New Exploit Affects 220 Million iPhones
E45

A brand new exploit impacting iPhones.

The FBI has resumed buying location data

and Google's update to installing third

party apps.

All this and more coming up on This

Week in Privacy number forty-five.

So stay tuned.

I don't.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we're working on

within the Privacy Guides community and

this week's top stories in the data

privacy and cybersecurity space.

I am Nate,

and with me this week is Jordan.

Jordan, it's been a while.

How are you?

I'm good.

Just excited to be here and cover the

latest news.

Yeah, it's good to have you back.

Privacy Guides, for those who don't know,

is a nonprofit which researches and shares

privacy-related information and

facilitates a community on our forum and

Matrix where people can ask questions and

get advice about staying private online

and preserving their digital rights.

With that,

we will launch into the biggest news in

the privacy and security space from the

past week.

And Jordan is going to tell us all

about hundreds of millions of iPhones that

can be hacked with a new tool found

in the wild.

Yes, that's right.

So basically there's a story here from

Wired.

A powerful iPhone hacking technique known

as Dark Sword, one word,

has been discovered in use by Russian

hackers.

It can take over devices running iOS that

simply visit infected websites.

So, uh, reading into this story here: iPhone

hacking techniques have sometimes been

described almost like rare and elusive

animals. Hackers have used them so

stealthily and carefully against such a

small number of hand-picked targets,

they're only rarely seen in the wild. Now

a recent spate of espionage and cyber

criminal campaigns have deployed those

same phone takeover tools,

embedded in infected websites, to

indiscriminately hack phones by the

thousands.

You might have to take over here, Nate,

because the article is paywalled for me.

Oh no, that's unfortunate.

Okay.

Um, yeah.

So, uh,

basically this article came or this

disclosure, I should say,

came from Google as well as iVerify

and another firm called Lookout.

They revealed this on Wednesday and they

said that this isn't really a, well,

I guess it kind of is.

Um, this isn't an exploit.

How do I word this?

This is an exploit on iPhones,

but also not,

because they're actually infecting

websites.

And then the websites are the ones who

are delivering this, again,

not even payload.

Further down on the article,

it says that this is actually one of

those

those malwares that can be defeated with a

reboot, when your device becomes infected,

it's able to grab as much data as

it possibly can.

And because it's not persistent,

it's actually pretty hard to...

for these cybersecurity companies to trace

evidence of it.

It's not like the typical Pegasus or those

kind of more advanced malwares that we see

where there's things that they can look

for.

I think it's actually right here.

It uses fileless malware.

Hold on.

Okay, yeah.

Rather than install spyware that persists

on users' phones,

Dark Sword uses stealthier techniques that

are more often seen in fileless malware

that typically target Windows devices.

They hijack the legitimate process on an

iPhone's operating system to steal data.

And then this is a quote from one

of iVerify's people.

It says,

instead of a spyware payload to brute

force your way through the file system,

which leaves tons of artifacts of

exploitation that are pretty easy to

detect,

this just uses system processes the way

they're meant to be used,

and it leaves far fewer traces.

Um, so yeah,

the upside there is that it does not

persist after reboot.

Uh,

but instead it steals data from the phone

within the first few minutes after it's

hacked,

which is called a smash and grab approach,

or at least that's what this guy calls

it.

So it's very, um,

it does the damage very quickly,

I should say.

And, uh, yeah, so I guess the,

The pro and con here,

and just in case anyone's wondering,

because earlier this week or late last

week,

we also saw there was a malware called

Karuna, which appears to be an iPhone,

not state-sponsored.

How do I explain it?

So for those who don't know,

a lot of the time we see...

We see companies,

big companies that will spend millions of

dollars to either find zero days or they

will go to places like DEF CON and

Black Hat and they will they will pay

big money if people there say, you know,

they do a presentation.

They're like, hey,

I found this this exploit.

And it's interesting,

and it's never been seen before.

They'll go up to those people and be

like, hey, next time, give us a call,

and we'll pay you to kind of keep

it quiet.

I believe it's Nicole Perlroth has a great

book called This is the Way They Tell

Me the World Ends that's all about the

zero-day market and everything.

So if you want to know more,

definitely check that out.

There was an employee of one of those

firms who was accused of selling access to

these tools to Russia.

Uh, I believe he was convicted recently.

And then around the same time we saw

this other malware or this other exploit

called Karuna,

which was making the rounds.

This does not appear to be Karuna,

but they do have evidence to believe that

this came from one of those zero day

resellers firms.

Um,

Which, you know what, yeah,

I'll go ahead and touch on that now.

So they talk about – and I know

I've said this in the past.

Like when Pegasus first came to light and

everything, a lot of people were like, oh,

no, how do I know I'm infected?

And we used to say like you're probably

not because this is not something they're

going to burn on any random person.

They're going to use this on like lawyers

and activists and political figures,

journalists, dissidents.

Um, the thing is this Dark Sword one,

iVerify's Cole argues that the fact

that it was used so brazenly with no

real attempt to prevent its discovery

suggests that hacking techniques are now

attainable on the black market.

Uh,

attainable enough that hackers are willing

to use them indiscriminately,

even if the result is their exposure.

He says, if one gets burned,

I'll just go buy another one.

Uh,

they know that there's more where this

came from.

So, um,

I still think the risk of falling to

some of these malware is pretty low,

but it does seem to be increasing,

which...

unfortunately is something we see

historically.

I mean, we see this all across technology,

right?

Like when computers, computers alone,

when computers first came out,

it was like really expensive and only rich

people had them.

And now you can buy a Chromebook for

a couple hundred bucks,

which I understand is still relatively

expensive for some people.

But the point is the price came down

and now it's something that's much more

attainable to the average person.

So that does appear to be what's happening

with malware here.

Now,

the last thing I want to touch on

that was in the story,

that many of you may have noticed.

This only works on iOS,

which is because Apple changed their

naming scheme with the latest iOS.

So this current iOS is iOS because it

is it would be iOS if they hadn't

renamed it.

So this is the previous major version of

iOS.

However,

Apple confirms that about a quarter of all

their devices are still running iOS.

That could be for any number of reasons.

Liquid Glass was really, really unpopular,

so a lot of people did not like

iOS.

A lot of people choose not to update

because they don't want the AI features,

which I think might actually be in iOS

I could be wrong there, but yeah.

Apple, as another explanation,

for some reason,

Apple is really bad at automatic updates.

We were talking about this in a group

chat the other day, actually.

It's like every time I go to the

app store on my iPhone,

it's got like a bunch of apps that

haven't updated,

even though the update came out like three

or four days ago.

And you have to update those.

There was a...

Actually, if you're an Apple user,

there was a background security update

that just came out earlier this week that

most people,

it did not automatically install.

So go check for that.

It's just, yeah, Apple's,

so that could be part of it.

And just for context, there are,

I checked, according to one source,

there's one point five billion iOS devices

out there right now in active use.

So a quarter of those is still like

three hundred million,

which is like the entire population of the

U.S.

So even though this is an older iOS

device,

it still affects hundreds of millions of

people potentially.

And if this has fallen into the hands

of the average...

What's the word I'm looking for?

The average cyber criminal, then...

What I was saying earlier about they're

only going to use this on dissidents and

journalists,

and unfortunately that does not seem to be

the case.

So it is really important to keep your

stuff updated.

It is...

Yeah, I don't know.

I think that's all I got to say

is it is really important to keep your

stuff updated.

And I see some people in the comments,

personal pet peeve,

I see some people in the comments

sometimes that are like, well,

I'm still on Android twelve because I

don't want the AI stuff.

And it's like,

I respect that you don't want the AI

stuff and I'm not telling you you should

just embrace it.

But at that point,

maybe you should be looking into like

alternative ROMs or moving to a more

trusted OS because, yeah,

sometimes these security updates really

are important.

Um, I think that's kind of the, the

bare bones of the story and that's all

I got. Did you have anything to add

that I missed? Um, I think it is

important that we talk about specifically

like what this attack actually looked like.

So if you don't know, this is like

sort of, I guess, uh, iVerify was

saying this is like a watering hole attack.

So basically that means it's an attack

strategy where basically an attacker will

find websites that users commonly visit

and then use those websites to distribute

malware.

So in this case, it was

The attack was against users running iOS,

eighteen point four to eighteen point six

point two.

So just to be clear,

the if you're fully up to date on

iOS eighteen, you should be on, I think,

iOS eighteen point seven point something.

So this didn't affect like even if you're

running iOS eighteen,

it may not affect you.

So just be aware of that.

And the attack itself was basically

as far as iVerify is stating here, it

was a, you know, an attack from Russia,

and it was specifically, um, a, used on

government websites, so Ukrainian

government websites. Um, so that was any

website ending with gov.ua. So basically

they were able to, um,

compromise Ukrainian government's servers

and basically put this malware out there

onto these devices.

And especially because it was a government

website, it was very, you know,

no one from another country is going to

be visiting that website.

So it's a pretty effective way to infect

a lot of people's devices.

And I think, you know,

staying up to date is important as well.

But I think, you know,

I think a lot of people probably wouldn't

have been affected by this if they were

running lockdown mode,

because it does sound like this is

probably, that would probably block the, uh,

the exploit chain, because in a lot of

cases this, this exploit itself was written

in JavaScript, and the exploit, according to

iVerify, it was, uh, it used six

vulnerabilities across two exploit chains.

So, um, I think, you know,

Staying up to date is important,

but also minimizing your attack surface.

So in this case,

not using all these third party, um,

you know, JavaScript libraries,

locking that down with lockdown mode,

that's gonna definitely protect you in

that case.

Same thing with Android, right?

You can, I know on GrapheneOS, they,

they use like MTE on the browser and

a bunch of other protections.

So I think reducing the attack surface and

just in time is also commonly exploited

JavaScript.

Um,

So I think disabling a lot of those

things can help, but obviously, you know,

updating your device is important,

but I think, you know, it's usually the,

uh,

these things that like are there for like

web convenience and are actually there to

protect you.

Like the.

they use for rendering WebGL stuff,

that that can be exploited.

I think it's important to be aware of

that and not to just trust every single

website just because it's a government

website, right?

Um,

so I think there was another thing that

they also said, um,

basically because they didn't obfuscate

the JavaScript, um,

it basically was sitting on the website

and a bunch of other groups were stealing

the code to use as well.

So, uh, apparently according to iVerify,

um,

a Chinese criminal group was also using

this, um, Dark Sword and Karuna exploit,

um,

So yeah,

just be on the lookout because people are

definitely using this.

So make sure you're updated.

Make sure you're using lockdown mode if

you're thinking you might be a target of

this.

But it does seem like this is like

a very large

like they're trying to target a lot of

people with this.

It's not like a specifically, um,

it's not specifically targeted towards a

single individual.

Um,

so I'm sure that there's people in the

military,

in the Ukrainian military who probably

visit those websites who unfortunately

have been, um, compromised.

So it's,

it's a wide,

they're casting a wide net to, to,

to get access to people's, um, devices.

But I think, uh, I think the,

the estimate that they've given on here

was on the, on the,

on the high side.

I think I saw a couple of other

websites saying it was closer to two

hundred million devices affected.

So I don't know.

I think it's, yeah,

just be on the lookout for that.

I don't really have too much more to

add.

Do you have anything else you want to

add here, Nate?

No.

Yeah,

that like three hundred million number was

just an estimate I came up with by

doing the math of like one point five

billion devices or whatever.

