It’s a tone-deaf message coming out of the EU right now (pun not intended)

First, right-wing extremist politicians pushed a literal detention center campaign of 1940 Nazi Germany (Madagascar Plan to detain non-citizens in relocation hubs in Africa). Somehow this passed. A 1940 Nazi plan coming to be in 2026. The UN documented in Australia this mindset as a clear violation of international human rights and refugee law, and yet the EU just shouted “Deportation Camps are Great Again” from their bully pulpit.

Second, a very shadowy group of Swedish investors abruptly launched a closed-source fork of the BlueSky surveillance system that they named W (perhaps to joke it comes after fascist X and Z). CEO, Anna Zeiter, has been promoting this centralized top-down secret investor controlled form of public communication. Anyone claiming to know W’s full ownership is guessing, while W is pushing absolute identification as a requirement for participation in society.

At best we know from Svenska Dagbladet that a primary investor of W used Greta Thunberg’s name more than eleven times in promotional material for a November 2018 share issue that raised close to 10 million kronor, after putting her on a youth advisory board, with a prospectus telling investors the venture could be “extremely profitable” through viral climate content and digital ads, while channeling only 10 percent of profits to a charitable fund. Thunberg’s father said the family was never told her name would be used.

CEO, Anna Zeiter’s prior role? She oversaw data protection and artificial intelligence policy at the notoriously toxic eBay.

Perhaps you remember:

eBay lobbyists found to be writing EU data protection law in copy-paste legislation scandal

Or, then there was this announcement last year:

Levi & Korsinsky, LLP’s investigation indicatesthat legally protected data may have been unlawfully intercepted during visits to eBay’s website

If you haven’t heard the one about a wolf in sheep’s clothing, I’ll give you a big hint. Look for evidence like attending Stanford Law School with a Master of Law (LL.M.) in Law, Science & Technology. Or if you don’t want to scrutinize Stanford’s very toxic pipeline, look at her record-setting breach failure (May 21, 2014), followed by two distinct surveillance scandals on her watch as global chief, and then an active interception case.

That privacy 2014 breach was really bad, but the two Zeiter scandals are truly unbelievable.

First, remember her 2019 Steiner corporate-run cyberstalking? As global CPO, she oversaw eBay’s senior director of Safety and Security and six other staff targeting Ina and David Steiner, the editors of EcommerceBytes. Why? Independent coverage frustrated eBay executives. Surveillance and terror methods were used: live spiders and cockroaches, a funeral wreath, a bloody pig mask, and a book on surviving the loss of a spouse mailed to their home, their address posted online, plus physical following.

The Justice Department charged eBay with stalking, witness tampering and obstruction. eBay admitted the facts, paid a $3 million criminal penalty, the statutory maximum for six felony offenses, and accepted an independent corporate compliance monitor for three years. Seven employees and contractors were convicted; the eBay fall-guy drew 57 months. As privacy chief her own security apparatus ran covert surveillance to silence two journalists.

Second, in 2020 her command of privacy at eBay was implicated in port-scanning. Researchers found eBay’s site probing every visitor’s own machine over WebSocket, looking for remote-desktop and remote-access ports, via LexisNexis ThreatMetrix, with the script re-obfuscated on each page load and results exfiltrated to a lookalike domain, ebay-us.com. Security researcher Jeroen Opdenakker called it the default deployment without clear notice or opt-out, a serious infringement of privacy regulations, with CCPA, the Computer Fraud and Abuse Act and GDPR all cited as exposure.

Third, I know I said two, but her track record is seriously toxic. There are so many examples of personal and professional disaster, I can’t leave it at just two. She claims to be on Flo’s Privacy and Security Advisory Board since 2022.

Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations that It Misled Consumers About the Disclosure of their Health Data

She dropped her name onto the board of the app behind the most notorious femtech privacy enforcement in the US, a company that paid into a landmark 2025 health-data settlement. The violations were so severe, it was the first time the FTC ordered a company to notify consumers of a privacy action, and Commissioners Chopra and Slaughter argued the conduct also violated the Health Breach Notification Rule, which the complaint left out.

