Europe Tightens Social Media Controls While Russia Pulls the Plug

Control of digital life is getting more centralized at the exact moment the systems that hold our identities keep getting breached. In just a few days, Europe moved closer to enforceable age-gating for social media, Russia fully blocked WhatsApp while promoting a state-backed replacement, and two separate incidents showed how much leverage attackers gain when they compromise telecom and device-management infrastructure.

Portugal’s “Parental Consent” Social Media Rule Comes With a Built-In ID Layer

Source

Portugal’s parliament approved a bill (first reading) that would require explicit parental consent for children aged 13 to 16 to access social media, positioning it as a child-safety measure against cyberbullying, harmful content, and predatory contact. The proposal frames itself as closing a gap where major platforms effectively set the rules for youth online without clear local constraints.

The enforcement mechanism is the real story: consent would run through a state system called the Digital Mobile Key (DMK), and platforms would need age verification compatible with DMK. Supporters cast this as “giving power back to parents,” while the bill also includes potential fines for noncompliant companies of up to a percentage of global revenue. This is an incentive structure designed to make platforms actually implement the checks, not just gesture at them.

Russia Blocks WhatsApp and Points Users to a “National Messenger”

Source

Russia has now fully blocked WhatsApp, with the Kremlin citing the app’s failure to comply with local law and urging citizens to switch to MAX, a state-backed messenger. The move caps months of tightening restrictions and fits a broader wartime push to build a more “sovereign” communications environment where foreign platforms either comply on Russian terms or disappear.

WhatsApp said it would try to keep users connected and warned that cutting off private and secure communication would reduce safety. In practice, the block appears to have been reinforced by domain and routing controls that leave many users relying on VPNs to access the service while authorities promote MAX despite criticism that it could function as a surveillance tool (a claim officials deny). On the street, reactions ranged from resignation to anger over loss of choice.

Dutch Telecom Odido Leak Exposes a Full Identity Toolkit for Millions

Source

Dutch telecom giant Odido disclosed a cyberattack affecting a contact system used for customer communications, exposing data tied to about 6.2 million customers. The leaked fields are unusually comprehensive: names, addresses, phone numbers, customer numbers, emails, bank account identifiers, dates of birth, and government ID numbers (with validity). This is the kind of dataset attackers can use not just for phishing, but for identity verification, account takeover, and SIM-swap style escalation.

Odido said passwords, call records, location data, billing details, and ID scans weren’t exposed and that service availability was unaffected, suggesting this wasn’t ransomware. The company says it cut off attacker access quickly, notified the Dutch regulator, and contacted affected customers within two days. Even so, this is a reminder that telecoms aren’t just connectivity providers; they’re identity brokers by default, and breaches here tend to have long tails because the exposed details don’t expire.

EU Commission Mobile-Device Management Breach Shows Why “Backend” Attacks Scale Fast

Source

The European Commission confirmed a breach of its centralized backend used to manage staff mobile devices, with possible access to staff names, mobile numbers, and business email addresses. The Commission said it contained the incident within hours and found no evidence devices themselves were compromised, but the exposed contact details are precisely what attackers need to run high-credibility phishing and impersonation campaigns against officials and their networks.

The Commission didn’t name an attack vector, but the incident is being discussed in the context of vulnerabilities affecting widely used mobile device management tooling—systems that sit in a uniquely privileged layer, capable of enforcing policy and controlling devices at scale. Even when the “direct” impact looks limited, compromise at the management plane changes the risk profile: it’s the difference between attacking endpoints one by one and attacking the control room.