So it may not be exact.

That may be on the high side.

But yeah,

it's thank you for mentioning lockdown

mode because I definitely forgot to

mention that.

They did say that lockdown mode would have

defended against this.

So Apple did.

Like you said,

they did push out an update to devices

that are not able to update to iOS

twenty six.

So if you're sitting here and you're just

like, I can't update, dude,

we'll make sure you get that update at

least because that would be helpful.

But yeah, also lockdown mode is helpful.

Yeah, like you said,

that's an important piece of context is

whoever got a hold of this,

which I think was Russia, like you said,

they kind of left it out in the

open.

So originally they were using it

specifically on like Ukrainian news sites,

Ukrainian government sites,

like they were clearly targeting

Ukrainians.

But now that they just left it out

there unsecured and anybody can go grab it

and there's like comments in the code

about what each module does and how to

use it.

So it's kind of like,

They made it so easy now,

and now it's out there in the wild,

and who knows where it'll pop up.

So yeah, that's unfortunate for sure.

Definitely.

I guess we can move on to the

next story here,

if you want to take that.

Sure.

So this next story is about the U.S.

government buying location data.

And I know this probably...

This is and isn't a surprise.

So back in twenty twenty three,

the government put a pause on buying

location data.

I cannot remember if that was something

that they were ordered to do by the

White House or if they just stopped doing

it for one reason or another.

But they stopped doing it.

And now I think confirm is a strong

word here.

Here in the title, I believe, is that,

yeah, director confirms he didn't confirm.

So the question was.

Basically, Ron Wyden,

who I think not a controversial take.

We like him for privacy at least.

I'll be honest.

I don't know any of his other policies,

but he does really good work for privacy,

and he's really on the ball for that.

He asked the FBI – or he asked

Kash Patel if the FBI would commit to

not buying Americans' location data,

and Kash Patel said that the agency,

quote,

uses all tools available to do our

mission.

So he didn't directly say it,

but he I mean, you know,

come on when he refuses to admit it

for sure.

So this.

This is a. Outside of the privacy space,

because I think in the privacy space,

we all universally recognize that this is

an awful thing that needs to stop.

But even even in mainstream circles,

this is a very controversial thing that

the U.S.

government does law enforcement because.

Law enforcement is supposed to get a

warrant whenever they want to search your

data.

And by going to these third-party vendors,

they don't have to get a warrant.

But the article notes that, interestingly,

this is –

Well, okay, maybe this isn't a one-to-one,

but the FBI claims it does not need

a warrant to use this information for

federal investigations,

though the theory has not yet been tested

in court.

So the way that I read that is

like maybe this whole –

going to third party brokers,

if that went to court and a judge

said, no, you can't do that,

then maybe that would become illegal,

but it has not yet been to court.

Or maybe it is just totally legal.

I know,

I believe Wyden has in the past tried

to introduce a bill.

It was called like the Fourth Amendment Is

Not For Sale Act or something,

which would have outlawed this

specifically,

but of course it did not pass.

And now I know the,

I think Section seven oh two,

if I remember correctly, which is,

what allows the NSA to like bulk collect

data, um,

that I believe is up for renewal and,

um,

hopefully will not get renewed.

But then it says here at the end

that Wyden and several other lawmakers

have introduced a bipartisan act called

the Government Surveillance Reform Act,

which among other things would require a

court authorized warrant before federal

agencies can buy Americans information

from data brokers,

which personal opinion does not seem

unreasonable.

Like I don't think anybody's telling them

not to do their job.

I think we're just telling you to go

through the proper channels where there's

oversight and there's accountability.

But I don't know.

They seem to disagree for some reason.

The last thing I want to mention here

– this has become a little bit of

a personal crusade of mine.

It says here for audio listeners,

it says that U.S.

Customs and Border Patrol control – Border

Protection, excuse me.

U.S.

Customs and Border Protection purchased a

bunch of data sourced from real-time

bidding or RTB services according to a

document obtained by 404 Media.

So –

For those who do not know about this,

there's a lot of really good resources out

there.

EFF has an article.

I mentioned before that Byron Tau has a

book called Means of Control that dives in

deep into this.

But the way that ads on the internet

work is you go to a website that

has ads.

Let's say Reuters because as much as I

like Reuters,

their website is littered with ads.

Most news websites are.

So you go to a news website and

–

When there's that ad space,

they basically open it up for bidding,

just like any given auction.

They're like, who wants this ad space?

Who's willing to pay the most for it?

And in order for those advertisers to

decide how much they want to pay,

they get your data.

They get a copy of your data so

that they can decide, oh,

this person is worth this much to me.

And then they submit their bid and whoever

wins, you see that ad.

The thing is they don't have to bid

to get your data,

which in theory makes sense, right?

Because if they get your data and they're

like, oh, nevermind, I don't want to bid,

but they still have that copy of your

data.

And so this is a proven thing.

There are companies out there who will

enter the advertising ecosystem just to

get a copy of your data and then

turn around and sell it to people like

the FBI.

So where I'm going with this is if

you are not using an ad blocker,

That is, in my opinion,

one of the currently most overlooked ways

to protect your privacy.

And obviously there's a million other

ways, right?

You need to switch to a secure messenger.

You need to switch to a...

private email.

Ideally,

we should get off Windows and switch to

Linux and stuff.

And I know I have a Mac in

front of me.

It's specifically for streaming and

editing, for the record.

This is not my daily computer.

But we should make all those steps.

But to me,

the lowest hanging fruit to start with is

installing an ad blocker because that

real-time bidding is happening everywhere,

all the time, constantly.

And like I said,

they don't even need to bid.

They can just sit there and collect your

data and then resell it to

whoever they want.

Um, so yeah, that is that story.

That is my takeaway from that story.

Um, Jordan, did you have any,

any additional thoughts on that one?

I mean,

I guess like this is kind of surprising,

but I guess not like with,

with the prevalence of data brokers and

stuff like that, it's not that surprising.

Like they said in the, Oh,

they said in the article, um,

there was like, you know,

the FBI is going to use all tools

at their disposal to do their job.

So, um, it's kind of, you know,

it makes sense that they would do that,

but I guess it needs to be like

Senator Ron Wyden was saying, like,

it's not really consistent with the

constitution.

Like it's a little bit,

they kind of bypassing a lot of the

protections that people had with,

you know,

places having to require a warrant

instead.

Um,

It is, yeah,

I don't really have too much to add

here, really.

This is sort of a very American story,

so I can't really comment too much about

it.

Yeah, that's fair.

Yeah, I mean,

it's a pretty straightforward story,

really.

I don't have too much to add other

than what I already said.

But just before we continue,

I just did see a couple of comments

we should probably quickly mention here.

So there was someone who said,

how do you find out what security updates

have been loaded if you can't update to

iOS twenty six?

So I wouldn't update to iOS twenty six.

If you're on iOS eighteen,

just make sure you're on the latest

version of iOS eighteen.

Um,

I would also check the background security

improvements tab as well.

Um, that will also have like,

there was a,

there was a background security

improvement that was released.

I don't know if that's for iOS,

you have to look at that.

Um,

but I would make sure you're on the

latest version of iOS.

You don't have to update to iOS.

Um,

I think the latest versions fix a lot

of these issues.

So.

Yeah,

I wouldn't be too worried as long as

you're on the latest version.

Someone also said,

what is the timeline for the disclosure of

these sorts of things?

Is the idea it's better to announce it

to help make people update?

I think they've already released.

Usually, they notify the company,

in this case, Apple.

Apple releases a fix,

the fix gets released,

and then they disclose it to the public.

And then that's basically where we're at

right now.

You need to update.

to make sure you're not,

there's no background improvements option

to check.

Uh, maybe that's an iOS twenty-six thing.

I don't think so though.

Um, I believe it's in...

I don't have an iOS eighteen device to

check exactly where it is.

Um, but there is,

there should be a setting there.

Um, but yeah, we're in the,

we're in the point right now where we

need to be updating.

That's why iVerify came out with like this

whole, um, press release, I guess,

about the Dark Sword attacks and...

Karuna stuff.

Um, so yeah, it's kind of, uh,

unfortunate, but I think people should be,

that's why we're trying to share it as

like the main story here,

because if you're running an older version

of iOS,

I kind of do wonder as well,

if this would affect older devices,

for instance,

like I was and I was because I

know there's some devices that are limited

to like iOS or .

So it'd be interesting to see if they're

also affected,

but

Yeah,

I think this is one of those things

where you need to be using, I think,

I think lockdown mode doesn't really

introduce that many problems now.

Like a lot of websites have already fixed

out.

Um, oh, it's only iOS,

that has background improvements.

Okay.

I thought it was a,

I think they called it something else.

They call it like rapid security responses

or something.

Um, so maybe, I don't know, that is

a good point, I guess. Um, looks like

Nate is back here. Hello. Hopefully I'm back.

Um, this is the first really warm day

we've had of the year and I think

my camera was overheating, so, um, if it

goes out again, I apologize, y'all, but I

think I found a solution for now that

can get us through the episode. Awesome.

Then, uh, why don't you take us into

the next section of the show here?

Yeah, so, um, in a little bit we're

going to talk about Google's updates to

their third-party app installation

procedures, but first we're going to give

some updates about what we've been working

on at Privacy Guides this week. So we'll

start by talking about the videos. Our

private messaging video is now available

to the public, so if you are not

a paying member, you can

access that now. Paying members do get

early access to these things, but, uh, that

is up. Our next video will be about

encrypted email, um, which, that is fully

recorded and the first round of editing is

done, so that is off to Jordan to

work their magic, and they, uh, they do

all the graphics, the zoom, and they

basically just make it look a thousand

times more awesome, which we are super

grateful for.

And we, a lot of you guys,

if you tuned in last week,

you saw that Jonah and I were at

an event for South by Southwest,

an unofficial event.

And we had the awesome opportunity to

record some of those talks.

And those should be out hopefully in the

next coming days.

They should be trickling out.

There's only a few of them,

but they were really insightful and really

good.

And we wanted to share those with you

guys.

So expect those in the near future.

Awesome, yeah.

I think there's also, yeah,

Nate's kind of been piling on the videos

for me to work on.

So I've got quite a big backlog now,

which is great.

So definitely be on the lookout.

I think we're trying to have something

come out next week

For our members,

hopefully that encrypted email video.

That's the plan at least So definitely

look out for that.

And there was also a couple of extra

things we should have mentioned We had

privacy guides news articles coming out So

Freya is working on that every week and

we have a couple of new articles that

came out this week one was about Instagram

ending end-to-end encryption on their DMs,

which is kind of a

very surprising, I guess, but also like

Facebook being Facebook, I guess. Um, they

just end up making their product worse. Uh,

I don't know. Instagram has notified its

users that it will no longer support

end-to-end encryption after May eighth. So

if you use Instagram, I feel like not

many people in our community are using

Instagram, but it's good to know, uh, good

to put the info out there. But

And there was also another one about,

we were debating on talking about this

one,

but Pokemon Go players data was used to

train visual positioning AI.

So there was a parent or spin-off company

from Niantic which basically runs Pokemon

Go and they used images from Pokemon Go

to train its visual positioning system.

So that is kind of scary too.

Freya did a great write-up on that so

definitely check that out as well.

And there was also another thing,

it's kind of another thing where we're

keeping on the lookout,

which is like the homomorphic encryption.

