandemic New infosec products of the week: April 17, 2026 - Help Net Security ImmuniWeb brings AI upgrades, post-quantum detection and more in Q1 2026 NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward Anthropic releases Claude Opus 4.7 with automated cybersecurity safeguards - Help Net Security Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) - Help Net Security Google Play is changing how Android apps access your contacts and location Tails 7.6.2 patches vulnerability that could expose saved files Cargo theft malware actor spent a month inside a decoy network before researchers pulled the plug Two US nationals jailed over scheme that generated $5 million for the North Korean regime Product showcase: Ente Auth encrypts, backs up, and syncs 2FA Wi-Fi roaming security practices for access network providers and identity providers European AI spending set to hit $290 billion by 2029 Windows is getting stronger RDP file protections to fight phishing attacks Capsule Security debuts with $7 million funding to secure AI agent behavior Hackers hijacked CPUID downloads, served STX RAT to victims $12 million frozen, 20,000 victims identified in crypto scam crackdown Rockstar Games receives “pay or leak” warning after cyberattack Google makes it harder to exploit Pixel 10 modem firmware Siemens expands Industrial Automation DataCenter with edge AI and cybersecurity Adobe issues emergency fix for Acrobat Reader flaw exploited in the wild (CVE-2026-34621) Seized VerifTools servers expose 915,655 fake IDs, 8 arrested Fixing vulnerability data quality requires fixing the architecture first ZeroID: Open-source identity platform for autonomous AI agents MITRE releases a shared fraud-cyber framework built from real attack data The fully free Linux OS Trisquel gets a major update with version 12.0 Ecne Week in review: Windows zero-day exploit leaked, Patch Tuesday forecast ClickFix campaign delivers Mac malware via fake Apple page Poisoned “Office 365” search results lead to stolen paychecks Gmail’s end-to-end encryption comes to mobile, no extra apps required To counter cookie theft, Chrome ships device-bound session credentials Product showcase: Session, a messenger without phone numbers or metadata Little Snitch for Linux shows what your apps are connecting to - Help Net Security Apiiro CLI turns AI coding assistants into full-stack security engineers - Help Net Security April 2026 Patch Tuesday forecast: Spring-cleaning of a preview - Help Net Security What vibe hunting gets right about AI threat hunting, and where it breaks down - Help Net Security Health insurance lead sites sell personal data within seconds of form submission - Help Net Security
GDPR works, but only where someone enforces it - Help Net Security
Sinisa Marko · 2026-04-23 · via Help Net Security

A new measurement study of web tracking across ten countries offers a reality check for anyone working on privacy compliance.

Researchers crawled the same set of globally popular websites from virtual machines located in Australia, Brazil, Canada, Germany, India, Singapore, South Africa, South Korea, Spain, and California. The results show that European privacy law does reduce tracking, and that most of the reduction happens in the two jurisdictions where regulators bring cases.

GDPR enforcement

The headline numbers

Visitors from Germany and Spain see less tracking than visitors from elsewhere on the identical set of global sites. On a shared list of 525 globally popular sites, users in EU countries encountered 50.5% fewer tracker connections on average than users in non-EU countries. German users saw the lowest exposure at 4.2 average tracker connections per site. Spanish users saw 5.3. California users saw 11.7, and Australian users saw 11.2.

A smaller experiment on 36 of those global sites produced an even sharper result. In Germany, a user who simply ignored the cookie banner saw 48.5% fewer tracker connections than a user who clicked accept. In California, the same behavior produced only a 21.1% reduction, which aligns with the opt-out design of the California Consumer Privacy Act.

On locally popular sites, the range widens considerably. Only 44.6% of the most popular German country-coded sites made any tracker connection at all. In Australia, 96% did.

Enforcement is the variable

Seven of the ten studied jurisdictions require opt-in consent for tracking cookies. Three permit tracking until the user opts out. On paper, Brazil, India, Singapore, South Korea, and South Africa all have opt-in regimes comparable to the GDPR. In the data, their tracking levels sit much closer to the opt-out jurisdictions than to Germany and Spain.

The authors categorize only Germany and Spain as high-enforcement jurisdictions. German data protection authorities have been active since the 1970s, and the Spanish authority recently fined SEAT for placing non-essential cookies without consent. Across the EU, regulators have issued 833 fines totaling €3.01 billion for insufficient legal basis for data processing.

