Why Does Microsoft Hate Security?
All right.
Microsoft abruptly terminated the accounts
of two multiple actually FOSS projects.
Employers are now using personal data to
figure out the lowest salary that you'll
accept.
And the FBI was able to recover deleted
signal messages from a device's local
notification database.
Busy week this week coming up on This
Week in Privacy number forty eight.
So stay tuned.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we've been
working on within the Privacy Guides
community,
and this week's top stories in data
privacy and cybersecurity.
I'm Jordan,
and with me this week is Nate.
How are you doing, Nate?
I'm doing pretty good.
It's been a good week.
How are you?
I'm doing good,
getting ready to dive into this top story
here.
So this week,
kind of a huge story that's been going
around.
Microsoft abruptly terminates VeraCrypt
account, halting Windows updates.
So basically, quoting from the article,
Microsoft has terminated an account
associated with VeraCrypt,
a popular and long-running piece of
encryption software,
throwing future Windows updates of the
tool into doubt.
Veracrypt's developer told for media,
the move highlights the sometimes delicate
supply chain involved in the publication
of open source software,
especially software that relies on big
companies, even tangentially.
So according to the Veracrypt developer,
I didn't receive any emails from Microsoft
nor any prior warnings.
VeriCrypt is an open source tool for
encrypting data at rest.
Users can create encrypted partitions on
their drives or make individual encrypted
volumes to store their files in.
Like its predecessor, TrueCrypt,
which VeriCrypt is based on,
it also lets users create a second
innocuous looking volume if they are
compelled to hand over their credentials.
And I'd also like to add you can
actually do full disk encryption with
VeriCrypt.
This is why this is quite a concerning
move because
uh if you lose access to your full
disk encryption then obviously you're not
going to be able to access your files
so that is kind of a big concern
here as well um and i guess moving
on to the second thing here wireguard vpn
developer also can't ship software updates
after microsoft locks their account so if
you didn't know already wireguard is a
protocol that most vpn providers use to
facilitate the VPN connections.
And they also have an official WireGuard
app that you can use with your WireGuard
profiles.
And this app on Windows is currently not
being able to be updated because the
WireGuard developer has also been locked
out of their Microsoft developer account.
So that means that they can't ship
software updates to Windows users.
Jason Donnefeld
The creator of open source WireGuard VPN
software told TechCrunch that he has been
locked out of his Microsoft developer
account and as a result cannot sign
drivers or ship updates for WireGuard for
Windows users,
which are critical for its software to
run.
And I think probably the most concerning
thing here is if there was a critical
vulnerability found in WireGuard VPN on
Windows,
they wouldn't be able to ship an update
and get it fixed.
So this is kind of a concerning thing
to be happening right now.
But we did see that there was a
sort of update to this story.
So we did want to mention this immediately
off the bat.
Zach Whitaker from TechCrunch did a
Mastodon post saying that he had contact
from VeraCrypt and WireGuard,
both telling them that they had regained
access following their Microsoft account
lockouts and can now release updates
again.
So that was on the eleventh of April.
And a lot of these articles were coming
out on the April the eighth.
So it took a couple of days for
this to happen.
And I guess a lot of backlash, actually.
So there's this article here from Bleeping
Computer that also goes a little bit more
into depth about how this worked.
So according to the VeraCrypt developer,
his account was actually terminated,
which I basically need to have
a Microsoft developer account to sign
Windows drivers and the bootloader.
I believe this is because the secure boot
process, if the drivers aren't signed,
and it won't be able to load properly
or something like that.
I've tried to contact Microsoft through
various channels,
but I've only received automated replies
and bots.
I was unable to reach a human.
I cannot publish Windows updates.
So I think this story kind of highlights
the concern of trusting a centralized
entity with the update process.
So in this case,
Microsoft does have quite a lot of control
over which developers can actually
create apps and updates on their platform,
which, you know,
we obviously oppose this because people
should be able to run whatever software
they want on their computer.
They shouldn't be held hostage by a
corporation.
And I think in this case,
it also ended up being a kind of
security risk because they weren't able to
release updates and they could have been a
critical vulnerability found.
But I do want to mention that WireGuard
VPN is notoriously very stable.
And the amount of updates that have been
published for it have been quite minimal.
And there haven't been that many critical
vulnerabilities found.
So that is a benefit.
It's also because the WireGuard protocol
is much leaner than other protocols like
OpenVPN.
So that does benefit it in that
circumstance.
In this article here from TechCrunch,
Sorry,
this article here from Bleeping Computer,
it also stated that dev teams from
Windscribe and memtest-eighty-six have
also been locked out of their accounts
too,
so big issues for Windscribe and
memtest-eighty-six.