Intel made an advance in that area.

I think it's a lot to do with

these, you know,

the ability to do server-side processing

end-to-end encrypted.

So the server processes the data,

but it doesn't,

isn't available for the server to access,

which is kind of a problem we have

with like AI at the moment.

because it's kind of hard to run that

on your device as well.

Like, you know,

you need a lot of RAM,

you need a lot of CPU processing power.

Mobile devices can't really do that.

So yeah,

this is basically a trusted execution

environment,

which segregates the CPU using encryption.

Definitely read into it.

Freya did a great write up of that

as well,

explaining the whole system there.

So if you're interested in that,

check that out too.

But yeah,

if you want to stay up to date

with that stuff,

you can go to privacyguides.org forward

slash news if you want to check out

that.

Nate's also doing every week,

he does a Data Breach Roundup,

which is

really useful if you want to make sure

you stay on top of things and you

aren't missing if you're in a breach.

A lot of tools that detect if your

credentials are in a data breach are

usually pretty slow to determine that

because they have to add the data set

to scan it.

So if you're wanting to keep on top

of data breach stuff,

definitely check that out.

Nate does a great job on that.

It's very comprehensive.

Let's see how many here.

One, two, three, four, five, six, seven,

eight.

Yes.

So eight ones this week.

I basically write about any data breaches

that come through my RSS feed that affect

individuals.

If it's like company had their source code

stolen, I don't usually cover that stuff.

But yeah, so it varies week to week.

Sometimes there's like three,

sometimes there's like twelve.

So kind of a medium, a midweek,

which is,

I guess less data breaches is better.

Let's normalize less data breaches.

But yeah,

that's kind of what we've been working on

this week.

I guess we can head into the next

article here.

Nick kind of mentioned it before.

Basically Google is making changes to,

if you haven't heard already,

there was this whole project with Keep

Android Open.

And basically Google was trying to

combat malware by basically restricting

application installation on your device

but it was usually apps outside the Google

Play Store, so it would stop you from

installing that. And there's been a huge

amount of backlash to this as well. Like

we've, uh, we signed the open letter to

Google, um, with Keep Android Open, and if

you notice that on our socials, um, you

can share that with your friends and

family, get people talking about this,

because I think it's important that

you know,

people are pushing against this because

it's basically Google using their power as

a monopoly here.

Like they do have control over the Google

Android ecosystem.

It allows them to make these sort of

wide reaching changes with really no one

to stop them.

Well, I guess we are,

we are trying to stop them,

but

Clearly,

we do have some power because this week

there was a change.

Actually, it was, I believe,

today or yesterday.

There was a change.

Google detailed a new twenty four hour

process to we're not going to mention

sideload here.

We're going to we're going to say install

unverified Android apps.

because that's what it is.

You're not sideloading, you're installing.

So Google is planning big changes for

Android in twenty twenty six aimed at

combating malware across the entire device

ecosystem.

Starting in September,

Google will begin restricting application

installation with its developer

verification program.

But not everyone is on board.

Android ecosystem president Sameer Samat

tells us that the company has been

listening to feedback.

And the result is the newly unveiled

advanced flow,

which will allow power users to skip app

verification.

So I think one thing to mention,

like right off the bat here,

people will probably have, uh,

they're probably thinking like, oh,

does this affect my GrapheneOS device?

Oh no,

I'm not going to be able to install

apps without going through the

sideloading, uh,

installation process that warns me I'm

installing something.

No,

this is affecting Google Android devices.

Um, so just to put that preface here,

um,

So basically, uh,

as Nate's showing on the screen,

there's now this new advanced flow for

power users to install apps from

unverified developers.

So basically Google wants developers to

register centrally with them,

which often requires payment

identification.

Not many people who create these,

you know,

independent free and open source apps want

to verify through Google.

It's the whole point, right?

Um,

Yeah.

So there's a twenty five dollar fee.

These independent developers, you know,

I think a lot of independent developers

aren't really up to paying the twenty five

dollar fee.

Like I've seen people who were kind of

like, oh,

I don't want to pay Apple's one hundred

dollar a year thing to publish on the

App Store.

Same thing in this point,

like twenty five dollars.

for someone in India might be a

significant amount of money or in Turkey

or, you know,

a country where the currency is worth a

lot less.

So I think that also puts another barrier

on people where, you know,

they would be able to release apps without

having to worry about that.

But it does seem like Google has folded

a little bit here.

Basically,

The whole flow is that it makes sure

no one is telling you to turn off,

to allow you to install from unverified

sources.

Basically it'll say, yes,

someone is guiding me.

No one is instructing me.

And then it starts a security delay of

twenty four hours.

And once that delay has been passed,

then it allows you to select which option

you want to do,

which is turn on temporarily,

which will allow installing unregistered

apps for seven days or turn on

indefinitely,

which will allow unregistered apps to be

installed indefinitely.

And it does give you a confirmation tick

mark.

You can select install anyway.

I think this is.

really just, uh, we can kind of read,

uh, Keep Android Open did actually put a

response to this, so let's just have a

look at what they said. Um, but I

think you can take that, um, Nate, if

you want. Sure. Uh, give me one second.

I'm pulling that up right now. I had

that tab open and then I closed it.

Okay. Um, so Keep Android Open, yeah, they

did, they said this is not a solution.

Um, and they kind of highlighted some of

the

issues in this is the actual workflow.

I think this is actually copy and pasted

from that article we were just showing you

guys.

But they say you have to enable developer

mode,

which there I think this is to kind

of illustrate to people why this is a

little ridiculous.

And to me,

this also was like the first thing that

I was like, oh, but why?

For those of you who've never enabled

developer mode,

you have to go into your settings.

You have to go to about phone and

then you have to find software build

number and you tap that seven times.

Which, I mean,

obviously it's tapping a screen.

It's not that hard.

But just the fact that you...

Because once you enable developer mode,

then you unlock a whole new menu of

settings.

And it's just kind of like,

but why do we have to go in

there to enable this?

That is very onerous.

And then they point out that they call

these scare screens,

confirming that you are not being coerced.

You know,

there's another scare screen warning.

And then, of course,

the twenty-four hour waiting period,

which...

As Jordan noted,

Google's argument for the twenty four hour

waiting period is that.

So I'm not trying to defend Google here,

so follow me on this one.

From what I understand.

Sideloading malicious apps is a much

bigger problem in other parts of the world

outside America and Europe.

Like I think they said it's going to

roll out in.

like Brazil.

Yeah, here it is.

Brazil, Singapore, Indonesia,

and Thailand.

And that's because those are the areas

where these types of scams are extremely

common.

And the way those scams will work is

they'll call you with some kind of

pretense about like, oh,

your bank account's under attack or

whatever.

We need you to update to the latest

app,

but it's not in the app store yet.

So we're going to have you sideload it

and they walk you through the process.

So the idea is that if there's a

most scams, um, as you guys probably know,

most scams rely on urgency.

They want you to just do it now

so that your brain doesn't have time to

kick in and go, wait a minute.

Like, I don't know if, uh, well,

some of the older members of the crowd

might remember.

And I'm counting myself when I say that

back in like,

there was a scam going around that was

like, Oh, I was on vacation in like,

you know, um,

was it like somewhere in Southeast Asia,

not India,

but like

Not Thailand.

I can't remember where it was.

But anyways,

I was on vacation in this part of

the world and I lost my passport and

I got arrested and I need you to

wire me like two thousand dollars to buy

a new passport.

And I remember I got that one from

my mom and I just laughed and deleted

it because I'm like,

we don't have the money to be traveling

like that.

Like, I know this is a scam.

There's no way.

Um, and so,

but a lot of the time,

like when you get those,

the idea is like, Oh,

I need it quick.

Or they're going to, you know, my,

my hearing is tomorrow.

Like the embassy is going to be closed

this weekend.

Like they want you to not think and

to just do it because once you start

to think you're going to be like,

wait a minute,

why didn't they tell me they were going

to Thailand?

That seems like really big news.

They would tell me.

Um, and again,

there's like a million other variations,

but the point is that's,

that's the point of the

force that, that period of time where it

stops and slows down. But, um, yeah, that,

that is still really honest because now,

like, let's say I get a brand new

phone, right, and I'm trying to set up

this phone, and, you know, being in privacy,

I do a lot of sideload, excuse me,

installing, I do a lot of app installing

from non, uh, outside the Play Store. And

so now when I get that phone, I

have to enable this and then wait a

whole day before I can actually start

setting up my phone, which is

Really not cool, especially if,

I don't know,

your phone blows up or something.

Wouldn't know anything about that.

But anyways, yeah, all that to say, like,

I agree with them.

I think this is really...

On the one hand,

I feel a little bit of sympathy for

Google.

Just a little bit.

Because they do want to... You know,

they pointed out here in the actual

article, they said that...

Where was it?

Yeah, in a lot of countries,

there's chatter about if this isn't safer,

then there may need to be regulatory

action to lock down more of this stuff.

And I don't think that it's well

understood.

This is a real security concern in a

number of countries.

And that came from Google's spokesperson,

which, yeah, I mean,

obviously he's trying to push his

narrative, but I think he's right.

I think this is a real security concern

that Google's trying to solve.

However,

I also don't have a lot of sympathy

for Google because I feel like every

month, at least once a month,

usually more than once a month,

I read an article from Bleeping Computer

or Ars Technica that's like, oh,

Google just removed an app from the Play

Store that was malicious and it had like

a million downloads or a couple million

downloads.

And it's like,

I never read those stories from Apple.

And again, Apple's got problems.

I'm not trying to put them up on

a pedestal.

But

My point being is like,

and they do happen with Apple,

for the record.

I've seen them.

But those happen a couple times a year,

tops.

Whereas with Google, again,

it's like almost every month,

sometimes even more than that.

So I find it kind of hypocritical that

Google's like, oh,

we need to fix this problem.

But you're not necessarily guiding people

towards a safer alternative.

You haven't really made the Play Store

safer, in my opinion.

So it kind of weakens their argument.

But yeah, yeah.

I don't know.

I think if we want to give Google

the benefit of the doubt,

which I know a lot of people don't,

I think they are trying to strike...

I think now because there's pushback,

they are trying to strike a balance.

But I definitely understand that this does

feel very heavy handed.

I'm not looking forward to the idea of

like I'm getting a new phone and now

I have to wait twenty four hours,

which I mean,

I guess I use custom operating systems

that, you know,

the classic like that won't affect me.

But, you know,

my wife still uses stock Android and she's

not ready to make the jump to custom

operating systems yet.

But she does use like Neo Store and

some of those alternative systems.

Um, sideloading, excuse me, uh, those

third-party app installation features, and

so, it, again, it sucks that it's like,

she's gonna get a new phone and it's

like, hey, first thing you do, go in

and turn this on, because we gotta wait

a whole freaking day for it to get

out of the waiting period. So yeah, I

don't, I don't think this was the best

solution they could have come up with, and

I, I think they, um

I don't know.

I don't know what is the best solution,

but yeah,

I think this is really heavy handed and

I would like to see something even less

obnoxious than this personally.

My big thing is the developer settings,

but I know there's other issues as well.

Yeah, I agree.

I think this is...

Obviously, it's not ideal,

but I think it's important to remember

here a thing that the Keep Android Open

team was saying here is this entire like

the thing that we showed before that Nate

had on the screen,

it was the entire flow is delivered

through Google Play services.

So it's not actually part of

the Android operating system.

