Blog — That Privacy Guy!

22 May 2026 · 14 min read

CIPA and the Environmental Crimes Directive: why forensic web evidence just became the most contested thing in privacy litigation

CIPA wiretapping claims and the new EU Environmental Crimes Directive have one thing in common: they are won and lost on forensic evidence of what a website actually does at runtime. Inbound demand for that evidence has outrun us, so WebSentinel orders are now queued. Here is why both regimes turn on evidence, what that evidence has to prove, and why cookie-banner tooling cannot produce it.

9 May 2026 · 22 min read

Malta is in breach of the EU Treaties — the IDPC has confirmed in writing that no Maltese citizen is protected under the ePrivacy Directive against any tech company not established in Malta

On 27 April 2026 I lodged a formal complaint with Malta's Information and Data Protection Commissioner against Anthropic. The IDPC has now confirmed in writing that no Maltese citizen has any protection under the ePrivacy Directive against any tech company not established in Malta. That is a direct breach of Articles 7 and 47 of the EU Charter, of Article 19(1) TEU, and of Malta's obligations under Directive 2002/58/EC. This piece walks through the IDPC's correspondence in full, the 2009 Phorm precedent in which the European Commission opened infringement proceedings against the United Kingdom for an analogous failure, and why Malta has now made an Article 258 TFEU complaint to the Commission unavoidable.

ePrivacy GDPR Charter Malta IDPC Anthropic Phorm law Compliance

8 May 2026 · 9 min read

Google quietly removes the on-device AI privacy assurance from Chrome's Settings UI

Google has quietly removed the privacy assurance from Chrome's on-device AI Settings UI. The sentence promising that the model runs locally without sending data to Google's servers has been deleted, and the toggle moved out of the System block to reduce the chance the change is noticed. There are three plausible reasons for that, and each is a serious problem for users. This piece walks through the legal exposure under the EU Unfair Commercial Practices Directive, Section 5 of the FTC Act, and Articles 13(4) and 5(2) of the Digital Markets Act, and asks Parisa Tabriz directly why the assurance was withdrawn.

AI Chrome Consent Compliance ePrivacy GDPR Google

7 May 2026 · 9 min read

The problem with Consent Management Platforms is they are unlawful by design

Every CMP I have looked at in fifteen years sets a cookie before the user has consented to anything. That is a direct breach of Article 5(3) of the ePrivacy Directive, restated by the CJEU in Planet49 (C-673/17), and reinforced by the Belgian decision against the IAB TCF. This piece explains, step by step, what a lawful consent flow actually looks like and why every cookie banner you have ever seen is wrong.

privacy ePrivacy GDPR Compliance Consent CMP Cookies law

7 May 2026 · 3 min read

Google's "Boss" of Chrome gaslights on unlawful Nano push

Google's Chrome boss Parisa Tabriz tells the press that users can simply opt out of the unsolicited Gemini Nano install. Google's own Chrome manifest proves the opposite. Chrome reached into the device, flipped the flag, downloaded the 4 GB model and only then surfaced the settings UI after the fact. Opt-out is not the legal standard here — opt-in is. This piece walks through why the public PR statements are demonstrably false against Google's own logs, and why a half-truth response to evidence is its own kind of harm.

AI Chrome Consent Compliance ePrivacy Google

4 May 2026 · 27 min read

Google Chrome silently installs a 4 GB AI model on your device without consent. At a billion-device scale the climate costs are insane.

Google Chrome is downloading a 4 GB Gemini Nano model onto users' machines without consent, with no opt-in, no opt-out short of enterprise tooling, and an automatic re-download every time the user deletes it. The pattern is identical to the Anthropic Claude Desktop case I wrote about last month, but the scale is between two and three orders of magnitude larger. This article does the legal analysis and, for the first time, the environmental analysis. The numbers are not small.

AI privacy ePrivacy Compliance GDPR Google Chrome Gemini ESG Environment Sustainability Climate law

27 April 2026 · 9 min read

Bolt's ChatBot Runs Amok

Bolt's customer support chatbot acknowledged a missing food item and twice refused a refund, swapping personas to dress automated denial as human review. A GDPR Article 22 case waiting to happen.

AI Compliance Technology ChatBots Customer-Services GDPR Consumer-Rights AI-Act

21 April 2026 · 4 min read

Anthropic issued with a Cease and Desist

Anthropic ignored the Claude Desktop spyware findings. A formal Cease and Desist has now been issued, with 72 hours before criminal and civil complaints follow.

AI Anthropic Claude Compliance ePrivacy InfoSec law GDPR privacy forensics

18 April 2026 · 19 min read

Anthropic secretly installs spyware when you install Claude Desktop

Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven Chromium browsers, including browsers Anthropic's own documentation says it does not support, and browsers the user has not even installed.

AI privacy ePrivacy Compliance InfoSec GDPR law Cyber Security Anthropic Claude

14 April 2026 · 30 min read

The Beast behind the Browser: Every Privacy Vulnerability in Chrome and How to Catch It

A forensic reference to every client-side privacy vulnerability in Google Chrome — fingerprinting, storage tracking, header leaks — and how to detect each.

surveillance-capitalism AdTech MarTech Cookies privacy ePrivacy law forensics

13 April 2026 · 4 min read

Data Sovereignty in light of US uncertainty

EU and businesses are abandoning US tech giants for open source and self-hosted alternatives. Why data sovereignty matters now more than ever.

Data-Sovereignty Technology Self-Hosted FOSS GDPR Compliance privacy surveillance-capitalism InfoSec Cyber Security

9 April 2026 · 2 min read

Welcome to my Blog

Introducing the That Privacy Guy! blog — expert insights on privacy, data protection, GDPR, AI governance, and cyber security from Alexander Hanff.

privacy announcement

9 April 2026 · 13 min read

Digital Psychology: Why Privacy is so important for Self Determination

Psychographic profiling and surveillance capitalism erode our autonomy. Why privacy is fundamental to self-determination, free thought, and democracy.

privacy surveillance-capitalism psychology manipulation psychographics