And it is kind of concerning that this
happened without any warning,
no notification,
just these developers trying to access
their accounts and they weren't able to.
And like Jonah said here in the chat,
he said,
almost like having a triopoly on app
stores isn't a good idea.
Yeah,
I think we should be trying to focus
more on having more app stores,
having alternative ways to install
software.
I think, yeah.
I mean,
one of the benefits with Windows is you
don't have to use the app store to
install apps.
You can actually install them
independently, which is a benefit.
But it also,
like we said in this story,
there is a...
element of control that Microsoft has
because you need their permission to sign
drivers and write to the bootloader.
So if you don't have that developer
account,
then you're not going to be able to
do that properly.
In that case,
your users would have to basically bypass
that,
which is a much more technical process.
Although it is possible,
it's not really recommended and a lot of
users are probably going to feel unsafe
about doing that.
so i feel like i've talked for quite
a while here um nate do you have
any thoughts on this story so far oh
man i mean i think you covered most
of it for sure i think um yeah
it's really uh it i'm glad you mentioned
the um the full disk encryption nature of
vericrypt i'm a vericrypt user myself i i
will admit that and um it's
VeriCrypt can be used either to encrypt
specific things like you can create a
container or you can encrypt like an
external hard drive.
Or like you said,
you can encrypt your entire Windows
computer,
which my wife is primarily a Windows user.
I kind of dual boot in between Windows
and Linux for the most part.
I really just use this Mac for this
and that.
when I travel and stuff.
So that's kind of one of the first
things we do is where I'm going with
that is we encrypt our computers with
VeriCrypt.
And the developer,
I forget which article he said it in.
He may have said it in all of
them.
But the developer pointed out that if they
hadn't gotten this fixed in time before
the certificate ran out,
which I think would have been early June
or end of June, sometime in June,
then that could have potentially meant the
computers wouldn't boot.
And on top of it,
since he can't push out an update,
how are you supposed to make sure that
people know like, Hey,
decrypt your computers because they might
not boot.
So it's really, it's really,
really troubling for sure.
The,
The thing I like about the bleeping
computer article is that it gives more of
Microsoft's side of the story.
And I don't like that necessarily because
I care what Microsoft's opinion is,
but just to have the full,
complete information, right?
And Microsoft claims that ever since,
I think it was April of last year,
they've had this program where developers
have to verify,
which we're seeing that now on the Android
side of things, right?
And Android, it's not...
I don't wanna say it's not going well
because it's not been rolled out yet,
but this just shows things can go wrong,
even well-meaning things.
There are problems with this model.
And so it's really confusing.
Did these people just somehow miss the
notifications?
Was there some kind of glitch where they
didn't get notified?
Because the Microsoft,
I think it was like a VP,
was saying that they've been sending out
emails,
they've been sending out notifications.
He said they've been emailing everyone
since October,
I think the guy from VeriCrypt said that
he noticed this account was shut off in
January.
It's just,
we're just now finding out about it for
some reason.
Not like he was hiding it.
He was just,
he was busy trying to figure it out.
And for some reason,
it's just now that he's coming forward and
being like, hey,
here's where I've been for the past couple
of months.
So, I mean, yeah, there's so many,
Like, so many questions here, you know?
Because there's... Again, there's like...
Did something just get missed?
I don't know.
Why all of these?
I have a hard time believing that like
Windscribe, they have a whole team.
How did a whole team miss this?
And like, for the record,
I'm not blaming Windscribe with that.
I'm blaming Microsoft.
Like,
I don't think Microsoft did a good job
of notifying everybody if they did at all.
It's really weird.
I don't like to assume malice.
You know,
I don't like to look at this and
be like, oh,
Microsoft's trying to crush open source.
But I certainly have a lot of questions
and I don't understand how so much fell
through the cracks and so much got missed.
And
It really shouldn't take all this negative
media coverage for Microsoft to be able to
do something.
That's a big concern that I've had for
years,
that I've noticed years and years and
years ago that...
It was with Facebook specifically.
So I used to manage bands and one
of the bands I managed wanted to change
their name because there was another band
with the same name that got super,
super popular.
So they're like,
we need to rebrand because we keep getting
confused with them.
And like trying to get Facebook to rename
this band was literally a multiple months
long deal.
And it's like,
why can't I just talk to a person?
Like it doesn't even have to be real
time.
I'm not asking to call somebody or chat
with somebody.
Why can't I email a human being?
And it's just â everybody's trying to cut
down on the cost of having a support
staff, and they're trying to save money,
and it's all about shareholders making
more money and stuff.
