CalyxOS Is Officially Back!
E60

CalyxOS is back in public releases,

some good news for privacy in the US,

and what would you do if a Flock

microphone appeared in your yard

overnight?

All this and more coming up with This

Week in Privacy, so stay tuned.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we're working on

within the Privacy Guides community and

this week's top stories in data privacy

and cybersecurity.

I'm Nate,

and with me this week is Jordan.

How are you doing, Jordan?

I'm doing great.

So excited to jump back into some more

privacy news this week.

Yeah, it was a busy week.

Thankfully, not super, super overwhelming,

but definitely no shortage of stories to

choose from.

And I think first up here,

we're going to go with some news from

CalyxOS,

who is officially back in a public

release.

So some of you may remember,

to kind of give you the full drama,

let me go back to the beginning.

So I believe it was about...

Oh, God,

it was about this time last year.

Holy crap.

Maybe a little after this,

maybe closer to the fall.

But CalyxOS, which is a –

I know this is going to be controversial

just to say this,

but I think it would technically qualify

as a de-Googled Android in the vein of

something like Lineage or /e/OS,

arguably Graphene,

just in the sense that it's like Android,

but they try to reduce some of the

Google bits that are in there by default.

We'll get into all that later, I'm sure.

But CalyxOS,

they announced that a few of their key

members were leaving,

including their lead developer and

Nicholas Merrill,

who founded the organization.

And they also announced that coinciding

with that,

they were basically going to freeze

releases and completely redo their

backend.

And there was a lot of speculation because

it was really weird, right?

They were basically like, like a,

They were like,

we're going to rotate our keys.

We're going to come up with this new

key signing thing.

We're going to streamline our process.

Like,

we're just going to overhaul everything

from the ground up.

And there was a lot of speculation, like,

that's really weird.

Like, is there evidence of compromise?

Like,

did Nicholas take the keys with him when

he left?

Like, what happened here exactly?

And so they did put out a statement.

They were like, no, like,

there's no evidence of compromise.

But they still never really said why now.

Like, they didn't just say if it's like,

look,

we've been meaning to do this and now

is a good time or what the case

was.

But they said about four to six months.

And for the record, I'll admit my bias.

I like Calyx.

It was like one of the first...

I mean,

it was the first de-Googled OS that I

ran full-time.

So I have a soft spot for it.

But I do have to admit that they

really, really overshot that goal.

I think they finally...

Um, they finally released, and here's what I

was gonna say: some of you guys may

remember a couple months ago, I think it

was around February or March, uh, maybe

January, I'm bad with time, they finally

announced, um, you know, okay, we have this

like beta release that you can go and

download, um, but they weren't fully back

yet like this. So that's what this is:

they are like, we are back, we have

a full release, you can go download it

now, you can use it. Um,

Their communication could have been better

during this almost year long process.

They only issued like three or four status

updates.

And again,

they really never explained like,

why are we running behind?

Why is this taking so long?

What are the roadblocks?

Just a personal pet peeve of mine.

Like I'm, I know I'm kind of,

doing the analysis already.

But, like, I'm a really big fan of,

like,

if something is taking longer than

expected, tell people why.

Don't just be like, oh,

we're working on it.

We're working on it.

Like, tell people, like,

we ran into this issue.

This broke.

This turned out to be harder than we

expected.

Blah, blah, blah.

Just let people know, man.

But anyways.

So, yeah.

So, it's fully back.

There's version seven dot two dot two dot

zero,

which unfortunately is still based on

Android sixteen.

They have not upgraded to Android

seventeen yet.

But...

On the plus side,

they do say that there is,

they do support a new phone now.

Where did that go?

I can't find it.

I probably scrolled right past it.

But they are supporting a new phone now.

I think it's the Shift Phone six or

something like that.

So that's pretty cool.

They say that they are.

Oh, yes, there it is.

The Shift Phone eight.

They say that they are working on Android

seventeen.

So what they did is they switched to

HSM-based open source signing solution,

which HSM, from what I understand,

I'm a little bit outside my expertise

here.

But from what I understand,

it's kind of like a

it's almost like a physical server that

handles the signing keys.

That's probably like a really grossly

oversimplified version,

but it's supposed to be like really super

secure.

So they've got this new,

like really secure way of handling the

signing process.

They did release the security audit and

the provisioning ceremony and everything.

Uh, they also did do some things and,

um, here's what I'll be interested to see.

So they say in response to Google's less

frequent AOSP source code releases,

which for anyone who missed that Google

used to release the Android open source

project, um,

I think once a month and now then

they switched to like once a quarter.

And I think now it's even gone down

to like twice a year.

Um, I could be wrong about that,

but it's definitely a lot less often.

So now all these, these, uh,

I don't want to call them derivatives.

These forks of Android that we like to

use in the privacy community now have to

do so much extra work to try and

get this.

And that's like the least of things that

Google did,

but that's a whole different story.

Anyway, sorry.

In response to Google's less frequent AOSP

source code releases,

our team developed scripts to reduce

overhead in applying monthly patches and

updates.

So that's pretty cool.

They say they have set up a cleaner

server structure to streamline each

release.

And currently,

our lead engineer is continuing

maintenance on the base device trees for

both Lineage and Calyx to bridge the gap

created by the absence of Google Pixel

device trees, which is, again,

another thing that Google stopped

publishing that makes the job so much

harder.

So they said we'll share a timeline soon

for releasing Calyx eight with Android

seventeen.

And last but not least,

they did have some personnel changes

again.

Like I mentioned,

they said that their core developer

working on the Aurora store is leaving for

another opportunity.

I think they said...

I don't know if they've replaced him yet,

but they said they did welcome somebody to

replace someone else who does

infrastructure.

So yeah, it's definitely...

So I guess let me start by saying

that Calyx is not officially recommended

by Privacy Guides just because we feel

like it doesn't really bring anything

meaningful to the table in terms of

privacy and security.

Like, I think it's not bad.

And I think the decisions,

at least in my opinion,

I know there's some people who argue that

it's a downgrade in security.

There's, I think...

Personal opinion,

I think the decisions they make make

sense.

Like for example, they say that,

I think it's the clock server still pings

Google because they're basically like,

well, it makes you blend in better.

But at the same time,

I think that's a matter of what do

you want out of a device?

Like that's kind of a personal opinion

thing.

Like,

do you wanna blend in with everybody or

do you want Google to not get your

IP address in the first place?

I don't think there's really a wrong

answer there necessarily,

but I guess my point is like,

I think their decisions make sense even if

they're not the right decisions.

But, um, I will be interested personally to

see, I guess, I, I think one of

the big reasons, again, there's several

reasons, but one of the big reasons that

we don't recommend Calyx is they've

historically been very slow to provide

updates. And, uh, they did kind of fix

that shortly before this reboot, like a

year or two, it was a couple years,

um, before this reboot, they released the, uh,

what is it called,

the Security Express channel,

which is basically you can go into your

settings and you know how you can sign

up for like the beta releases,

the stable releases.

Well,

they added a third option called Security

Express,

which is only the security releases.

So you still have to wait for the

features to hit stable,

but you will get those security patches

usually within a couple days of when they

publicly released by Google.

So that was really cool to see.

But then there's this whole thing that,

like I said,

was supposed to take four to six months,

took almost a year,

not a lot of communication.

So personally,

I will be really interested to see with

all these infrastructure improvements and

the scripting that they've done.

And I'm really interested to see.

if this is going to make a difference

with their release schedule.

Because I think that will go a long

way to addressing at least some of the

biggest concerns with Calyx.

Now, again,

they don't do the hardened memory

allocator.

I think we have a page somewhere on

the website that I'll go find while Jordan

gives their thoughts.

But they don't harden the memory.

They don't really introduce any additional

sandboxing.

They replace Google services with microG.

And unfortunately they do give microG

elevated permissions in order to run

reliably for like notifications and stuff.

So that's kind of one of the examples

I talked about where some people will

argue that it's a step backwards because

now you're giving this third party

program, some extra permissions, whereas,

you know, Graphene will like isolate the,

um,

the Google Play into its own sandbox,

which is really genius.

So it's definitely,

I think Eteru here said that even with

the recent update,

it's still a trade-off between security

and convenience.

Using microG and signature spoofing means

sacrificing core system security for

usability.

Exactly.

So yeah,

it's definitely not our top

recommendation,

but it's still a popular choice in the

community.

And the fact that it is back now

is definitely really big news.

So I think I have rambled on that

plenty. Um, Jordan, did you have any thoughts

about this story?

No,

I think you did a good job covering

like a lot of the main things.

Sorry, everyone,

I'm a little bit sick this week.

So if I sound a bit funny,

that's the reason why.

But so basically this is kind of the

reason why I'm covering this is because

obviously this is news in the privacy

community because I think this is

I think while CalyxOS doesn't have,

you know,

it doesn't compare to GrapheneOS in terms

of security, I think, you know,

it's possible that, you know,

I think there's privacy benefits over

stock Android and, you know,

other operating systems.

But I think, you know, like Nate said,

like we kind of do push people more

towards GrapheneOS because that is just

like the pinnacle at this point of privacy

and security and,

you

I think it's also the gap has widened

even more because GrapheneOS has the

sandbox Google Play services,

which offers a good level of privacy from

Google by not allowing it to be a

privileged app.

That is, you know,

a benefit of GrapheneOS.

But then there's this comment here from

Dag Overhaul.

Does CalyxOS support a wider set of

devices than Graphene?