So the thing with Google Play services is

that it kind of just automatically updates

and applies changes to operating system

without your consent.

This is useful for Google because they

need to roll out fixes or introduce new

features.

But when it starts being about whether you

can actually install apps from third party

sources,

I don't think we want Google to be

the

the arbiter. Um, I think, you know, uh,

they state here the advanced flow has

still not appeared in Android beta, dev

preview or Canary releases. So basically

this entire flow that they're displaying

is

basically just a blog post and some UI

mockups.

So I think we should wait until we

see how exactly this works until we

actually get our hands on it.

I don't think anyone should be accepting

this.

And I think there could be a better

way to do this.

I don't know what that solution would be,

but I think, you know,

as soon as you start placing

restrictions on third-party developers,

I think it's getting to the point of

like, it's slightly anti-competitive.

I mean,

a lot of these apps aren't trying to

make money,

but

I think everyone should get a fair chance

of being installed on someone's device.

People should be allowed to choose what

they want on their device.

They shouldn't have to go through a

twenty-four hour waiting period to install

something on their device.

We should be able to choose what we

want on our device.

So, I don't know,

I think just from a freedom perspective,

Everyone should be in favor of people

being allowed to install software on the

device that they've paid for.

Like Google is basically just becoming the

arbiter of app installs on your device.

It's like a very, I don't know,

like people definitely wouldn't have

accepted this like ten years ago,

but I feel like we've gotten to a

point now where like everything is so

locked down.

like restrictions on apps are becoming

worse and worse.

So people are more likely to accept this

slight compromise that Google's made here.

But I think it's still not time

personally.

I mean,

I know Nate said like he was he

felt like it was a decent middle ground.

I think it's okay,

but I think we can definitely push Google

for something a bit better.

And hopefully we'll actually see an

implementation of this before it actually

gets released.

Because I think right now we've only got

like a hundred and sixty three days until

it's locked down.

So we need to see a working prototype.

We need to see at least something from

Google to know that this is not

kind of just a sham to make everyone

stop talking about this and be like,

Google has announced that they're going to

fix it.

You don't need to worry about it anymore,

everybody.

And then, you know,

Google rolls out the original

implementation.

But yeah,

someone says Play Store sucks and

Yeah,

I think Nate just said there was so

much malware on the Play Store.

I don't think it's particularly useful

that they're saying... Obviously,

there's a larger percentage of malware

used through these unverified apps, right?

But I don't think the Play Store is

also very safe because I've got

grandparents,

I've got older people in my life, and...

They absolutely will install a torch app

that requires your GPS location and your

camera and your

messaging history and your contacts and,

you know, they weren't,

they weren't bad at that.

And that's clearly like a data harvesting

app, but Google play has no problem, uh,

allowing that app to be, uh,

installed on people's devices.

You know,

there's apps that like spam your phone

with notifications and like ads that's

perfectly fine to exist.

Um, I think, yeah, every,

every store is going to have, uh,

Every store is gonna have malware and

issues.

I think even really curated ones are gonna

have apps that have vulnerabilities as

well.

And I'm sure something might sneak through

eventually.

It's not like there's definitely not a

zero percent chance

And I think, yeah,

most people would prefer,

most people probably don't even know that

there's another way to install apps.

Like most people would just assume that

Google Play is like where you get your

apps from.

Like it's kind of a problem that Google's

created because they want to be the number

one place to get apps, right?

So yeah, anyway, sorry,

I feel like I've been rambling a little

bit,

but hopefully that helped add some points

to discuss here.

I mean, I ramble plenty,

so it's totally fair.

Yeah.

And I mean,

just to kind of back up what you

were saying, like, yeah,

there's never going to be a perfectly

vulnerability free store.

I mean, like I said,

it happens to iOS every now and then.

It's just it happens a lot less on

iOS.

And I feel like to Google's defense to

what you were saying is they will remove

apps as far as I know once they

get found.

But it's the fact that they got there

in the first place.

Like,

why does this happen so much less on

iPhone?

And I have to assume it's a vetting

thing because, you know, I mean, sure,

there's a higher barrier to entry to put

your apps on an iPhone in the first

place.

But at the same time, it's like,

They still try to submit malicious apps

there too.

Like there was a study a few years

ago about how Apple has stopped like a

quarter of a million malicious apps from

ending up in the app store.

To be fair, maybe Google's got like,

we've stopped one million.

Like I don't know what their stats are.

But my point being is like,

clearly Google could put more effort into

this.

And I just feel like it's really

disingenuous to be like,

we want to keep people safe.

So we're going to push them into our

store, which is only marginally safer,

arguably.

And it's also like a...

um, what do you call that?

Like a survivor bias or a confirmation

bias where it's like, okay, sure.

We hear about all the maliciously

third-party unverified apps that get

installed, but at the same time,

what about the, you know, I,

at least fifty percent,

probably more than that,

of the apps on my phone are third-party

unverified apps.

They're, you know, Nextcloud, they're, um,

Trying to think what else I have on

there.

I don't know.

My brain's drawn a blank, but they're,

they're all things that like Signal,

you know, they're,

they're all things that I can obtain from

outside the Play Store.

So I prefer to do that because I

don't want the Google Analytics there.

And it's like, those are never malicious.

So those never get reported, but you know,

it's yeah, I don't know, but it's crazy.

And just to be clear,

I didn't necessarily say I like this

solution.

It's just not as crappy as what it

was.

but yeah, it's still not great.

And one thing I think you mentioned

earlier,

but I kind of forgot to touch on

as well is this whole,

Google is not really giving satisfying

answers to a lot of this stuff.

Like,

so you mentioned the twenty five dollar

fee and how twenty five dollars is like

a lot more to somebody in like India,

for example.

And he did say that like, oh,

we're going to account for that.

We're going to kind of balance it out.

But it's like this.

Who was it?

The Samat person.

I forget what the role is,

but they didn't really answer any

questions like they did.

at least this Ars Technica,

they mentioned like,

I don't know if they actually asked Google

directly,

but they did mention things like one of

the concerns is that Google is now

building this list of app developers if

the developers choose to get verified,

which already presents a host of privacy

and security concerns.

Like here in America,

we had that whole like a, like that,

what was that?

ICE spotter, ICEBlock or something.

We had that app where you could report

sightings of people

Immigration agents.

And in some countries,

that is super illegal.

Even just peacefully putting some kind of

protest app, super illegal.

And so if that person chooses to verify,

now Google has their information.

They have their payment.

They have their government ID.

They know exactly who they are.

And so Google...

Um, like actually right here,

Google swears is not interested in the

content of the apps and it won't be

checking proactively when registers

developer, uh, when developers register,

excuse me, I can't talk tonight.

Um,

this is only about identity verification

so that basically if they become a,

if the developer distributes malware,

they're unlikely to remain verified and

they can get booted from the program.

Um,

but then like, you know, when he's a,

when this smart person, he's like, Oh,

but this, uh, you know,

we're not keeping a list of developers.

Well then how are you going to verify

if somebody is a repeat offender?

Like your,

your answers don't make sense here.

And yeah.

Um, I also just need to,

to be snarky and point out,

he says that, uh,

Not everything is malware.

It depends on the context.

So like a rootkit is malware,

but a rootkit you download intentionally

because you want to root access to your

phone is not malware.

Likewise,

an alternative YouTube client that

bypasses Google's ads and feature limits

isn't causing the kind of harm that would

lead to issues with verification.

Anybody who uses things like NewPipe or

FreeTube knows that those things break

about once a month because Google does

something on their end to block it.

And then they have to update and do

the cat and mouse.

So yeah,

that was just kind of funny to hear

them cite that.

I don't think that came from Google,

for the record.

I think Ars wrote that.

But it's still kind of funny to hear

them cite that as an example.

And it's like, yeah,

but Google still treats that stuff in a

very hostile manner.

Yeah.

Yeah.

I think the other thing that you kind

of mentioned it a little bit,

like with the ICEBlock thing,

but I think there's plenty of countries

that we've already seen this happen with

where like, you know,

having a centralized app store kind of

allows governments to basically get apps

removed or to like have apps not be

allowed to install on devices.

Like I'm pretty sure the,

the way that works, like in China,

a lot of apps don't want to comply

with a lot of the like legislation that

they have.

Like, Oh, you've got to,

share a certain amount of data or you

have to meet these like economic

requirements or whatever.

Um,

and so they're actually just removed from

the Play Store or for like censorship

reasons.

Like there's stuff that's being shared on

those platforms that they don't want, um,

people to access basically.

Um, so having the centralized,

like we already saw this with like iOS

devices,

basically turns your phone into a brick.

Like you can't install the software that

you want on it.

Right.

Um,

But yeah,

I think it's like it's like with Linux,

right?

You can kind of install software from a

trusted repository and you can also add

additional repositories.

I think it should work similar on Android.

Like you should have the option to have

install stuff from additional places.

Maybe there's more of a warning about it,

but I don't think having to go through

developer settings and all this stuff is

particularly great.

I think it definitely also puts up a

bit of a barrier,

especially when you're like,

showing all these warnings like,

this is very un-recommended.

What you're about to do could compromise

your device.

It's not gonna sit well with someone who

doesn't understand the technical reasons

why they're showing that.

Yes,

a lot of cases it's it could be

useful for someone to see that warning.

But if it's like someone and they're like,

oh,

I want to be able to watch YouTube

with without the ads,

I'm going to download NewPipe.

And it's like this app could compromise

your device.

This is a highly this is a highly

suspicious action you're about to take.

Are you sure you want to do this?

People are going to be like, oh,

this is just malware.

I'm just installing malware.

It's not malware.

So

I don't know,

not really happy with this situation.

I think we're going to keep pushing Google

here to make a better decision.

I just think they should go back on

all of this and just go back to

what it was before.

Like you have to enable it, right?

But

it should still be an option for people.

Um,

I don't know if there's a better way.

Maybe they have a way of scanning like

the device to see if the permissions are

suspicious or I don't know.

I can't really think of a better way

that doesn't involve Google just like

doing more invasive stuff on your device.

But

I mean,

I think it should go back to how,

like how it is on Linux.

Like you can install additional

repositories,

you can install the applications you want

on your device.

And that is an increased risk of using

a third party platform to install packages

or like using a third party repository.

But that should be up to the user

to determine if they want to take that

risk, not Google,

who's like making that decision for you.

But yeah,

that's pretty much all my thoughts on this

one.

Do you want to take the next story

here, Nate?

Yeah, sure.

So this will probably be a pretty quick

one.

I just thought it was really interesting

because I am a nerd who really likes

thought experiments.

And the headline from this one,

this comes from Slashdot.

It says, should Banksy remain anonymous?

And the original article comes from

Reuters.

And Reuters did this really deep dive

um, really deep dive.

Uh, I'll be honest.

I didn't read it all cause it's so

long, but I skimmed it.

And, uh, they tried to identify Banksy,

which for anyone who doesn't know Banksy

is a very, very famous, um,

graffiti artist, I guess you would say.

Uh, well, I mean,

I would say artist in general,

he's done a lot of like legit artwork

as well,

but he's also well known for doing

graffiti work, um, all around the world,

actually, not just he's from the UK,

I believe, but, uh,

Well, we're assuming he's from the UK.

I believe that's where he's most active.

But Reuters did this deep,

deep dive to try and figure out who

Banksy was because there's been a lot of

I mean, of course,

there's been a lot of speculation over the

years.

