In Brief

Virginia bans sale of geolocation data

Why this matters now: Virginia's amendment to its Consumer Data Protection Act bans the sale of geolocation data, changing how location brokers and apps can monetize precise location information for Virginia residents.

Virginia Governor Abigail Spanberger signed an amendment to the state's Consumer Data Protection Act that bans the "sale" of geolocation data, effective July 1, 2026 — reported in Hunton's privacy blog. The law uses a relatively narrow definition of sale (monetary exchange from a controller to a third party), so it focuses on commercial transactions rather than every kind of data sharing.

Practically, the ban is meaningful but not total: companies can still share coarser or “fuzzy” location data, first-party uses and intra-company transfers may escape the rule, and enforcement depends on the Virginia attorney general. Expect litigation and creative compliance workarounds — this is another incremental step in a patchwork of state rules (following Maryland and Oregon), not a complete end to location tracking.

Podman v6.0.0 arrives

Why this matters now: Podman 6.0.0 modernizes its networking and security primitives, making rootless container workflows and Docker-replacement migrations easier for operators and developers.

The Podman team published the release notes for Podman v6.0.0, a modernization release that moves networking from slirp4netns/iptables to Netavark/Pasta/nftables, introduces experimental Pesto rootless port forwarding, improves podman machine multi-provider support, and continues to tighten Docker compatibility. For teams leaving Docker Desktop or pursuing daemonless workflows, these changes close important gaps.

HN reactions emphasize smooth migrations for many users, but warn about packaging quirks on some distributions and remaining systemd dependencies. If you’re planning a switch, test your networked workloads and packaging path before a broad rollout.

CarPlay Is Additive (op-ed)

Why this matters now: Casey Newton’s critique of Rivian's rejection of Apple CarPlay reframes CarPlay as an optional, additive convenience that many buyers now expect when choosing a new vehicle.

Casey Newton pushed back on Rivian’s decision not to support Apple CarPlay in an opinion piece framed as a consumer demand and product-design critique. As Newton writes, “I literally will not buy a car that does not support CarPlay.” The argument: CarPlay can be additive rather than a screen takeover, and Apple is iterating features (like navigation handoff in iOS 27) that address previous automaker objections.

The broader debate is strategic: do automakers own the in-car experience, or do they accept the phone as the primary computing platform? For buyers who value continuity and regular updates, CarPlay remains table stakes; for manufacturers, resisting it can be a deliberate branding or control choice.

Deep Dive

Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory

Why this matters now: LUKS users relying on the luksSuspend workflow may have had their disk master keys left in RAM on machines running kernels since 6.9, so a machine seized while suspended-to-RAM could expose its encrypted disks.

A kernel refactor in Linux 6.9 accidentally changed keyring lifetime semantics, and that change broke the intended behavior of the luksSuspend workflow: instead of wiping the LUKS master key from RAM on suspend (forcing a passphrase at resume), the key could remain resident and the system would resume without re-prompting. The issue was detailed by a researcher on Mathstodon and quickly drew alarm from security-minded users.

"There is something uniquely unsettling about trusting a security mechanism for years and learning it was never doing the thing."

That quote nails the practical surprise: many people configured luksSuspend expecting a guarantee they didn’t actually get. The immediate technical fix was small — reportedly a one-line change — and maintainers added a regression test plus warnings where the workflow might silently fail. But the fallout is about trust and testing. If you used luksSuspend as your policy for protecting a laptop during sleep, assume that kernels since 6.9 may be vulnerable until your distribution or cryptsetup packages include the fix.

What to do now:

  • Treat suspend-to-RAM as insecure on affected systems until you confirm a kernel/cryptsetup patch.
  • Prefer suspend-to-disk (hibernate) or require a passphrase on resume via methods that don't rely on the fragile codepath.
  • Update kernels and distro packages as patches arrive; check your distro’s security advisories.
  • For security teams: add regression tests for invariants (like key wiping) rather than only functional tests.

This bug is a compact case study in why security properties must be codified and tested across project boundaries — a one-line fix is fine, but the policy that relied on it needs verification.

An American Privacy Emergency (Commerce directive DAO‑216‑26)

Why this matters now: A Commerce Department directive, reportedly labeled DAO‑216‑26, would prohibit "noise infusion" techniques like differential privacy, potentially crippling how government agencies release useful but safe public statistics.

Scott Aaronson flagged a Commerce Department directive that reportedly bans methods that "involve modifying a dataset by adding random values, or noise" — language that would rule out common differential privacy approaches. You can read the blog post summarizing the directive. For people who use government statistics — researchers, planners, public-interest organizations — the stakes are immediate: either the agencies publish much coarser data, or they stop publishing sensitive datasets altogether.

Differential privacy is a practical tool that adds calibrated randomness to results so you can publish aggregate statistics while bounding the risk that someone can infer an individual's record. The 2020 Census used a variant (TopDown) specifically to prevent reconstruction attacks against microdata. The directive’s ban forces a blunt tradeoff: much coarser aggregates that lose utility, or releasing more raw information that increases re-identification risk.
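To make the tradeoff concrete, here is an added example (not code from the original post, the Census Bureau, or any agency): a counting query released under the Laplace mechanism beside the noise-free coarsening alternative, run on constructed sample records, with a helper that checks the bound the paragraph describes, namely that one record can change the likelihood of any published value by at most a factor of exp(epsilon). All function names and the sample data are assumptions made for this illustration.

```python
import math
import random

# Constructed sample microdata (not real records): one dict per household.
RECORDS = [
    {"county": "A", "high_income": True},
    {"county": "A", "high_income": False},
    {"county": "A", "high_income": True},
    {"county": "B", "high_income": True},
    {"county": "B", "high_income": False},
]

def true_count(records, predicate):
    return sum(1 for r in records if predicate(r))

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; rng only needs a .random() method."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))

def dp_count(records, predicate, epsilon, rng=random):
    """Counting query under the Laplace mechanism (hypothetical helper).
    Adding or removing one record moves a count by at most 1 (sensitivity 1),
    so the noise scale is 1/epsilon: smaller epsilon, more noise, more privacy."""
    return true_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)

def coarsened_count(records, predicate, bucket):
    """The noise-free alternative: round the exact count down to a bucket.
    No randomness, but a bucket boundary still leaks an exact count."""
    return (true_count(records, predicate) // bucket) * bucket

def max_likelihood_ratio(epsilon, count, grid_step=0.01, span=20.0):
    """Largest ratio of output densities between a dataset whose count is
    `count` and a neighbour whose count is `count + 1`, scanned over a grid
    of possible outputs. The Laplace guarantee is that it never exceeds
    exp(epsilon); an exact (noise-free) release has no such bound."""
    scale = 1.0 / epsilon

    def pdf(x, mu):
        return math.exp(-abs(x - mu) / scale) / (2.0 * scale)

    best = 0.0
    x = count - span
    while x <= count + span:
        best = max(best, pdf(x, count) / pdf(x, count + 1))
        x += grid_step
    return best

if __name__ == "__main__":
    rich = lambda r: r["high_income"]
    print("exact:", true_count(RECORDS, rich))
    print("laplace, eps=0.5:", round(dp_count(RECORDS, rich, 0.5, random.Random(7)), 2))
    print("coarsened to 2s:", coarsened_count(RECORDS, rich, 2))
    print("max likelihood ratio:", max_likelihood_ratio(0.5, 3), "<= e^eps =", math.exp(0.5))
```

Run with different epsilon values to see the utility side of the tradeoff: at epsilon 0.1 the noise scale is 10, which swamps a count of 3, while coarsening to buckets of 5 collapses it to 0.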

Reactions are split. Some see this as a dangerous push for raw data access that could undermine confidentiality; others argue coarsening is an acceptable, if clumsy, alternative. Regardless, the directive would reshape how agencies balance data utility and privacy across countless programs.

If you care about public data:

  • Watch for official clarifications and legal review; directives are interpreted and challenged.
  • Data users should prepare for reduced resolution or altered release schedules.
  • Contact your representatives — many HN commenters urged civic engagement because the change affects planning, research and allocation decisions nationwide.

This is a policy-level decision with technical consequences: it's not only an argument about methods on paper, it could remove tools that practitioners rely on to preserve privacy without destroying dataset value.

Closing Thought

Two threads run through today’s stories: small technical or policy choices can produce outsized risks to privacy and security, and fixes — whether a kernel patch or a policy reversal — matter more than arguments about intent. If you care about encryption or public data, check for patches, validate assumptions, and make noise where policy decisions will shrink the data we all depend on.

Sources