CalyxOS Is Officially Back!
CalyxOS is back in public releases,
some good news for privacy in the US,
and what would you do if a Flock
microphone appeared in your yard
overnight?
All this and more coming up with This
Week in Privacy, so stay tuned.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we're working on
within the Privacy Guides community and
this week's top stories in data privacy
and cybersecurity.
I'm Nate,
and with me this week is Jordan.
How are you doing, Jordan?
I'm doing great.
So excited to jump back into some more
privacy news this week.
Yeah, it was a busy week.
Thankfully, not super, super overwhelming,
but definitely no shortage of stories to
choose from.
And I think first up here,
we're going to go with some news from
CalyxOS,
who is officially back in a public
release.
So some of you may remember,
to kind of give you the full drama,
let me go back to the beginning.
So I believe it was about...
Oh, God,
it was about this time last year.
Holy crap.
Maybe a little after this,
maybe closer to the fall.
But CalyxOS, which is a –
I know this is going to be controversial
just to say this,
but I think it would technically qualify
as a de-Googled Android in the vein of
something like Lineage or /e/OS,
arguably Graphene,
just in the sense that it's like Android,
but they try to reduce some of the
Google bits that are in there by default.
We'll get into all that later, I'm sure.
But CalyxOS,
they announced that a few of their key
members were leaving,
including their lead developer and
Nicholas Merrill,
who founded the organization.
And they also announced that coinciding
with that,
they were basically going to freeze
releases and completely redo their
backend.
And there was a lot of speculation because
it was really weird, right?
They were basically like, like a,
They were like,
we're going to rotate our keys.
We're going to come up with this new
key signing thing.
We're going to streamline our process.
Like,
we're just going to overhaul everything
from the ground up.
And there was a lot of speculation, like,
that's really weird.
Like, is there evidence of compromise?
Like,
did Nicholas take the keys with him when
he left?
Like, what happened here exactly?
And so they did put out a statement.
They were like, no, like,
there's no evidence of compromise.
But they still never really said why now.
Like, they didn't just say if it's like,
look,
we've been meaning to do this and now
is a good time or what the case
was.
But they said about four to six months.
And for the record, I'll admit my bias.
I like Calyx.
It was like one of the first...
I mean,
it was the first de-Googled OS that I
ran full-time.
So I have a soft spot for it.
But I do have to admit that they
really, really overshot that goal.
I think they finally...
Um, they finally released, and here's what I
was gonna say. Some of you guys may
remember a couple months ago, I think it
was around February or March, uh, maybe
January, I'm bad with time, they finally
announced, um, you know, okay, we have this
like beta release that you can go and
download. Um, but they weren't fully back
yet like this. So that's what this is.
They are like, we are back, we have
a full release, you can go download it
now, you can use it. Um,
Their communication could have been better
during this almost year long process.
They only issued like three or four status
updates.
And again,
they really never explained like,
why are we running behind?
Why is this taking so long?
What are the roadblocks?
Just a personal pet peeve of mine.
Like I'm, I know I'm kind of,
doing the analysis already.
But, like, I'm a really big fan of,
like,
if something is taking longer than
expected, tell people why.
Don't just be like, oh,
we're working on it.
We're working on it.
Like, tell people, like,
we ran into this issue.
This broke.
This turned out to be harder than we
expected.
Blah, blah, blah.
Just let people know, man.
But anyways.
So, yeah.
So, it's fully back.
There's version seven dot two dot two dot
zero,
which unfortunately is still based on
Android sixteen.
They have not upgraded to Android
seventeen yet.
But...
On the plus side,
they do say that there is,
they do support a new phone now.
Where did that go?
I can't find it.
I probably scrolled right past it.
But they are supporting a new phone now.
I think it's the SHIFTphone six or
something like that.
So that's pretty cool.
They say that they are.
Oh, yes, there it is.
The SHIFTphone eight.
They say that they are working on Android
seventeen.
So what they did is they switched to
an HSM-based open source signing solution,
which HSM, from what I understand,
I'm a little bit outside my expertise
here.
But from what I understand,
it's kind of like a
it's almost like a physical server that
handles the signing keys.
That's probably like a really grossly
oversimplified version,
but it's supposed to be like really super
secure.
So they've got this new,
like really secure way of handling the
signing process.
They did release the security audit and
the provisioning ceremony and everything.
Uh, they also did do some things and,
um, here's what I'll be interested to see.
So they say in response to Google's less
frequent AOSP source code releases,
which for anyone who missed that Google
used to release the Android open source
project, um,
I think once a month and now then
they switched to like once a quarter.
And I think now it's even gone down
to like twice a year.
Um, I could be wrong about that,
but it's definitely a lot less often.
So now all these, these, uh,
I don't want to call them derivatives.
These forks of Android that we like to
use in the privacy community now have to
do so much extra work to try and
get this.
And that's like the least of things that
Google did,
but that's a whole different story.
Anyway, sorry.
In response to Google's less frequent AOSP
source code releases,
our team developed scripts to reduce
overhead in applying monthly patches and
updates.
So that's pretty cool.
They say they have set up a cleaner
server structure to streamline each
release.
And currently,
our lead engineer is continuing
maintenance on the base device trees for
both Lineage and Calyx to bridge the gap
created by the absence of Google Pixel
device trees, which is, again,
another thing that Google stopped
publishing that makes the job so much
harder.
So they said we'll share a timeline soon
for releasing Calyx eight with Android
seventeen.
And last but not least,
they did have some personnel changes
again.
Like I mentioned,
they said that their core developer
working on the Aurora store is leaving for
another opportunity.
I think they said...
I don't know if they've replaced him yet,
but they said they did welcome somebody to
replace someone else who does
infrastructure.
So yeah, it's definitely...
So I guess let me start by saying
that Calyx is not officially recommended
by Privacy Guides just because we feel
like it doesn't really bring anything
meaningful to the table in terms of
privacy and security.
Like, I think it's not bad.
And I think the decisions,
at least in my opinion,
I know there's some people who argue that
it's a downgrade in security.
There's, I think...
Personal opinion,
I think the decisions they make make
sense.
Like for example, they say that,
I think it's the clock server still pings
Google because they're basically like,
well, it makes you blend in better.
But at the same time,
I think that's a matter of what do
you want out of a device?
Like that's kind of a personal opinion
thing.
Like,
do you wanna blend in with everybody or
do you want Google to not get your
IP address in the first place?
I don't think there's really a wrong
answer there necessarily,
but I guess my point is like,
I think their decisions make sense even if
they're not the right decisions.
But, um, I will be interested personally to
see, I guess, I, I think one of
the big reasons, again, there's several
reasons, but one of the big reasons that
we don't recommend Calyx is they've
historically been very slow to provide
updates. And, uh, they did kind of fix
that shortly before this reboot. Like a
year or two, it was a couple years,
um, before this reboot, they released the, uh,
what is it called,
the Security Express channel,
which is basically you can go into your
settings and you know how you can sign
up for like the beta releases,
the stable releases.
Well,
they added a third option called Security
Express,
which is only the security releases.
So you still have to wait for the
features to hit stable,
but you will get those security patches
usually within a couple days of when they
are publicly released by Google.
So that was really cool to see.
But then there's this whole thing that,
like I said,
was supposed to take four to six months,
took almost a year,
not a lot of communication.
So personally,
I will be really interested to see with
all these infrastructure improvements and
the scripting that they've done.
And I'm really interested to see
if this is going to make a difference
with their release schedule.
Because I think that will go a long
way to addressing at least some of the
biggest concerns with Calyx.
Now, again,
they don't do the hardened memory
allocator.
I think we have a page somewhere on
the website that I'll go find while Jordan
gives their thoughts.
But they don't harden the memory.
They don't really introduce any additional
sandboxing.
They replace Google services with microG.
And unfortunately they do give microG
elevated permissions in order to run
reliably for like notifications and stuff.
So that's kind of one of the examples
I talked about where some people will
argue that it's a step backwards because
now you're giving this third party
program, some extra permissions, whereas,
you know, Graphene will like isolate the,
um,
the Google Play into its own sandbox,
which is really genius.
So it's definitely,
I think Eteru here said that even with
the recent update,
it's still a trade-off between security
and convenience.
Using microG signature spoofing means
sacrificing core system security for
usability.
Exactly.
So yeah,
it's definitely not our top
recommendation,
but it's still a popular choice in the
community.
And the fact that it is back now
is definitely really big news.
So I think I have rambled on that
plenty. Um, Jordan, did you have any thoughts
about this story?
No,
I think you did a good job covering
like a lot of the main things.
Sorry, everyone,
I'm a little bit sick this week.
So if I sound a bit funny,
that's the reason why.
But so basically this is kind of the
reason why I'm covering this is because
obviously this is news in the privacy
community because I think this is
I think while CalyxOS doesn't have,
you know,
it doesn't compare to GrapheneOS in terms
of security, I think, you know,
it's possible that, you know,
I think there's privacy benefits over
stock Android and, you know,
other operating systems.
But I think, you know, like Nate said,
like we kind of do push people more
towards GrapheneOS because that is just
like the pinnacle at this point of privacy
and security and,
you
I think it's also the gap has widened
even more because GrapheneOS has the
sandboxed Google Play services,
which offers a good level of privacy from
Google by not allowing it to be a
privileged app.
That is, you know,
a benefit of GrapheneOS.
But then there's this comment here from
Dag Overhaul.