And there's also just been a lot of

there's been a couple of like,

we're pretty sure it's this guy.

It might be this guy.

But they set out to like for sure

figure out who he is.

And spoiler alert, I think they did.

And I kind of don't like that personally.

I think it took some of the magic

out of it.

But I liked this headline of should Banksy

remain anonymous?

And I thought that was something

interesting to think about because there's

a few different angles here.

One of them is a legal liability.

This dude is technically a graffiti

artist, although...

I don't think it's here in the Slashdot

summary,

but in the actual Reuters article,

they mentioned how he does kind of seem

to get a pass because he is so

well-known.

And to be fair,

his art probably brings a lot of tourists

and stuff.

So even though he's technically doing

illegal things,

other graffiti artists have noticed.

It's like, if I did that,

I would absolutely go to jail.

But the police don't even seem interested

in figuring out who he is anymore.

They're just like, yeah, whatever.

He made some art.

Let's clean it up and move on.

But...

They also talked about his lawyer when

Reuters reached out to them and said like,

hey, we want a statement for this piece.

He urged us not to publish this report,

saying doing so would violate the artist's

privacy, interfere with his art,

and put him in danger.

And they pointed out again that what he's

doing is technically illegal and the

police could come after him and it could

stifle free speech.

So yeah,

it was just – it was really interesting

to –

Um, I mean, I, I have a feeling

our, our whole audience is going to say,

like, yes, he should remain anonymous. Or

maybe not. Maybe you're one of those, like,

hardline lawful good people that's like,

yeah, it doesn't matter if he's not doing

any real damage. I mean, he's costing some

people some paint on their building, but

other than that, he's not doing any real

damage. Let him do his thing. But it

was just really interesting to see this, um,

this, again, huge deep investigation on the

front page of Reuters that, uh, kind of

challenged, like

I don't know.

It was just really interesting.

I don't think I have much more to

add than that, to be totally honest.

But to...

To kind of like, where is that line?

I think that's kind of where my mind

went.

It's like, where is that line of like,

again, yes, he's doing something illegal.

He should not be allowed to do that,

but also like free speech and free

expression.

And it's not just the UK.

He protests things all over the world.

Like he's drawn on the walls in Palestine,

separating Israel from Palestine.

Most recently he was in Ukraine,

which is what sparked this investigation.

So it's not all like him saying,

living in a repressive regime,

criticizing his government.

Well, I don't know.

Some of the stuff I've seen come out

of the UK lately has me really worried.

Maybe he is living in a repressive regime,

but it's not all that.

It's also him going to other places around

the world just to make all kinds of

statements,

all kinds of political statements,

I guess.

But, you know,

just kind of the hippie stuff, you know,

like,

why can't we all just get along kind

of political statements?

But it's yeah.

Like I said,

I really don't have too much to add

to that one.

It's just it's just an interesting story

that

I thought was a good discussion about,

I guess about public interest, right?

Because we think about that a lot too,

about famous people and how much privacy

versus transparency do they deserve

depending on their roles.

And I don't know.

I like thought experiments.

I think that's what prompted me to want

to talk about this one.

I don't know if you have any thoughts

on this.

I think when it comes to art,

I think

this is, you know,

there's plenty of artists that do this

sort of stuff, like not just Banksy.

Um, and you know, obviously people,

the government is not going to be super

happy if you're like defacing a public

building or like there's a, there's,

I think defacing is,

is certainly up in the air, right?

Like I think in a lot of cases,

uh,

it's very much like, you know,

trying to make a message,

trying to make a pub,

make a message publicly,

people publicly aware of an issue,

for instance, like, uh,

I don't know if it's,

we've had a lot of like street art

just like pop, pop up in Sydney,

Australia, like, and it was never,

you know,

it was never publicly sanctioned.

It's just a lot of it's to do

with like

know, street art, um, criticizing the

government, criticizing, like, social justice

issues. Um, I think, you know, it's not

really hurting anybody, so I think, you know,

maybe I'm, it's, it's, it's showing an art,

artist's vision. I think in a lot of

cases when there's like graffiti, uh,

it actually brings people, like Nate said,

it's like a tourism thing,

especially when it's like a famous artist.

There's plenty of places where there's

like graffiti in places.

Um,

and people come there just cause they want

to take pictures.

Um,

it doesn't have to be any famous artists.

Right.

Um, but I think, you know,

it's part of the community.

It's part of like,

it's just,

it's kind of an expression of people in

that who live in that place.

Um, so I dunno, I think it's,

I don't think Banksy's identity should be

like revealed obviously.

Cause I think, you know,

people should be able to choose whether

they,

share that information or not.

Um, I think it just applies.

It doesn't really,

I think someone could definitely make the

argument that because he was technically

committing crimes or like not crimes,

I guess maybe like a,

I don't know what you would classify

graffiti as like vandalism, I guess maybe,

but yeah, some kind of misdemeanor,

I think.

Yeah.

So I think, you know,

It's up to the community to determine

whether it's acceptable or not, I guess.

I think, you know, there's definitely a

difference between, like, a lot of people

just do, like, tagging stuff, or they, like,

put their name on something. That's not

really art, that's just, like, vandalism. But

I think if it's actually something that's

trying to display a message, I think it's

a little bit different. Um, like social

commentary and stuff, I think, is definitely

more acceptable. But I think, you know,

legitimate, actual street art is definitely

on a different

different level,

but I think it's definitely,

I think one of these things where it's

down, it's down to someone's beliefs, um,

as a person,

like it's not really a very clear cut

thing.

I don't think, um,

whether it's a clear cut, obvious answer,

but I think in this community, it's like,

you know,

I think people should be for protecting

artists, privacy,

protecting anyone's privacy if they don't

want to have their identity revealed.

But,

Yeah, I think, yeah, I don't really have

too much more to add. Do you have

any thoughts? No, yeah, um, I mean, yeah,

I was really disappointed to see that they

went ahead and published his name anyways,

or who they believe it is. Um,

And it's,

I'm with you on the one hand,

because like, to me, it's like,

I don't think his message is

controversial.

You know,

I could see the argument of like, well,

let's say I own a business and he

graffitis the side of that business with a

message that I don't agree with.

Like, okay, I hear that,

but he's not in my opinion.

I mean,

I don't see anything controversial about

any of the stuff he's posted.

I mean, for the record,

I don't follow him super closely.

So I don't know if somebody is going

to go dig up and be like, oh,

go look up this painting.

This was like super political and somebody

may not agree with that one.

on the wall in Palestine was like, it

was like, it was forced, or not forced

perspective, but, you know, it was like, it

was a lifelike painting of like a hole

in the wall, and it was like this

beautiful beach on the other side. And, you

know, it's art, so it's open to

interpretation, but the way I took away

from that was like,

this could be paradise if we could find

a solution here.

And he wasn't trying to say what the

solution is.

He was just trying to say like,

be human,

be kind to each other and figure out

a solution.

And it's like,

I don't think that's a particularly

controversial take personally, but yeah.

So, I mean, it's, it's, I don't know.

I think there's much worse crimes in the

world, but yeah, it was just,

I don't know.

He's, he's so, yeah.

I was disappointed to see the Reuters went

ahead and published it, but yeah.

It's interesting to think about because I

think about that a lot as a quote

unquote semi-public figure is like,

how much transparency do I owe people

versus how much privacy do I get to

have as an individual?

And it's, I don't know.

Yeah, life is full of nuance.

Definitely.

All right, so in a moment,

we're going to start taking viewer

questions.

So I know there have already been some

questions,

but if you guys are holding on to

any more,

definitely go ahead and start leaving

those in the chat or in the forum

thread.

But for now, speaking of the forums,

we're going to check in on our community

forum because there's always a lot of

activity.

This week has been no exception,

been very busy week.

So here's a few of the most interesting

discussions happening.

And the first one we're going to talk

about is there's a community discussion

about Firefox's new features.

So for those who don't know, Firefox,

I believe it's one forty nine is coming

out here pretty soon.

And it's got a few pretty big changes.

Some of them are very

cosmetic. Welcome cosmetic, for the record,

like I just found out.

I feel dumb.

But I just found out two or three

weeks ago that in Brave,

you can do split tabs.

So it's kind of like tiling a window,

which I just realized I should totally be

doing here, but I'm not.

The split tab thing, I mean.

It's kind of like tiling a window,

except it's the same window,

and it's just the tabs are side by

side.

which is probably a little bit of a

niche use case,

but it's really cool for me.

It's really nifty and I like it.

Firefox is going to be adding that,

but then there's also some more serious

things.

Like there's a sanitizer API, which...

I'm forgetting off the top of my head

exactly what that does.

I think that's supposed to help protect

against cross-scripting attacks,

but don't quote me.

It's definitely a security update.

And noticeably, this one is new.

Apparently,

they've announced the sanitizer API

before.

But Firefox is going to include a VPN.

I believe from what I've heard,

they did not really say for sure in

their blog post,

but it will be free for up to

fifty gigs a month.

And to start with,

it's going to roll out in France, Germany,

the UK and the US.

We'll see about the UK if they start

requiring ID for VPNs.

But that's a different discussion.

And yeah,

I think I've heard rumors that it's going

to be in-house.

I know last time they did this,

it was a white label of Mullvad.

And I actually stand corrected because

I've always said that like,

I don't see the point of the in-browser

VPN because I want more than just my

browser to be protected.

And from what I'm told,

that is not how this is going to

work.

It is actually going to like protect your

whole device.

It's just going to give you a lot

more granularity in the browser.

That's what I've heard.

But yeah,

Yeah, what do we think about this?

I think I'll go ahead and say that

I'm notoriously critical of Mozilla,

but I'm happy to see them putting good

features into Firefox.

I mean,

at least it's not an AI feature that

nobody asked for, right?

So yeah,

I think this is potentially a good step

forward.

I will be interested to see how that

VPN works potentially, but yeah.

Uh, I think you did, unfortunately,

unfortunately, Nate, to,

to ruin your parade of anti AI.

They unfortunately did include, uh,

there's an update in this, in this update,

they're including smart window,

which was previously called AI window,

which is basically.

Oh yeah.

That, okay.

I missed that.

I was just reading the summary here in

the thread.

Yeah.

So unfortunately that is coming in this

update.

I think they realized calling it AI window

was probably a bit too on the nose.

So they've changed the name to smart

window this time, I think.

We did talk about this a little bit

internally about this privacy,

this free inbuilt VPN.

I think the thing I was specifically

talking about was Mozilla VPN.

So this is a different thing.

This is, I guess, Firefox VPN.

which is different to Mozilla VPN.

Mozilla VPN,

one of the cool things about Mozilla VPN,

like Nate kind of talked about,

was it would cover your whole device and

then when you use Firefox,

it would integrate with the desktop client

and it would allow you to select different

locations for where your browser would

exit based on the website.

So, you know, obviously you wouldn't want to

like access your bank's website and also

be coming from like Turkey, because that

would like cause your bank to, like, you

know, lock down. They're not gonna, they're

not gonna like that. Um, so that allowed

you to have different endpoints coming

out there. Um, I think that is also

very useful because, you know,

A lot of times VPNs are blocked.

Like on Reddit,

you'll frequently find it's blocked.

On YouTube, it'll ask you to sign in.

I think that's an interesting thing with

Mozilla VPN.

But I think like Nate said,

this is a separate thing.

This isn't the same thing.