But it's just like this is the result
is things don't get â like what if
this had never taken off the way it
had been?
Like this would have been a really big
deal.
This would have been really bad.
So â
Sorry,
I'm having trouble putting my thoughts in
order.
But yeah, this was so, so not cool.
And I guess it makes me wonder.
So, like, first of all,
what do you think,
if you have any opinions,
what do you think developers could do
against this?
Because, I mean,
it really does seem like Microsoft holds
all the cards here.
And I don't know.
Like, it's...
because these are privileged software,
right?
I think that's the difference.
We were talking about this in another chat
earlier today,
is like when I install things on Windows
that don't come from the Microsoft Store,
even when they're unsigned,
there's a little pop-up that's like, hey,
this is unsigned.
And I can tell it like, yeah,
I know, install it anyways.
But for these like really high level,
very privileged things, it's like,
I don't even know if there's a way
around that.
So I mean, yes, in a perfect world,
switch to Linux, right?
But I don't know if there's any other
alternatives there.
Do you have any thoughts on that?
Yeah, I think, you know,
when there's a gatekeeper and that
gatekeeper is Microsoft,
there is like not a whole lot we
can do in this case, unfortunately,
which kind of sucks.
Like you said,
like switching to operating systems that
respect you and don't hold your computer
hostage and do this sort of silliness is,
I mean,
I'm sure there is a security benefit from
doing this, but I think, you know,
we have to look at things from like
different angles as well, right?
Like what does this power that Microsoft
holds, what can it be used for?
And if they can lock people out of
their accounts accidentally, accidentally,
I'm saying in quotations,
very large quotations, but, you know,
then what could they do if, you know,
there was a foreign government that didn't
really like, oh,
we don't like that you're allowing people
to use WireGuard VPN to bypass our
firewall or,
something like that, right?
I think people should be able to use
their computer in whatever way they want,
right?
We shouldn't be, we shouldn't be,
you know,
bowing to Microsoft's wins on what we do
on our computers.
So ideally people are using Linux here.
I mean,
there's definitely the ability to use
different repositories is great.
I think
it's kind of unfortunate though,
whoever controls the platform kind of gets
to decide these things.
And as far as I'm aware,
there's Linux is basically the only system
where there isn't a big tech corporation
with ultimate control over everything
because Android,
like we've kind of seen Google owns the
Android source code.
So a lot of times they can exert
things onto the operating system that, uh,
against the user's interests,
for instance.
Like we've seen where they're stopping
people from installing apps on their
devices and stuff like that.
We're still kind of monitoring that
situation as well.
But I think when we operate on platforms
that are not controlled by the community,
then that's when we run into issues like
this.
So yeah, I mean,
I don't really have too much more to
add unless you have something.
No, yeah,
I guess just the last thing I wanted
to mention is,
do you happen to know off the top
of your head what PrivacyGuide's official
encryption software recommendations are?
Off the top of my head,
we do recommend VeriCrypt, I believe.
Yeah.
Okay.
Yeah, I've got it pulled up here.
Let's see.
Can I share?
Yes, sharing this tab.
Okay.
So it looks like we do recommend...
If you're trying to upload to the cloud,
we do recommend Cryptomator.
We do recommend VeriCrypt.
It does say that...
for disk encryption um interesting i did
not know we recommended that for full disk
encryption but yeah the like i said it
can also be used for standalone for to
encrypt like an external disk but oh there
it is operating system encryption yeah we
typically recommend whatever it comes
built in with so like linux distros will
come with lux which is the linux unified
key setup um the only thing that kind
of sucks is i'm told that it can
only happen
At the start, like when you install Linux,
I don't think you can go in and
add it afterwards,
at least not very easily.
It's kind of clunky.
Macs come with FileVault and Windows.
So Windows has BitLocker.
It's kind of tricky to use because
originally it was only in like the upper
level versions,
like the Pro and the Enterprise,
which typically cost a lot of money.
The home version now has it if you
use a...
if you use an online account,
which we definitely do not recommend for a
variety of reasons.
And, uh, yeah, but there's,
there's ways to, you know,
you can upgrade to pro, which, uh,
you can usually find, um,
make sure they're the reputable,
but you can usually find resellers online
who will sell them a pro license for
a lot cheaper and stuff like that.
So BitLocker, I will be honest,
me personally, um,
I'm not too crazy about BitLocker because
I've seen a lot of vulnerabilities in the
past where there's a vulnerability found
in full disk encryption and BitLocker is
vulnerable to it, but VeriCrypt is not.
Or I've also seen stories about there's a
bug and now BitLocker won't decrypt and
you can't boot your operating system.