Does CalyxOS support a wider set of
devices than Graphene?
Exactly.
So that is, like,
the benefit of CalyxOS is, you know,
if you do have, like, a Motorola or,
like, Nate was saying, like,
a SHIFTphone Eight or any of these
other, like, custom devices.
I know they support Fairphone as well.
So, you know,
if you do have one of these other
devices, then...
boom, that's your solution.
But I think we should all be very
cautiously cautious about this because as
we saw,
they haven't released a single release
because they had a whole restructuring and
everything, which, you know, it happens.
I think it's hard to,
hard to keep managing a project for an
extended period of time. There were, you
know, they had a very cemented workflow
that they had for probably, you know, four
or five years. So I think it's reasonable
to, uh, to have to take a pause
on updates for a little bit, um, to
restructure that. So I don't think that is
super concerning, but I do think, you know,
it is extremely unfortunate, especially
when it's like the threat landscape that
we're in is where, you know, people's
devices
are constantly under attack, and if they're
not receiving updates, then that is kind of
a, that's kind of a massive problem,
especially because, you know, there's,
there's so many attacks that can, that can,
that can be,
make sure your device is updated.
So I hope that, you know,
this is the first official update.
I hope they continue making sure they're
keeping on top of updates as well.
GrapheneOS is already updated to Android,
whereas CalyxOS is still on Android.
So they've always been behind.
It's just always been,
it's the nature of it.
GrapheneOS is also behind as well when
it comes to, you know,
big releases like Android, they took,
I think it was a couple of weeks,
maybe two weeks,
I think to have a stable,
a stable build out.
So, you know,
there's always going to be a delay.
Um, but I think, you know,
when we compare the projects graph,
you know, this is just such a,
it's a much bigger project.
They've got much, um,
much more developers working on it.
It's, it's just a bigger project.
So that kind of means that these,
these sort of maintenance tasks get
completed more quickly, which,
It's fine.
There was another comment from Dag here.
Can you run Google Play services slash
store on Calyx,
install and run banking apps, et cetera?
So I guess I think Nate, I believe,
has used CalyxOS quite a bit.
So maybe I can throw that back to
you and you can answer that question.
Yeah, sure thing.
So technically, no,
Google Play services does not work.
The Play Store, as far as I know,
does not work.
Usually they recommend using Aurora
instead.
Instead of Google Play services,
you'll use microG,
which in my experience works fine.
I'd say like ninety percent of the time.
Where you run into issues is, so there
was, there's one app that I use.
It's like a habit tracker.
And on Google,
because I was kind of bouncing back and
forth between the two for a minute to
kind of compare them.
On Graphene,
I would get notifications that it's like,
hey,
our premium version is fifty percent off
for the next week or whatever.
And then you click it and it takes
you to the Play Store and you can
sign up.
And it's one of those apps that I...
Actually,
I think maybe you could have gone straight
to the website.
I can't remember.
Um, but on Calyx, for example, that,
that I think I would still get the
notification, but it wouldn't work.
Like I would click on it and it
would just be like, oh,
there's an error because, uh,
Aurora does not support and microG do
not support, um, the,
the subscriptions like that.
Um,
Yeah,
I'm pretty sure I was able to pay
for it directly on the website and get
around that.
But sometimes you can't do that.
Some apps don't let you pay directly on
the website, which is unfortunate.
So there's little things like that that
don't work very well.
The banking apps, in my experience,
work pretty well because it still locks
the bootloader.
So it still gets that security feature
that it's looking for.
But also,
I know that Google is changing how Android
verifies stuff.
So we may have more issues in general
going forward.
that I would expect to see Graphene handle
a little better just because of the
compatibility layer thing.
So when I was using it,
banking apps worked good enough,
but there's always a possibility that they
don't work as well now because I
absolutely stopped using it when they
stopped getting updates.
Like right after they paused for this
whole thing, there was like a big...
there's like a big update for Android in
general that fixed a lot of like really
serious security vulnerabilities.
And people were like, yeah,
you should definitely get off Calyx at
least until they fix this.
So, yeah.
I think we'll, you know,
we'll watch cautiously on this because...
It's an evolving situation,
but I don't think unless anything huge and
major changes,
there'll be any recommendation from
Privacy Guides.
Just because, like Nate said,
there's not really any significant benefit
to this over GrapheneOS,
which seems to have more focus on privacy
and security than CalyxOS does.
I think it'll be interesting to see how
well the maintenance goes over time,
but we'll definitely make sure we're
testing this and seeing how it evolves
over time.
Yeah,
I think you really hit the nail on
the head.
It's really good if you don't have a
Pixel for whatever reason.
Personally,
I would recommend Calyx over stock Android
because at least it will cut down on
some of the Google telemetry.
But yeah,
if you have the option for Graphene,
it's definitely the way to go.
And real quick,
I don't want to belabor it,
but I did find that article I mentioned.
I just want to throw it up on
screen real quick.
This is an article from twenty twenty two.
That's why I couldn't find it.
I thought it was an actual page,
but it's an article.
So it is a little old.
So some of the information was outdated,
but it kind of shows you Graphene versus
Calyx: update frequency, sandboxed Google Play
versus microG, eSIM activation, extensions,
profiles,
which that part might be outdated by now.
So yeah.
Definitely go check that out.
It'll at least give you a rough idea
of why we recommend Graphene instead of
Calyx.
I think you are muted.
There's been some updates to that article,
so...
It's not a hundred percent correct,
but it does have some general things that
should be still correct.
I believe the things that are not correct
is the privileged microG and also the
privileged app extensions might've been
removed possibly, but.
I think microG is still privileged.
I know they've said that they do want
to figure out a way around that because
that is a common criticism they get.
But last I checked,
they hadn't fixed that yet,
but I think the app extensions one,
you might be right.
Okay, yeah, I'm not sure,
but definitely that'll be something you
have to look into yourself.
But yeah,
so that's kind of everything we had to
cover on this story.
I guess we can move into the next
one here.
And this one is a story here from
404 Media.
Apple's Hide My Email vulnerability
reveals people's real email addresses.
Hide My Email users deserve to know that
it may be possible for attackers to
discover their hidden email addresses, the
person who reported the issue said. Um, so
basically if you, okay, this seems to be
paywalled, so, um, that is a bit of
a problem, uh
Here,
I'll hop in because I have a subscription.
I'll say that, to be honest,
that's kind of all there is to the
story because they said that...
So one thing that I will say was
interesting is apparently this came from
Tyler Murphy,
who is the co-founder of EasyOptOuts,
who we do recommend on Privacy Guides.
I've been using them for years,
very happy with them.
They were,
I don't know if they still are,
but they were sponsoring Surveillance
Report back when I was on Surveillance
Report.
Um, but apparently, yeah,
he discovered this vulnerability and they
have not disclosed it because they said
that Apple hasn't fixed it yet.
And I think that's kind of part of
what this article is,
is I think 404 is kind
of teaming up with Tyler to like pressure
Apple into fixing this,
because I think they said they reached out
like all the way back in May and
Apple was like, Oh, okay, thanks.
We'll fix this.
And then like stopped responding.
So, um,
we don't know exactly what this is or
how it works,
but I think this was an interesting story
to cover because, um,
Um, you know,
email aliasing is definitely getting a lot
more popular.
We're seeing more, um, like IVPN,
I think has an email aliasing service now
and AdGuard has an aliasing service.
And of course there's like Firefox Relay,
SimpleLogin, Addy.io.
There's just,
it's becoming more and more common.
And I think Apple's introduction of this
really kind of shot it into a mainstream
attention.
Um, yeah.
So yeah,
it kind of defeats the whole purpose if
people can easily figure out a way around
this.
And I don't know,
I guess I've seen some discussions.
Do you happen to know, Jordan?
I mean, again,
we don't know the exact vulnerability,
but I know some of the people in
the comments of this article were
wondering, like,
do we think this might apply to some
of the services we do recommend,
like SimpleLogin or anything like that?
I have a feeling that the way that
this works
vulnerability works is somehow tied back
to the Apple account itself,
like the Apple ID,
because the way that the Hide My Email
aliases are created is tied to your iCloud
account.
I have a feeling it's something to do
with that, but I could be wrong,
obviously,
because they're not revealing
what it actually,
what actually is the problem here.
They're just saying that it's,
that it might be possible.
So yeah, it's not, we don't have,
I mean,
I can't see what's in this article,
but like,
it sounds like there isn't a whole lot
of information in addition to that.
Well, Joseph here in the comments,
I'm scrolling through the comments of the
article and Joseph Cox,
the author said that, uh,
it reveals the email linked to the Apple
ID.
So I think you might be onto something
with that.
Yeah, um, I think, you know, we've never,
we've never recommended Apple's Hide My
Email, so, you know, it's not like this
is a direct threat to people in our
community, but I can't, I can say that
I've used Hide My Email stuff just because
it was convenient, like signing up to a
new account with like my Apple account and
stuff like that. Um,
I've used it before.
So, you know,
maybe someone can find my real email
address or something, but I mean,
I don't think it's a huge issue,
but I can see how this would be
kind of a problem,
especially if you're like a whistleblower
or like someone doing something a little
bit, you know,
you don't want something tied back to your
identity.
So it's,
Yeah, it's not really great,
especially when that's kind of implied
with the service.
It's called Hide My Email.
It's literally in the name.
So if it can't do what's in the
name, then that's a bit of a problem.