Exactly.

So that is, like,

the benefit of CalyxOS is, you know,

if you do have, like, a Motorola or,

like, Nate was saying, like,

a Shift Phone Eight or any of these

other, like, custom devices.

I know they support Fairphone as well.

So, you know,

if you do have one of these other

devices, then...

boom, that's your solution.

But I think we should all be very

cautiously cautious about this because as

we saw,

they haven't released a single release

because they had a whole restructuring and

everything, which, you know, it happens.

I think it's hard to

hard to keep managing a project for an

extended period of time. There were, you

know, they had a very cemented workflow

that they had for probably, you know, four

or five years. So I think it's reasonable

to, uh, to have to take a pause

on updates for a little bit, um, to

restructure that. So I don't think that is

super concerning, but I do think, you know,

it is extremely unfortunate, especially

when it's like the threat landscape that

we're in is where, you know, people's

devices

are constantly under attack, and if they're

not receiving updates, then that is kind of

a, that's kind of a massive problem,

especially because, you know, there's,

there's so many attacks that can, that can,

that can be,

that can be exposed to if you don't

make sure your device is updated.

So I hope that, you know,

this is the first official update.

I hope they continue making sure they're

keeping on top of updates as well.

GrapheneOS is already updated to Android,

whereas CalyxOS is still on Android.

So they've always been behind.

It's just always been,

it's the nature of it.

GrapheneOS is also behind as well when

it comes to, you know,

big releases like Android, they took,

I think it was a couple of weeks,

maybe two weeks,

I think to have a stable,

a stable build out.

So, you know,

there's always going to be a delay.

Um, but I think, you know,

when we compare the projects graph,

you know, this is just such a,

it's a much bigger project.

They've got much, um,

much more developers working on it.

It's, it's just a bigger project.

So that kind of means that these,

these sort of maintenance tasks get

completed more quickly, which,

It's fine.

There was another comment from Dag here.

Can you run Google Play services slash

store on Calyx,

install and run banking apps, et cetera?

So I guess I think Nate, I believe,

has used CalyxOS quite a bit.

So maybe I can throw that back to

you and you can answer that question.

Yeah, sure thing.

So technically, no,

Google Play services does not work.

The Play Store, as far as I know,

does not work.

Usually they recommend using Aurora

instead.

Instead of Google Play services,

you'll use microG,

which in my experience works fine.

I'd say like ninety percent of the time

where you run into issues is so there

was there's one app that I use.

It's like a habit tracker.

And on Google,

because I was kind of bouncing back and

forth between the two for a minute to

kind of compare them.

On Graphene,

I would get notifications that it's like,

hey,

our premium version is fifty percent off

for the next week or whatever.

And then you click it and it takes

you to the Play Store and you can

sign up.

And it's one of those apps that I...

Actually,

I think maybe you could have gone straight

to the website.

I can't remember.

Um, but on Calyx, for example, that,

that I think I would still get the

notification, but it wouldn't work.

Like I would click on it and it

would just be like, oh,

there's an error because, uh,

Aurora does not support and microG do

not support, um, the,

the subscriptions like that.

Um,

Yeah,

I'm pretty sure I was able to pay

for it directly on the website and get

around that.

But sometimes you can't do that.

Some apps don't let you pay directly on

the website, which is unfortunate.

So there's little things like that that

don't work very well.

The banking apps, in my experience,

work pretty well because it still locks

the bootloader.

So it still gets that security feature

that it's looking for.

But also,

I know that Google is changing how Android

verifies stuff.

So we may have more issues in general

going forward.

that I would expect to see Graphene handle

a little better just because of the

compatibility layer thing.

So when I was using it,

banking apps worked good enough,

but there's always a possibility that they

don't work as well now because I

absolutely stopped using it when they

stopped getting updates.

Like right after they paused for this

whole thing, there was like a big...

there's like a big update for Android in

general that fixed a lot of like really

serious security vulnerabilities.

And people were like, yeah,

you should definitely get off Calyx at

least until they fix this.

So, yeah.

I think we'll, you know,

we'll watch cautiously on this because...

It's an evolving situation,

but I don't think unless anything huge and

major changes,

there'll be any recommendation from

Privacy Guides.

Just because, like Nate said,

there's not really any significant benefit

to this over GrapheneOS,

which seems to have more focus on privacy

and security than CalyxOS does.

I think it'll be interesting to see how

well the maintenance goes over time,

but we'll definitely make sure we're

testing this and seeing how it evolves

over time.

Yeah,

I think you really hit the nail on

the head.

It's really good if you don't have a

Pixel for whatever reason.

Personally,

I would recommend Calyx over stock Android

because at least it will cut down on

some of the Google telemetry.

But yeah,

if you have the option for Graphene,

it's definitely the way to go.

And real quick,

I don't want to belabor it,

but I did find that article I mentioned.

I just want to throw it up on

screen real quick.

This is an article from twenty twenty two.

That's why I couldn't find it.

I thought it was an actual page,

but it's an article.

So it is a little old.

So some of the information was outdated,

but it kind of shows you Graphene versus

Calyx: update frequency, sandbox Google Play

versus microG, eSIM activation, extensions,

profiles,

which that part might be outdated by now.

So yeah.

Definitely go check that out.

It'll at least give you a rough idea

of why we recommend Graphene instead of

Calyx.

I think you are muted.

There's been some updates to that article,

so...

It's not a hundred percent correct,

but it does have some general things that

should be still correct.

I believe the things that are not correct

is the privileged microG and also the

privileged app extensions might've been

removed possibly, but.

I think microG is still privileged.

I know they've said that they do want

to figure out a way around that because

that is a common criticism they get.

But last I checked,

they hadn't fixed that yet,

but I think the app extensions one,

you might be right.

Okay, yeah, I'm not sure,

but definitely that'll be something you

have to look into yourself.

But yeah,

so that's kind of everything we had to

cover on this story.

I guess we can move into the next

one here.

And this one is a story here from

404 Media.

Apple's Hide My Email vulnerability

reveals people's real email addresses.

Hide My Email users deserve to know that

it may be possible for attackers to

discover their hidden email addresses, the

person who reported the issue said. Um, so

basically if you, okay, this seems to be

paywalled, so, um, that is a bit of

a problem. Uh,

Here,

I'll hop in because I have a subscription.

I'll say that, to be honest,

that's kind of all there is to the

story because they said that...

So one thing that I will say was

interesting is apparently this came from

Tyler Murphy,

who is the co-founder of EasyOptOuts,

who we do recommend on Privacy Guides.

I've been using them for years,

very happy with them.

They were,

I don't know if they still are,

but they were sponsoring Surveillance

Report back when I was on Surveillance

Report.

Um, but apparently, yeah,

he discovered this vulnerability and they

have not disclosed it because they said

that Apple hasn't fixed it yet.

And I think that's kind of part of

what this article is,

is I think 404 is kind

of teaming up with Tyler to like pressure

Apple into fixing this,

because I think they said they reached out

like all the way back in May and

Apple was like, Oh, okay, thanks.

We'll fix this.

And then like stopped responding.

So, um,

we don't know exactly what this is or

how it works,

but I think this was an interesting story

to cover because, um,

Um, you know,

email aliasing is definitely getting a lot

more popular.

We're seeing more, um, like IVPN,

I think has an email aliasing service now

and AdGuard has an aliasing service.

And of course there's like Firefox Relay,

SimpleLogin, Addy.io.

There's just,

it's becoming more and more common.

And I think Apple's introduction of this

really kind of shot it into a mainstream

attention.

Um, yeah.

So yeah,

it kind of defeats the whole purpose if

people can easily figure out a way around

this.

And I don't know,

I guess I've seen some discussions.

Do you happen to know, Jordan?

I mean, again,

we don't know the exact vulnerability,

but I know some of the people in

the comments of this article were

wondering, like,

do we think this might apply to some

of the services we do recommend,

like SimpleLogin or anything like that?

I have a feeling that the way that

this works

vulnerability works is somehow tied back

to the Apple account itself,

like the Apple ID,

because the way that the Hide My Email

aliases are created is tied to your iCloud

account.

I have a feeling it's something to do

with that, but I could be wrong,

obviously,

because they're not revealing

what it actually,

what actually is the problem here.

They're just saying that it's,

that it might be possible.

So yeah, it's not, we don't have,

I mean,

I can't see what's in this article,

but like,

it sounds like there isn't a whole lot

of information in addition to that.

Well, Joseph here in the comments,

I'm scrolling through the comments of the

article and Joseph Cox,

the author said that, uh,

it reveals the email linked to the Apple

ID.

So I think you might be onto something

with that.

Yeah, um, I think, you know, we've never,

we've never recommended Apple's Hide My

Email, so, you know, it's not like this

is a direct threat to people in our

community. But I can't, I can say that

I've used Hide My Email stuff just because

it was convenient, like signing up to a

new account with like my Apple account and

stuff like that. Um,

I've used it before.

So, you know,

maybe someone can find my real email

address or something, but I mean,

I don't think it's a huge issue,

but I can see how this would be

kind of a problem,

especially if you're like a whistleblower

or like someone doing something a little

bit, you know,

you don't want something tied back to your

identity.

So it's,

Yeah, it's not really great,

especially when that's kind of implied

with the service.

It's called Hide My Email.

It's literally in the name.

So if it can't do what's in the

name, then that's a bit of a problem.

So I'm not really sure what the outcome

of this is going to be,

but we can kind of circle back to

our website here.

