Jae's Blog

PII in plaintext on ANFR’s website

First, some context.
ANFR is France’s equivalent of OFCOM (in the UK) or BNetzA (in Germany).

Last year, they did a public consultation in relation to raising the threshold for “atypical points” from 6V/m to 9V/m. As with anything concerning radio waves, they had a slew of responses from conspiracy theorists, self-proclaimed “hyperelectrosensitive” people (the term coming back fairly often), but also approval from some entities such as SNCF (the national rail system).

All those responses are published on their website: https://www.anfr.fr/REPONSES/
Given that URL is publicly accessible, PII such as names, family names, phone numbers and addresses were redacted via black boxes on the documents.

While reading the responses in my web browser, Firefox, I noticed that I could click on some of those boxes, switch to edit mode, press DEL and completely de-obfuscate the PII.
I’m not a security expert by any means, and even I can say that’s pretty bad for an agency supposed to regulate frequencies.

So, what to do in this situation? I discovered this on Thursday 25 of December 2025.
On Friday 26 of December 2025, I decided to give them a call, as their website stated they would be open. Of course, no response at this point.

On Monday 29 of December 2025, I called once again, and this time, got someone over the phone. After explaining the issue, I was just told, “that sounds bad, I’m going to transfer you to someone else” (paraphrased).
After waiting for a bit, I ended up with someone who sounded confused and just thanked me for the report before quickly ending the call.

At this point, I wasn’t sure the issue would even be resolved from this phone call, so I waited for a bit, checking on the website now and then.

As of today, Friday 09 of January 2026, the issue has finally been fixed. While in a browser, the redaction boxes can’t be moved or deleted. When loading the PDF into Inkscape, you can move and remove the redaction boxes, but what’s under them is gone.

I’m also shooting a message to the CNIL (governmental data privacy agency) as ANFR didn’t publicly disclose that there was a possible leak of PII from their website, even if as simple as this.
In my opinion, this does reach the threshold to be a personal data breach, and as the European Commission itself says, ANFR would have had to disclose it within 72 hours.
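
For anyone publishing redacted PDFs, here is a pre-publication check for the failure described above: a box that sits on top of text that is still in the file. This is an added example, not ANFR's tooling or anything from their site; it assumes the boxes were PDF annotations (which the post does not confirm), the function names and sample PDFs are constructed, and it does not cover encrypted files or text stored in hex or font-specific encodings.

```python
import re
import zlib

# Annotation subtypes that can act as a cover box lying on top of page content.
# /Redact is a redaction *mark* that has not been applied yet.
OVERLAY_SUBTYPES = (b"Redact", b"Square", b"FreeText", b"Highlight", b"Ink", b"Stamp")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(" + b"|".join(OVERLAY_SUBTYPES) + rb")\b")


def decoded_views(pdf: bytes):
    """Yield the raw file plus every stream that inflates (Flate content, object streams)."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))  # tolerates trailing EOL
        except zlib.error:
            pass  # not Flate-encoded (image, other filter): skip


def lint_redacted_pdf(pdf: bytes, must_be_gone: list) -> dict:
    """Report overlay annotations and sensitive strings still present in the file."""
    overlays, leaked = [], set()
    for view in decoded_views(pdf):
        overlays += [m.group(1).decode() for m in SUBTYPE_RE.finditer(view)]
        leaked |= {s.decode() for s in must_be_gone if s in view}
    return {"overlays": sorted(overlays), "leaked": sorted(leaked)}


def make_pdf(page_text: bytes, annot: bytes = b"") -> bytes:
    """Constructed sample: one compressed content stream, optional annotation object."""
    body = zlib.compress(b"BT /F1 12 Tf 72 700 Td (" + page_text + b") Tj ET")
    pdf = b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(body)).encode()
    pdf += b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
    return pdf + annot + b"%%EOF\n"


# Constructed inputs (made-up name and number): a black box added as an annotation over
# text that is still there, versus a file where the text itself was removed.
BOX = b"2 0 obj\n<< /Type /Annot /Subtype /Square /Rect [70 695 300 715] /IC [0 0 0] >>\nendobj\n"
COVERED = make_pdf(b"Name: Jane Example, tel 0100 000 000", BOX)
SCRUBBED = make_pdf(b"Name: [removed]")

if __name__ == "__main__":
    for label, doc in (("covered", COVERED), ("scrubbed", SCRUBBED)):
        print(label, lint_redacted_pdf(doc, [b"Jane Example", b"0100 000 000"]))
```

A file is only fit to publish when both lists come back empty; a clean result here does not replace opening the output and trying to select or extract text from under the boxes.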

Changes in Posti’s data processing

If you live in Finland, you have without a doubt interacted with Posti. Recently, they announced large changes in their user data processing policies, taking effect on May 20th 2025.

The bottom line is:

  • New targeted advertising (directly sending your data to Facebook, Google, Adform and many others)
  • Profiling of your data

To avoid getting caught in this, visit the account settings page (on my.account.posti.fi), then on the left, select “settings”.

In there you will need to uncheck two options:

  • “Use of customer data for targeted advertising (effective from 20 May)”
  • “Profiling (effective from 20 May)”

Also feel free to clean up any options you might have forgotten to disable before.

As a friendly reminder: do not forget to press “save changes” at the bottom of the page when done with the unchecking part.

With this, you should be pretty safe to proceed, though I’d still watch this page in case Posti has a magical bug that would re-enable everything for everyone.

Personally, I find this whole thing kinda scummy given Posti is an essential public service. Forcing that kind of analytics on people can only go badly in the long term.

Jae 2012-2025, CC BY-SA 4.0 unless stated otherwise.