So I'm not really sure what the outcome
of this is going to be,
but we can kind of circle back to
our website here.
And we do recommend a couple of different
email aliasing services,
so
You can kind of take your pick,
I guess.
So I guess first off,
we recommend Addy.io and SimpleLogin.
There might be more added at some point,
but this is kind of what things are
looking like at the moment.
Addy.io is a free service,
same as SimpleLogin,
but they limit some of the requirements.
I think it's...
you get like ten domain aliases on Addy
and you get like ten on SimpleLogin as
well.
So, you know,
you've got some options definitely.
And I think, you know,
maybe it's time to switch away from
Apple's closed ecosystem.
I think usually they're pretty good on
privacy related stuff like this.
So I think they'll fix it.
But it could be a better time to
start looking at
better alternatives.
And I think one benefit of Addy.io and
SimpleLogin, at least the paid plans,
is you can send emails to any address
from any of your aliases,
which is something you can't do with
Apple's Hide My Email,
which I found really annoying.
So don't make that mistake.
But yeah,
so that's kind of what we recommend.
I would say
There's no need to panic at this point
because as far as we know,
it's not publicly disclosed or anything
like that.
Apple is usually pretty quick,
but we'll probably have an update for that
next week if Apple does actually decide to
change this.
Yeah, for sure.
We'll keep people updated.
But yeah,
I think we just wanted to include this
story because I know Hide My is kind
of popular.
There are some people who still use Apple
for any number of reasons.
And they're like, well,
I'm already using Apple.
I'll go ahead and use the Hide My
thing because it's so cheap.
So it's important to know that.
Um,
I will call out a couple of quick
comments.
Like Cisco here said,
I've been buying a custom domain and
having a catch all email address.
Honestly, I, I do the same thing.
I really like it.
I have a custom domain that I use
through SimpleLogin and, um, yeah,
I can just make things up on the
spot or, uh, whatever.
And personally,
I like that because if SimpleLogin ever
enshittifies,
I can go to Addy or I can
go to, you know, uh,
whatever the one from IVPN is called that
I keep forgetting.
Like I can, I can switch very,
very easily, which I think is cool.
Um,
And then Dag Overhaul here said,
use aliases for spam control,
not anonymity.
I don't... He says,
make them forward to an anonymous email
address.
I mean, yeah.
I mean,
I guess if you want to go hardcore,
I want to nitpick a little bit and
point out that anonymity is not privacy.
And the idea of privacy is to be
able to control who has access to your
data.
And that's the whole idea is like,
you're not supposed to be able to see...
the main email address.
Like, that is the one job.
That is the whole job of alias emails.
So, I mean, that's certainly a way,
a very advanced technique if you're super
concerned about it.
But, yeah.
MailX, thank you.
You just posted that in the chat.
And yeah, DuckDuckGo is also an option.
I found it difficult to use personally,
but
Yeah,
you kind of need a third party extension
to make DuckDuckGo's one work well,
which probably is not a good sign.
But someone asked,
what's up with the floating head?
Privacy, I guess.
I don't know what to say.
This is the privacy channel.
You should know why.
But yeah, that's the reason.
Just don't want to show my face if
I can avoid it.
And yeah,
I don't really have much more to add
here,
unless you want to talk a little bit
more,
but could jump into this next story here.
Sure thing.
Do you want me to take this next
one?
Or would you prefer to take it?
How about I give the rundown quickly and
you can add some of your U.S.
perspective because I think you're going
to have a lot more to talk about
on this one.
Supreme Court ruling guts government's use
of geofence warrants.
SCOTUS falls short of deeming geofence
warrants unconstitutional, though.
The Fourth Amendment protects the user's
location history,
the Supreme Court ruled on Monday.
The same logic already applied to a cell
phone's tracking,
and the High Court found no good reason
exists to reach a different result for
location history collected by third
parties like Google.
Split six three,
the majority agreed that the government
needs a warrant and must show reasonable
cause to turn a phone's location tracking
services into a government surveillance
tool.
So the decision came in a case where
cops used a so-called geofence warrant to
track down an armed bank robber from a
list of all phones logged in the area.
Applying a three-part process,
cops worked with Google to narrow down the
list of suspects and eventually arrested
Okello Chatrie,
who had opted in to share his location
with Google every few minutes.
Chatrie was sentenced to twelve years in
prison but challenged the geofence warrant
as an unconstitutional search.
So the US tried and failed to argue
that no search was conducted under the
Fourth Amendment,
partly because they only searched a little
bit of Chatrie's location data,
which the government considered too small
to warrant privacy protections.
They also claimed that Chatrie was aware
that voluntarily sharing his location with
Google could mean that law enforcement
might get access
to the data. And along similar lines, the
government argued that Chatrie's data
simply showed his movements in public,
where he supposedly had no reasonable
expectation of privacy. Okay, so I guess
that's like the main rundown of this. Um,
Unless you have, like,
it definitely goes on a lot more.
So I don't know if you have more
to add on this.
I mean, of course you do.
So what are your thoughts on this?
Yeah, I do want to...
Real quick,
I do want to run through what the
judge said, because I think it was really,
it's one of those things where it's like,
oh, you're so close to getting the point.
She said that Google repeatedly prompts
users to turn on the service,
often warning that their devices will not
work correctly otherwise,
while not disclosing in that prompt how
frequently location information would be
recorded, how precise it would be,
or how it might be given to the
government.
She said that much like carrying a cell
phone is part of modern life,
so is allowing a third party to track
your movements,
and that doesn't diminish a person's right
to privacy.
And then Justice Sonia Sotomayor noted
that even short-term monitoring of a
person can reveal a wealth of details
about his family, political, professional,
religious, and sexual associations,
particularly if he's been visiting
sensitive locations like a clinic,
attorney's office, or strip club.
Yeah, so I mean, it's really like,
it's one of those, it's like, oh,
you get the point.
Come on, like, just take it further.
But yeah, it's, I mean,
that's kind of all it is right there,
I guess,
is the police tried to be like, oh,
but it's, you know,
he's moving around in public,
like that whole, you know,
no expectation of privacy thing.
And I think they even tried to make
the argument.
So like the police tried to make the
argument that it's like,
the phone itself has no expectation of
privacy.
or something like, no,
like the phone itself does,
but the apps don't or something like that.
And the Supreme Court was basically like,
yeah, but let's be real.
We live in an age of smartphones.
Like who's not going to have apps on
their phone.
That's the stupidest argument I've ever
heard.
So, um, I'm not,
The Supreme Court surprises me in a good
way sometimes.
I'll just say that.
Yeah, I think my only other thought is,
you know, at the very beginning,
that little subheader, it said, like,
the Supreme Court falls short of deeming
geofence warrants unconstitutional.
And I think that is an important thing
to know, is, like,
this doesn't ban geofence warrants.
But I think this might almost be...
better. I'm not a lawyer, and I would
happily welcome any input from actual
lawyers on whether I'm right or wrong, but
I feel like this is almost better because,
like, saying that geofence warrants are
unconstitutional, I feel like, would be
relatively limited. Like, the way US law
works is you can always cite that as
precedent in other case and expand it and
stuff like that, but I feel like, like,
that was still much more limited, as
opposed to this, where it applied to like
third party collection of location history,
I feel like just is so much more
broadly applicable. So I'm kind of hoping
this is almost like in the long run
an even bigger win because it can apply
to so many other things.
Again, not a lawyer.
Happy to hear from any lawyers out there
if I'm right or wrong.
But I think that was my only other
thought that I wanted to add.
I guess like this kind of makes me
think, does this apply to, you know,
other data collection?
Could this apply to Stingrays being used
to collect IMEI numbers?
Or could this affect Facebook or any other
company?
Or is this specifically about Google's
location tracking?
Or is this just like...
That's a great question.
I mean,
the article said third parties like
Google.
Um,
they said the Fourth Amendment protects
the user's location history and the same
logic applies to a cell phone's tracking
and no good reason exists to reach a
different result for location history.
Um, so my thought would be,
I don't know about the Stingrays 'cause I
feel like that's probably like a law
enforcement exception kind of thing,
which I mean, granted,
I guess they didn't do here with the
geofence warrants, but my,
my guess would be if anything,
this will only apply to location data
until,
cause that's kind of the way that US
law works is like everything is built
based
by cases.
And, um, I mean,
I don't want to go on too long,
but basically that's why it's so
important.
It's so strategic to like,
see if we can get this in front
of the Supreme Court.
I think, uh,
Cindy Cohn talks about this in her book,
actually, Privacy's Defender.
Like you want to get a judge who's
sympathetic to your case because once they
hand out a ruling,
there's certain criteria that makes
something legal precedent that I learned
from her book.
And anyways, long story short, it's like,
basically it's not always enough to just
be like, well, here's what the law says.
The court has to interpret it and deliver
a
affirms or clarifies that law.
So I feel like it's one of those
things that like, okay,
location history is more or less settled
now,
but all the other things like messages,
metadata, timestamps,
like those things are probably not
protected until somebody comes along and
has a case, a precedent setting case.
That would be my guess.
Okay.
So like, you know,
all the other data that's collected by the
apps on your phone can be hoovered up
by this is what you're saying.
Exactly.
That would be my guess.
Again, not a lawyer,
but as I understand it,
that's probably how it's going to work,
at least until further notice.
Well, I think we take these wins.
This is a win, I think.
Definitely.
That's why I wanted to include this story.
We get so few wins.
It's like, you know what?