You have to recover it.
So always make sure you save the recovery
methods because that's really important.
But at the same time,
I guess to make devil's advocate argument,
We know that BitLocker is secure.
We did cover a story about this a
while back where law enforcement requested
some BitLocker keys from Microsoft,
and Microsoft only had them because the
whole online account thing,
they were not able to get it just
the â what's the word I'm looking for?
They were not able to get it just
from the device.
As far as we know,
BitLocker has not been broken by law
enforcement or anything.
But also,
we would have been in the same situation
about not being able to boot had this
VeriCrypt thing not happened, right?
And there's also plenty of Windows
softwares that break Windows even without
the encryption enabled.
So I guess my point is,
I think there's pros and cons,
but BitLocker does have a lot going for
it.
Just something to be aware of.
Yeah.
Yeah,
I guess that's all I got on that
one.
Also, yeah,
just a reminder to get off Windows if
possible.
Even if you dual boot,
I mentioned I have Windows and Linux.
I don't fully run Windows all the time.
I try to use Linux whenever I can,
and then I use Windows for the more
CPU-intensive stuff,
like video editing and stuff like that,
that my Linux machine just can't really
handle.
I think that is all I've got.
All right.
And I think if that's all we've got
on that story,
we are going to talk next about a
wage.
What is it?
Surveillance wages.
Cause you know,
just when you think privacy can't get any
worse.
So this comes from market watch and it
says employers are using your personal
data to figure out the lowest salary that
you'll accept.
And yeah,
Man, I mean, honestly,
this article really,
the headline kind of says it all.
So there's been a lot of talk lately
about surveillance pricing,
which is where
And as far as we know,
this is happening more online than in
person.
But companies will use the data about you
to try and figure out like, oh,
maybe you'll pay a little bit extra.
You'll pay a little extra for this plane
ticket.
You'll pay a little extra for this.
I think there was a story a while
back that found out that if you were
in the parking lot of a Target and
you open the app on your store or
open the website,
They would actually try to charge you more
because they figured that you probably
weren't going to go to another store,
which I don't know who's going to sit
in the parking lot and then order
something.
That's kind of weird.
But there's also been a lot of allegations
about â well,
I mean actually â
No, because that's this data.
There's been allegations like Uber,
for example,
if they can tell your battery is low,
that they'll charge you more because they
know that you can't afford to wait for
the price to go down.
I don't think that was proven,
but that's definitely an allegation and I
wouldn't put it past them personally.
So yeah,
now the new thing is using your personal
data to figure out how much to pay
you,
which in the past has historically been
based on things like how long you've been
in this industry,
how long you've been at this job,
what the actual job title you're applying
for is, certifications, things like that.
which I'm sure will probably still play a
role.
But of course,
now they've got to factor in things like,
where did it go?
Things like if you've taken out a payday
loan,
if you have a high credit card balance,
I just made a big move and I'm
not going to lie.
We moved from a very high cost of
living area to a lower cost of living
area.
We didn't have savings because the cost of
living was so high.
So I've got a pretty high credit card
balance right now because we use that to
fund a lot of the move.
Um, so things like that,
I think further down, they did talk about,
we've actually,
I really feel the need to point out,
this is not hypothetical because I've been
hearing for a long time now that this
is how it works with gig, gig work.
And, you know, things like, um,
like DoorDash,
there are certain people who start out
making more, like if, if, okay,
if I put it in an order to
DoorDash,
And it goes to two different people,
two different dashers.
One of them will see a higher price
than the other one based on things like
how picky they are with their â do
they just accept every single one that
comes along or do they wait for the
better ones?
And the ones that typically pay more will
usually go to those people first, right?
Which is so predatory.
It's so â I feel like I'm getting
ahead of myself,
but like â
I don't know.
Yeah.
Like, okay,
we'll just jump into that part because I
mean, again, this is the story.
Well, okay, hold on.
There is one more thing I want to
point out before I jump into the analysis
portion, which is they say that, um,
The vendors that provide tools that make
this possible, oh, no,
it's a little bit further up.
Yeah,
a first of its kind audit of five
hundred labor management artificial
intelligence companies found that
employers in healthcare, customer service,
logistics,
and retail are customers of vendors whose
tools are designed to enable this
practice.
The report does not claim that all
employers using these systems engage in
wage surveillance.
Instead,
it warns that the growing use of
algorithmic tools to analyze workers'
personal data can enable pay practices.
And I skipped over it earlier,
but when they talk about, like,
high credit card balance and stuff,
they can also scrape your social media to
see if you are more likely to join
a union or could become pregnant.