It's kind of confusing.

They've got two products.

This is only for your browser.

As far as we're aware,

they haven't said that it's going to be

your entire device because they say this

is a proxy.

So as far as we are aware,

that is only going to be through the

browser itself, as far as we know.

So I would say that's what we should

think that this is first.

Um, I don't think this is, you know,

an amazing.

because I think we have such good free

privacy, like full VPNs you can use now.

Like you can use ProtonVPN free.

Like they have quite good speeds.

It's free.

I think Proton's doing a great job by

offering that for free to people.

I think people should use that if they

don't have another way to protect their

privacy.

But I think especially with the low cost

of VPNs at this point,

like Mullvad is five euros a month,

like that is a pretty cheap price for

a lot of people.

But I think, you know,

price is also it's a trying time.

You know, people are trying to save money.

So I think, you know,

fifty gigabytes of data is definitely

pretty, uh, pretty generous, I would say. It's

like, that's gonna take you quite a long

way, um, especially monthly. I feel like I

don't even use, I use like only a

couple of gigabytes a month on my phone.

So, I mean, if that's, I mean, I

mean, I know there's people that use like

hundreds of gigabytes on their phone every

month. I don't know how you do that

exactly, but, um,

I think fifty gigabytes is a lot. Maybe

I'm like, I think it might just be

because our internet is really slow here,

but it's kind of hard to download that

much stuff. But fifty gigabytes, and it's,

it's kind of frustrating, Firefox and

Mozilla in general do this all the time,

like they only release their products in

specific regions.

Like in this case, they're saying the US,

France, Germany, and the UK to start.

That's where they're releasing this free

Firefox VPN.

And it's the same thing with Mozilla

Monitor, which I think is defunct now,

and Mozilla VPN and Mozilla Relay.

It's like their email aliasing thing.

It was only available in certain

countries.

I was always kind of like interested in

trying it.

never was available in Australia. So I

think they should probably look at, you

know, I don't really understand the reason

why they're only releasing this in certain

locations, but, um, I think especially in

locations where I feel like they don't

need the privacy as much. Like, what about

countries that are, like, you know, under

siege by like authoritarian governments?

Maybe we should focus on those first to

get this technology to, but, um,

It's still an interesting thing.

I didn't really read any of the comments.

Was there anything you were thinking that

people mentioned that we haven't really

talked about yet?

I don't think so.

There was kind of a discussion right off

the bat about whether they meant, um,

like there was a confusion of, um,

When they said to start,

did they mean to start?

And that might change?

Or did they mean the countries might

change?

But I think everybody kind of agreed that

it's like, no, it's probably the country.

But yeah,

there was a lot of discussion about is

it

like what I was saying,

is this going to be an in-house thing

or is this going to be a,

like a white label of Mullvad was some

people here are saying this might be like

competition against Opera,

which I I'm with you.

Like personally, I don't,

I do think the Proton last time I

tried one of them,

the Proton free servers tend to be a

little bit slow,

but I also know since then they've kind

of added a few more.

So hopefully that's helped.

But that said, I do think,

I'm not opposed to them adding this as

like a compete with Opera thing,

especially if they can keep the cost low

for them.

And this isn't going to be one of

those things that,

you know, in a year, they're just like,

oh,

we killed this off because it's really

expensive.

But I don't know.

I mean,

I know there's the whole smart window

thing, which I don't know.

To me,

that reminds me of like Brave's Leo.

Like Brave has like a little pop out

mode where you can just talk to Leo

directly and have a conversation with it,

have a conversation in the sense of like,

I'm not asking it to paraphrase this page

or whatever.

But they also have like a little sidebar

where you can ask questions about the page

you're on.

And they say that this will be completely

optional.

So I don't know, to me,

that's just competing with Brave, which,

again, I don't know, it's just,

it's good to see them mostly focusing on

the browser again,

and not buying like ad companies or fake

review plugins or Yeah,

so

Yeah,

I think one interesting thing you said,

oh, this is like,

I feel like Brave also has like a

VPN built in Vivaldi.

Oh, they do.

I forgot about that.

So I think it's more of a,

I think they're going more to try and

challenge Vivaldi here and Opera.

But Brave also has, it's a paid thing,

but it's still technically built in,

I guess.

I guess they're just trying to be like

feature compliant.

competing against, you know, this stuff.

So yeah, I don't know. Uh, I think

it's also one other thing that, uh, Firefox

has actually rolled out in like the latest

release, they do have the AI block switch

now. So like if you've got that enabled,

you're not going to get any of this

AI stuff. So I wouldn't worry about that.

I would make sure you have that ticked

if you use Firefox, because you don't want

to get this in the next update. Um,

So yeah, I don't know, this is,

it's good to see Firefox actually doing

something this time.

Like I feel like we were sitting at

like no changes being made every year.

There was like absolutely barely any

changes to Firefox for like, I feel like,

I don't think it's going in the direction

I would like.

I don't think many people agree that it's

going in the direction they want.

And I guess with all this AI stuff,

I think it's pretty tricky to avoid at

this point.

Every company is basically rolling this

stuff out.

At least Firefox is making it easy to

opt out, but I just,

it kind of frustrates me that all the,

all the donation money and all this money

from Google to be the main search engine

is just being dumped into like AI and

like privacy preserving analytics.

Um, it's not really stuff that is gonna,

I don't think it's gonna bring people into

the browser,

but I think if they actually made some

big changes and listen to what community

people actually wanted from the browser,

I think they could.

you know,

there's plenty of projects that are doing

interesting things.

Like I think one of the most interesting

ones was Arc browser.

Like they were doing quite a lot of

interesting, you know,

different things that no other browser was

doing.

Like,

I think it'd be interesting to see Mozilla

just actually try something new,

like not just like copy what other people

are doing,

like actually try and make something, uh,

little bit revolutionary, a little bit

different, um, to actually give people a

reason to use it. Because right now it's

like Firefox just kind of is bad,

especially on some websites. Like, you're

just gonna be, have a worse experience. Like,

people don't test for Firefox now. Um, like

even this website, we're using StreamYard

to do this right now. I can't use

Firefox

to do this.

So, you know, it's,

if you can't do basic stuff with your

browser,

I think that's going to push people away

from doing, from using it as well.

But yeah,

I think that's kind of my thoughts on

this.

Somewhat positive, I guess, but yeah.

Yeah, I agree.

I mean, for me,

it's unfortunate that Mozilla is

constantly playing catch-up to everyone

else.

Like, again, the split view.

Brave has that.

I don't know how long they've had it,

because I just discovered it,

but Brave has that.

And even their AI stuff, it's like...

Like, everyone else... The AI ship...

I mean, I feel comfortable saying this,

because this isn't like a, you know,

hustle podcast or whatever, but, like,

I feel like at this point,

if you're just now jumping on the AI

bandwagon, it's gone.

Like...

It's gone.

Why are you there?

And so it's, you know, it's like,

I don't understand why they're,

and they're doing it in such a poor

way too.

Like I remember being really disappointed

when I looked into their AI features,

not because I wanted to use them,

but just because I wanted to understand

them and they don't even do anything.

It's like, oh,

here's a tab where you can talk with

ChatGPT.

Your privacy policy,

like their privacy policy is literally

like go see OpenAI's privacy policy.

And it's like,

so what's the difference with this?

and just going to chatgpt.com.

What use is this?

And it's like, oh, well,

it's integrated in there.

I don't care about that.

If I cared about that,

I'd be using ChatGPT's browser.

I don't understand why it needs to...

to do that.

I don't know.

It's just,

it's weird to me that like they're

constantly playing catch up and yeah,

it would be nice to see them because

they have such a passionate,

active community.

I know they do.

And I'm sure people have plenty of ideas

about how they can improve it, but it's,

it's, it's, yeah,

it is nice to see them investing in

something that isn't AI for,

even if they have the little smart window

thing, but yeah,

The split view, the tab notes,

which I don't know how that's going to

help, but the sanitizer API, the VPN.

I agree with you.

It's not enough,

but it's nice to see them starting to

get back into it.

And hopefully,

I'm hoping the momentum will pick up for

sure.

Yeah, I think we had a question here.

We have, well, not a question.

I guess someone was just saying, uh,

without Manifest V2 extensions,

I find the internet to be pretty bad.

Um, I agree.

I think, you know, uBlock Origin,

I think is kind of a needed tool

at this point.

Uh,

uBlock Origin Lite is, it doesn't work

as well and it doesn't block a lot

of things that you need, right?

Like, you know,

you would hope that, uh, you know,

websites don't have a million pop-ups and

like cookie banners and paywalls and all

this sort of stuff.

But it's kind of the modern internet at

this point.

Um, you need to, you need to,

you need to use an ad blocker unless

you want to go completely, you know,

off the rails, I think.

So if,

if Mozilla is like the last bastion of

MV2 extensions, then, uh,

I think that is definitely a thing that

separates them from Chrome, but,

You know,

that's not going to be enough to keep

people there because plenty of people are

still using Chrome and they're still using

uBlock Origin Lite.

Um, it's good enough for them.

It's not perfect,

but it's definitely good enough.

Um, so.

people kept saying that we're going to

leave Chrome.

If, if Chrome doesn't, uh,

if Chrome doesn't use, um,

doesn't allow MV2,

I'm going to leave Chrome.

And then everyone just stayed on Chrome.

Like, like,

I think people might not realize that a

lot of people don't actually use

extensions.

They don't even know what they are.

They just use their web browser like

normally.

Um, so yeah, I dunno.

Um,

It's, yeah,

I don't think Firefox is in a very

good position at the moment,

unfortunately.

I do got to point out,

I disagree that most people don't use

extensions because I feel like every time

I look at somebody's Chrome browser,

they've got like ten extensions and it's

always like Grammarly.

And then like what's funny is it's always

like six different ad blockers.

It's always like Adblock Plus,

plus Ghostery, plus Privacy Badger.

It's more...

I almost get the impression that like

people don't understand extensions and

they don't understand which ones,

like what they do and how they work.

And they're just like, Oh, you know,

the more I throw on there,

the better it gets.

Right.

And it's like, no,

you need to be intentional with which ones

you use because you're giving them a lot

of permission, but yeah.

Yeah.

Which,

which just kind of goes back to what

you're saying though, is like,

people don't understand like Manifest

V2 versus V3 and they don't really

like, they don't understand like, okay,

now I've got Adblock Plus or whichever

one,

but it doesn't work as well as it

used to because Google has hindered it and

they don't understand why.

And which is still unfortunate, but yeah.

So, I mean, if we,

if we like take into account the amount

of people that use, uh, Chrome, right.

And we look at like, you know,

Adblock Plus or uBlock Origin.

Um,

there's not that many people using them.

If you, if you consider the actual,

like amount of people using Google Chrome.

Um, sure.

The percentage.

Yeah.

uBlock Origin Lite is like,

sixteen million.

That's pretty small,

like if you compare it to the amount

of people.

I mean,

it could be like a sample thing,

like I've personally seen people that use

Chrome and they didn't have any

extensions,

and I've also seen people with a bunch

of them,

so

It's kind of hard to determine what this

is through like anecdotal things.

But I think if we look at the

numbers, we can get some idea,

at least at least like these ad blocking

ones.

I mean,

we could look at like other extensions

that people are using and installing,

probably, you know,

some really weird stuff.

But it doesn't seem like it's super

common.

But that's just going off the numbers,

I guess.