I'll take it.
This is a good one.
True.
Yeah, that's good.
So real quick,
want to point out Dag here said
robbing a bank while carrying a phone with
location sharing enabled, smart guy.
I know, right?
Like everybody knows that phones, even,
even quote unquote,
normies know that your phone is constantly
spying on you.
Like what idiot brings their phone to rob
a bank?
That's insane.
Yeah.
They're basically like tracking devices at
this point.
So it's a bit, uh, I mean,
maybe it's a spur of the moment thing,
you know?
Maybe.
I've heard weirder things.
But I think that will take us into
site updates,
unless you have anything to add to this
story.
No, let's dive in.
Alrighty, yeah.
So in a little bit,
we're going to talk about surprise Flock
devices,
which that's going to be a fun story.
But first, I mean,
so I'm going to level with you guys.
We actually forgot to talk about what our
site updates are this week.
But I know we've got a...
Let's see,
I know we put out a video recently
and I filmed, oh my gosh,
the weeks are starting to jumble together.
Oh, yes.
No,
I filmed a video last week about some
NSA history and the crypto wars.
And I think that is over with Jordan
now for the good editing.
I think I've told you guys this before.
I do like the rough edit where I
cut out all the long pauses and the
stutters.
But Jordan is the rock star who adds
all the special effects and the graphics.
And so I'm really excited to see how
that's going to turn out.
That's going to be super awesome.
Um, but honestly, it's been kind of a,
one of those slower weeks where it's all
stuff happening behind the scenes.
Um,
so I don't know if I have too
much more to add other than that.
Um, have you guys done anything, Jordan?
I think you and Jonah have been working
on a project,
but I don't know if it's published yet.
Yeah,
so Jonah did sit down with Rudy Wang,
who's the product manager at Cape,
Cape Mobile, which is like, I guess,
for people that are not super aware
because, you know,
we kind of wanted to make people aware
of it or at least answer a lot
of people's questions because I think
people are,
rightfully so, quite suspicious about this
sort of service. You know, you see, like,
this, this so-called private and secure
mobile carrier. It's like, it looks kind of
sus. So, you know, obviously we had some
questions, and
Jonah did a really good job of asking
technical and also just general questions
about the service.
So hoping to get that interview out soon.
It's all edited.
It just needs some extra bits to make
it flow together a bit,
like an intro and outro and stuff like
that.
But otherwise, it's looking good.
So hopefully we can get that out to
people soon because I think that we've had
so many questions about this service,
especially on the forum.
Like there's been a lot of questions and
people being rightfully suspicious
because, you know,
I think when we see these new services,
it's hard to...
know whether they're legit or not.
And I can say after watching the interview
and seeing their responses to the
questions,
they truly do know what they're doing,
which is interesting.
It's not something that Privacy Guides
recommends at this point, obviously,
but maybe it could be at some point.
It's definitely an interesting service,
but
It's one of these really annoying things
that I think people outside the U.S.
always kind of get annoyed about is all
these cool privacy services.
They're all U.S.
only, like privacy.com, like this service,
all these sort of more niche things.
Voice over IP, yeah,
there's just like more of an appetite for
that thing in the US, which is good,
because, you know,
when things get popular in the US,
it basically means like it'll bleed over
everywhere else eventually.
So, yeah, there's...
That's kind of what I've been working on
this week, kind of been finishing up that.
I've not been super busy this week,
so not a huge amount to report on.
But it doesn't seem to be any site
updates this week either, really.
We definitely need to push through some
pull requests on the website.
So we'll be working on that soon.
But yeah,
I don't really have anything else to add.
Yeah.
I think last thing I can add is
just as always,
privacyguides.org slash news.
Freya was on fire this week.
We have articles about how there's a town
in Massachusetts that got their Flock
contract canceled after public backlash.
So remember that stuff does work.
Um,
Google is trying to make reCAPTCHA even
worse and something about like,
I don't think it's biometric hand
scanning,
but they want you to like move your
hands certain ways.
It's so dumb.
Um,
Brave is adding containers to the browser
if you're a Brave user.
So yeah, lots of, uh,
Really cool stuff.
Freya's been crushing it with the
articles.
But that is all I got.
I think on the Flock cameras,
we talked about it last week,
but check out dflock.org.
That's how you can find local groups and
stuff.
So you can get Flock kicked out of
your city.
So definitely check that out.
But yeah.
Cool.
Um, yeah,
so all this is made possible by our
supporters.
You can sign up for a membership or
donate at privacyguides.org slash donate,
or we still have the merch shop over
at shop.privacyguides.org,
which is where I got this awesome water
bottle, which, uh,
is really coming in clutch this, uh, I'm,
I'm on the East coast and we had
a nice little heat wave and, uh,
Yeah,
Privacy Guides is a nonprofit which
researches and shares privacy-related
information and facilitates a community on
our forum and Matrix where people can ask
questions and get advice about staying
private online and preserving their
digital rights.
And now, some exciting news from WhatsApp.
Yeah,
so WhatsApp usernames are already raising
impersonation red flags.
So I guess if anyone here has been
using Signal,
which I kind of assume everyone here is
using it or has used it at some
point, Signal's kind of had usernames for,
I think, probably a good while now,
like maybe two years,
a year and a half.
I was going to say a couple of
years, yeah.
At this point,
so that was kind of a huge...
amazing feature because you could give
people a username instead of giving them
your phone number, which, you know,
it's nice to not have to give people
your phone number every time.
So that's...
That's kind of awesome.
But WhatsApp is rolling it out now.
And WhatsApp usernames are being used to
impersonate people.
So WhatsApp this week started rolling out
username reservations ahead of the broader
launch planned later this year.
The feature,
which lets people find and message each
other by handle instead of phone number,
is already raising impersonation concerns,
drawing scrutiny from security experts and
regulators in India,
the app's largest market,
with over five hundred million users.
The rollout marks a shift in how people
identify one another in WhatsApp.
Instead of relying on phone numbers as the
primary identifier,
users will increasingly interact through
platform-managed usernames,
a change that Meta says improves privacy,
but that critics argue could create new
opportunities for impersonation.
So I think one interesting thing about
this and how this relates to Signal is
with Signal,
it kind of removes the impersonation
concern because the usernames are actually
randomly generated.
So like
If you put your name as,
let's say I put my name as Jordan
in Signal,
it will automatically add two or three
numbers to the end.
So I'm not reserving a username
specifically.
There's extra numbers at the end to make
it more randomized.
And it allows more people to have a
nicer and easier to enter username, right?
But the way that I see this working
in WhatsApp is that it doesn't have that
extra number at the end.
It's just a handle,
which I think is what this is kind
of raising concerns about.
Because, you know, when you have
usernames like that, especially when you
allow reservation of a username, basically
a bunch of people can just, it's basically
always been an issue, right, with any
platform. If someone reserves a username
that you, that you own, or for your
brand or for your company, then you're kind
of screwed, right? Like, you can't, you can't
take that over unless they're using it to
impersonate you. So
That's kind of what we're seeing with
this.
And this has already been, you know,
a concern where this article says the
concerns have already reached regulators
in India where cyber fraud schemes
frequently exploit messaging platforms to
impersonate police,
banks and government officials.
In a notice sent to WhatsApp on Wednesday,
reviewed by TechCrunch,
the Ministry of Electronics and
Information Technology said the feature
could materially increase the incidence of
online fraud, phishing,
digital arrest scams and impersonation
attacks by enabling bad actors to contact
users without exposing their phone
numbers.
So, yeah, this is...
I feel like this Ministry of Technology is
like taking this in the wrong direction.
They're almost saying like,
this is offering people too much privacy.
We should have everyone be identified by
their phone number.
I don't think that's the solution here.
I think the solution is to allow this,
but to add an extra number or to
not allow people to basically squat a
username.
I think allowing it to be,
basically ephemeral or something that you
use specifically to connect with someone
and that expires or something like that,
that could be a little bit better in
my, in my opinion.
Um, because yeah, like,
like this article says,
it can be kind of used to impersonate
companies and governments.
Um, but do you have anything,
you had any thoughts on this one, Nate,
or?
Yeah, it's interesting, because...
Let's see,
I'm actually double-checking here,
because, yeah, so Signal...
There's not a lot of details in...
I actually have two articles here,
and one was the initial WhatsApp is
rolling out usernames announcement.
But even that one really doesn't explain a
whole lot about how...
this actually works. Um, the only thing they
said that I thought was interesting, they
said users can optional, users will be able
to set an optional key that others will
need to know before messaging them via the
new username. So that's like one way to
cut down on spam and stuff. But I
remember when Signal usernames came out, I
thought they were going to be abused, and
then people pointed out, it's like, but
people can't see your username. Like, people
can see your username if you share it
with somebody, um, but like, let's say,
let's say I give you my username and
you message me, I can't see your username.
So it's not like you can do an
impersonation, I mean,
any more than you could with like any
other messenger, right?
But it's not like, you know, where like,
like Twitter or Mastodon,
where you could make it, you know,
Nate B at whatever.
And it's like, oh,
now I'm impersonating Nate,
like you could change your display name,
but that's about it.
So that's kind of what I'm wondering here
is like,
is
Is this, are these usernames visible?
Like, is that what the concern is?
Is that people are going to see that
they're getting messages from some of the
examples they use here where like,
what is it?
India Modi is still not open or is
still open for registration,
which for those who don't know,
Narendra Modi is the prime minister of
India.