And...
I guess the last thing I'll say is
I love down here.
They were talking about how there are laws
now that are trying to outlaw surveillance
pricing,
but a lot of them have not caught
up to wage surveillance wages,
except for one,
which is Colorado is trying to pass the
prohibit surveillance data to set prices
and wages act,
which would ban companies from using
intimate personal data.
Um, it carves out performance-based wages,
uh,
which I mean on the surface sounds fine.
Uh, I like that.
He says, uh,
Here it is.
The bill would prohibit companies from
using workers' personal data without their
consent to determine what they're paid.
So, I mean,
I read that without their consent.
I'm like, yeah, of course,
that's going to be buried on page fifty
of the contract, right?
That's ridiculous.
So, yeah, I don't know.
Anyway,
so getting back to the analysis portion of
this, this is really frustrating.
I had the privilege of interviewing
someone recently that we'll talk about a
little bit more later.
coming up here, but she spoke about how
a lot of this surveillance used to like
set prices and set wages like this,
it becomes deterministic, right?
Because here's what I can see happening is
you go up to your boss and you
say, I think I deserve more.
And your boss says,
or even negotiating a new job, right?
Because I've done that where I go to,
I get a job and they say,
we'll pay you this much.
And I say, I think I deserve more.
And I've successfully done that.
And what happens when they come back and
say, well, we can't.
Like I do that every,
you guys may or may not know this.
If you rent,
sometimes you can negotiate your rent.
Like I've done that.
I've gone to the leasing office and been
like, I don't want to pay more.
Like,
let's see if we can find to an
agreement and they'll walk it down a
little bit.
And then I've been to other places where
they're like, no,
that's out of our control.
We can't do anything.
And my fear is as this continues to
grow,
we're going to see more of that
That second thing where people are like,
no, we can't do anything.
It's just,
it's set what it is because that's what
the algorithm says.
And I can't,
I don't have the authority to push back
on the algorithm,
which is demeaning to your employees.
But it's also deterministic.
And it sets us in this like,
this like,
almost like a lack of free will.
I just don't want to use the word
deterministic again.
But it sets us in this environment where
we have no freedom, really.
We have no growth because now it doesn't
matter how hard you work.
It doesn't matter, you know,
how good you do.
It's, you'll forever hit a cap, right?
And sure, those things will matter.
Those things will help.
But, you know,
if you've got the high credit card debt,
if you've got pro-union views on social
media,
now you can either choose to not talk
about that
Or you can choose to just like forever
not reach your full earning potential,
which then keeps you trapped in this
cycle.
And it's just, oh my God,
this is so predatory.
And yeah, I don't know.
I feel like I kind of rambled a
little bit on that one,
but hopefully I kind of said something
coherent.
Yeah.
I mean,
I think one important thing to add to
this is we already see like when it
comes to employment and like how much
people are paid,
like this is already an issue without like
the surveillance stuff, right?
Like,
we have studies that are done where,
you know,
there's people that apply with the same
resume,
but they change the name from a female
name to a male name.
And then the person they get employed more
under the male name,
then they get more interviews under the
male name than the female name.
I think this is just like increasing the
level of discrimination.
People are going to be finding themselves
in right.
Like, Oh, your name appears like this.
And we already kind of know that these
AI systems are incredibly biased against,
um,
people of color, you know, uh,
marginalized groups that are less
represented.
They're, they're not as that,
that these systems are trained on data
that doesn't have them as the majority.
Right.
So it's going to kind of deprioritize
their, uh,
their skills and their experience, right?
So I think this is sort of an
additional layer to that discrimination.
I think someone said here,
Plants McGee said,
giggles in European where this is illegal.
Yeah,
this is illegal in a lot of the
world, actually.
I'm kind of surprised that this isn't
illegal in the US,
but I guess that is the state of
things.
You know what, though?
I don't mean to cut you off,
but I'm glad you mentioned that because I
did want to mention that.
I don't want to get after anybody here,
but I just want to point out,
in my personal opinion,
I think that's a dangerous attitude to
have.
We're like, haha,
that wouldn't happen here.
Just, what was it, late last year,
early this year?
The EU is talking about rolling back parts
of GDPR to be more competitive on the
AI industry.
So like,
Yes.
Like laws help.
Laws are good.
That's I'm glad you guys have that,
but I just really feel the need to
point that out.
Like still keep an eye on this stuff
because laws can change.
And I am under no delusion that European
politicians care more about their citizens
than the U S ones.
They're just, you know,
they put on a better facade about it
in my opinion, but yeah,
just to just keep that in mind,
laws can change and that stuff can go
away.