And we do recommend a couple of different

email aliasing services,

so

You can kind of take your pick,

I guess.

So I guess first off,

we recommend Addy.io and SimpleLogin.

There might be more added at some point,

but this is kind of what things are

looking like at the moment.

Addy.io is a free service,

same as SimpleLogin,

but they limit some of the requirements.

I think it's...

you get like ten domain aliases on Addy

and you get like ten on SimpleLogin as

well.

So, you know,

you've got some options definitely.

And I think, you know,

maybe it's time to switch away from

Apple's closed ecosystem.

I think usually they're pretty good on

privacy related stuff like this.

So I think they'll fix it.

But it could be a better time to

start looking at

better alternatives.

And I think one benefit of Addy.io and

SimpleLogin, at least the paid plans,

is you can send emails to any address

from any of your aliases,

which is something you can't do with

Apple's Hide My Email,

which I found really annoying.

So don't make that mistake.

But yeah,

so that's kind of what we recommend.

I would say

There's no need to panic at this point

because as far as we know,

it's not publicly disclosed or anything

like that.

Apple is usually pretty quick,

but we'll probably have an update for that

next week if Apple does actually decide to

change this.

Yeah, for sure.

We'll keep people updated.

But yeah,

I think we just wanted to include this

story because I know Hide My is kind

of popular.

There are some people who still use Apple

for any number of reasons.

And they're like, well,

I'm already using Apple.

I'll go ahead and use the Hide My

thing because it's so cheap.

So it's important to know that.

Um,

I will call out a couple of quick

comments.

Like Cisco here said,

I've been buying a custom domain and

having a catch all email address.

Honestly, I, I do the same thing.

I really like it.

I have a custom domain that I use

through SimpleLogin and, um, yeah,

I can just make things up on the

spot or, uh, whatever.

And personally,

I like that because if SimpleLogin ever

enshittifies,

I can go to Addy or I can

go to, you know, uh,

whatever the one from IVPN is called that

I keep forgetting.

Like I can, I can switch very,

very easily, which I think is cool.

Um,

And then Dag Overhaul here said,

use aliases for spam control,

not anonymity.

I don't... He says,

make them forward to an anonymous email

address.

I mean, yeah.

I mean,

I guess if you want to go hardcore,

I want to nitpick a little bit and

point out that anonymity is not privacy.

And the idea of privacy is to be

able to control who has access to your

data.

And that's the whole idea is like,

you're not supposed to be able to see...

the main email address.

Like, that is the one job.

That is the whole job of alias emails.

So, I mean, that's certainly a way,

a very advanced technique if you're super

concerned about it.

But, yeah.

MailX, thank you.

You just posted that in the chat.

And yeah, DuckDuckGo is also an option.

I found it difficult to use personally,

but

Yeah,

you kind of need a third party extension

to make DuckDuckGo's one work well,

which probably is not a good sign.

But someone asked,

what's up with the floating head?

Privacy, I guess.

I don't know what to say.

This is the privacy channel.

You should know why.

But yeah, that's the reason.

Just don't want to show my face if

I can avoid it.

And yeah,

I don't really have much more to add

here,

unless you want to talk a little bit

more,

but could jump into this next story here.

Sure thing.

Do you want me to take this next

one?

Or would you prefer to take it?

How about I give the rundown quickly and

you can add some of your U.S.

perspective because I think you're going

to have a lot more to talk about

on this one.

Supreme Court ruling guts government's use

of geofence warrants.

SCOTUS falls short of deeming geofence

warrants unconstitutional, though.

The Fourth Amendment protects the user's

location history.

The Supreme Court ruled on Monday.

The same logic already applied to a cell

phone's tracking,

and the High Court found no good reason

exists to reach a different result for

location history collected by third

parties like Google.

Split six three,

the majority agreed that the government

needs a warrant and must show reasonable

cause to turn a phone's location tracking

services into a government surveillance

tool.

So the decision came in a case where

cops used a so-called geofence warrant to

track down an armed bank robber from a

list of all phones logged in the area.

Applying a three-part process,

cops worked with Google to narrow down the

list of suspects and eventually arrested

Okello Chatrie,

who had opted in to share his location

with Google every few minutes.

Chatrie was sentenced to twelve years in

prison but challenged the geofence warrant

as an unconstitutional search.

So the US tried and failed to argue

that no search was conducted under the

Fourth Amendment,

partly because they only searched a little

bit of Chatrie's location data,

which the government considered too small

to warrant privacy protections.

They also claimed that Chatrie was aware

that voluntarily sharing his location with

Google could mean that law enforcement

might get access

to the data. And along similar lines, the

government argued that Chatrie's data

simply showed his movements in public,

where he supposedly had no reasonable

expectation of privacy. Okay, so I guess

that's like the main rundown of this. Um,

Unless you have, like,

it definitely goes on a lot more.

So I don't know if you have more

to add on this.

I mean, of course you do.

So what are your thoughts on this?

Yeah, I do want to...

Real quick,

I do want to run through what the

judge said, because I think it was really,

it's one of those things where it's like,

oh, you're so close to getting the point.

She said that Google repeatedly prompts

users to turn on the service,

often warning that their devices will not

work correctly otherwise,

while not disclosing in that prompt how

frequently location information would be

recorded, how precise it would be,

or how it might be given to the

government.

She said that much like carrying a cell

phone is part of modern life,

so is allowing a third party to track

your movements,

and that doesn't diminish a person's right

to privacy.

And then Justice Sonia Sotomayor noted

that even short-term monitoring of a

person can reveal a wealth of details

about his family, political, professional,

religious, and sexual associations,

particularly if he's been visiting

sensitive locations like a clinic,

attorney's office, or strip club.

Yeah, so I mean, it's really like,

it's one of those, it's like, oh,

you get the point.

Come on, like, just take it further.

But yeah, it's, I mean,

that's kind of all it is right there,

I guess,

is the police tried to be like, oh,

but it's, you know,

he's moving around in public,

like that whole, you know,

no expectation of privacy thing.

And I think they even tried to make

the argument.

So like the police tried to make the

argument that it's like,

the phone itself has no expectation of

privacy.

or something like, no,

like the phone itself does,

but the apps don't or something like that.

And the Supreme court was basically like,

yeah, but let's be real.

We live in an age of smartphones.

Like who's not going to have apps on

their phone.

That's the stupidest argument I've ever

heard.

So, um, I'm not,

The Supreme Court surprises me in a good

way sometimes.

I'll just say that.

Yeah, I think my only other thought is,

you know, at the very beginning,

that little subheader, it said, like,

the Supreme Court falls short of deeming

geofence warrants unconstitutional.

And I think that is an important thing

to know, is, like,

this doesn't ban geofence warrants.

But I think this might almost be...

better. I'm not a lawyer, and I would

happily welcome any input from actual

lawyers on whether I'm right or wrong, but

I feel like this is almost better because,

like, saying that geofence warrants are

unconstitutional, I feel like, would be

relatively limited. Like, the way US law

works is you can always cite that as

precedent in other cases and expand it and

stuff like that, but I feel like, like,

that was still much more limited, as

opposed to this, where it applied to, like,

third party collection of location history,

I feel like just is so much more

broadly applicable. So I'm kind of hoping

this is almost like in the long run

an even bigger win because it can apply

to so many other things.

Again, not a lawyer.

Happy to hear from any lawyers out there

if I'm right or wrong.

But I think that was my only other

thought that I wanted to add.

I guess like this kind of makes me

think, does this apply to, you know,

other data collection?

Could this apply to Stingrays being used

to collect IMEI numbers?

Or could this affect Facebook or any other

company?

Or is this specifically about Google's

location tracking?

Or is this just like...

That's a great question.

I mean,

the article said third parties like

Google.

Um,

they said the fourth amendment protects

the user's location history and the same

logic applies to a cell phone's tracking

and no good reason exists to reach a

different result for location history.

Um, so my thought would be,

I don't know about the stingrays cause I

feel like that's probably like a law

enforcement exception kind of thing,

which I mean, granted,

I guess they didn't do here with the

geofence warrants, but my,

my guess would be if anything,

this will only apply to location data

until,

cause that's kind of the way that US

law works is like everything is built

based

by cases.

And, um, I mean,

I don't want to go on too long,

but basically that's why it's so

important.

It's so strategic to like,

see if we can get this in front

of the Supreme court.

I think, uh,

Cindy Cohn talks about this in her book,

actually, Privacy's Defender.

Like you want to get a judge who's

sympathetic to your case because once they

hand out a ruling,

there's certain criteria that makes

something legal precedent that I learned

from her book.

And anyways, long story short, it's like,

basically it's not always enough to just

be like, well, here's what the law says.

The court has to interpret it and deliver

a

affirms or clarifies that law.

So I feel like it's one of those

things that like, okay,

location history is more or less settled

now,

but all the other things like messages,

metadata, timestamps,

like those things are probably not

protected until somebody comes along and

has a case, a precedent setting case.

That would be my guess.

Okay.

So like, you know,

all the other data that's collected by the

apps on your phone can be hoovered up

by this is what you're saying.

Exactly.

That would be my guess.

Again, not a lawyer,

but as I understand it,

that's probably how it's going to work,

at least until further notice.

Well, I think we take these wins.

This is a win, I think.

Definitely.

That's why I wanted to include this story.

We get so few wins.

It's like, you know what?

I'll take it.

This is a good one.

True.