So as we say in American, three strikes, she’s out. This is someone flogging identity-verified, privacy-first European speech centralized surveillance infrastructure, with a doctorate on free speech, who has been repeatedly intentionally overseeing the exact opposite of what is on the box.

Are you ready to sign up for her to use her mysterious “Nordic” framing about her investors to control your communications? Who wants her in charge of anything to do with privacy? Please tell me, seriously.

Her company choosing to build on top of the BlueSky ATproto in fact fits the troubled persona. She is standing up a choke-point model of total control, which is a repetition signal from every one of the above abuse findings.

Here’s the administrator manual that we should be handing out to any engineers identified as working for Zeiter:

In other words, something smells rotten in Denmark.

Who will the be first W-histleblower?

Already we see the fail unsafe mistakes bubbling up from under this CEO. When W scrubbed the Bluesky branding from its staging site to hide their forking plan, the login page lost its SSL certificate, so credentials typed into it would travel as plaintext. The platform whose entire pitch is verified identity and government ID upload. Cleartext.

The scrubbing was implicated in brand deception as well. A staging page still had the Bluesky login clone and a dev PDS page showing the AT Protocol logo. For a week the European press reported EU backing, until Euronews fact-checked it and a Commission spokesperson denied the EU was launching, funding or operating any platform. Supposedly no European-backed project called W exists, and yet everyone seems to see it as such, while W stays silent and issues no correction on the messaging they fed into the public.

That’s not the kind of mistake anyone with a basic clue could make. Tom Casavant doubled-down on the problem by reporting W’s Kubernetes management software used GitHub SSO without identity (lock to single org). For a company asking for state ID, they didn’t even turn on the most critical infrastructure identity themselves.

Zeiter says the ID check works like a club door, confirms human and over-18 through a third party, then deletes the data, and that she has no interest in holding ID data because it can only become a breach. Uh, no. The verification app is built by Neuro from Trust Anchor Group, and if nothing is retained, what stops one person from registering many accounts across devices, which implies some persistent identifier or hash is kept after all? Impersonation already has been demonstrated: Zeiter tagged advisor Yariv Adan, who had registered the username homersimpson, so a verified account can choose any display identity, including that of a head of state. Verified person? More like arbitrary persona.

Who is her homersimpson advisor really? He spent 17 years at Google, co-founding Google Assistant and Google Lens. He is surely why Zeiter says she will “maybe train European AI models with our data”.

I mean, should this rollout be called the EUWWWWWW? Who understands the technology, the branding, yet really wants this, other than the Palantir and Putin crowd?

I’ve written here before about the inherent “Room 641A” design mistakes of BlueSky. It’s simply put an insecure and unsafe protocol. Nothing is secret about the decisions to lower privacy. It seems likely that it was meant to be that way, because anyone doing secure protocol design since the 1970s knows how and why to avoid the centralized surveillance vulnerability using the data “migration hubs” that define BlueSky.

Speaking of which, the only thing WhatsApp really added to the Signal Protocol was a plaintext exposure Signal refused: pervasive metadata harvesting, and a reporting pipeline that ships flagged messages in the clear to a thousand-plus Meta moderators. Imagine being a spy agency and knowing you can get someone hired to read WhatsApp chats. Again, not a secret. The EU is for some reason big on people using WhatsApp, despite it being a foreign surveillance model. This has been repeatedly documented. And look at how well-heeled lobbyists were pushing misstatements/disinformation like this that do harm to public safety.

I guess, I expected better of the EU. They argue wine, cheese, beer… has to be high quality, authentic sourced integrity. And then tech is just this sloppy imitation of bad fascist code preying on hype cycles? But then again, elitist violent seizure of power was quite popular just two generations ago. Latent thirst for political garbage is manifesting.

Anyone promoting W today may as well drop in a Mussolini, Franco, Hitler, Szálasi, Mosley, Salgado… portrait to achieve the WTAF avatar. They would go with Szálasi to bridge with the EU return to a 1940 Madagascar Plan, since he led Hungary’s Arrow Cross and 1944 government that rushed to deport and murder Hungarian Jews before the Allies could liberate them.