We gotta,
we gotta make sure that we're constantly
fighting for our privacy rights,
not taking it for granted.
So yeah.
Yeah, exactly.
I mean, I don't know.
This story is kind of, uh,
I don't know.
I think, yeah,
there's laws in countries like the
European union where like, you know,
access to personal information for
employment purposes is protected and not
able to be run through an algorithm or
whatever.
Um,
and there's laws against that in the EU
and, um,
I know in Australia, technically,
that's classified as discrimination.
So it depends on the country.
But like Nate said,
I think it's important.
We can't just say, oh,
it's just the US being the US.
I think we should be constantly vigilant
of governments that are trying to do this
stuff.
Yeah,
so it is a good point that AI
will just be fancy autocorrect and picking
the most likely responses will inherently
lead to a tyranny of the majority rather
than a fair system.
Exactly.
So it kind of has that effect, right?
I think, you know, it's more likely to,
it basically just mirrors the reality,
right?
In a lot of cases,
which the reality is people get
discriminated against and people are paid
less depending on their,
their identity, which is,
we've done studies on this.
We know this is the case.
It's kind of something that we're trying
to fight against to stop,
but it's not something we've completely
solved.
And yeah, I think, you know, if we,
if we try and make sure people are
aware of this,
I think some of the stupid stuff that
I've seen is a lot of companies are
using like
AI to scan people's resumes when they
apply and it will like check the keywords
and stuff and people were just like
putting invisible keywords on their
resumes To make it detect it like this
is this is incredibly silly stuff I can't
believe I have to say this but like
we need to go back to when humans
were reading resumes and interviewing
people and not feeding their information
through an AI system and
That's also just terrible for the person's
privacy.
Like,
I don't want everyone to know my
employment history or where I worked or
what I've the schools I've been to.
And, you know,
that's just another thing that we're
feeding the AI systems.
Like really we're putting all this
information through these massive AI
companies with like no corporate like
control, especially in the US.
Like there's, I feel like there's,
it's very lax at the moment because the
entire economy is basically propped up by
the AI data center industry.
It does seem like that is starting to
fall down a little bit now,
like with a lot of data centers being
canceled, but.
I definitely think the AI hype stuff is
propping up a lot of stuff.
And it kind of means that a lot
of cases this behavior is allowed and when
it shouldn't be.
So, yeah.
That's kind of my thoughts on that.
Did you have anything more you wanted to
add, Niamh?
No.
I think just, yeah, it's such a, like...
it doesn't matter where you are in terms
of your economic beliefs.
Like even if you're a free market person,
there's always going to be someone who can
do the work for less.
And when it's a race to the bottom
like this, everyone loses.
I mean, just look at airplanes, right?
It's, you know,
even Southwest now is getting away,
doing away with their like first come
first serve seating and like free check
bag because it's becoming such a
competitive market.
And they, I don't know,
it's such a race to the bottom.
One of the,
the headers here that I think I may
have scrolled past said judging our
desperation rate, which is again,
it's just so predatory.
It's one thing like surge pricing is one
thing, right?
Because surge pricing looks at the entire
market and says using Uber as an example,
a concert just ended.
There's a, you know, ten thousand people.
That's probably too many.
Five thousand people in this one spot
trying to get home.
We're going to charge more.
Right.
But this is looking at an individual
person.
This is looking at you specifically and
saying, I know that.
that you've sent out five hundred resumes
this week.
I don't know how you did that.
You probably used a bot,
which I wouldn't blame you.
You sent out five hundred resumes this
week.
You've gotten two callbacks and you've got
a thousand dollars left in your savings
account.
You will literally do anything.
And I'm going to give you the bare
minimum that I can to make you say
yes.
but also not pay you.
Your other coworkers are making more than
you do.
Personal opinion,
I've always thought it was ridiculous that
you're not supposed to talk about pay at
work.
No,
I was always happy at my last job
to tell people how much I was making
because I wanted everyone else to know.
I think I've mentioned this in my last
job.
I was...
the highest paid person in in our job
title just by sheer coincidence and luck i
don't know how i got that and i
was very open about that not because i
wanted to brag it to everybody else but
because i was like you guys like i
don't think i'm better than everyone else
you guys deserve to be getting paid more
too and i would tell people that kind
of stuff all the time so like yeah
um jonah says five hundred resumes in a
week sounds like fighting ai with ai hey
man you know that's that's the the
situation we're in right it's ai writing
emails ai reading emails ai responding to
emails it's yeah
But I don't know.
It's yeah,
I'm kind of going off on a rant,
but this just makes me so mad because
it's so, I keep using the word predatory,
but it removes, it removes everything.