It's not really... No,

to back up what you're saying,

one source says that Chrome has almost

four billion users,

three point nine eight billion users

worldwide based on an estimate.

So, yeah,

like sixteen million people is not much.

I don't know what the math is on

that one.

I'm not even going to try,

but it's not much.

Yeah, I mean,

it's probably not the greatest way to

determine it, right?

People,

it could be multiple installs by one

person.

It could be counted by like, you know,

you've installed uBlock Origin a couple of

times on a couple of your devices.

It could be even less than sixteen million

people, unfortunately.

It doesn't exactly paint a very good

picture because, yeah,

it sounds like most people don't care.

MV2 to MV3 gives people more

security protections, I guess.

But it does.

It's kind of an issue comes at a

cost, comes at a cost.

Yeah, exactly.

Um, okay.

So yeah,

we could move on to the next, uh,

forum thread here.

Um,

cause we have talked about Firefox and

Mozilla quite a bit.

I feel like it's an easy topic to

just kind of talk about for a long

time because there's just so many issues

for sure.

Um, but this next one was.

Someone started a thread.

It was actually a very recent thread,

only sixteen hours ago.

So favorite underrated hobby for staying

productive.

I'm looking for hobbies that aren't just

fun,

but also help clear your mind or improve

skills in subtle ways.

Anything offbeat that people swear by?

I feel like this is definitely an off

topic section of the forum.

I think this could be interesting to read

some of these things here.

I feel like Nate added this.

So I feel like you have something you

want to say about this.

Do you?

Yeah, I do.

I wanted to add this one because

I don't know about you guys.

Okay, so a quick tangent off topic.

When I used to work with Henry in

Surveillance Report,

he was very open about the fact that

he's like, I do privacy all day.

So when I'm not working,

I don't really listen to privacy podcasts

or read privacy books.

I need to detox from it.

And now that I am also doing privacy

full time, I...

I haven't gone quite to that extent,

but I get where he's coming.

I mean, I understood it before,

but now I'm living it.

And, um, so I,

I think it's just really important to,

I don't want to say touch grass.

Cause that's a very like disparaging term,

but it's, it's just really important.

I think for all of us to like

take a breather, especially privacy,

like it can be so depressing sometimes.

Cause unfortunately I feel like we do take

more, more losses than wins.

A lot of the time, you know,

we don't, um, we don't get to, uh,

I wouldn't say we don't get to.

We see a lot more bad news regularly

about Instagram rolling back and encrypted

DMs and Android trying to crack down on

third-party installations and this, that,

and the other.

And so it's very...

it can be a little depressing sometimes

because we only get the good news like

chat control was defeated.

We only get that stuff every so often.

So I really like this idea of what

are your hobbies just in general?

I like these people talking about things

they do.

One person here said they read,

which is pretty...

not really offbeat, but, you know, reading is,

is a really good thing. And they said,

like, they read a lot of fiction too.

Like, it's not all tech and privacy stuff.

They read a lot of non-fiction, fiction. Um,

one person did mention self-hosting, which

is a good way to learn more about

tech and privacy. Uh, to your comment, one

person did say, I didn't realize we had

an off-topic section of the forum where

we're allowed to talk about things

unrelated. Um, so yeah, definitely we do have

that. And then, um,

Somebody said they do chess.

One of my favorites, they said,

not sure it would qualify as offbeat,

but I enjoy dribbling watercolors on

potato slices,

letting them dry out and then taking

photos of them.

You blow up the images and they kind

of resemble an aged artsy fartsy painting.

one day I'll print and put these up

for sale.

And somebody replied, they're like,

I'm going to go on a limb and

say it qualifies as offbeat.

But, you know, it's a...

And for the record,

I thought that one was super cool.

I want to see those too.

Those sound awesome.

But yeah, it's just, I guess,

kind of a reminder for all of us

to find something enjoyable that helps you

unwind because this stuff can be a lot

sometimes for all of us.

I don't think you have to work in

it full time,

but it is really good to remember that

there's...

Privacy should be a means to an end,

in my opinion.

Privacy should be what enables you to take

control of your online life and your data

and build the life that you want.

And that includes going out and doing

other stuff sometimes.

So, yeah.

I don't know if I have any underrated

or productive...

Also that,

I just want to throw that out there.

Personally,

I'm a really big fan of like being

productive and self-improvement and stuff

like that.

So obviously not everything has to be,

like when I'm playing video games,

that's not always productive, right?

But it's fun and it relaxes you.

So, yeah.

Yeah, I think it's good to remember,

you know,

not everything you do

has to be productive. I think being

unproductive a little bit, you know, and

doing things that aren't actually, you're

not going anywhere, like you're just doing

something for the sake of it, it's like

kind of the point of being human, right?

Like, we're not here just to produce and,

and make things and, uh, and make money

and work, you know. I think people need

to also take time and be and do

things like, you know, nature, like gaming

and all these other hobbies that people

have put here. Um,

But I think, you know,

taking time to be unproductive can help

you be more productive.

I think taking a break,

taking rest is kind of important.

And, you know,

I guess I'll throw in a couple of

extra ones.

I do think exercise is pretty important.

It's pretty good for your health as well.

It's productive, I guess,

because you are becoming healthier.

I think people should...

if you're able, uh, exercise regularly,

you know, it's an important thing.

I think it doesn't really achieve any

particular goal.

It just is, you know,

it can be any sort of exercise is

important.

Um, yeah, I mean, I think it's,

there's plenty of different, uh,

things you can do.

I enjoy photography, like in my free time,

stuff like that.

I think art stuff is also important,

gets your brain going.

Um,

but I do think it is important to

not make everything in your life about

securing your privacy and like about this

one topic.

Cause that's, uh,

that's one way you're going to get burnt

out.

That's actually a section on the activism

section we recently launched.

Um, so definitely check that out.

Um, but I think, you know, it's,

Yeah, it's an interesting thread.

Maybe go over there and drop your favorite

thing you like doing.

I think it's nice to have these off

topic forum threads sometimes because I

feel like every thread is just like so

draining.

Like there's just every day,

there's just a new story of like,

the absolute worst thing happening.

Um,

and sometimes it's good to disconnect a

little bit.

Maybe that means not actually going on the

Privacy Guides forum for a day, you know,

taking a break.

Um, it's definitely helpful.

Um, and yeah,

I think it would be more productive if

you take more breaks.

Um, everyone needs days off.

Yeah.

A hundred percent.

Um, yeah, I mean,

I don't really have much more to add.

Do you have anything?

I don't think so.

I was going to say we could probably

move into viewer questions now,

which I think we've kind of been answering

them as we went in the live chat,

right?

Have we missed any that we haven't covered

yet?

Um,

I think there was just people kind of

sort of making comments here.

Not really any questions per se.

We did kind of talk about a lot

of stuff, uh,

that was already covered in a lot of

these points.

Like someone mentioned.

Ninety-nine percent of what these browser

AI things can be replicated in a browser.

Um,

and browsers are less permission heavy.

So like using an AI app is kind

of useless.

Yeah, I agree.

They need a light version of the iPhone.

Maybe.

Oh, no, no, no.

They're talking about a uBlock Origin

Lite.

There's the uBlock Origin Lite for

iPhone,

which I think actually we did add back

to the website.

I think we talk about it on our

iOS section, if I remember correctly.

I think you're right.

Yeah.

Um, and AdGuard,

I think those are the two recommendations

still, cuz AdGuard does, uh,

it does still protect web apps and things.

So that is a good point.

Sorry.

I missed that.

I kind of misunderstood that comment.

Um, but yeah,

was there any comments from members on our

forum thread this week?

So, yeah, I, I think I passed it.

Um,

Yeah, we did have not too many.

I know one question we got was about...

I don't know if this person's watching

right now, but somebody asked us,

is it possible to provide a list of

news articles that the stream will go over

in advance?

Just to give you guys a little peek

behind the scene, the short answer is no.

Because what happens is,

and I think I may have said this

before, is throughout the week,

we kind of collect articles that we may

want to talk about.

And we try to keep it to four

to six articles on average.

And so...

we kind of wait until Friday, and that's

when we go over, like, okay, what are

the main things we really, really want to

talk about, and what are the things that

we can, um, drop off to, you know,

uh, like the news feed or the news

section. Um, thankfully we do have the news

section where, even if we don't cover an

article here, we might still write about it

there. So, uh, and sometimes we do both,

but

Yeah.

Uh, a lot of the time,

like we're not, uh, we're,

we're still like Friday afternoon.

Um, us time we're,

we're still like putting this stuff

together.

So unfortunately that's not really doable

in advance.

And to also add to that as well,

sometimes we're like, you know,

it's Thursday morning and we're like still

trying to work out what the highlight

story is because sometimes there's just

not that much going on.

Like, you know,

we can't really release the newsletter if

we don't even know what the highlight

story is going to be.

Um, so we're sorry that that's,

that it's kind of frustrating, I guess.

Um, but you know, we've been like,

Nate's been doing a great job with like,

we published the newsletter as soon as the

live stream starts.

Like if you check your inbox,

like it'll be there.

Um, so I would, if you're worried,

if you want to know what we're talking

about on the live stream,

then that'll be the best place to see

that.

Um,

I did drop a link in the forum

thread there.

Um,

but if you do want to sign up,

it's just privacyguides.org forward slash

live stream, and if you press the donate

button in the bottom right and you select

free on that, so you don't have to

pay money to join the newsletter or

anything, you'll get the update

notifications for the live stream, and that

includes all the links and also like some

small summaries of the stories as well. So

if you want to follow along while we're

talking on the live stream, you can

get that to your inbox.

It also goes live onto the website

eventually, but let's see,

is it on there right now?

Yeah, it looks like it is.

It should be, yeah,

because when I publish it,

I choose publish and email,

so it should go to both the website

and the... So yeah,

if you prefer to use RSS for some

reason,

you can subscribe to that section and

that'll pop up in your RSS feed as

soon as we publish it.

Looks like we got a comment from

Cannabida.

Do you recommend any books that are not

explicitly about privacy,

but privacy adjacent?

That is a very good question.

I know the answer is yes,

but I'm struggling to remember what they

are because I know there's been a few

books that I've read and I'm like,

I kind of want to add this over

on The New Oil as a recommended book,

but it's not really privacy related per

se.

And now I'm trying to remember what they

were.

I feel like Enshittification, uh,

by Cory Doctorow is a good one.

Like that's,

I just bought that one the other day.

I'm waiting for it to ship.

Nice.

Yeah.

That's a, that's a definite,

that's like one that's it's not

technically about privacy.

It's just like, you know,

adjacent big tech being awful kind of

explaining that whole process.

Um, Hmm.

Ooh, Andy Greenberg,

who I think actually wrote one of the

articles we covered today,

or maybe one of the ones we were

considering.

But he's a writer for Wired,

and he's written quite a few.

Like, Sandworm is really good,

and that's about Russia's state hacking

group.

He's written Tracers in the Dark,

which is...

Um,

it's divided into four sections and the

last section is about finding people who

host CSAM websites on the dark web.

So just fair warning.

That was a tough read.

Um, the first three parts are great.

That last part was a little rough to

get through.

Um, yeah,

he's written a couple of books that I

wouldn't say are like directly privacy

related.

Cause again,

they're about like cyber crime and state

hackers,

but they're very interesting and they're,

they're adjacent for sure.

Yeah, I mean, this, I feel like you

have quite a few different options to pick.