Yeah, that's good.

So real quick,

want to point out Dag here said

robbing a bank while carrying a phone with

location sharing enabled smart guy.

I know, right?

Like everybody knows that phones, even,

even quote unquote,

normies know that your phone is constantly

spying on you.

Like what idiot brings their phone to rob

a bank?

That's insane.

Yeah.

They're basically like tracking devices at

this point.

So it's a bit, uh, I mean,

maybe it's a spur of the moment thing,

you know?

Maybe.

I've heard weirder things.

But I think that will take us into

site updates,

unless you have anything to add to this

story.

No, let's dive in.

Alrighty, yeah.

So in a little bit,

we're going to talk about surprise Flock

devices,

which that's going to be a fun story.

But first, I mean,

so I'm going to level with you guys.

We actually forgot to talk about what our

site updates are this week.

But I know we've got a...

Let's see,

I know we put out a video recently

and I filmed, oh my gosh,

the weeks are starting to jumble together.

Oh, yes.

No,

I filmed a video last week about some

NSA history and the crypto wars.

And I think that is over with Jordan

now for the good editing.

I think I've told you guys this before.

I do like the rough edit where I

cut out all the long pauses and the

stutters.

But Jordan is the rock star who adds

all the special effects and the graphics.

And so I'm really excited to see how

that's going to turn out.

That's going to be super awesome.

Um, but honestly, it's been kind of a,

one of those slower weeks where it's all

stuff happening behind the scenes.

Um,

so I don't know if I have too

much more to add other than that.

Um, have you guys done anything, Jordan?

I think you and Jonah have been working

on a project,

but I don't know if it's published yet.

Yeah,

so Jonah did sit down with Rudy Wang,

who's the product manager at Cape,

Cape Mobile, which is like, I guess,

for people that are not super aware

because, you know,

we kind of wanted to make people aware

of it or at least answer a lot

of people's questions because I think

people are

rightfully so quite suspicious about this

sort of service. You know, you see, like,

this, this so-called private and secure

mobile carrier. It's like, it looks kind of

sus. So, you know, obviously we had some

questions, and

Jonah did a really good job of asking

technical and also just general questions

about the service.

So hoping to get that interview out soon.

It's all edited.

It just needs some extra bits to make

it flow together a bit,

like an intro and outro and stuff like

that.

But otherwise, it's looking good.

So hopefully we can get that out to

people soon because I think that we've had

so many questions about this service,

especially on the forum.

Like there's been a lot of questions and

people being rightfully suspicious

because, you know,

I think when we see these new services,

it's hard to...

know whether they're legit or not.

And I can say after watching the interview

and seeing their responses to the

questions,

they truly do know what they're doing,

which is interesting.

It's not something that Privacy Guides

recommends at this point, obviously,

but maybe it could be at some point.

It's definitely an interesting service,

but

It's one of these really annoying things

that I think people outside the U.S.

always kind of get annoyed about is all

these cool privacy services.

They're all U.S.

only, like privacy.com, like this service,

all these sort of more niche things.

Voice over IP, yeah,

there's just like more of an appetite for

that thing in the US, which is good,

because, you know,

when things get popular in the US,

it basically means like it'll bleed over

everywhere else eventually.

So, yeah, there's...

That's kind of what I've been working on

this week, kind of been finishing up that.

I've not been super busy this week,

so not a huge amount to report on.

But it doesn't seem to be any site

updates this week either, really.

We definitely need to push through some

pull requests on the website.

So we'll be working on that soon.

But yeah,

I don't really have anything else to add.

Yeah.

I think last thing I can add is

just as always,

privacyguides.org slash news.

Freya was on fire this week.

We have articles about how there's a town

in Massachusetts that got their Flock

contract canceled after public backlash.

So remember that stuff does work.

Um,

Google is trying to make reCAPTCHA even

worse and something about like,

I don't think it's biometric hand

scanning,

but they want you to like move your

hands certain ways.

It's so dumb.

Um,

Brave is adding containers to the browser

if you're a Brave user.

So yeah, lots of, uh,

Really cool stuff.

Freya's been crushing it with the

articles.

But that is all I got.

I think on the Flock cameras,

we talked about it last week,

but check out dflock.org.

That's how you can find local groups and

stuff.

So you can get Flock kicked out of

your city.

So definitely check that out.

But yeah.

Cool.

Um, yeah,

so all this is made possible by our

supporters.

You can sign up for a membership or

donate at privacyguides.org slash donate,

or we still have the merch shop over

at shop.privacyguides.org,

which is where I got this awesome water

bottle, which, uh,

is really coming in clutch this, uh, I'm,

I'm on the East coast and we had

a nice little heat wave and, uh,

Yeah,

Privacy Guides is a nonprofit which

researches and shares privacy-related

information and facilitates a community on

our forum and Matrix where people can ask

questions and get advice about staying

private online and preserving their

digital rights.

And now, some exciting news from WhatsApp.

Yeah,

so WhatsApp usernames are already raising

impersonation red flags.

So I guess if anyone here has been

using Signal,

which I kind of assume everyone here is

using it or has used it at some

point, Signal's kind of had usernames for,

I think, probably a good while now,

like maybe two years,

a year and a half.

I was going to say a couple of

years, yeah.

At this point,

so that was kind of a huge...

amazing feature because you could give

people a username instead of giving them

your phone number, which, you know,

it's nice to not have to give people

your phone number every time.

So that's...

That's kind of awesome.

But WhatsApp is rolling it out now.

And WhatsApp usernames are being used to

impersonate people.

So WhatsApp this week started rolling out

username reservations ahead of the broader

launch planned later this year.

The feature,

which lets people find and message each

other by handle instead of phone number,

is already raising impersonation concerns,

drawing scrutiny from security experts and

regulators in India,

the app's largest market,

with over five hundred million users.

The rollout marks a shift in how people

identify one another in WhatsApp.

Instead of relying on phone numbers as the

primary identifier,

users will increasingly interact through

platform managed usernames,

a change that Meta says improves privacy,

but that critics argue could create new

opportunities for impersonation.

So I think one interesting thing about

this and how this relates to Signal is

with Signal,

it kind of removes the impersonation

concern because the usernames are actually

randomly generated.

So like

If you put your name as,

let's say I put my name as Jordan

in Signal,

it will automatically add two or three

numbers to the end.

So I'm not reserving a username

specifically.

There's extra numbers at the end to make

it more randomized.

And it allows more people to have a

nicer and easier to enter username, right?

But the way that I see this working

in WhatsApp is that it doesn't have that

extra number at the end.

It's just a handle,

which I think is what this is kind

of raising concerns about.

Because, you know, when you have

usernames like that, especially when you

allow reservation of a username, basically

a bunch of people can just, it's basically

always been an issue, right, with any

platform. If someone reserves a username

that you, that you own, or for your

brand or for your company, then you're kind

of screwed, right? Like, you can't, you can't

take that over unless they're using it to

impersonate you. So

That's kind of what we're seeing with

this.

And this has already been, you know,

a concern where this article says the

concerns have already reached regulators

in India where cyber fraud schemes

frequently exploit messaging platforms to

impersonate police,

banks and government officials.

In a notice sent to WhatsApp on Wednesday,

reviewed by TechCrunch,

the Ministry of Electronics and

Information Technology said the feature

could materially increase the incidence of

online fraud, phishing,

digital arrest scams and impersonation

attacks by enabling bad actors to contact

users without exposing their phone

numbers.

So, yeah, this is...

I feel like this Ministry of Technology is

like taking this in the wrong direction.

They're almost saying like,

this is offering people too much privacy.

We should have everyone be identified by

their phone number.

I don't think that's the solution here.

I think the solution is to allow this,

but to add an extra number or to

not allow people to basically squat a

username.

I think allowing it to be,

basically ephemeral or something that you

use specifically to connect with someone

and that expires or something like that,

that could be a little bit better in

my, in my opinion.

Um, because yeah, like,

like this article says,

it can be kind of used to impersonate

companies and governments.

Um, but do you have anything,

you had any thoughts on this one, Nate,

or?

Yeah, it's interesting, because...

Let's see,

I'm actually double-checking here,

because, yeah, so Signal...

There's not a lot of details in...

I actually have two articles here,

and one was the initial WhatsApp is

rolling out usernames announcement.

But even that one really doesn't explain a

whole lot about how...

this actually works. Um, the only thing they

said that I thought was interesting, they

said users can optional, users will be able

to set an optional key that others will

need to know before messaging them via the

new username. So that's like one way to

cut down on spam and stuff. But I

remember when Signal usernames came out, I

thought they were going to be abused, and

then people pointed out, it's like, but

people can't see your username. Like, people

can see your username if you share it

with somebody, um, but like, let's say,

let's say I give you my username and

you message me, I can't see your username.

So it's not like you can do an

impersonation, I mean,

any more than you could with like any

other messenger, right?

But it's not like, you know, where like,

like Twitter or Mastodon,

where you could make it, you know,

Nate B at whatever.

And it's like, oh,

now I'm impersonating Nate,

like you could change your display name,

but that's about it.

So that's kind of what I'm wondering here

is like,

is

Is this, are these usernames visible?

Like, is that what the concern is?

Is that people are going to see that

they're getting messages from some of the

examples they use here where like,

what is it?

India Modi is still not open or is

still open for registration,

which for those who don't know,

Narendra Modi is the prime minister of

India.

So it's like,

are people going to think that they're

getting messages from India?