It removes the hard work.
It removes the whole like, and again,
it doesn't matter what your beliefs are.
Even if you're like a pull yourself up
out of your bootstraps person,
you can't anymore because it removes that
possibility because they know exactly how
much you need and they will never give
you a penny more.
It's just, it just frustrates me.
So sorry,
I feel really passionately about this
subject.
Yeah,
I think it goes without saying people
should be paid a dignified amount.
And yeah, I agree totally.
Like, I think it is important to me.
There's a weird culture around not sharing
how much money you make.
I'm not really sure what the reasoning is
behind that,
but I think it is important to be
open about that, especially because,
you know, your employer, well, I mean,
not every employer,
but this
the people that are using this software,
they are not holding back.
They are doing everything in their power
to pay you the least amount.
So the least you can do is discuss
this with your coworkers, um, unionize,
do all those sorts of things.
Right.
Like, I dunno, maybe that's, uh,
that's too much, but I think it is,
uh, it is important, like another thing.
Right.
But I think, you know,
if your employer is doing this sort of
stuff to employ people,
Name and shame, name and shame,
like seriously,
like that is the sort of thing that
people go on strike for.
So I think if there's companies that are
doing this,
definitely try and get them to stop
because like Nate said,
it's discriminatory.
It's like, you know,
it's removing people's power to control
things.
And yeah,
if you think it's not already happening,
definitely go read this article because
they lay out several scenarios they looked
at where it's like, this is happening,
like not could happen.
Like this is happening in like,
they mentioned, what is it?
What is it?
Staffing, gig nurses, again, gig workers,
DoorDash, Uber,
like it's already happening there.
There's no reason it's going to stop.
And God,
twice now I've had something pop into my
head and then I lost it.
I hate when that happens, but.
Yeah, it's...
This is one of those moments where laws...
I mean...
I know laws are controversial.
Like people are always afraid of
over-regulation and afraid of like,
you know, Oh,
companies break laws all the time,
but like,
what else can we do about this?
There is no, I mean, yes,
we can all take our privacy seriously and
we should,
regardless of whether or not this is
happening, but there's really like,
I don't see any way to fix this
other than just straight up outlawing it.
Like we were talking about earlier,
this is illegal in a lot of countries.
It should be legal here in the U
S it should be very illegal.
Everyone should be mad and sending this to
their politicians and being like,
we need to outlaw this before it becomes
a regular practice.
Cause yeah,
Oh,
I remember what I was going to say.
Because yeah, on that note,
you can't tell me this is a problem
that the free market is just going to
fix.
Because look at Amazon.
Everyone knows Amazon,
especially the Amazon brand,
is usually cheap garbage.
And you can't tell me that Amazon became
the behemoth they are today by putting out
the best product.
They did it by undercutting everyone else,
by knocking off everyone else,
by using manipulative algorithms to
prioritize their crap first.
I guarantee you,
Amazon doesn't pay for that ad slot at
the beginning.
It's just, this is not...
Yeah, this is a complicated thing to fix.
And it's not just going to fix itself.
That's what I'm getting at.
But anyways,
I think we beat that to death unless
you have something else to add there.
Okay, so in a minute,
we're gonna talk about how the FBI was
able to recover signal messages, sort of,
from a locally stored database on a phone.
But first,
we're gonna talk about some updates about
what we've been working on at Privacy
Guides this week.
And the first thing is,
we have a new interview coming out on
Sunday.
If you guys have not seen that yet,
it's in the newsletter.
Go check out privacyguides.org slash
livestreams.
It should be there right now.
That's live streams with an S on the
end, just by the way.
And we have an interview with the one
and only executive director of the EFF,
Cindy Cohen, will be coming out on Sunday.
I'm super excited for it.
I was the one who got to do
the interview and I'm still excited about
it.
It was really cool.
She was awesome.
And I think it was a really good
interview.
I tried to make sure it was applicable
to everyone.
So we talked about how to stay motivated
in the fight for privacy.
We talked about how to build a good
community.
We talked about what she learned in her
time fighting with the government and her
kind of insights on that.
So really excited for that.
Make sure you're subscribed on YouTube,
on PeerTube,
because we'll be posting it there as well.
PeerTube, of course,
does not have the little premiere feature,
but obviously we do post everything on
PeerTube as well.
So
Make sure to check that out.
And just to hype you guys up for
it a little bit, on the XIX,
we're also going to be interviewing
Carissa Veiles about her upcoming book,
which is coincidentally about AI and all
this stuff we just talked about.