Uh, maybe you might have to, I reckon

if you go to like Cory Doctorow's stuff,

he probably has like a bunch of books

that are semi-related to this whole thing,

right? I think

He's a good person to look at.

But I don't know.

Yeah, I can't really think of too many.

I know there's like quite a few books

about like sort of the AI stuff that's

going on now.

I saw those like one on my timeline

the other day, The AI Con.

That's also an interesting one.

I can't really think of too many other

non privacy related books.

I can think of a lot of privacy

related books,

but just not like somewhat outside that.

I haven't read it,

but on the topic of AI,

I've heard a lot of good things about

if anyone builds it, we all die,

which is about the quest to build AGI,

artificial general intelligence.

So I haven't read it,

but I've heard a lot of good things.

Yeah.

I can't really think of too much here,

too much more.

But yeah,

was there any other things you were

thinking on the forum thread here?

The last thing I wanted to mention that

you did,

we mentioned it in the site updates,

but somebody asked us to go over the

homomorphic encryption story from Freya and

just kind of explain it.

Please go over the story.

For more people to understand it simply

put,

I think it's important to know and follow.

So homomorphic encryption,

and this is grossly oversimplified,

but it's basically a way,

and it's a real thing.

It's not just theoretical.

It's a way to process data on a

remote server in a way where it's still

encrypted and the server can't see your

data.

So hypothetically, like right now,

let's use Google and Proton as an example,

right?

Google...

and I might have this wrong, but correct.

Well, this part, I know I'm right.

Google,

you put your stuff on their server,

you interact with it,

but Google can see it.

Proton,

a lot of it has to be decrypted

in your browser.

So it tends to be a little bit

slower because of that delay.

Homomorphic encryption would be a way

where it can still stay on the server

and you can work with it in real

time, but it would still be private.

And I think it's designed more for...

Oh, man,

I can't think off the top of my

head.

But I know it's not designed for things

like Proton, where it's like, oh,

you can take that little performance hit.

It's got very specific use cases.

But the big problem is,

and I don't know if this is an

exaggeration or not, but...

Freya wrote here that it's thousands of

times slower than processing the data

normally.

And I don't think that is an exaggeration.

So literally,

just to give a tiny bit more context,

Proton mentioned this when they talked

about Lumo.

And they were trying to figure out how

they wanted to make Lumo private.

And they mentioned that they had

entertained the idea of homomorphic

encryption,

except it would literally take about ten

minutes to get an answer back from your

prompt.

So like you type in your prompt,

you go make coffee.

Don't even just get a new cup,

just make a whole new pot of coffee.

And then you come back and hopefully your

prompt will be ready for you.

So it's not really feasible.

It's not practical for most applications,

but Intel released this new chip that

they're calling Hercules.

And it across seven key operations,

Hercules was one thousand to five thousand

times as fast.

So it's still not quite there.

Freya does talk about some of the

challenges that are still facing

homomorphic encryption here.

But it is definitely really cool that

we've seen such a major jump on this

technology.

Because if they can get it up to

a more usable speed,

that really would be a game changer.

I don't want to compare it to nuclear

fission or cold fusion or whatever it is

because that's one of those things that

it's like, oh, at this point,

some people aren't even sure it's possible

because it's so far away.

But it is one of those holy grail

kind of things that it's like, man,

if we could do this,

it would solve a lot of

potential privacy problems.

Although I do feel compelled to point out

that at that point,

the challenge would be getting companies

to use it, as we're seeing Meta roll back

end-to-end encryption.

So there's already a lot of solutions that

people just don't feel like using,

but it would be nice to have this

in our toolkit too, because again,

there are specific use cases for it where

I think people would readily use it.

It's just not where we need it to

be right now.

So yeah.

I think, you know,

I've got to be the AI hater on

the podcast.

So I'm going to say, you know,

if you do read the link,

if you look at the link that Freya

linked with this chip that they're working

on, it does still mention, like,

when they use this homomorphic encryption,

it basically...

significantly increases the amount of

memory that's used.

And I don't know if you're aware of

the global RAM shortage,

the global computer component shortage.

I feel like we don't need to make

it any worse by doing this,

by doing this homomorphic encryption

thing.

I think, you know,

I would push, you know,

I don't recommend that you use these AI

tools.

I mean, if you have to though,

if you absolutely have to,

there's local options,

but I think one interesting thing that

this sort of homomorphic encryption thing

or

I guess it's like trusted computing,

I guess.

Is that sort of,

I feel like this is a similar thing.

Um, but yeah,

Freya mentions that in the article.

Okay.

Right.

Yeah.

So basically the,

there was a VPN service that was doing

this through Intel's SGX system to

protect,

basically it would be an additional layer

because when you trust a VPN service,

you basically have to trust that they're

not gonna log your traffic or they're

gonna, you know,

because there has to there has to be

processing that's done to actually

facilitate the connection between you and

the VPN server.

So that can't be encrypted.

But there was this VPN company that was

saying that's what they were doing.

They were using like an Intel SGX like

secure enclave system.

So like basically no one would be able

to get access to it.

It would be in like a trusted platform

thing.

It's also interesting because I feel like

Apple was also pushing this sort of thing.

They're like doing their private cloud

compute system.

Hello, Apple, where is it?

It's like,

this seems like a similar technology

thing.

Like it seems like a very similar thing,

except, you know, they're not using Intel,

they're using Apple Silicon instead,

which I think gives them an edge really,

because they're not relying on a third

party company like Intel.

Like, you know, if you,

they can do everything in house,

like firmware's in house,

the Silicon's made in house.

I still think that they use fabricators

still, but they're like a,

what do you call that?

I don't know.

They don't fabricate the silicon

themselves.

They outsource it, I believe.

But yeah,

it kind of puts them in a better

position to do that.

But that still hasn't really appeared.

I don't know what's going on with the

private cloud compute thing.

I think it's an interesting topic to keep

an eye on.

But I think, you know,

like Freya was saying,

the constraints of this are too...

are too high. Like, it's, it doesn't, it

can't do enough, but maybe this could be

used as, you know, this technology could be

used in a specific application like a VPN

where it doesn't need as much processing

power. I'm not sure, but I think it's

definitely an area that, you know, privacy

advocates should keep an eye on because

this is technology that could be used

in a positive way, hopefully not for AI,

but if it's used for AI, I mean,

I hope it offers some sort of extra

privacy protection.

Um,

I think one concern a lot of people

have is their prompts being used for

training data.

If it wasn't in a secure SGX, like,

or I guess,

what are they calling this one?

They're calling it the,

the trusted execution environment.

fully homomorphic encryption chip in a

trusted security environment or whatever

Nate said.

Yeah, like, yeah, I don't know.

That would be better than people just

giving their data straight to OpenAI.

But I feel like the interest of these

big companies is not in protecting

people's privacy.

They like to slurp up your data for

training.

Um,

so I'm not sure this can maybe become

more popular on like a niche product like

Proton,

but I don't think OpenAI or Google

Gemini is gonna sacrifice their speed,

their processing power just for, you know,

protecting their people's private,

the user's privacy.

I don't think.

Yeah, I mean, not to be overly optimistic,

but I think the thing that makes me

excited about this kind of stuff is that

it's another step forward, right?

Like, yeah,

it's still not ready in this state.

It's still too slow, and there's...

What did they say at the end here?

Uh...

For FHE to take off,

there needs to be support at all levels.

And then there's a company that focuses

more on the software side of things.

There's another company that's looking to

move away from the limits of traditional

computers and utilize photonics,

computing with light to speed up FHE even

more.

So there's still a lot to be done

and different people trying to tackle it.

I think...

What I like about it is just the

fact that it is a step forward because

FHE, yeah, I mean, it's,

I think we both kind of said the

same thing that like,

there's no guarantee that companies will

use this.

And Freya did even specifically mention

like AI, you know,

maybe they said it could be the case

that in a few years,

it'll be the norm to make a fully

end-to-end encrypted query to Google or

ask ChatGPT for dinner ideas in a

fully end-to-end encrypted manner.

But even if we get to a point

where it's like, yeah,

the resource usage is minimal,

the speeds are minimal,

this is totally economically feasible,

will it still be economically feasible for

the company who collects all your data?

Which at that point, I think,

this is kind of a different discussion,

but I think some...

I think there has been a rise in

people caring about privacy.

You can tell in the marketing.

Everybody's always trying to like, oh,

we care about your privacy with this

product, even if they don't.

They say they do.

We give you the option to opt out.

We don't train on your prompts.

Companies say that stuff,

which to me tells me that there are

people who

are concerned about this stuff and maybe

don't know as much as they should.

Maybe don't understand what the company's

lying when they say that or how to

tell if the company's lying.

But the point is,

I think there will be some people who

like, you know,

for all the crap we give Apple,

I could totally see Apple if this became,

again, economically feasible,

Apple being like, yeah, let's do this.

And it's like,

Now that Apple's doing it,

Google's got to keep up or somebody's got

to keep up.

So they'll always try to find a way,

just to be clear,

they'll always try to find a way to

do the bare minimum.

So even if Apple or anybody,

if anybody were to roll this out,

there will be other companies who are

like, yeah,

we encrypt your stuff at rest and we

say that it's encrypted.

We already see that right now, right?

We see that with Apple.

like companies saying, oh,

we secure your stuff with military grade

encryption, which means nothing.

And it's just a marketing thing while

they're doing the bare minimum.

It's like, yeah,

you use passwords and TLS.

Nobody's impressed.

But I don't know.

My point being is it's definitely a

different set of obstacles to get over,

but it's still nice to see

that this is taking steps forward, um,

and even becoming an option in the first

place,

because that's really the first step,

right?

Is this has to be usable so that

people can use it.

And then hopefully from there it'll become

adopted.

But at that point we're speculating and my

crystal ball is currently in the shop.

So I cannot predict the future.

Yeah, but yeah,

that's pretty much all I had to comment

on that one.

I mean,

hopefully that is a useful discussion for

you to understand it a bit better.

I hope we explained it well enough and

at least cut through some of the hype

because definitely is a little bit hyped,

I think.

But yeah.

Yeah, definitely.

It's a complicated topic.

So we like severely dumbed it down,

but hopefully that did help.

But I think that's everything we had for

this week.

So thank you guys for watching.

All the updates from this week in privacy

will be shared on the blog every week

that we just talked about.

So go ahead and sign up for the

newsletter or subscribe with your favorite

RSS reader if you want to stay tuned.

If you are an audio listener,

we have this podcast available on audio

platforms,

all podcasting platforms and RSS as well.

And the video itself will be synced to

PeerTube, so stay tuned for that.

Privacy Guides is an impartial nonprofit

organization that is focused on building a

strong privacy advocacy community and

delivering the best digital privacy and

consumer technology rights advice on the

internet.

If you want to support our mission,

then you can make a donation on our

website, privacyguides.org.

To make a donation,

click the red heart icon located in the

top right corner of the page.

You can contribute using standard fiat

currency via debit or credit card,

or you can donate anonymously using Monero

or your favorite cryptocurrency.

Becoming a paid member unlocks exclusive

perks like early access to video content

and priority during the This Week in

Privacy livestream Q&A.

You'll also get a cool badge on your

profile in the Privacy Guides forum and

the warm,

fuzzy feeling of supporting independent

media.

Thank you all so much for watching,

and we will be back next week.

See you next week.

Creators and Guests