Narendra Modi, the Binance founder,

Changpeng Zhao,

said that he couldn't reserve CZ

underscore Binance,

which is the handle he already uses on

Twitter.

So it's like somebody's probably already

using that, and it's just really weird.

And WhatsApp says that there's certain

handles that they're reserving to verify

that they're legitimate users,

but they didn't explain...

what those handles are or like how they're

deciding.

Cause you know, they're,

they're Meta and they're never super open.

So yeah,

there's just like a ton of questions here

about like, how does this work?

How are you going to protect people from,

from impersonations like this?

I'm seeing here,

I'm doing some additional research and it

could be wrong.

Usernames must be three to thirty five

characters long.

Let's see.

You can,

You can change or delete your username at

any time,

though deletion reveals the phone number

again for fourteen days.

Oh, and when you delete a username,

it can be reclaimed,

which I think is true of Signal as

well, but it's also just like, again,

if somebody's squatting on a username,

it's, I don't know,

it sounds like this was not rolled out

as thoughtfully as Signal,

which is probably not surprising coming

from Facebook.

But the only other thing I will say,

Cisco here said it sounds like another way

for them to sell verification

subscriptions like Instagram.

That's entirely possible because this

article from TechCrunch did note that they

did say, oh, where'd it go?

I know I had to scroll pretty far

down for it.

It will let users claim their existing

Instagram or Facebook usernames by linking

their accounts,

saying that the option is intended to help

creators, businesses,

and organizations maintain a consistent

identity across Meta's platforms while

reducing impersonation.

So,

Yeah.

I don't know.

They'll probably charge for that down the

road because why not, right?

But yeah,

I think those are kind of all my

thoughts.

It's just I don't understand how this is

supposed to work and why didn't they just

copy Signal?

It was already there.

I mean, okay,

so I'm just reading an article about how

this works and you did mention like the

WhatsApp username key and it looks like

it's a four-digit code that's linked to

your username.

So it sounds pretty similar to how Signal

does it with like a number at the

end of your username.

So...

That does make sense,

but that doesn't seem to really...

I don't think people are going to use

that.

People just use the default thing.

They're not going to use this extra

privacy feature, I don't think.

Yeah, this is kind of a problem,

I think.

But which, you know, Meta never really...

With Meta,

they always don't take the right path.

They always go the wrong direction with

stuff.

Like we saw,

they removed end-to-end encryption from

Instagram DMs.

All sorts of bad decisions on their part.

So this is going to affect a lot

of people,

like a ridiculous amount of people.

So I hope that they do fix this

or make it a little bit better because

so many people use this app.

So to clarify, yes,

if my research is correct,

if you do not have the person's phone

number saved in your contacts,

they will see your username instead of

phone number.

But if they do have the phone number

saved,

they will see your phone number instead of

username.

So that's what the issue is here,

is if I message you and my username

is India Modi,

I can pretend to be Narendra Modi.

That was...

Sorry,

every once in a while my brain needs

to reboot because I'm like,

why do people make so much money to

be this irresponsibly stupid?

And it makes me so mad.

Yeah, text Eddie here.

People talking about the Instagram DM

thing you said.

People weren't using the encryption

feature that we had disabled by default

and hidden deep in the settings,

so we removed it.

Yes, yes, exactly.

God, that was so annoying.

I feel like this is not like a

– I feel like Meta sort of does

this thing where they're like,

here's this feature, and then, like,

here's the added protection that, like,

literally no one is going to use because

it's, like, hidden deep in, like,

the settings.

It's like, okay.

Like,

the default setting on Facebook is to,

like,

share your phone number and contact list

by default.

It's like, well, yeah,

but you shouldn't do that.

But it's like by default it does that.

So –

Yeah, anyway, we can, we can, uh, we

can be mad at Meta all day. Sorry.

Oh yes, I can, I certainly can, but,

uh, let's be mad at Flock for a

minute instead. So we'll, uh, we'll move on

to the story here about, um, a woman

was surprised when a Flock surveillance

tower appears in her yard without warning.

Um, so there's

I'm going to say there's a silver lining

here, but it just raises more questions.

So this woman, Kat Vaughn of Roanoke,

went to the park

Like, that's how quick this happened.

I mean,

I don't know how long she was at

the park.

It says she returned home from a brief

trip to a nearby park.

So maybe she was there for thirty minutes.

Maybe she was there all day.

I don't know.

But either way,

it's not like she was gone for a

week or something.

And when she came back,

she discovered that there was a freshly

installed device sitting in the parkway

strip,

which is a section of public land between

her lawn and the street.

So to be fair,

this is the first caveat.

It wasn't technically her lawn,

but it was right in front of her

house,

which is one of those things where it's

like...

if you put a camera right in front

of my house, like what gives dude?

Um, so it actually wasn't a camera.

It was a Flock Raven audio detection unit,

which is Flock's knockoff of ShotSpotter,

which is, um,

basically a microphone that they stick on

a pole that is supposed to tell if

there's a gunshot nearby, but it is, uh,

what's, what's the word I'm looking for?

Um,

cartoonish, uh,

shout out Stuff They Don't Want You to

Know.

Uh, it is cartoonishly inaccurate and bad.

It constantly, uh, gives false positives.

It constantly remembers or not remembers,

um,

it constantly flags things like the manual

oversight.

People are just like, ah, that's like,

whatever, just dismiss it.

That's not a gunshot.

It's just, it's so bad.

It's so bad.

Um, but you know, Hey,

somebody is making money.

So why not the psychopath running Flock?

So anyways, they installed this thing.

Um, here's,

here's where I say there's a bit of

a silver lining,

but it just raises more questions.

Um, so, uh, Vaughn called the police and,

uh,

the cops came out to take a look

at it.

And even they were just like,

Like she said, OK,

so when the officer got out here,

he wasn't sure what it was either.

So we went and got a tall ladder

to be able to get up to take

a picture of it closer.

And he said, yeah, I think you're right.

It's a gun surveillance device.

And they weren't supposed to be installed

until July.

By the way,

it is July third for anyone listening

after July.

after time. Um, so this was, God, what

was this article written? June twenty

eighth. So they're ahead of schedule. And

then on top of it, so, uh, they

went and checked the city records. They

said that the city council had approved

the deployment of seventy five of these

sensors at various locations throughout

the city, and the patch of land in

front of Vaughn's house wasn't on the list.

So that's why I'm like, this raises further

questions. Like, okay, on the one hand,

I mean, first of all,

these things shouldn't exist in the first

place.

Like I said, they don't work.

They're garbage.

They're just somebody's get-rich-quick

scheme because somebody has no moral code.

But putting all that aside,

it wasn't supposed to be in front of

her house, which is good because, again,

what the hell is setting up a surveillance

device in front of somebody's house?

But how did it get there?

Who put it there?

Why did they put it in early?

I have so many more questions,

but I don't know.

This was just such a wild story when

I read this one.

I was like,

I really want to share this story,

but I don't know if there's any real

takeaways here.

Just a very insane story.

Yeah, that's incredibly wild.

I guess one question that I do have

is, like, what is this?

So wait,

it says Flock Raven Audio Detection Unit.

So is this,

am I understanding correctly that it's,

like,

listening for the sound of a gunshot and

then it's going to, like,

do something with that?

So the idea is that it's supposed to

detect sounds

And I mean,

I'm sure it goes without saying,

but you're supposed to put it in like

rougher neighborhoods where gun crime

actually happens.

But the idea is that it detects a

gunshot and then alerts the police.

So we don't have to wait for a

nine one one call or, you know,

especially in,

I'm not trying to stereotype here,

but in some of these poorer neighborhoods,

it's like, you mind your own business,

right?

Like you heard a gunshot.

No, you didn't.

Not if nobody got hurt,

you'd mind your own business.

So the idea is even with,

With ones that don't get called in,

it'll alert the police and they can come

by.

But like I said, they're proven.

You can look these up online.

I can't remember who covered it,

but somebody did a really deep dive.

It wasn't 404 because this would

be 404.

Actually,

404 may have covered this too.

But it's been proven that they have like

this ridiculous false positive rate that

they detect like...

like car backfires or fireworks,

like things that any human would hear and

be like, that is not a gun.

And it thinks it's a gun.

And then on top of it,

there's always the privacy concerns too of

the slippery slope, right?

Like, okay, sure, today it's a gun.

What happens tomorrow when it's like

speech?

And you're like, well,

we're just listening for violent crime.

You know,

we're listening for the two people on the

corner doing a drug deal or like planning

a crime.

And it's like, okay, today,

what happens when tomorrow they're

planning a protest?

Or, you know, it's just...

It's, no. Yeah, these things are, there's

literally no redeeming quality about these

things except to make somebody at the top

rich. I, I'm gonna say that, full stop.

But yeah, I mean, I, my question with

this though is like, what if you just,

like, want to fire your gun on your

own property? Like, what, what, what about

that? Like, what, are you not, I thought

you're allowed to do that. Oh no.

Yeah, or like Dag said,

don't watch any action movies with the

window open.

Yeah, I mean, it depends.

I would imagine that in a city,

it's probably not cool to be firing a

gun in your property.

But I don't know.

I mean, that is certainly a good question.

Like, yeah,

there's all kinds of scenarios I could see

where it's like,

I'm not doing anything wrong.

Why is, I don't know.

Yeah, that's crazy.

Yeah, it's wild.

But yeah, that's a pretty short one.

I don't think I have much more to

add to that one personally.