So it's like,
are people going to think that they're
getting messages from India...
Narendra Modi? The Binance founder,
Changpeng Zhao,
said that he couldn't reserve CZ
underscore Binance,
which is the handle he already uses on
Twitter.
So it's like somebody's probably already
using that, and it's just really weird.
And WhatsApp says that there's certain
handles that they're reserving to verify
that they're legitimate users,
but they didn't explain...
what those handles are or like how they're
deciding.
Cause you know, they're,
they're Meta and they're never super open.
So yeah,
there's just like a ton of questions here
about like, how does this work?
How are you going to protect people from,
from impersonations like this?
I'm seeing here,
I'm doing some additional research and it
could be wrong.
Usernames must be three to thirty five
characters long.
Let's see.
You can,
You can change or delete your username at
any time,
though deletion reveals the phone number
again for fourteen days.
Oh, and when you delete a username,
it can be reclaimed,
which I think is true of Signal as
well, but it's also just like, again,
if somebody's squatting on a username,
it's, I don't know,
it sounds like this was not rolled out
as thoughtfully as Signal,
which is probably not surprising coming
from Facebook.
But the only other thing I will say,
Cisco here said it sounds like another way
for them to sell verification
subscriptions like Instagram.
That's entirely possible because this
article from TechCrunch did note that they
did say, oh, where'd it go?
I know I had to scroll pretty far
down for it.
It will let users claim their existing
Instagram or Facebook usernames by linking
their accounts,
saying that the option is intended to help
creators, businesses,
and organizations maintain a consistent
identity across Meta's platforms while
reducing impersonation.
So,
Yeah.
I don't know.
They'll probably charge for that down the
road because why not, right?
But yeah,
I think those are kind of all my
thoughts.
It's just I don't understand how this is
supposed to work and why didn't they just
copy Signal?
It was already there.
I mean, okay,
so I'm just reading an article about how
this works and you did mention like the
WhatsApp username key and it looks like
it's a four-digit code that's linked to
your username.
So it sounds pretty similar to how Signal
does it with like a number at the
end of your username.
So...
That does make sense,
but that doesn't seem to really...
I don't think people are going to use
that.
People just use the default thing.
They're not going to use this extra
privacy feature, I don't think.
Yeah, this is kind of a problem,
I think.
But which, you know, Meta never really...
With Meta,
they always don't take the right path.
They always go the wrong direction with
stuff.
Like we saw,
they removed end-to-end encryption from
Instagram DMs.
All sorts of bad decisions on their part.
So this is going to affect a lot
of people,
like a ridiculous amount of people.
So I hope that they do fix this
or make it a little bit better because
so many people use this app.
So to clarify, yes,
if my research is correct,
if you do not have the person's phone
number saved in your contacts,
they will see your username instead of
phone number.
But if they do have the phone number
saved,
they will see your phone number instead of
username.
So that's what the issue is here,
is if I message you and my username
is India Modi,
I can pretend to be Narendra Modi.
That was...
Sorry,
every once in a while my brain needs
to reboot because I'm like,
why do people make so much money to
be this irresponsibly stupid?
And it makes me so mad.
Yeah, text Eddie here.
People talking about the Instagram DM
thing you said.
People weren't using the encryption
feature that we had disabled by default
and hidden deep in the settings,
so we removed it.
Yes, yes, exactly.
God, that was so annoying.
I feel like this is not like a
– I feel like Meta sort of does
this thing where they're like,
here's this feature, and then, like,
here's the added protection that, like,
literally no one is going to use because
it's, like, hidden deep in, like,
the settings.
It's like, okay.
Like,
the default setting on Facebook is to,
like,
share your phone number and contact list
by default.
It's like, well, yeah,
but you shouldn't do that.
But it's like by default it does that.
So –
Yeah, anyway, we can, we can, uh, we
can be mad at Meta all day, sorry.
Oh yes, I can, I certainly can, but
uh, let's be mad at Flock for a
minute instead. So we'll, uh, we'll move on
to the story here about, um, a woman
was surprised when a Flock surveillance
tower appears in her yard without warning.
Um, so there's
I'm going to say there's a silver lining
here, but it just raises more questions.
So this woman, Kat Vaughn of Roanoke,
went to the park
Like, that's how quick this happened.
I mean,
I don't know how long she was at
the park.
It says she returned home from a brief
trip to a nearby park.
So maybe she was there for thirty minutes.
Maybe she was there all day.
I don't know.
But either way,
it's not like she was gone for a
week or something.
And when she came back,
she discovered that there was a freshly
installed device sitting in the parkway
strip,
which is a section of public land between
her lawn and the street.
So to be fair,
this is the first caveat.
It wasn't technically her lawn,
but it was right in front of her
house,
which is one of those things where it's
like...
if you put a camera right in front
of my house, like what gives dude?
Um, so it actually wasn't a camera.
It was a Flock Raven audio detection unit,
which is Flock's knockoff of ShotSpotter,
which is, um,
basically a microphone that they stick on
a pole that is supposed to tell if
there's a gunshot nearby, but it is, uh,
what's, what's the word I'm looking for?
Um,
cartoonish, uh,
shout out stuff they don't want you to
know.
Uh, it is cartoonishly inaccurate and bad.
It constantly, uh, gives false positives.
It constantly remembers or not remembers,
um,
it constantly flags things like the manual
oversight.
People are just like, ah, that's like,
whatever, just dismiss it.
That's not a gunshot.
It's just, it's so bad.
It's so bad.
Um, but you know, Hey,
somebody is making money.
So why not the psychopath running Flock?
So anyways, they installed this thing.
Um, here's,
here's where I say there's a bit of
a silver lining,
but it just raises more questions.
Um, so, uh, Vaughn called the police and,
uh,
the cops came out to take a look
at it.
And even they were just like,
Like she said, OK,
so when the officer got out here,
he wasn't sure what it was either.
So we went and got a tall ladder
to be able to get up to take
a picture of it closer.
And he said, yeah, I think you're right.
It's a gun surveillance device.
And they weren't supposed to be installed
until July.
By the way,
it is July third for anyone listening
after July.
after time. Um, so this was, god, what
was this? Article written June twenty
eighth, so they're ahead of schedule. And
then on top of it, so, uh, they
went and checked the city records. They
said that the city council had approved
the deployment of seventy five of these
sensors at various locations throughout
the city, and the patch of land in
front of Vaughn's house wasn't on the list.
So that's why I'm like, this raises further
questions. Like, okay, on the one hand,
I mean, first of all,
these things shouldn't exist in the first
place.
Like I said, they don't work.
They're garbage.
They're just somebody's get-rich-quick
scheme because somebody has no moral code.
But putting all that aside,
it wasn't supposed to be in front of
her house, which is good because, again,
what the hell is setting up a surveillance
device in front of somebody's house?
But how did it get there?
Who put it there?
Why did they put it in early?
I have so many more questions,
but I don't know.
This was just such a wild story when
I read this one.
I was like,
I really want to share this story,
but I don't know if there's any real
takeaways here.
Just a very insane story.
Yeah, that's incredibly wild.
I guess one question that I do have
is, like, what is this?
So wait,
it says Flock Raven Audio Detection Unit.
So is this,
am I understanding correctly that it's,
like,
listening for the sound of a gunshot and
then it's going to, like,
do something with that?
So the idea is that it's supposed to
detect sounds
And I mean,
I'm sure it goes without saying,
but you're supposed to put it in like
rougher neighborhoods where gun crime
actually happens.
But the idea is that it detects a
gunshot and then alerts the police.
So we don't have to wait for a
nine one one call or, you know,
especially in,
I'm not trying to stereotype here,
but in some of these poorer neighborhoods,
it's like, you mind your own business,
right?
Like you heard a gunshot.
No, you didn't.
Not if nobody got hurt,
you'd mind your own business.
So the idea is even with,
With ones that don't get called in,
it'll alert the police and they can come
by.
But like I said, they're proven.
You can look these up online.
I can't remember who covered it,
but somebody did a really deep dive.
It wasn't 404 because this would
be 404.
Actually,
404 may have covered this too.
But it's been proven that they have like
this ridiculous false positive rate that
they detect like...
like car backfires or fireworks,
like things that any human would hear and
be like, that is not a gun.
And it thinks it's a gun.
And then on top of it,
there's always the privacy concerns too of
the slippery slope, right?
Like, okay, sure, today it's a gun.
What happens tomorrow when it's like
speech?
And you're like, well,
we're just listening for violent crime.
You know,
we're listening for the two people on the
corner doing a drug deal or like planning
a crime.
And it's like, okay, today,
what happens when tomorrow they're
planning a protest?
Or, you know, it's just...
it's, no, yeah, these things are, there's
literally no redeeming quality about these
things except to make somebody at the top
rich. I, I'm gonna say that, full stop.
But yeah, I mean, I, my question with
this though is like, what if you just,
like, want to fire your gun on your
own property? Like, what, what, what about
that? Like, what, are you not, I thought
you're allowed to do that. Oh, no.
Yeah, or like Dag said,
don't watch any action movies with the
window open.
Yeah, I mean, it depends.
I would imagine that in a city,
it's probably not cool to be firing a
gun in your property.
But I don't know.
I mean, that is certainly a good question.
Like, yeah,
there's all kinds of scenarios I could see
where it's like,
I'm not doing anything wrong.
Why is, I don't know.
Yeah, that's crazy.
Yeah, it's wild.
