2025 In Review
Each year, I like to run through the projects that I'm proud of or think others can benefit from. I hope it helps you learn something new, whether that's an idea you can take with you into 2026, a resource you're unaware of, or increased understanding of some part of our world.
U.S. Big Tech’s Role in China’s Digital Police State
This year I wrapped up a three-year investigation led by Associated Press (AP) journalist and Pulitzer Prize finalist Dake Kang, in collaboration with investigative researcher Myf Ma, with with visuals, interactives, digital production, sourcing, verification and editorial support across AP.
DAKE KANG
The article series focuses on China's use of American technology in policing and human rights abuses, finding that Chinese police and state-owned defense contractors partnered with American tech firms to design China’s surveillance system. At times, the companies even pitched their tech for surveillance.
Companies pulled down webpages in response to our reporting. Additionally, lawmakers and activists called on American tech firms to stop selling surveillance equipment to Chinese police and for Congress to examine the issue in response to this series, which also won an internal award at AP. It was featured in AP's Story Behind the Story, and it was cited by China Digital Times, LNGFRM, Politico Pro, Taiwan's Central News Agency, Tibetan Review, This Week in Security, and the Uyghur Reader.
I am attaching the pieces that I'm bylined, credited or cited in, though there are others in the series.
DAKE KANG
DAKE KANG
DAKE KANG
DAKE KANG
Consumer Cyber Readiness Report
The big news in this year's Consumer Cyber Readiness Report, which I wrote for Consumer Reports with assistance from Stacey Higginbotham and Jeff Landale, was the massive increase in texting and messaging scams. In addition to the report, I covered this in an article for Consumer Reports. It was also on Arizona Family News, Good Morning Cleveland/ABC News 5 Cleveland, KTLA-5 in Los Angeles, California, News Channel 5 in Nashville, Tennessee, WFMY-News 2 in Greensboro, North Carolina, WMUR 9 in New Hampshire, and WSOC-TV in Charlotte, North Carolina. It was cited in Bro Bible, Forbes, Help Net Security, Inside Cybersecurity, Mental Floss, Newsweek, Popular Science, Techdirt, and This Week in Security. (Last year's report was cited by New York Amsterdam News and USA Today.)
Treating Online Abuse Like Spam
For Consumer Reports, I teamed up with Deepak Kumar, assistant professor of Computer Science and Engineering at University of California San Diego, and Viktorya Vilk, director of digital safety and free expression at PEN America, on a report exploring whether it's feasible for social media companies to treat some types online abuse more like spam by empowering individual users with features or settings that allow them to proactively filter out and quarantine potentially abusive content. Current approaches are largely reactive, requiring users to address abuse by blocking or reporting it, often only after repeated exposure. The new approach we explored would equip users with more flexible and customizable tools to protect themselves from harassment while still protecting free expression. I wrote about the report in an article for Consumer Reports, and it was covered in Ms. Magazine in an op-ed by Viktorya Vilk along with Amanda Wells, and cited in the Trust & Safety Professional Association (TSPA) newsletter, as well as Be Spacific. We were also interviewed in a Patreon post on Inverted byAlyssa Mercante.
People Search Removal Services
I continue to update my big ass data broker opt out list (BADBOOL), a personal project that helps people remove their personal data from people search sites. This year I added a new page called FIG (Filling in the Gaps for People Search Removal Services) to help people using a paid service figure out where else they need to manually opt out.
I was included in a video about data brokers and people search sites for Privacy Guides. BADBOOL is also linked to in Privacy Guides, along with the report from last year. It's cited in a post on Freedom of the Press Foundation's website. I spoke with several legal clinics, nonprofit organizations, and state legislators about this issue. And last year's report was cited, albeit incompletely, in an academic paper by Brave.
Security Planner
Security Planner is cited as a resource in Stop Hacklore, a site with an open letter I signed which urges urge communicators and decision-makers to stop promoting “hacklore”—catchy but inaccurate digital security advice—and instead share guidance that meaningfully reduces harm.
We also participated in EFF's Opt-Out October series, providing guidance on deleting accounts you no longer use, on tightening account privacy settings, and minimizing risk while using digital payment apps. I spoke alongside some colleagues for a Parents story on baby monitor security. And SP was additionally cited by the Freedom of the Press Foundation in a post about protecting yourself and your information online.
Blog Posts
I wrote two posts for Consumer Reports' Innovation Lab, one about Apple's new iPhone memory protections, which safeguard devices against sophisticated digital attacks. The second was about a public interest research project called KeyDrop, which scans the web for publicly exposed API keys.
How Secure Are Journalists' Favorite Transcription Tools?
This article, which I wrote with Dr. Martin Shelton at the Freedom of the Press Foundation, was updated this year. It is cited in Resources for Journalists (RSF's) catalog of digital safety resources.
Dr. Martin Shelton
Conference Talks
I was thrilled to speak at the last ShmooCon about keeping our home addresses offline. The talk was cited in CySecurity News, IT Security News, and PCMag.
I gave a talk called Back to Basics: Building Resilient Cyber Defenses (But Make It Garden) at DEF CON's Crypto & Privacy Village. None of the projectors were working in the room I presented in that day, but the slides magically show up in the video. (This explains my visual description of each slide.) This talk was mentioned by Nonprofit Cyber.
I gave a similar, but longer talk at HOPE (Hackers on Planet Earth) as well.