Yeah, fair enough.

I guess we can dive into some forum

updates here.

So in a minute,

we'll start taking viewer questions.

So if you've been holding on to any

questions about any of the stories we've

been talking about so far,

go ahead and leave them on our forum

thread or in the comment section on the

live stream.

For now,

let's check in with our community forum.

There's always a lot of activity.

And here's a few of this week's most

interesting discussions happening there.

So I'm going to take this second one

here.

This one is about Reddit.

So if anyone here has ever had the

displeasure of visiting the Reddit

website,

then you'll know that it's frequently

become harder and harder to access Reddit.

information on Reddit,

especially if you're using a VPN,

especially if you're using

it logged out,

especially if you're using any sort of

privacy protection.

And one way to get around a lot

of these restrictions was to use the

old.reddit.com website instead.

So basically, instead of reddit.com,

you would use old.reddit.com instead.

And that would basically load the old

less JavaScript heavy version of the

website.

And that bypassed a lot of the issues

that the newer version of the website has.

But this reporting here from Ars Technica

says that Reddit will require you to log

in to use old.reddit.com.

So logged out old Reddit access is a

significant source of abusive scraping.

So Reddit will start

requiring people to be logged into Reddit

to use old.reddit.com.

The new requirement will take effect over

the next month,

a Reddit employee going by the username

BoatBotany announced on the social media

platform today.

The person claimed that the change is part

of an ongoing effort to tighten how

automated systems access Reddit.

So basically the excuse that they're using

is this is basically becoming a source

for, I think,

let's read in between the lines.

This is an issue with AI scrapers.

It's kind of always been a concern,

but I feel like a lot of like

large language models are basically

training a lot of data off Reddit because

it's so openly accessible.

So this is kind of just a move

by them to

restrict the access.

And I guess by having people log in,

then, you know,

you kind of can track activity.

So you can see that someone's visiting

every single subreddit,

every single post on every subreddit.

You can see that they're scraping and

block their access.

So by logging in,

we get a lot more signal that allows

us to detect whether an account is

breaking the rules,

and then we can block that traffic or

enforce those accounts, BoatBotany said.

As of writing,

Ars Technica was still able to use

old.reddit.com without logging in.

And the news is likely to upset some

longtime Reddit users who've relied on

old.reddit.com for a familiar look that

they find easier to navigate and digest,

and who also want to view Reddit without

logging in for convenience and or privacy.

So...

Yeah.

Anyway,

this old.reddit.com website is kind of a

source of scraping.

So, you know,

there's also in this article,

they also said that old.reddit.com might

not exist forever.

So it might almost be time to retire.

That's what they said.

So it's,

they said they can't promise it'll be

around forever.

So that'll be interesting to see.

But Nate,

do you have anything you wanted to add

to this story here?

Not too much.

I think I just wanted to share this

story because I know that old.reddit.com

is a very popular thing in the privacy

community.

Like they said in the article here,

it doesn't really contain any less

trackers per se, as far as I know.

But...

if you can do it without logging in

and you're using a privacy respecting

browser like Brave or Firefox, um, then,

you know,

it's still a better privacy thing.

Cause like you said, yeah,

I've noticed it too.

It's not as bad as it used to

be,

but there was a period where Reddit was

like really being a stickler for like,

if you had a VPN on like nope,

instant login page with their stupid

little trying to be cute mascot that I

swear to God,

I wanted to punch it every time.

But, um,

Yeah,

it's getting harder and harder to use.

And also they make a point about a

familiar interface because I just noticed

I'm not super active.

I go through ups and downs if I'm

being totally honest.

I don't think I'm super active on Reddit,

but every once in a while I'll be

super active for like a week and then

stop using it for like three months.

But I've noticed this week I've been on

Reddit a little more and I logged in

and now they're doing that same crap that

everybody else is doing.

It's not bad enough that they had...

an algorithmic timeline,

now they have a suggested timeline and

your actual following timeline.

And of course, by default,

every time you log in,

it goes back to the suggested timeline.

So it's not just the subreddits you

subscribe to,

it's also a bunch of other crap you're

not subscribed to that's popular,

like AskReddit or r slash what is this

or whatever.

And it's like, I don't care.

If I cared, I would subscribe.

Stop trying to show me more subreddits.

So it's just...

you know, the,

the eternal problem of enshittification,

right?

Like it's just, it's frustrating.

And it's,

it's sad that cause Reddit does have

objectively,

I think it does have some value in

the sense that a lot of the time

when you look up something,

even without the AI summaries,

a lot of the time you look something

up and especially if it's something more

niche, like, Hey,

what are the reviews on these shoes?

Or like, um, you know,

I'm having trouble with this, uh,

I'm trying to think of something I'm

actually having trouble with recently,

but you know,

I'm having trouble with a thing.

Like I'm looking for a little life hack.

Like Reddit is really good for that kind

of stuff.

And it would be really nice to not

have to log in to use Reddit just

to check somebody's thread.

Um, so it's,

it's really a shame and it's really

annoying.

Although, to be fair,

Reddit is so astroturfed,

I'm not sure how much I trust a

lot of those answers anyways.

But yeah, so just I guess, again,

I just wanted to share because I know

that is a really popular trick to use

in the privacy community.

So you guys should be aware that it

is going away, unfortunately.

Yeah,

I think one thing that I saw an

interesting comment on this article,

actually,

someone was saying they don't really need

to require a login.

Like there's other ways that we can,

we can detect humanity, right?

There's like, oh, Anubis, like using,

yeah, exactly.

So Dag said,

you can do that tracking or bot prevention

measures without forcing a login.

Smells more like preparation for age

verification.

Yeah.

And I think a lot of third-party apps

actually rely on old.reddit.com to like

basically scrape it.

And it's not scraping, but it's like,

I don't know what you would call that,

but it's like...

Are you talking about a lot of the

front ends?

No, just like apps like Infinity.

There's an app for Reddit which is called

Infinity and there's another one on iOS.

But I believe they just...

scrape old.reddit.com and then just use

that to display the content to bypass some

of the,

because there was API restrictions.

They don't use the API.

I was wondering what happened to that

because I remember there was a big deal

about it and then Reddit said they were

going to work with some of the more

popular apps like Apollo and then just

never went anywhere with that.

I was curious what happened to that story.

Everyone just went and didn't want to give

Reddit money.

So, yeah.

That's everything I had on that story

there.

Okay.

And in that case,

we'll jump over to our other...

forum thread,

which is the Kids Act has passed the

House.

So again,

this is just like a really quick signal

boost.

If you live in the US, um,

definitely please check the newsletter for

a link.

Uh,

so this person links to the text of

the bill and how each representative voted

and how to find your representative at

house.gov, which is awesome.

um, excuse me.

So I think this still has to go

through the, uh, let me see here.

Yeah.

It still has to go to the Senate

and then the president has to sign it.

Um,

but this is basically an age verification

law.

You know, it's, it's, uh, I think correct.

I could be wrong.

Um,

but I think it's kind of just like

an amalgamation of a bunch of bad bills

that have not passed.

Um, but you know,

it requires specified online platforms to

establish safeguards for minors,

such as limiting access to sexual

material, um,

providing parental controls and requiring

AI chatbots to disclose information to

users who are minors.

And, you know,

that's the first thing is like,

how's the chatbot going to know if you're

a minor, they have to age verify you.

Right.

And, you know,

the whole like limiting access to

specified sexual material.

Sure.

That's great.

Until just general,

like sexual education becomes specified

material.

It's just,

these things are just a slippery slope and

will not end well.

So if you are American, um,

find your senators because, um,

No offense to this person.

Thank you so much for sharing this.

But like your representative already

voted.

I guess you can feel free to vote

him out.

We actually I think we have a primary

coming up.

I should do some research, but.

find your senators, I would say, because

it's already passed the House. Like, you can

call them and yell at them, but it's

not going to change their vote. So what

we need now is to call the senators

and say, do not vote for this. Or,

I don't know if this actually works, but

my thing is I tell them, I'm like,

if you vote for this, I will actively

campaign against you. Like, if I'm being

real, I probably don't have the time for

that, but like, I will happily tell everyone

why they should not vote for you. So,

yeah, call your senators if you live in

the US, because this is, this is not

good.

Yeah.

They should provide parental controls and

leave it to the parents.

We've, I mean, we've,

we've covered this topic like five or six

times now.

And yeah,

that's definitely a thing we say all the

time is like, at least in other countries,

when you start a new phone,

like an iPhone or whatever,

the first thing it asks you is like,

is this,

does this phone belong to a minor?

And if you say yes,

it walks you through all the parental

controls.

And I don't understand why they can't just

do something like that, but.

Whatever.

I guess one interesting,

I guess to talk about this a bit

more, is this whole act,

is this something that is bipartisan?

Is this some certain part of the

government that's pushing for this?

Is this something like that?

That's a good question here.

Let me see this link.

So it was a Republican who introduced it.

But, no, it's pretty bipartisan.

A hundred and sixty-two yeses from the

Republicans, thirty-two noes,

twenty-four not voting.

Democrat, a hundred and four yes,

eighty-five no, twenty-three not voting,

one independent yes, everything else zero.

Oh, that must have been Bernie Sanders.

I think he's an independent.

Is he a senator?

I don't know.

We don't have a lot of independents.

But, yeah,

two hundred and sixty-seven for,

a hundred and seventeen against,

forty-seven not voting.