And if you’re wondering where Sweden fits, the answer may surprise you. Aside from “neutrally” enabling Hitler with iron ore, financial help, ball bearings and troop transit, Sweden ran a state institute for racial biology (founded 1922 in Uppsala), among the first national, state-funded race-science bodies anywhere. Their forced-sterilization program started, not coincidentally, from 1934 into the 1970s. That’s how they define democracy, because their racist thinking never needed a fascist coup.

The German government yesterday, along with the EU, announced that it was approving large “black sites” and “migration hubs” that disappear people for months, or perhaps forever if history is any guide.

…text notably enables nations to open deportation centers outside the EU’s borders, where migrants with no right to stay could be sent…

That means inhumane detention for “up to two years”, using home searches and seizure of belongings, with intentionally cruel and far away destinations under discussions that rhyme with Auschwitz.

A State party cannot escape its human rights responsibility when outsourcing asylum processing to another State… [where] minors have suffered from deterioration of physical and mental well-being, including self-harm, depression, kidney problems, insomnia, headaches, memory problems and weight loss.

January 1933, after months of collapsing public support, Hitler seized power by appointment and by March 1933 the first concentration camp opened at Dachau. It held political prisoners, ended opposition, and cleared the path to a one-party state within months. The deportation machinery of Nazis setup “migrant” processing hubs for anyone they deemed “stateless”, which is the exact sequence the EU now rebuilds as if everyone just forgot the Holocaust.

A German minister named Dobrindt, infamous for his hand stopping fiber in Germany until the country fell to the bottom in broadband speed, seems to be the man trying most to stop thought and drag his country backwards in time. In his attempt to “report” on “left-wing” extremism, he literally claimed the threat “increase” went all the way from 11,200 to 11,200.

He’s not being dumb. He’s very cynically and intelligently asking that everyone just NOT SEE.

His intentional blindness to human tragedy has become so obvious, even in German, I don’t know how or why the many national level failures of Dobrindt qualify him to any public office, let alone this latest concentration camp counselor role for the EU.

Meanwhile, another branch of government clearly wants us to see on Juneteenth 2026 that Germany has for 25 years been paying reparations for 26 million people forced into slavery.

…forced labor was used for the purpose of physical extermination: it was especially concentration camp prisoners, including many Jews, Sinti and Roma as well as Soviet prisoners of war and civilian laborers…

October 3, 1993. Most know it as “Black Hawk Down”. Now, a new report using the “Little Bird” Night Stalkers perspective sheds light on a long forgotten and missing After Action Report.

American forces launched rapidly in Somalia at 15:32, because the two target lieutenants had just been located an hour earlier at a known residence. This is how the daylight deployment window was set.

And then a deadly analytic mistake was made in the plan. During daylight in a dense city, the discrimination and survivability objectives were placed in direct opposition. To put fire down that spares noncombatants, aircraft must engage low and slow enough to see what they would be shooting at. Low and slow in a daytime Bakara Market is the maximally exposed profile, and the minimum of survivability. One orbit could never achieve both the civilian protective order and the soldier survival requirement.

This was especially true because, as was well known at the time, Mohamed Farrah Aidid’s forces were trained on RPG shots at low and slow moving helicopters. It’s a tragically obvious mix, and not just today in retrospect.

The MH-60 were the wrong platform, pushed into the wrong orbit ring. And daylight should have made the entire protection decision incoherent. Any shoot down of one converts any rapid extraction force into a prolonged urban battle and siege warfare subjecting hundreds of civilians to heavy automatic weapons, cannons and rockets. And that’s exactly what happened.

Ordering very discriminate fire eroded the conditions for survivability of those teams, which is how top professionals were forced into a mass casualty disaster. The high volume of indiscriminate fire, from surrounded forces trying to hold out for rescue, was the result. Estimates are that around 300 people were killed, with more than double that wounded. The exact opposite of task force doctrine, was created by a simple error made in task force doctrine.

The Little Bird perspective coming out now proves that the controlled raid should have been a fixed duration and a fixed footprint, nothing else. The Black Hawk deployment into clear skies filled with RPGs is what converted it to a crash recovery with open-ended battle that sprawled across blocks of housing and pulled crowds toward the wreckage, with an expanding urban firefight; generating the worst possible environment for civilian survival.

The impossible choice that was pushed on troops, clearly meant to spare civilians, instead only raised the probability of the one event that guaranteed mass civilian death. Self-defeating at the second order.

