The SFPD’s exposure of hours of videos from drone platform Skydio reveals how broadly it’s watching the city from above—and how the results can spill online.
Plus: The Pentagon is training amateurs to become part of its hacker army, a Flock license plate reader error led to cops surrounding a car reviewer, and more.

A stalkerware maker who was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will not be able to go back to selling the invasive software, according the U.S. Federal Trade Commission.
The FTC denied a request to cancel that ban made by Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor.
On Monday, the FTC announced the denial in a press release after Zuckerman petitioned the federal watchdog to rescind or modify the ban order in July of this year.
In 2021, the FTC banned Zuckerman from “offering, promoting, selling, or advertising any surveillance app, service, or business,” effectively preventing him from running another stalkerware business. The agency also ordered Zuckerman to delete all the data collected by SpyFone, as well as to undergo frequent audits and establish certain cybersecurity practices for his businesses.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”
In his petition, Zuckerman claimed that the FTC order’s security requirements have made it harder for him to run his other businesses due to financial costs, despite the fact that Support King is no longer in operation and he now only runs a restaurant and plans other “tourism ventures” in Puerto Rico, according to the petition.
When reached via email, Zuckerman declined to comment and referred questions to his lawyer.
Techcrunch event
San Francisco
|
October 13-15, 2026
The FTC ban stemmed from an incident in 2018, when a security researcher found an Amazon S3 bucket belonging to SpyFone that left extremely sensitive data — including selfies, text messages, chat app messages, audio recordings, contacts, location, hashed passwords and logins, and more — exposed online for anyone to see and access.
The exposed data included 44,109 unique email addresses and, according to the researcher who found the breach, “at least 2,208 current ‘customers’ and hundreds or thousands of photos and audio in each folder” from 3,666 phones that had the SpyFone stalkerware installed on them.
Do you have more information about stalkerware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Less than a year after the 2021 FTC order, TechCrunch reported that Zuckerman appeared to be running another stalkerware company. In 2022, TechCrunch received a trove of breached data from stalkerware app SpyTrac. The data revealed that SpyTrac was run by freelance developers with direct ties to Support King, in what appeared to be an attempt to circumvent the FTC’s ban. Furthermore, the breached data included records from SpyFone, which Zuckerman was ordered to delete, and keys to access the cloud storage of OneClickMonitor, another one of his stalkerware apps.
Eva Galperin, a prominent expert on stalkerware, celebrated the news. “Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about the reasons why the FTC issued a ban not only against the company, but against him specifically,” Galperin told TechCrunch.
TechCrunch’s revelation in 2022 that Zuckerman apparently violated the FTC ban, “suggests that Zuckerman did not learn his lesson,” added Galperin, who is the director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation.
Stalkerware apps allow their customers to surreptitiously spy on the phones and devices of their loved ones. In addition to enabling potentially illegal activities, for the last eight years, there have been at least 26 stalkerware companies that have been hacked or left sensitive data exposed online, according to TechCrunch’s tally. These repeated incidents show these companies have repeatedly failed to protect the privacy of their customers, as well as the people they spy on.
Keep reading the article on Tech Crunch
An increasing number of browsers are experimenting with agentic features that will take actions on your behalf, such as booking tickets or shopping for different items. However, these agentic capabilities also come with security risks that could lead to loss of data or money.
Google detailed its approach to handling user security on Chrome using observer models and consent for user action. The company previewed agentic capabilities on Chrome in September and said these features will roll out in the coming months.
The company said it is using the help of a few models to keep agentic actions in check. Google said it built a User Alignment Critic using Gemini to scrutinize the action items built by the planner model for a particular task. If the critic model thinks that the planned tasks don’t serve the user’s goal, it asks the planner model to rethink the strategy. Google noted that the critic model only sees the metadata of the proposed action and not the actual web content.

What’s more, to prevent agents from accessing disallowed or untrustworthy sites, Google is using Agent Origin Sets, which restrict the model to access read-only origins and read-writeable origins. Read-only origin is data that Gemini is permitted to consume content from. For instance, on a shopping site, the listings are relevant to the task, but banner ads aren’t. Similarly, Google said the agent is only allowed to click or type on certain iframes of a page.
“This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins. This bounds the threat vector of cross-origin data leaks. This also gives the browser the ability to enforce some of that separation, such as by not even sending to the model data that is outside the readable set,” the company said in a blog post.
Google is also keeping a check on page navigation by investigating URLs through another observer model. This can prevent navigation to harmful model-generated URLs, the company said.

The search giant said that it is also handing over the reins to users for sensitive tasks. For instance, when an agent tries to navigate to a sensitive site with information like banking or your medical data, it first asks the user. For sites that require sign-in, it’ll ask the user for permission to let Chrome use the password manager. Google said that the agent’s model doesn’t have exposure to password data. The company added that it will ask users before taking actions like making a purchase or sending a message.
Techcrunch event
San Francisco
|
October 13-15, 2026
Google said that, in addition to this, it also has a prompt-injection classifier to prevent unwanted actions and is also testing agentic capabilities against attacks created by researchers.
AI browser makers are also paying attention to security. Earlier this month, Perplexity released a new open-source content detection model to prevent prompt injection attacks against agents.
Keep reading the article on Tech Crunch

Last week, pet products and services giant Petco confirmed that it experienced a data breach involving customers’ personal information, without specifying what type of data was affected.
On Friday, in a legally required filing with Texas’ attorney general’s office, Petco reported that the affected data included: names, Social Security numbers, driver’s license numbers, financial information such as account numbers, credit or debit card numbers, and dates of birth.
Petco filed similar legally required notices in California, Massachusetts, and Montana. In the latter two states, Petco reported one and three affected residents respectively.
The company did not disclose the exact number of victims in California, where companies are required to disclose breaches involving at least 500 state residents, which suggests there are more victims than that number in the state.
Petco spokesperson Ventura Olvera did not respond to a series of questions sent on Monday, which included how many customers in total were affected by this incident; whether Petco has any technical means, including logs, to determine whether any cybercriminals had access and stole the customers’ exposed data; what and when was the specific issue identified; and what was the application involved in the incident.
For context, in 2022, Petco said it served more than 24 million customers.
On Friday, Petco spokesperson Ventura Olvera said in a statement to TechCrunch that the company had “provided further information to individuals whose information was involved.”
Techcrunch event
San Francisco
|
October 13-15, 2026
California’s attorney general published a sample letter that Petco is sending to its customers. The message said Petco discovered an issue with “a setting within one of our software applications that inadvertently allowed certain files to be accessible online,” that the company “immediately took steps to correct the issue and to remove the files from further online access,” and that it “corrected” the setting and implemented unspecified “additional security measures.”
The company is offering free credit and identity theft monitoring services to victims in California, California, Massachusetts, Montana. Under California law, for example, companies must provide these services if a data breach victim’s driver’s license number or Social Security number are compromised. It’s unclear if Petco is also offering these services to victims in Texas.
Keep reading the article on Tech Crunch