Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Privacy in 2026 works like this: there’s a button that says “no,” and nobody on the other side is listening.
Two completely different stories landed this week and arrived at the same ugly conclusion.
WIRED reported that DHS removed Customs and Border Protection privacy officers who raised concerns about surveillance orders they believed were illegal. These aren’t random bureaucrats. Privacy officers exist specifically to serve as an internal check on government surveillance.
So when the people whose entire job is to flag illegal surveillance get fired for doing exactly that, the oversight mechanism isn’t weakened. It’s gone.
And here’s the kicker. CBP has separately been confirmed to use commercial ad data, the location info generated by apps on your phone, to track individuals. No warrant needed because the data is “commercially available.” The privacy officers who might’ve pushed back on that interpretation? No longer in the room.
When internal oversight gets gutted at one agency, it signals to every other agency that asking hard questions about surveillance is a career risk. That chilling effect is harder to measure than a single policy change, but it’s arguably more damaging.
On the consumer side, independent security research found that Duolingo’s iOS and Android apps continue sending device fingerprinting data to Pangle (ByteDance’s ad network) even after users toggle off tracking permissions.
Read that again. You open settings. You find the privacy option. You say no. Duolingo sends your data anyway. To ByteDance. The same parent company as TikTok.
Device fingerprinting is particularly nasty because it works without cookies or explicit identifiers. It builds a profile from your device’s characteristics (screen resolution, installed fonts, behavioral patterns) that can track you across apps even when you’ve done everything the platform told you to do to prevent it.
If the research holds up (and the methodology looks solid), this is potentially a violation of both GDPR and CCPA. An opt-out toggle that doesn’t stop data collection isn’t a privacy control. It’s a prop.
Duolingo has hundreds of millions of users. Many of them are children.
Government agencies have oversight officers. Apps have opt-out toggles. Regulations have enforcement provisions. And at every level, the controls can be hollow. The officer gets fired. The toggle gets ignored. The regulation goes unenforced.
You think your data is protected because someone told you it was. The actual protection depends entirely on whether the entity collecting your data chooses to honor the mechanism. Or is forced to.
On your devices: Check Duolingo’s permissions. Consider whether you even need the app, or if a web-based alternative reduces your exposure. Use a DNS-level ad blocker like NextDNS or Pi-hole that can block Pangle domains at the network level regardless of what the app does.
On the institutional side: Support organizations that litigate privacy violations (EFF, ACLU, EPIC). Pay attention to which legislators want stronger enforcement versus weaker oversight.
Stop assuming your “no” works. Verify it. The uncomfortable truth is that privacy in 2026 requires active defense, not passive trust.
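One way to do that verification with the DNS-level blocker mentioned above, as an added example that is not from the research or from any of the tools named: read the blocker's query log and list lookups for watched ad-network hosts made after the moment you switched the toggle off. It assumes a dnsmasq-style log of the kind Pi-hole writes; the log lines, the `adnet-placeholder.example` suffix and the function names are constructed placeholders.

```python
import re
from datetime import datetime

# Placeholder suffix (constructed); replace with the ad-network domains you watch.
WATCHED_SUFFIXES = ("adnet-placeholder.example",)

# Constructed sample in dnsmasq/Pi-hole log style, not captured from a real device.
SAMPLE_LOG = """\
Mar 14 09:58:02 dnsmasq[812]: query[A] api.adnet-placeholder.example from 192.168.1.23
Mar 14 09:58:02 dnsmasq[812]: forwarded api.adnet-placeholder.example to 9.9.9.9
Mar 14 10:05:40 dnsmasq[812]: query[A] lessons.app-placeholder.example from 192.168.1.23
Mar 14 10:06:11 dnsmasq[812]: query[AAAA] log.adnet-placeholder.example from 192.168.1.23
Mar 14 10:06:11 dnsmasq[812]: gravity blocked log.adnet-placeholder.example is ::
Mar 14 10:07:30 dnsmasq[812]: query[A] notadnet-placeholder.example from 192.168.1.23
Mar 14 10:09:00 dnsmasq[812]: query[A] API.AdNet-Placeholder.example. from 192.168.1.40
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
# Assumed wording of the blocker's "answered with a sinkhole address" line.
BLOCK_RE = re.compile(r"dnsmasq\[\d+\]: gravity blocked (\S+) is ")

def normalize(name):
    """Lowercase and drop the trailing root dot so comparisons are stable."""
    return name.lower().rstrip(".")

def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """Label-aware suffix match: 'x.ad.example' matches 'ad.example', 'notad.example' does not."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def queries_after_optout(log_text, optout, year, suffixes=WATCHED_SUFFIXES):
    """Return watched lookups at or after `optout`, noting whether the blocker sinkholed each."""
    hits = []
    for line in log_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            # dnsmasq timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {q.group(1)}", "%Y %b %d %H:%M:%S")
            name = normalize(q.group(2))
            if ts >= optout and is_watched(name, suffixes):
                hits.append({"time": ts, "client": q.group(3), "name": name, "blocked": False})
            continue
        b = BLOCK_RE.search(line)
        if b and hits and hits[-1]["name"] == normalize(b.group(1)):
            hits[-1]["blocked"] = True
    return hits

if __name__ == "__main__":
    for h in queries_after_optout(SAMPLE_LOG, datetime(2026, 3, 14, 10, 0, 0), 2026):
        print(h["time"], h["client"], h["name"], "blocked" if h["blocked"] else "ALLOWED")
```

A lookup in the log shows only that the device tried to reach the host, not what it would have sent; an entry marked ALLOWED means the blocker did not stop it.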