But yeah, that's a pretty short one.
I don't think I have much more to
add to that one personally.
Yeah, fair enough.
I guess we can dive into some forum
updates here.
So in a minute,
we'll start taking viewer questions.
So if you've been holding on to any
questions about any of the stories we've
been talking about so far,
go ahead and leave them on our forum
thread or in the comment section on the
live stream.
For now,
let's check in with our community forum.
There's always a lot of activity.
And here's a few of this week's most
interesting discussions happening there.
So I'm going to take this second one
here.
This one is about Reddit.
So if anyone here has ever had the
displeasure of visiting the Reddit
website,
then you'll know that it's frequently
become harder and harder to access Reddit.
information on Reddit,
especially if you're using a VPN,
especially if you're using
it logged out,
especially if you're using any sort of
privacy protection.
And one way to get around a lot
of these restrictions was to use the
old.reddit.com website instead.
So basically, instead of reddit.com,
you would use old.reddit.com instead.
And that would basically load the old
less JavaScript heavy version of the
website.
And that bypassed a lot of the issues
that the newer version of the website has.
But this reporting here from Ars Technica
says that Reddit will require you to log
in to use old.reddit.com.
So logged out old Reddit access is a
significant source of abusive scraping.
So Reddit will start
Requiring people to be logged into Reddit
to use old.reddit.com,
the new requirement will take effect over
the next month.
A Reddit employee going by the username
BoatBotany announced on the social media
platform today.
The person claimed that the change is part
of an ongoing effort to tighten how
automated systems access Reddit.
So basically the excuse that they're using
is this is basically becoming a source
for, I think,
let's read in between the lines.
This is an issue with AI scrapers.
It's kind of always been a concern,
but I feel like a lot of like
large language models are basically
training a lot of data off Reddit because
it's so openly accessible.
So this is kind of just a move
by them to
restrict the access.
And I guess by having people log in,
then, you know,
you kind of can track activity.
So you can see that someone's visiting
every single subreddit,
every single post on every subreddit.
You can see that they're scraping and
block their access.
So by logging in,
we get a lot more signal that allows
us to detect whether an account is
breaking the rules,
and then we can block that traffic or
enforce those accounts, BoatBotany said.
As of writing,
Ars Technica was still able to use
old.reddit.com without logging in.
And the news is likely to upset some
longtime Reddit users who've relied on
old.reddit.com for a familiar look that
they find easier to navigate and digest,
and who also want to view Reddit without
logging in for convenience and or privacy.
So...
Yeah.
Anyway,
this old.reddit.com website is kind of a
source of scraping.
So, you know,
there's also in this article,
they also said that old.reddit.com might
not exist forever.
So it might almost be time to retire.
That's what they said.
So it's,
they said they can't promise it'll be
around forever.
So that'll be interesting to see.
But Nate,
do you have anything you wanted to add
to this story here?
Not too much.
I think I just wanted to share this
story because I know that old.reddit.com
is a very popular thing in the privacy
community.
Like they said in the article here,
it doesn't really contain any less
trackers per se, as far as I know.
But...
if you can do it without logging in
and you're using a privacy respecting
browser like brave or Firefox, um, then,
you know,
it's still a better privacy thing.
Cause like you said, yeah,
I've noticed it too.
It's not as bad as it used to
be,
but there was a period where Reddit was
like really being a stickler for like,
if you had a VPN on like nope,
instant login page with their stupid
little trying to be cute mascot that I
swear to God,
I wanted to punch it every time.
But, um,
Yeah,
it's getting harder and harder to use.
And also they make a point about a
familiar interface because I just noticed
I'm not super active.
I go through ups and downs if I'm
being totally honest.
I don't think I'm super active on Reddit,
but every once in a while I'll be
super active for like a week and then
stop using it for like three months.
But I've noticed this week I've been on
Reddit a little more and I logged in
and now they're doing that same crap that
everybody else is doing.
It's not bad enough that they had...
an algorithmic timeline,
now they have a suggested timeline and
your actual following timeline.
And of course, by default,
every time you log in,
it goes back to the suggested timeline.
So it's not just the subreddits you
subscribe to,
it's also a bunch of other crap you're
not subscribed to that's popular,
like AskReddit or r slash what is this
or whatever.
And it's like, I don't care.
If I cared, I would subscribe.
Stop trying to show me more subreddits.
So it's just...
you know, the,
the eternal problem of enshittification,
right?
Like it's just, it's frustrating.
And it's,
it's sad that cause Reddit does have
objectively,
I think it does have some value in
the sense that a lot of the time
when you look up something,
even without the AI summaries,
a lot of the time you look something
up and especially if it's something more
niche, like, Hey,
what are the reviews on these shoes?
Or like, um, you know,
I'm having trouble with this, uh,
I'm trying to think of something I'm
actually having trouble with recently,
but you know,
I'm having trouble with a thing.
Like I'm looking for a little life hack.
Like Reddit is really good for that kind
of stuff.
And it would be really nice to not
have to log in to use Reddit just
to check somebody's thread.
Um, so it's,
it's really a shame and it's really
annoying.
Although, to be fair,
Reddit is so astroturfed,
I'm not sure how much I trust a
lot of those answers anyways.
But yeah, so just I guess, again,
I just wanted to share because I know
that is a really popular trick to use
in the privacy community.
So you guys should be aware that it
is going away, unfortunately.
Yeah,
I think one thing that I saw an
interesting comment on this article,
actually,
someone was saying they don't really need
to require a login.
Like there's other ways that we can,
we can detect humanity, right?
There's like, oh, Anubis, like using,
yeah, exactly.
So Dag said,
you can do that tracking or bot prevention
measures without forcing a login.
Smells more like preparation for age
verification.
Yeah.
And I think a lot of third-party apps
actually rely on old.reddit.com to like
basically scrape it.
And it's not scraping, but it's like,
I don't know what you would call that,
but it's like...
Are you talking about a lot of the
front ends?
No, just like apps like Infinity.
There's an app for Reddit which is called
Infinity and there's another one on iOS.
But I believe they just...
scrape old.reddit.com and then just use
that to display the content to bypass some
of the,
because there was API restrictions.
They don't use the API.
I was wondering what happened to that
because I remember there was a big deal
about it and then Reddit said they were
going to work with some of the more
popular apps like Apollo and then just
never went anywhere with that.
I was curious what happened to that story.
Everyone just went and didn't want to give
Reddit money.
So, yeah.
That's everything I had on that story
there.
Okay.
And in that case,
we'll jump over to our other...
forum thread,
which is the Kids Act has passed the
House.
So again,
this is just like a really quick signal
boost.
If you live in the U.S., um,
definitely please check the newsletter for
a link.
Uh,
so this person links to the text of
the bill and how each representative voted
and how to find your representative at
house.gov, which is awesome.
um, excuse me.
So I think this still has to go
through the, uh, let me see here.
Yeah.
It still has to go to the Senate
and then the president has to sign it.
Um,
but this is basically an age verification
law.
You know, it's, it's, uh, I think correct.
I could be wrong.
Um,
but I think it's kind of just like
an amalgamation of a bunch of bad bills
that have not passed.
Um, but you know,
it requires specified online platforms to
establish safeguards for minors,
such as limiting access to sexual
material, um,
providing parental controls and requiring
AI chatbots to disclose information to
users who are minors.
And, you know,
that's the first thing is like,
how's the chatbot going to know if you're
a minor, they have to age verify you.
Right.
And, you know,
the whole like limiting access to
specified sexual material.
Sure.
That's great.
Until just general,
like sexual education becomes specified
material.
It's just,
these things are just a slippery slope and
will not end well.
So if you are American, um,
find your senators because, um,
No offense to this person.
Thank you so much for sharing this.
But like your representative already
voted.
I guess you can feel free to vote
him out.
We actually I think we have a primary
coming up.
I should do some research, but.
Find your senators, I would say, because
it's already passed the House. Like, you can
call them and yell at them, but it's
not going to change their vote. So what
we need now is to call the senators
and say, do not vote for this. Or,
I don't know if this actually works, but
my thing is I tell them, I'm like,
if you vote for this, I will actively
campaign against you. Like, if I'm being
real, I probably don't have the time for
that, but like, I will happily tell everyone
why they should not vote for you. So
yeah, call your senators if you live in
the US, because this is, this is not
good.
Yeah.
They should provide parental controls and
leave it to the parents.
We've, I mean, we've,
we've covered this topic like five or six
times now.
And yeah,
that's definitely a thing we say all the
time is like, at least in other countries,
when you start a new phone,
like an iPhone or whatever,
the first thing it asks you is like,
is this,
does this phone belong to a minor?
And if you say yes,
it walks you through all the parental
controls.
And I don't understand why they can't just
do something like that, but.
Whatever.
I guess one interesting,
I guess to talk about this a bit
more, is this whole act,
is this something that is bipartisan?
Is this some certain part of the
government that's pushing for this?
Is this something like that?
That's a good question here.
Let me see this link.
So it was a Republican who introduced it.
But, no, it's pretty bipartisan.
A hundred and sixty-two yeses from the
Republicans, thirty-two noes,
twenty-four not voting.
Democrat, a hundred and four yes,
eighty-five no, twenty-three not voting,
one independent yes, everything else zero.
Oh, that must have been Bernie Sanders.
I think he's an independent.
Is he a senator?
I don't know.
We don't have a lot of independents.