So it's...

unfortunately kind of bipartisan. Why do

our politicians work together on the worst

laws? Why can't you guys unite on something

good? They'll squabble about like really

silly stuff and then they'll just like all

unite to like do the most dystopian, like,

nineteen eighty-four stuff. Like, what? It's

so bad, um.

Yeah, it's I mean, Dag is right.

I've said this before, too.

No one can say no to protecting the

kids.

They do this on purpose because then if

you don't protect the kids or if you

vote against it,

then people are just like, oh,

you hate children.

Like it's a rhetorical device and it's

absolutely awful.

So.

Yeah, kind of off topic,

but Cisco is like, Bernie's independent.

I think he's independent.

I could be right.

I know he was independent.

No, he's independent.

Nineteen seventy eight till present,

according to Wikipedia.

So, yeah, Bernie's independent.

I think when he ran for president,

he ran on the Democratic ticket because we

live in a two party country and like

he has a better chance of living to

walk on Jupiter than winning as an

independent.

But other than that,

I think he's always been independent.

Interesting.

Okay.

At least what I'm seeing is, well,

I guess to kind of ask this,

I mean,

I'm seeing there's predictions of whether

this bill will pass.

But do you think this is something that

will pass?

Like,

is this something that is most likely to

not have any issues passing through the

Senate and the President or...?

Honestly, I don't know.

I'm not politically aware and educated

enough to really be able to speculate

reliably.

Although I will say like two thirds of

the people voted yes.

So I mean, that's a pretty big margin.

It does say on this website that I

found govtrack.us that there's a thirty

four percent chance of being enacted.

So I don't know really what that means.

in that.

It means we should still call our

representatives and not trust that to be

the case.

Because all I'll say is the Eurovision

odds that I read every year are

hilariously wrong and off.

So I don't know if I trust the

odds on anything at this point.

Yeah.

So I guess how can people access a

list?

How can they find who their senators are?

Because you said it doesn't really matter

because it's passed the House at this point.

So

Um, so yeah, no, good question.

So there is senate.gov.

And honestly,

if you just type into any search engine,

um, if you just type in like,

who is my representative,

there are so many websites that, uh,

you will have to put in an address.

I'm telling you people that right now,

because they need to know what district

you're in.

But to be fair,

when we're talking about the national

level,

probably doesn't have to be like your

exact address.

Maybe it can be the house across the

street.

I don't know.

But, um, there are so like, okay,

so I just typed it into Brave Search.

Who is my representative?

Okay.

First result, House of Representatives,

house.gov.

Second result, congress.gov.

Third result, commoncause.org.

This one's for New York City specifically.

This one's for California specifically.

USA.gov, senate.gov, Texas, Pennsylvania.

So, I mean, yeah,

there's no wealth or no shortage of

websites that will help you.

Ballotpedia, I've seen them around a lot.

Some of them, like...

house.gov and senate.gov and congress.gov

focus on the federal level, but I've seen

some websites, I think it's Common Cause,

will literally go all the way down to

like, here is your local school board

superintendent. Like, some of them get

really, really deep down there. So, um, yeah,

you definitely don't have to dig too hard

to find the national ones, for sure. Yeah,

it's interesting, I've seen, uh, quite a lot

of coverage about this, like, Kids Act thing,

and I've actually been seeing, like, stuff

about people saying it doesn't go far

enough,

it needs to go further.

Please, please, please, please,

please don't make this happen.

Cause I think once this passes in the

US, I think it's, it is,

it's such a massive precedent for

everywhere else.

It's like, Oh,

it's in the US, you know,

like it's,

if it's good enough for the US,

it's good enough for everywhere else.

Like,

Um,

so hopefully we can avoid that happening.

Um,

and that it doesn't get even worse than

what it already is.

Can it change?

Can the bill change once it gets,

or does it have to re go through

the house again?

I think it would have to go through

the house again.

I could be wrong,

but I think it can change.

Yes.

They,

it can get to the Senate and somebody

could be like, no,

we need to amend this part.

But I think if they make changes,

it has to go back to the beginning,

but I could be wrong about that.

Okay.

So we still have, there's still hope.

Okay.

Yeah, that's, that's,

the US has got nothing on the EU

plans,

like chat control and age verification for

all the things.

Um, yeah,

I think there's different problems.

There's different problems in different

countries, right?

Like,

I think there's the US has a massive

problem with data brokers,

which is not really the case in Europe.

A lot of data is public in the

US.

So that's another issue.

You know,

every country has different concerns,

I think.

And I think it's not super smart to

just, you know,

start a ranking contest about which

country is better and all this silliness

because, you know,

it doesn't really get us anywhere.

I think we can be critical of every

bad law that every country wants to put

in place.

And there's definitely some terrible stuff

going on in the EU as well,

which we've talked about extensively as

well.

It's not like we're only focusing on the

US in this case too.

Yeah.

Another comment here from Cisco: I don't

know if you've seen, but Bill C-thirty-six

in Canada, it's banning social media for

people under sixteen. Yes, we've been kind

of following that. There's C-two and

C-twenty-two and C-thirty-six, um, they're

all pretty

pretty terrible stuff.

I did see that currently the Canadian

parliament is on break.

So there's a bit of time to contact

people, your representatives about that.

Dag Overholt said,

EU protects you from corpos as long as

the government has complete control.

Okay.

It's definitely a different way of running

a country.

Let's just say that.

Yeah,

so that's kind of all we've got on

this,

unless you had anything else to add on?

Yeah, not really.

Yeah,

I guess we can move into the Q&A

section.

So we'll start by...

Excuse me.

We'll start by taking questions on the

forum from our paying members.

And as a reminder,

you can become a member by going to

privacyguides.org slash donate or anywhere

on privacyguides.org.

You can click the red heart icon in

the top right corner.

Um,

so we had one reminder on the thread

to consider adding XMR chat.

Um, Jonah is actually off this week.

So, uh, again,

he handles a lot of the higher level

decisions like that.

I know he's expressed interest in adding

XMR chat.

It's just, um, again, yeah, it's, uh,

there's a lot going on here.

You know,

he did the Cape interview and there's

just, uh,

I don't know where it is on the

list,

but I'm pretty sure it is on the

list.

And, uh,

Again,

reminder that you can just donate Monero

directly.

I know it's not quite the same as

XMR chat, but it is there.

Yeah.

Any donation is always appreciated.

There's also a comment here from...

Cisco five, five, six,

one who said I'm planning on contacting my

rep,

but I don't really know what to say.

Okay.

So for people in Canada,

there is OpenMedia, is who you probably

want to look at.

They have been running a really good

campaign against basically every privacy

invasive thing.

I think they've, yeah,

they've got a press release already out

about the,

um, bills C-thirty-four, bills C-sixty-three,

so a whole bunch of them there. Um,

so check out OpenMedia, openmedia.org. Um,

they've got a lot of good resources, and

I think they also have, yeah, they have

other related stuff as well, not just like

privacy-related stuff. There's stuff

related to other, um,

I guess consumer protection stuff.

So it's worth checking out that as well.

It's probably stuff that you'd also

support.

So they're a great organization.

Um,

I don't know of any more in Canada.

That's the only one that I know.

Um, but I know they do good work.

So if you need, if you need some,

I guess, extra info on what to say,

they've got, I've got you covered.

So I thought of the American route and

I,

my first thought

Hot take,

let me finish to the people in the

audience.

My first thought is this could be a

good use for an LLM,

like Leo or Lumo,

like one of the privacy respecting ones.

But like, hey,

I want to oppose this act.

I don't know what to say and it'll

walk you through it.

Alternately, if you prefer not to use AI,

which I totally don't blame you,

I literally just typed in oppose the Kids

act into Brave.

And okay,

I don't know anything about this

organization,

but the very first result that popped up

was a website called fivecalls.org.

And it has,

if you click that link and scroll down

to the bottom, it has a script.

Hi,

my name is blank and I'm a constituent

from city and zip code.

They will ask for your zip code in

my experience.

That's like the thing they care about.

I'm calling to demand that representative

slash Senator who oppose HR seven, seven,

five, seven,

the House-passed Kids Act and any other

legislative package that includes KOSA and

age verification requirements.

Broad legislation like this does nothing

to protect anyone.

Instead it blocks state-level laws and

shields big tech companies from

accountability.

It must be opposed.

Thank you for your time.

Pretty straightforward.

Sorry,

I know I read that kind of fast.

But, you know, just, I mean,

maybe post in the forum,

like on this actual topic,

like you could get some opinions from

other people.

Or honestly,

what I've done in the past is,

because I was opposing,

I think it was like the,

was it called like the LEAD Act?

Like the Lawful Law Enforcement Access to

Data or something.

I don't know, it was a backdoor act.

But I would literally call them,

because I had like three federal or state

level organizations

state level, federal level.

I had three like federal level reps I

had to call.

And so I would literally just call them

on my lunch break,

every single one of them.

And I would say that like, hi,

I'm calling from this zip code.

I'm a voter.

I oppose this thing.

And they would just take it down,

write it down and go, okay, thank you.

And that's it.

Like,

I don't know if it's less effective than

giving them a why,

but you don't have to say much is

what I'm getting at.

Just expressing any opposition.

Just the thing I always tell people,

please be sane.

Don't tell them they're evil.

Don't tell them they're stupid.

Be polite.

Just like I oppose this.

This is not the right way to solve

this issue.

I do see we actually just got a

question in the forum thread.

Oh, sorry.