Wer in Berlin ‘n Reisepass beantragt, seine Steuer über ELSTER abjibt, sich ‘n Termin im Bürgeramt erkämpft oder sich bei seine Krankenkasse einloggt, macht det allet inne Rendering-Engine, die er nich kontrolliert, nich prüfen kann un die sich über Nacht von ‘nem Server an de amerikanische Westküste neu schreibt. Die Browser-Engine is det meistverbreitete Stück ausländische Software im janzen öffentlichen Leben von Deutschland. Un uff keener einzijen Liste für kritische Infrastruktur steht se druff. Komisch, wa?

Det Ding, det keener uff de Liste setzt

KRITIS, det deutsche Regelwerk für kritische Infrastruktur, det det BSI beaufsichtigt, zählt allet uff: Strom, Wasser, Essen, Telefon, Jesundheit, Jeld un Verkehr. NIS2 hat den Kram europaweit noch breiter jemacht. Un die Browser-Engine? Die is der Türöffner zu jedem von die Sektoren — die Schicht, über die der Bürjer an die janzen Dienste überhaupt rankommt — un se steht außerhalb von allet, wat wir je injestuft ham. Na, dufte.

Drei Engines fahren det offene Web. Googles Blink schleppt rund drei Viertel vom janzen Verkehr, über Chrome, Edge un fast den janzen Rest. Apples WebKit hat iOS feste inne Hand. Mozillas Gecko, det Herz von Firefox, dümpelt inzwischen unter fünf Prozent rum. Alle drei werden aus de USA jesteuert. Det Tech-Souveränitätspaket von de EU-Kommission vom Juni 2026 jibt selba zu: Bei de wichtijen digitalen Sachen hängt die Union zu über achtzig Prozent an Quellen außerhalb von Europa. Achtzig Prozent! Det is keene Abhängigkeit mehr, det is ‘ne Beziehung.

Un nu kommt’s: Det is keene Eigentumsangst. Det is ‘n offenet Scheunentor inne Governance. ‘Ne Engine, die sich selba aktualisiert, is ‘n ferngesteuerter Schreibkanal in jeden öffentlichen Rechner, der se laufen lässt: Wer den Update-Server hat, entscheidet, wat heute Nacht uff die Kisten draufkommt. Beim Stromzähler oder de Telefonvermittlung würdn wa det nie un nimma dulden. Aba bei de Schicht, über die der janze Staat seine Bürjer trifft, da drücken wa beede Oogn zu — weil et ja „läuft”. Genau so sieht jede vereinnahmte Infrastruktur aus. Bis zu den Tach, wo se nich mehr läuft.

Drei Engines — zwee baust de nie selba

Nimm die Romantik aus det Wort raus, denn is ‘ne Engine ‘n Haufen aus sieben Teilen in eener Schleife: Netzwerk, HTML-Parsing, det DOM, die CSS-Kaskade mitsamt Style-Berechnung, det Layout, Rendering un Compositing, un die Bindings, die JavaScript an den Baum koppeln. Der Trick is, zu kapieren: Die tiefsten un teuersten von die Teile sind Stangenware. ‘Ne JavaScript-Engine, ‘n Stack für Textshaping un Font-Rasterung un die GPU-Primitiven unterm Rendering — det sind jeweils Jahrtausende Arbeit, un se nachzubauen bringt dir exakt null Souveränität. Keener kontrolliert det Web, bloß weil er ‘n Font-Rasterizer besitzt. Quatsch.

Wat dir wirklich jehört — det souveräne Tafelsilber — det is die Layout-Engine, die Rendering-Pipeline un die Sicherheitsjrenze drumrum. Det is der Teil, für den sich Kohle lohnt, un den baust de nich uff de jrüne Wiese neu. Servo jibt’s nämlich schon: ‘ne speichersichere Engine in Rust, verwaltet von de Linux Foundation Europe, von ‘nem fünfköpfijen Team bei Igalia von 41 uff 62 Prozent inne Web Platform Tests jehievt, mit ihrem ersten jetaggten Release 2026. ‘Ne deutsche Engine is also ‘n Problem von forken un bezahlen — uff europäischem Fundament, nich uff’m leeren Blatt. Die janze Rechnung, inklusive de Kosten weiter unten, steht in diesem richtig juten Realitätscheck zu Browsern un Souveränität.