Also at HOPE, I spoke alongside Micah Lee and redshiftzero about our work at the Lockdown Systems collective, which I joined this year. Straight Arrow News covered one of our projects, the interactive ICE Detention Map, which shows using the government's own data that 71% of detainees have no criminal record. (Incidentally, Micah and I have worked together for years, and our Zoom reporting from March 2020 is now cited in a new site called FTC Reverse Engineering that measures how often the Federal Trade Commission relies on the work of independent researchers when regulating consumer privacy and security.)
I was on a panel at Privacy Enhancing Technologies Symposium (PETS) moderated by Roya Ensafi (Associate Professor, University of Michigan), alongside Amir Houmansadr (Associate Professor, UMass Amherst), Chris Taylor (VP of Technology Programs, Open Technology Fund) and Jason Pielemeier (Executive Director, Global Network Initiative). We spoke about the risks and returns of anti-censorship and anti-surveillance in defense of a global and open internet. (The panel was not recorded.)
In what has become an annual tradition (and obviously in my personal capacity), I gave a talk at CactusCon with David Huerta about the Worst of Cybersecurity Reporting for the year prior. We'll be speaking about 2025 in February 2026, and hope you can join us either in person or remotely.
Remotely, I gave a guest lecture at the Reynolds School of Journalism (UNV) about bad cybersecurity reporting. And I helped out with a session for the American Bar Association.
And I spoke on an EFF/WISP panel alongside Rory Mir (EFF Associate Director of Community Organizing), Lena Cohen (EFF Staff Technologist), and Mitch Stoltz (EFF IP Litigation Director) about how we arrived at a point where a handful of major tech companies dictate so much of our digital rights, how these monopolies erode privacy, and what real-world consequences come from constant data collection—and most importantly, what you can do to fight back.
Podcasts
I did a Q&A about Security Planner for Common Good Cyber, and spoke about it for episode 416 on the podcast Firewalls Don't Stop Dragons, hosted by Carey Parker. An excerpt also made it onto the show's Best of 2025 podcast. I also participated in a special Best and Worst Gifts For 2025 episode along with Stacey Higginbotham and Jeff Landale.
Another podcast I did was Hackers on the Rocks, where I made an Empress Southside and then talked about data collection with Evan Dornbush. I love the concept behind this podcast, and I hope you enjoy it! (Also, since he doesn't like gin, I added extra simple syrup, which is why my drink turned from purple to pink rather than pink to blue... but it's super cool either way!)
Professional Development
I hear a lot of discussion from people looking for ways to get continuing education credits or to meet personal or professional goals. Some workplaces even have budget for this.
This year I kicked off with Google's Cybersecurity Certificate program. I finished the second phase of the Ford Foundation's Digital Safety School, led by the experts at Collective Security Group. Through the Knight Center, I took the Global Investigative Journalism Network's online course, Digital Security for Journalists in Times of Crisis. I took a quick training on AI Skills for Nonprofits by the CyberPeace Institute. And, in my biggest challenge, I successfully passed the exam for IAPP's Certified Information Privacy Professional - United States (CIPP/US) certification.
I was also lucky enough to attend LABScon, the best threat intel conference on the planet. I also went to DC for the Cyber Civil Defense Summit, where I saw a talk by Signal's Udbhav Tiwari--something I highly recommend. And I attended the Global Privacy Summit, also in DC.
Fuzz Life
Like last year, I almost skipped this section to try to keep this post purely professional, but then remembered just how often people brought up things they read in my “Sparkle Quest” section last year. This year I transitioned from sparkle to fuzzy, trying to make the year feel like warm blankets and a nice cup of hot tea.
I embodied fuzziness by spending as much time as possible in my Lola blanket and taking advantage of their sales. (The blankets are amazing, but please do not pay full price!) Even my dog got a blanket. Although I'm addicted to my Chacos (I even talked about them in CR's Buy It For Life article), I traded them for fuzzy socks and slippers from time to time. I spent a lot of time with friends. It was a year for self-care, taking a lot of baths (and sound baths!), drinking tea, doing yoga, crafting, cooking, and baking. I even got color analysis done, which felt incredibly fuzzy (especially because of how much time it saves trying to look one's best).
And it was an amazing year of entertainment. I went to Flagstaff not once, but twice, to hang out in a Nordic spa and to see Coriolanus and King Lear and the Complete Works of William Shakespeare (Revised, Abridged, Again). I went to San Diego to see House of India, an amazing play. In Phoenix, I saw Wicked and Klingon Hamlet. I went to Otsikumi, the Japanese moon-gazing festival. I saw Lauren Mayberry play, which was amazing. I saw Jake Shimabukuro along with Justin Kawika Young and Jackson Waldhoff, in what's become a joyous annual tradition. I got books signed by Dave Maass, Nicholas Hamilton, and Krysten Ritter, and finally met Seth Godin (for a few minutes as he was being swarmed after a talk, but still.) And I did some stargazing.
I did some open mics. Not always well, but I did them! I weirdly had a better experience singing What It Sounds Like a cappella while standing and engaging with the audience than the actual singing and guitaring I spent months practicing. It is hard to sit on a chair and look at the sheet music and the chords and the audience and then... I'm hoping for more experimentation in 2026 to figure out what I want to do musically, keeping in mind that this is supposed to be fun.
When I did my Sparkle Quest, I thought no word would ever outdo sparkle. Then when I picked Fuzz Life, I didn't think anything would outdo sparkle and fuzz. I'm not sure if I picked a better word, but I did pick a good word! Next year I’ll be focusing on all things crafted, interpreted as broadly as possible, and will hopefully have something interesting to share. Catch you on the flip side!