But, yeah,
two hundred and sixty-seven for,
a hundred and seventeen against,
forty-seven not voting.
So it's...
unfortunately kind of bipartisan. Why do
our politicians work together on the worst
laws? Why can't you guys unite on something
good? They'll squabble about like really
silly stuff and then they'll just like all
unite to like do the most dystopian, like,
Nineteen Eighty-Four stuff. Like, what? It's
so bad. Um,
Yeah, it's I mean, Dag is right.
I've said this before, too.
No one can say no to protecting the
kids.
They do this on purpose because then if
you don't protect the kids or if you
vote against it,
then people are just like, oh,
you hate children.
Like it's a rhetorical device and it's
absolutely awful.
So.
Yeah, kind of off topic,
but Cisco is like, Bernie's independent.
I think he's independent.
I could be right.
I know he was independent.
No, he's independent.
Nineteen seventy eight till present,
according to Wikipedia.
So, yeah, Bernie's independent.
I think when he ran for president,
he ran on the Democratic ticket because we
live in a two party country and like
he has a better chance of living to
walk on Jupiter than winning as an
independent.
But other than that,
I think he's always been independent.
Interesting.
Okay.
At least what I'm seeing is, well,
I guess to kind of ask this,
I mean,
I'm seeing there's predictions of whether
this bill will pass.
But do you think this is something that
will pass?
Like,
is this something that is most likely to
not have any issues passing through the
Senate and the President or...?
Honestly, I don't know.
I'm not politically aware and educated
enough to really be able to speculate
reliably.
Although I will say like two thirds of
the people voted yes.
So I mean, that's a pretty big margin.
It does say on this website that I
found govtrack.us that there's a thirty
four percent chance of being enacted.
So I don't know really what that means.
in that.
It means we should still call our
representatives and not trust that to be
the case.
Because all I'll say is the Eurovision
odds that I read every year are
hilariously wrong and off.
So I don't know if I trust the
odds on anything at this point.
Yeah.
So I guess how can people access a
list?
How can they find who their senators are?
Because you said it doesn't really matter
because it's passed the House at this point.
So
Um, so yeah, no, good question.
So there is senate.gov.
And honestly,
if you just type into any search engine,
um, if you just type in like,
who is my representative,
there are so many websites that, uh,
you will have to put in an address.
I'm telling you people that right now,
because they need to know what district
you're in.
But to be fair,
when we're talking about the national
level,
probably doesn't have to be like your
exact address.
Maybe it can be the house across the
street.
I don't know.
But, um, there are so like, okay,
so I just typed it into Brave Search.
Who is my representative?
Okay.
First result, House of Representatives,
house.gov.
Second result, congress.gov.
Third result, commoncause.org.
This one's for New York City specifically.
This one's for California specifically.
USA.gov, senate.gov, Texas, Pennsylvania.
So, I mean, yeah,
there's no wealth or no shortage of
websites that will help you.
Ballotpedia, I've seen them around a lot.
Some of them, like...
house.gov and senate.gov and congress.gov
focus on the federal level, but I've seen
some websites, I think it's Common Cause,
will literally go all the way down to
like, here is your local school board
superintendent. Like, some of them get
really, really deep down there. So, um, yeah,
you definitely don't have to dig too hard
to find the national ones, for sure. Yeah,
it's interesting. I've seen, uh, quite a lot
of coverage about this, like, Kids Act thing,
and I've actually been seeing like stuff
about people saying it doesn't go far
enough,
it needs to go further.
Please, please, please, please,
please don't make this happen.
Cause I think once this passes in the
U.S., I think it's, it is,
it's such a massive precedent for
everywhere else.
It's like, oh,
it's in the U.S., you know,
like it's,
if it's good enough for the U.S.,
it's good enough for everywhere else.
Like,
Um,
so hopefully we can avoid that happening.
Um,
and that it doesn't get even worse than
what it already is.
Can it change?
Can the bill change once it gets,
or does it have to re go through
the house again?
I think it would have to go through
the house again.
I could be wrong,
but I think it can change.
Yes.
They,
it can get to the Senate and somebody
could be like, no,
we need to amend this part.
But I think if they make changes,
it has to go back to the beginning,
but I could be wrong about that.
Okay.
So we still have, there's still hope.
Okay.
Yeah, that's, that's,
the US has got nothing on the EU
plans,
like chat control and age verification for
all the things.
Um, yeah,
I think there's different problems.
There's different problems in different
countries, right?
Like,
I think there's the US has a massive
problem with data brokers,
which is not really the case in Europe.
A lot of data is public in the
US.
So that's another issue.
You know,
every country has different concerns,
I think.
And I think it's not super smart to
just, you know,
start a ranking contest about which
country is better and all this silliness
because, you know,
it doesn't really get us anywhere.
I think we can be critical of every
bad law that every country wants to put
in place.
And there's definitely some terrible stuff
going on in the EU as well,
which we've talked about extensively as
well.
It's not like we're only focusing on the
US in this case too.
Yeah.
Another comment here from Cisco: I don't
know if you've seen, but Bill C-thirty-six
in Canada, it's banning social media for
people under sixteen. Yes, we've been kind
of following that. There's C-two and
C-twenty-two and C-thirty-six. Um, they're
all pretty
pretty terrible stuff.
I did see that currently the Canadian
parliament is on break.
So there's a bit of time to contact
people, your representatives about that.
Dag Overholt said,
EU protects you from corpos as long as
the government has complete control.
Okay.
It's definitely a different way of running
a country.
Let's just say that.
Yeah,
so that's kind of all we've got on
this,
unless you had anything else to add on?
Yeah, not really.
Yeah,
I guess we can move into the Q&A
section.
So we'll start by...
Excuse me.
We'll start by taking questions on the
forum from our paying members.
And as a reminder,
you can become a member by going to
privacyguides.org slash donate or anywhere
on privacyguides.org.
You can click the red heart icon in
the top right corner.
Um,
so we had one reminder on the thread
to consider adding XMR chat.
Um, Jonah is actually off this week.
So, uh, again,
he handles a lot of the higher level
decisions like that.
I know he's expressed interest in adding
XMR chat.
It's just, um, again, yeah, it's, uh,
there's a lot going on here.
You know,
he did the Cape interview and there's
just, uh,
I don't know where it is on the
list,
but I'm pretty sure it is on the
list.
And, uh,
Again,
reminder that you can just donate Monero
directly.
I know it's not quite the same as
XMR chat, but it is there.
Yeah.
Any donation is always appreciated.
There's also a comment here from...
Cisco five, five, six,
one who said I'm planning on contacting my
rep,
but I don't really know what to say.
Okay.
So for people in Canada,
there is OpenMedia, is who you probably
want to look at.
They have been running a really good
campaign against basically every privacy
invasive thing.
I think they've, yeah,
they've got a press release already out
about the,
um, bills C-thirty-four, bills C-sixty-three.
So a whole bunch of them there. Um,
so check out OpenMedia, openmedia.org. Um,
they've got a lot of good resources, and
I think they also have, yeah, they have
other related stuff as well, not just like
privacy-related stuff. There's stuff
related to other, um,
I guess consumer protection stuff.
So it's worth checking out that as well.
It's probably stuff that you'd also
support.
So they're a great organization.
Um,
I don't know of any more in Canada.
That's the only one that I know.
Um, but I know they do good work.
So if you need, if you need some,
I guess, extra info on what to say,
they've got, I've got you covered.
So I thought of the American route and
I,
my first thought
Hot take,
let me finish to the people in the
audience.
My first thought is this could be a
good use for an LLM,
like Leo or Lumo,
like one of the privacy respecting ones.
But like, hey,
I want to oppose this act.
I don't know what to say and it'll
walk you through it.
Alternately, if you prefer not to use AI,
which I totally don't blame you,
I literally just typed in oppose the kids
act into Brave.
And okay,
I don't know anything about this
organization,
but the very first result that popped up
was a website called fivecalls.org.
And it has,
if you click that link and scroll down
to the bottom, it has a script.
Hi,
my name is blank and I'm a constituent
from city and zip code.
They will ask for your zip code in
my experience.
That's like the thing they care about.
I'm calling to demand that representative
slash Senator who oppose HR seven, seven,
five, seven,
the House-passed Kids Act and any other
legislative package that includes KOSA and
age verification requirements.
Broad legislation like this does nothing
to protect anyone.
Instead it blocks state-level laws and
shields big tech companies from
accountability.
It must be opposed.
Thank you for your time.
Pretty straightforward.
Sorry,
I know I read that kind of fast.
But, you know, just, I mean,
maybe post in the forum,
like on this actual topic,
like you could get some opinions from
other people.
Or honestly,
what I've done in the past is,
because I was opposing,
I think it was like the,
was it called like the LEAD Act?
Like the Lawful Law Enforcement Access to
Data or something.
I don't know, it was a backdoor act.
But I would literally call them,
because I had like three federal or state
level organizations
state level, federal level.
I had three like federal level reps I
had to call.
And so I would literally just call them
on my lunch break,
every single one of them.
And I would say that like, hi,
I'm calling from this zip code.
I'm a voter.
I oppose this thing.
And they would just take it down,
write it down and go, okay, thank you.
And that's it.
Like,
I don't know if it's less effective than
giving them a why,
but you don't have to say much is
what I'm getting at.
Just expressing any opposition.
Just the thing I always tell people,
please be sane.
Don't tell them they're evil.
Don't tell them they're stupid.
Be polite.