Die Einkoofsliste, allet uff Rust

Hier is der Stack, den ‘n Jeldjeber wirklich bezahln soll — ausjesucht nach eener einzijen Regel: keen amerikanischer Plattform-Gatekeeper in keenem tragenden Teil.

Teilsystem	Souveräne Wahl	Wat et ersetzt
Sprache	Rust	Speichersicherheit als Basis — un det janze Ökosystem druntern
JavaScript-Engine	Boa	V8 (Google), JavaScriptCore (Apple), SpiderMonkey (US)
GPU-Rendering un Compositing	WebRender + wgpu	Skia un plattformeijene Grafik-Stacks
TLS	rustls	Googles BoringSSL, OpenSSL
Layout	selba jebaut, uff’m Taffy-Jerüst für Flexbox/Grid	det eene Teil, det dir keener verkooft
Text un i18n	rustybuzz, fontations, ICU4X	HarfBuzz, FreeType, ICU (die alten C-Klamotten)
Barrierefreiheit	AccessKit	die Accessibility-APIs von de Plattform
Basis-Codebasis	Servo	‘ne Neuentwicklung von janz unten

Die eene Komponente, die entscheidet, ob det Wort „souverän” den Realitätscheck übersteht, is die JavaScript-Engine. Bettste Googles V8 oder Apples JavaScriptCore ein, denn haste die Abhängigkeit bloß mit ‘nem netteren Logo neu uffjebaut — schöner Unsinn. Mozillas SpiderMonkey is die ehrliche Brücke — offen, einbettbar, der schnellste Weg zu ‘nem laufenden Browser —, aba et bleibt Code aus de USA. Boa is det Ziel: ‘ne einbettbare Engine in Rust, MIT-lizenziert, von ‘ner Community jepflegt, un schon bei rund 94 Prozent Konformität in Test262, der offiziellen ECMAScript-Suite. Die is weiter, als ihr keener zutraut — ihre Temporal-Bibliothek für Datum un Zeit is so jut, dass V8 selba se inzwischen benutzt. Stell dir det ma vor. Der Abstand zu V8 un SpiderMonkey is echt, aba der liegt inne reine Jeschwindigkeit un in den tausend Sonderfällen, nich inne Korrektheit. Un jenau son Abstand is die Art Arbeit, die ‘ne staatliche Initiative jut hinkriegt: bejrenzt, bezahlbar, keen Hexenwerk. Bezahl Boa uff Web-Niveau hoch, un de JavaScript-Schicht vom europäischen Stack hat überhaupt keenen fremdjesteuerten Code mehr drin. Fertig.

Wo die Kohle wirklich hinjeht

Det ehrliche Bild vom Engineering is det Jejenteil von beängstijend. Fast allet uff der Liste is entweda Stangenware, die de eenmal einbaust, oder ‘n bejrenztet Problem, det de eenmal löst. Et jibt jenau eene Hürde, die sich nur langsam mit Jeld wejkoofen lässt, un det is die Web-Kompatibilität — konkret: et muss laufen wie Chrome. Layout is an de Ränder schlampig spezifiziert, un so heißt „korrekt” inne Praxis: „benimmt sich wie Blink, ooch da, wo Blink von de Norm abweicht” — weil die Websites von de janzen Welt jejen Chrome jetestet werden un nich jejen die Spezifikation. Da jibt’s keene elejante Abkürzung. Det is langes, sturet Jejentesten jejen die Web Platform Tests, un da wird uff Dauer der Löwenanteil von de Arbeit drinstecken. Punkt.

Zwee andere Probleme sind wirklich knifflig, un beede sind Sicherheitsprobleme, wo ‘ne Rust-Engine besser sein kann als die etablierten Dinger, statt nur hinterherzurennen: die Renderer-Sandbox un die Vertrauensjrenze zwischen ihr un dem privilejierten Prozess — un die Lebensdauer von de DOM-Objekte, die der JavaScript-Garbage-Collector verfolgt, die klassische Quelle von ausnutzbaren Use-after-free-Fehlern, jejen die Speichersicherheit überhaupt erst erfunden wurde.