That says,

how important is threat modeling for

privacy?

I've put that off for the longest time,

which has led to a lot of underprotecting

or overprotecting.

I don't feel like it's talked about

enough.

That's funny, because I...

I harp on threat modeling constantly,

and I still feel like there was a

point where I was like, okay,

I think we've talked about this enough.

But in general,

so I mean it's – I think it's

personally – I think it's really important

because like you said,

without threat modeling,

you don't know if you're doing too much

or doing too little.

And especially I think a lot of people

in the privacy community have a habit of

doing too much.

And not realizing, you know,

to the point where it starts to impact

like mental health or, you know,

relationships with friends and family.

And it's like, OK,

you can pull back like you're you're not

you're not a spy operating in North Korea.

You don't need to be that hardcore.

But alternately, yeah,

it could lead to a lot of like,

oh,

I'm using Linux with – I'm using Qubes

and Graphene and all this super secure

blah, blah, blah, blah, blah.

And it's like, okay, cool.

Have you taken your data down from the

internet from before you got into privacy?

So I think it is really important,

although I will say that I don't think

it –

Um, number one,

I don't think it necessarily has to be

a formal process.

Like,

I don't think you need to sit down,

like you're making a budget at the dinner

table.

And the other thing that I haven't found

a good way how to explain this yet,

but I think something that doesn't get

talked about enough is the fact that a

threat model is less of like a specific

thing, like a specific consistent thing.

And it's more of like,

I guess I would say it's more of

a philosophy for how you approach data

because in the sense of like, um,

Like,

I'm trying to think of an example here.

So, okay, no, so this is an example.

I don't know if this is a good

example, but I...

In non-privacy online spaces,

because I do hang out on those sometimes,

I typically don't post photos of myself

because I don't want,

even though it's very unlikely,

I know Privacy Guides is not that famous

and neither is The New Oil or anything,

but I don't want the off chance of

somebody like, oh my God, you're Nate,

like I recognize you.

But I mean, like offline, you know,

if my wife is like, hey,

can I take a selfie of us doing,

you know,

this this Christmas event together?

Like, yeah, of course.

I don't care.

Like it's it's it's not about a consistent

like no photos of me ever.

Right.

It's it's contextual.

It's like, where is this photo going?

What is it used for?

Who's it being shared with?

What are the risks of this photo?

My wife might send it to the group

chat, the family group chat,

but who cares?

Everyone there knows what I look like.

And I don't know,

maybe that wasn't the best example.

I'm working live here off the cuff.

But my point being is like,

it doesn't have to be the same level

of protection across the board because it

can be very contextual on like,

what are the risks?

What are the likelihoods?

That's all part of threat modeling and it

will vary from situation to situation.

I don't know if that made sense.

No, I think you're,

you brought up some good points.

Yeah.

I mean, I don't think it's, uh,

I don't think you have to, uh,

do anything super quickly as well.

Cause I do feel like some people they've,

they were like, oh my goodness,

I found out like how my data's being

used for all these like terrible things.

And now I've got to like update every

password and like,

secure every account,

delete hundreds of accounts today.

It's like, no,

like you got to slow down a little

bit.

Like don't, don't, don't go too fast.

You know, don't, um,

think things through and yeah, it's,

it can definitely,

you can definitely go too far.

I think, um, yeah, I don't,

I don't really know.

I mean,

I don't personally share a whole lot about

stuff that I do on the internet with

people in real life.

Um, so it's always just a nebulous,

I work on internet things and that's kind

of it.

Um, but I think, you know, it's,

it's good to think about like what your,

uh,

what your threats are because you know,

me and Nate,

cause we're on this public podcast are

going to have different,

a different threat model than you as a

person just participating in our forum,

I guess.

Um, not drastically different, but like,

you know, obviously we're sharing names,

Nate's sharing his face,

I'm sharing my voice.

Um, so, you know,

you have different threats to consider.

Um,

and I definitely think don't rush into

things, because, um, yeah, you can make, you

can make decisions that you can't undo.

Like, for instance, if you show your face,

well, you kind of have to show your

face forever, right? Like, you know, um, so,

you know, just take that with, uh,

take that as something as a warning,

I guess.

I've definitely made mistakes.

I've definitely fumbled along things,

but yeah,

we're trying to work on more educational

stuff to help people make their threat

models and stuff like that.

We did have a threat model series that

we're working on at some point.

It's just a lot because every week we

have like a new video coming out or

like, you know,

stuff that we're working on and like,

Other projects that we feel are more

timely or whatever.

So things kind of get swept down a

bit sometimes.

But it's something we do want to try

and push to get done at some point

to help people with that.

Because it is like one of the most

common questions that we do get about

privacy related stuff.

We should talk about that in the next

staff meeting.

Maybe now's a good time to do the

threat modeling video.

Yeah.

Yeah,

just to back up what you said at

first,

like the phrase I like to use is

Rome wasn't built in a day, you know?

And it's like,

a lot of people will say that in

like personal finance, right?

Like if you wake up and you're like

tens of thousands of dollars in debt and,

you know, screaming towards bankruptcy,

a lot of personal finance people will

point out like, well,

you probably didn't get there once, right?

Like you probably didn't just go out and

buy like,

a mansion in the Beverly Hills and now

you're screwed.

Like it was probably a lot of really

bad decisions that added up.

And so you're not going to fix it

overnight.

And it's the same thing with privacy.

Like you, you didn't,

you didn't just wake up one day and

like mainline all your ID straight to like

a ransomware gang.

It's happened over years of data breaches

and sharing too much on social media and

this and that.

So yeah,

definitely like pacing yourself going

slow.

I do agree with your last part,

but it's, it's,

I want to say yes and no,

because there are certain things that,

like you said,

like you put your face out there.

I wouldn't say you have to keep doing

it, but it's certainly harder,

especially the more you do it.

Like at this point,

my face will probably never be off the

internet, but you know,

if you do it once,

like you could probably take it offline,

but you do have to acknowledge that you

might not,

maybe somebody screenshotted it,

maybe somebody archived it, whatever.

Um,

but also there's a lot of other things

in privacy that I think are reversible.

Like, um,

I think I've shared this before.

When I first got into privacy,

I deleted Steam because I was like, oh,

I'm going to be into privacy.

I'm not going to use Steam.

And then over time,

as I kind of adjusted and got a

better feel for it, I'm like, actually,

I'm willing to take the hit and keep

using Steam.

And I know in retrospect,

I probably should have gone with some

other platforms that are less problematic

in terms of DRM.

But from a privacy perspective,

I was like,

I'm willing to take the hit because these

are games that bring me value and I

enjoy playing them and

And now I have to like repurchase all

those games that I had over all those

years.

So instead,

what I wish I had done is like,

okay,

just log out of Steam for like six

months, you know, or, you know,

you can always, if you delete Facebook,

you can always sign back up.

Like some decisions are reversible.

And so I think there's,

Um, it's just a balance.

Like, yeah,

some decisions are not easily reversible

and you should put a lot of thought

into them and not act right away.

But then other ones are also like, eh,

you know, you can always delete that app.

You can always re-,

re-download that app.

Like,

so I can't really give you like a

hard and fast rule, obviously,

but just something to think about,

I think.

You are.

Okay.

There you go.

Yeah.

I think it's,

I think the thing is definitely be careful

with like email accounts and stuff like

that.

That's like probably one of the biggest

mistakes that I made was like,

Having a Gmail account and I was like,

oh, I want to nuke it so bad.

And I just nuked it like too quickly.

And there was stuff that was... Oh, no.

So it becomes a nightmare.

So I would say keep it around for

a couple of years.

You can delete it.

It'll feel a lot better once you finally

are at a point where you're like,

I can actually delete this.

Because I guarantee you, you'll be like...

Oh, wait,

I remember I've got that account that I

made on that website from like ten years

ago.

Oh,

it's with my old email that I deleted.

It's like, oh.

You'll be able to sort it.

For sure.

Yeah, definitely.

I feel like I had another quick thought

on that one, but I can't remember it,

so it must not have been that important.

Yeah,

I guess if nobody else has any questions,

that's all I'm seeing on the forum.

I guess we can close out here.

Sounds good.

Yeah, let's do it.

Alrighty.

All right.

Well, thanks everyone for watching.

All the updates from This Week in Privacy

are shared on the blog every week.

So sign up for the newsletter or subscribe

with your favorite RSS reader if you want

to stay tuned.

As always,

a reminder that we send it right when

we start streaming.

So it also serves as a good little

notification that the stream has started.

For people who prefer audio,

we have a podcast available on all podcast

platforms and RSS.

And this video will be synced to PeerTube.

Privacy Guides is an impartial nonprofit

organization that is focused on building a

strong privacy advocacy community and

delivering the best digital privacy and

consumer technology rights advice on the

internet.

If you want to support our mission,

you can make a donation on our website,

privacyguides.org slash donate.

Or again, on any page of the website,

you can click the red heart icon located

in the top right corner of the page.

You can contribute using standard fiat

currency via debit or credit card,

or you can donate anonymously using Monero

or your favorite cryptocurrency.

Becoming a paid member unlocks exclusive

perks like early access to video content,

priority during the live stream Q&A,

early access to the show notes, actually,

so you can see what stories we're

considering.

You'll also get a cool badge on your

profile in the Privacy Guides forum and

the warm,

fuzzy feeling of supporting independent

media.

So thank you all for watching,

and we'll be back next week.

See you next week.