Just like I oppose this.
This is not the right way to solve
this issue.
I do see we actually just got a
question in the forum thread.
Oh, sorry.
That says,
how important is threat modeling for
privacy?
I've put that off for the longest time,
which has led to a lot of underprotecting
or overprotecting.
I don't feel like it's talked about
enough.
That's funny, because I...
I harp on threat modeling constantly,
and I still feel like there was a
point where I was like, okay,
I think we've talked about this enough.
But in general,
so I mean it's – I think it's
personally – I think it's really important
because like you said,
without threat modeling,
you don't know if you're doing too much
or doing too little.
And especially I think a lot of people
in the privacy community have a habit of
doing too much.
And not realizing, you know,
to the point where it starts to impact
like mental health or, you know,
relationships with friends and family.
And it's like, OK,
you can pull back like you're you're not
you're not a spy operating in North Korea.
You don't need to be that hardcore.
But alternately, yeah,
it could lead to a lot of like,
oh,
I'm using Linux with – I'm using Qubes
and Graphene and all this super secure
blah, blah, blah, blah, blah.
And it's like, okay, cool.
Have you taken your data down from the
internet from before you got into privacy?
So I think it is really important,
although I will say that I don't think
it –
Um, number one,
I don't think it necessarily has to be
a formal process.
Like,
I don't think you need to sit down,
like you're making a budget at the dinner
table.
And the other thing that I haven't found
a good way how to explain this yet,
but I think something that doesn't get
talked about enough is the fact that a
threat model is less of like a specific
thing, like a specific consistent thing.
And it's more of like,
I guess I would say it's more of
a philosophy for how you approach data
because in the sense of like, um,
Like,
I'm trying to think of an example here.
So, okay, no, so this is an example.
I don't know if this is a good
example, but I...
In non-privacy online spaces,
because I do hang out on those sometimes,
I typically don't post photos of myself
because I don't want,
even though it's very unlikely,
I know Privacy Guides is not that famous
and neither is The New Oil or anything,
but I don't want the off chance of
somebody like, oh my God, you're Nate,
like I recognize you.
But I mean, like offline, you know,
if my wife is like, hey,
can I take a selfie of us doing,
you know,
this this Christmas event together?
Like, yeah, of course.
I don't care.
Like it's it's it's not about a consistent
like no photos of me ever.
Right.
It's it's contextual.
It's like, where is this photo going?
What is it used for?
Who's it being shared with?
what are the risks of this photo?
My wife might send it to the group
chat, the family group chat,
but who cares?
Everyone there knows what I look like.
And I don't know,
maybe that wasn't the best example.
I'm working live here off the cuff.
But my point being is like,
it doesn't have to be the same level
of protection across the board because it
can be very contextual on like,
what are the risks?
What are the likelihoods?
That's all part of threat modeling and it
will vary from situation to situation.
I don't know if that made sense.
No, I think you're,
you brought up some good points.
Yeah.
I mean, I don't think it's, uh,
I don't think you have to, uh,
do anything super quickly as well.
Cause I do feel like some people they've,
they were like, oh my goodness,
I found out like how my data's being
used for all these like terrible things.
And now I've got to like update every
password and like,
secure every account,
delete hundreds of accounts today.
It's like, no,
like you got to slow down a little
bit.
Like don't, don't, don't go too fast.
You know, don't, um,
think things through and yeah, it's,
it can definitely,
you can definitely go too far.
I think, um, yeah, I don't,
I don't really know.
I mean,
I don't personally share a whole lot about
stuff that I do on the internet with
people in real life.
Um, so it's always just a nebulous,
I work on internet things and that's kind
of it.
Um, but I think, you know, it's,
it's good to think about like what your,
uh,
what your threats are because you know,
me and Nate,
cause we're on this public podcast are
going to have different,
a different threat model than you as a
person just participating in our forum,
I guess.
Um, not drastically different, but like,
you know, obviously we're sharing names,
Nate's sharing his face,
I'm sharing my voice.
Um, so, you know,
you have different threats to consider.
Um,
and I definitely think don't rush into
things because, um, yeah, you can make, you
can make decisions that you can't undo.
Like for instance, if you show your face,
well, you kind of have to show your
face forever, right? Like, you know, um, so,
you know, just take that with, uh,
take that as something as a warning,
I guess.
I've definitely made mistakes.
I've definitely fumbled along things,
but yeah,
we're trying to work on more educational
stuff to help people make their threat
models and stuff like that.
We did have a threat model series that
we're working on at some point.
It's just a lot because every week we
have like a new video coming out or
like, you know,
stuff that we're working on and like,
Other projects that we feel are more
timely or whatever.
So things kind of get swept down a
bit sometimes.
But it's something we do want to try
and push to get done at some point
to help people with that.
Because it is like one of the most
common questions that we do get about
privacy related stuff.
We should talk about that in the next
staff meeting.
Maybe now's a good time to do the
threat modeling video.
Yeah.
Yeah,
just to back up what you said at
first,
like the phrase I like to use is
Rome wasn't built in a day, you know?
And it's like,
a lot of people will say that in
like personal finance, right?
Like if you wake up and you're like
tens of thousands of dollars in debt and,
you know, screaming towards bankruptcy,
a lot of personal finance people will
point out like, well,
you probably didn't get there once, right?
Like you probably didn't just go out and
buy like,
a mansion in the Beverly Hills and now
you're screwed.
Like it was probably a lot of really
bad decisions that added up.
And so you're not going to fix it
overnight.
And it's the same thing with privacy.
Like you, you didn't,
you didn't just wake up one day and
like mainline all your ID straight to like
a ransomware gang.
It's happened over years of data breaches
and sharing too much on social media and
this and that.
So yeah,
definitely like pacing yourself going
slow.
I do agree with your last part,
but it's, it's,
I want to say yes and no,
because there are certain things that,
like you said,
like you put your face out there.
I wouldn't say you have to keep doing
it, but it's certainly harder,
especially the more you do it.
Like at this point,
my face will probably never be off the
internet, but you know,
if you do it once,
like you could probably take it offline,
but you do have to acknowledge that you
might not,
maybe somebody screenshotted it,
maybe somebody archived it, whatever.
Um,
but also there's a lot of other things
in privacy that I think are reversible.
Like, um,
I think I've shared this before.
When I first got into privacy,
I deleted Steam because I was like, oh,
I'm going to be into privacy.
I'm not going to use Steam.
And then over time,
as I kind of adjusted and got a
better feel for it, I'm like, actually,
I'm willing to take the hit and keep
using Steam.
And I know in retrospect,
I probably should have gone with some
other platforms that are less problematic
in terms of DRM.
But from a privacy perspective,
I was like,
I'm willing to take the hit because these
are games that bring me value and I
enjoy playing them and
And now I have to like repurchase all
those games that I had over all those
years.
So instead,
what I wish I had done is like,
okay,
just log out of Steam for like six
months, you know, or, you know,
you can always, if you delete Facebook,
you can always sign back up.
Like some decisions are reversible.
And so I think there's,
Um, it's just a balance.
Like, yeah,
some decisions are not easily reversible
and you should put a lot of thought
into them and not act right away.
But then other ones are also like, eh,
you know, you can always delete that app.
You can always re-,
re-download that app.
Like,
so I can't really give you like a
hard and fast rule, obviously,
but just something to think about,
I think.
You are.
Okay.
There you go.
Yeah.
I think it's,
I think the thing is definitely be careful
with like email accounts and stuff like
that.
That's like probably one of the biggest
mistakes that I made was like,
Having a Gmail account and I was like,
oh, I want to nuke it so bad.
And I just nuked it like too quickly.
And there was stuff that was... Oh, no.
So it becomes a nightmare.
So I would say keep it around for
a couple of years.
You can delete it.
It'll feel a lot better once you finally
are at a point where you're like,
I can actually delete this.
Because I guarantee you, you'll be like...
Oh, wait,
I remember I've got that account that I
made on that website from like ten years
ago.
Oh,
it's with my old email that I deleted.
It's like, oh.
You'll be able to sort it.
For sure.
Yeah, definitely.
I feel like I had another quick thought
on that one, but I can't remember it,
so it must not have been that important.
Yeah,
I guess if nobody else has any questions,
that's all I'm seeing on the forum.
I guess we can close out here.
Sounds good.
Yeah, let's do it.
Alrighty.
All right.
Well, thanks everyone for watching.
All the updates from This Week in Privacy
are shared on the blog every week.
So sign up for the newsletter or subscribe
with your favorite RSS reader if you want
to stay tuned.
As always,
a reminder that we send it right when
we start streaming.
So it also serves as a good little
notification that the stream has started.
For people who prefer audio,
we have a podcast available on all podcast
platforms and RSS.
And this video will be synced to PeerTube.
Privacy Guides is an impartial nonprofit
organization that is focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
you can make a donation on our website,
privacyguides.org slash donate.
Or again, on any page of the website,
you can click the red heart icon located
in the top right corner of the page.
You can contribute using standard fiat
currency via debit or credit card,
or you can donate anonymously using Monero
or your favorite cryptocurrency.
Becoming a paid member unlocks exclusive
perks like early access to video content,
priority during the live stream Q&A,
early access to the show notes, actually,
so you can see what stories we're
considering.
You'll also get a cool badge on your
profile in the Privacy Guides forum and
the warm,
fuzzy feeling of supporting independent
media.
So thank you all for watching,
and we'll be back next week.
See you next week.