Medium-enforcement jurisdictions include Australia, Canada, South Korea, and California. These regulators pursue individual high-profile cases. The California Attorney General recently settled with Disney for $2.75 million over failures to honor opt-out signals. The new California Privacy Protection Agency has brought actions against PlayOn Sports and Ford.

Low-enforcement jurisdictions include Brazil, India, Singapore, and South Africa. Brazil’s LGPD closely mirrors the GDPR, and its first enforcement actions have focused on data breaches in the public sector. India’s DPDP Act is too new for meaningful enforcement. Singapore and South Africa have had laws on the books for more than a decade without strong action on consent.

South Korea illustrates the gap. Its Personal Information Protection Act requires opt-in consent comparable to the GDPR. Among the most popular Korean sites, 75.9% connect to at least one tracker, and 1.8% deploy a cookie banner of any kind.

The Brussels shield

The study’s more original contribution is its framing of a “Brussels shield” effect. The widely discussed Brussels effect predicts that EU rules export themselves globally because multinational companies find it cheaper to apply the strictest standard everywhere. The data shows something more limited.

When operators of the globally popular sites decide where to deploy cookie banners, their behavior falls into three groups. About a quarter deploy banners in every country studied. A roughly equal share deploy banners nowhere. The remaining sites deploy banners selectively, and when they do, the selection is almost always Germany and Spain, sometimes paired with Brazil or California. The EU-only pattern is the dominant selective strategy by a wide margin.

The 28% that deploy everywhere do reflect a genuine Brussels effect. For the larger population of sites that geofence their compliance to EU visitors, the law functions as a shield for Europeans without improving matters for users elsewhere.

What the tracking layer looks like

Advertising is the dominant category of tracking on the web, accounting for about two-thirds of recorded connections. Analytics and social trackers make up the rest. The advertising category has a long tail of vendors, and the social category is concentrated in four companies: Facebook, LinkedIn, X, and Reddit. Across every country in the study, the same handful of parent companies sit at the top of the rankings: Google, Facebook, LinkedIn, Microsoft, Adobe, and X.

The consent management layer is consolidating around a small number of platforms, with OneTrust appearing on a large share of sites the crawler visited. For security and compliance teams, this means the behavior of a few vendors largely determines whether a given site’s banner is compliant and whether trackers fire before consent is captured.

One finding deserves attention from anyone auditing their own properties. On the globally popular list, sites without a visible cookie banner carried more trackers on average than sites with one. The quieter user experience was the more tracker-heavy one. A missing banner is a stronger signal of non-compliance than a present one.

Caveats worth keeping in mind

The study measures tracker connections, which is a proxy for potential data sharing. A connection is a necessary condition for third-party data collection. It is not a sufficient one. Some recipients may discard data server-side. The study also cannot capture tracking that happens through server-to-server channels, fingerprinting techniques outside the Disconnect block lists, or other mechanisms that leave no network trace on the client. The tracker categorization depends on the accuracy of the Disconnect Tracker Protection lists.

The “US” jurisdiction in this study is specifically California under the CCPA. Results would differ in states with weaker or no comprehensive privacy law. The country-specific site lists rely on country-code top-level domains, which under-represent sites that operate locally on .com addresses. The interaction sub-study covered 36 sites.

What to take from this

For compliance leaders, the study supports a few working conclusions. A privacy law without active regulators produces tracking behavior close to having no law at all. The gap between Brazil’s LGPD text and Brazilian tracker exposure is the clearest example in the dataset. Opt-in legal regimes do produce lower tracker exposure when enforced, and the combination of the GDPR and the ePrivacy Directive is the only combination in the study that produces a large gap between consenting and ignoring a banner.

For architects, the concentration of the ad and analytics markets around roughly six parent companies means that privacy improvements at the platform layer propagate widely. The consolidation around a small number of consent management platforms has a similar effect. Decisions made at OneTrust or its competitors now determine baseline compliance for a large share of the web.

For anyone operating across jurisdictions, the trimodal deployment pattern reflects the dominant strategy in practice. Apply GDPR-grade controls in the EU, lighter controls elsewhere, and accept the resulting complexity. The study suggests this approach will grow harder as more countries adopt opt-in laws with local variations, and as California and its sister states push opt-out preference signals like Global Privacy Control into broader use.

Web tracking exists because the ad-financed content model requires it. Privacy law can shape the terms of that exchange, and the evidence from this study indicates that it does so where regulators follow through.

Secure by Design: Building security in at the beginning