Die Kohle für den janzen Spaß? Wird uff grob 50 bis 70 Millionen Euro im Jahr jeschätzt — für Entwickler, Tests, Sicherheitsaudits un Standardarbeit. Stell det neben det 7,8-Milliarden-Budget von de Europäischen Weltraumorjanisation oder die 300 Milliarden, die det EuroStack-Vorhaben in digitale Infrastruktur stecken will — denn is ‘ne Browser-Engine ‘n Rundungsfehler. Anne Kohle hat’s nie jelejen. Et liejt anne Dauerhaftigkeit: ‘ne Engine is keen Projekt, det fertig wird, sondern ‘ne Verpflichtung, die det Ministerium überleben muss, det se bezahlt hat.

Inne öffentliche Hand — un zwar föderal

Deutschland baut schon souveräne öffentliche Software, un zwar schon föderal. ZenDiS, det Zentrum für Digitale Souveränität der Öffentlichen Verwaltung — ‘ne bundeseijene Jesellschaft, Ende 2022 jejründet un ausdrücklich uffm Weg zu ‘ner jemeinsamen Bund-Länder-Körperschaft — fährt openCode, die Code-Schmiede vom öffentlichen Sektor, un openDesk, die souveräne Alternative zu Microsoft 365. Als die Chefs von alle sechzehn Länder zur Ministerpräsidentenkonferenz zusammenkamen, ham se openDesk benutzt — ‘ne Woche nachm Start. Un uff EU-Ebene formt sich der Apparat ooch schon: ‘n EU-Konsortium für digitale Infrastruktur un digitale Jemeinjüter, wo ZenDiS un die deutsche Sovereign Tech Agency die ersten Projekte stemmen solln. Det Chassis, det ‘ne Browser-Engine bräuchte, is halb jebaut, bevor eener ‘ne Zeile Layout-Code jeschrieben hat. Is doch wat.

Also stell die Engine dahin, wo der Rest vom souveränen Stack sowieso wohnt: een Upstream, sechzehn Verwalter. Eene einzije föderale Browser-Behörde würde jenau det wiederherstellen, wovor man wejrennt — eenen einzijen Punkt, wo se politisch zujreifen können, un eenen einzijen Explosionsradius für jede Sicherheitslücke. ‘N föderalet Modell, uff Länderebene jepflegt, verteilt die Sicherheitsprüfung, passt zu de Subsidiarität, uff der der deutsche Staat jebaut is, un sorgt dafür, dass keen einzelnet Ministerium un keen einzelnet Unternehmen die Schlüssel hält. Engines sammeln sich nich bei Google, weil’s für alle andern unmöglich wäre. Sondern weil sonst keener bereit war, für Dauerhaftigkeit zu blechen. ‘N föderaler öffentlicher Auftrag is die eene Struktur, die Dauerhaftigkeit bezahlen kann, ohne ‘n neuet Monopol unter europäischer Flagge hochzuziehn.

Un nu Butter bei die Fische, wat det wahre Risiko anjeht: Det is nich technisch. Deutschlands eijene Open-Source-Versuche sind schon ausjebremst worden, weil Bundesressorts ihre alten Verträge jeschützt ham — netzpolitik hat dokumentiert, wie jenau dieser Behörde der Rotstift anjesetzt wurde. Die Jefahr für ‘ne deutsche Engine is die Vergabepolitik im eijenen Laden. Rust war’s nie.

‘Ne Republik, die ihre eijene Regierung nich in ‘nem Browser darstellen kann, den se selba kontrolliert, hat den Vordereingang schon längst ‘nem andern inne Hand jedrückt. Die Standards sind offen, die Sprache is Rust, det Fundament is Servo, die JavaScript-Engine is Boa, un det Chassis zum Verwalten steht ooch schon da. Forkt det Ding. Bezahlt et. Schreibt et inne KRITIS. Un die Schlüssel — die kriejn die Länder.

Für meinen Großonkel Lutz und seine Familie, 1941 – die wir nicht mehr aus Berlin herausholen konnten, bevor sie wegen der Angaben in ihren Papieren getötet wurden.