And a lot of the stuff I got,
you know,
a lot of the stuff I was saying
about how this makes it deterministic and
it removes meritocracy.
Like,
these are all things that she talks about
in her book and in her interview.
So...
Yeah.
And then my last thought is that we
are working on a video coming up soon
that many of you have requested.
And that's all I'm going to say to
kind of build a little bit of hype
for that.
So that is what is going on on
the video front here.
And I'm going to turn it over now
to Jordan to let me know what I
may have missed.
No, didn't miss anything.
But we do have some other things that
we've been working on more on the site
update section.
So there wasn't any site updates this
week, but there was.
Freya has put out another article here.
It's about OKCupid settling after selling
three million photos to a facial
recognition company.
Oh,
now that's probably not what you want to
hear about your dating app.
But yeah, if that sounds interesting,
you can check that out.
Go to privacyguides.org slash news to
check it out.
And we've also been what,
so our activism lead,
M has been working on a section for
the website,
which if you haven't called it already,
there was the Privacy Activist Toolbox has
been released.
So you can visit that by going to
privacyguides.org slash activism.
There's the Privacy Activist Toolbox,
which came out a couple of weeks ago.
And that has a lot of tips about
how to
be an effective privacy activist.
There's a lot of great tips in there,
but she's also released this new support
request here on GitHub and
Basically, it's for a DPA directory.
So there's data protection authorities and
that's basically the organizations that
you need to contact to lodge a complaint
with.
So this pull request has got basically all
the regions in the world.
Well, I mean, I'm not sure if...
Yeah,
basically every region that you would
think.
I'm sure there could be some that we're
missing,
but I think Em has done a really
good job here and has covered, I think,
basically all of them.
But there could be small ones that we
didn't find.
So if there is any of those,
I guess you could take a look at
the pull request and suggest adding those.
But so far, what we've got is Africa,
Asia, Europe, North America, Oceania,
and South America.
So basically it will list the privacy law
in particular, the abbreviation,
the data protection authority.
So you can click on that.
And there's also a contact page link and
a complaint link.
So you can basically get directly to the
page that has the complaint form.
So basically what we're trying to do with
this is make it as easy as possible
for people to make a complaint against a
company, against the government, because,
you know,
this is kind of important to
utilize.
Because if you don't use your privacy
rights, well,
you're not going to have privacy.
So if there's companies that are misusing
your data,
or if you want to get something deleted,
I think using this DPA directory is going
to be really helpful.
So definitely stay tuned for that.
I know Jonah said he was taking a
look at the pull request.
So I'm sure it'll be released in the
next couple of
weeks so it does look really nice uh
definitely check out the pull request on
github there's a preview there um but it's
really well put together um so i
definitely recommend checking that out um
it has you know all the regions that
you would expect but if there's any
regions that we missed or you know that
there's that we need to add still um
that you think we might have missed this
there's just so many countries on earth um
we i'm sure we might have missed one
or two so if there's anything that you
would recommend seeing
adding to that, um,
if you're from one of those countries,
definitely do reach out and let us know.
Um,
it's kind of going to be a community
project, I guess.
Um, if there's, there's a couple of, um,
countries now that are sort of in the
process of putting together a data
protection authority,
which is really good,
like Egypt and Mexico.
So definitely, uh,
keep an eye on that as well.
Um,
There's definitely a lot of important
information there,
but also it's sort of a project here
where we are trying to get community input
as well,
because we try and represent every country
here,
but I'm sure there's things that change or
if there's countries that are establishing
data protection authorities,
then that's a really positive step for
people in those countries as well.
Yep,
so that's basically everything that I've
got to talk about here.
There wasn't any articles this week,
so kind of a light week on that
side.
But yeah,
I guess we can hop right into our
next story here.
Oh, actually, before we do that,
all of this is made possible by our
supporters,
and you can sign up for a membership
or donate at privacyguides.org or pick up
some swag at shop.privacyguides.org.
I recently made another purchase on the
shop.
There's some really cool new merch that we
released for the activism section,
so definitely check that out.
and have a look if you didn't visit
it in a while.
There's some new stuff on there now.
Privacy Guides is a nonprofit which
researches and shares privacy-related
information and facilitates a community on
our forum and matrix where people can ask
questions and get advice about staying
private online and preserving their
digital rights.
Now,
let's talk about how little snitch is
coming to Linux.
So kind of a big announcement from Little
Snitch,
which has been historically a Mac OS only
app.
They've now announced that there is a
version available for Linux.
So this is kind of reading a little
bit from their blog post here announcing
it.
I guess press release.
Recent political events have pushed
governments and organizations to seriously
question their dependence on foreign
controlled software.
The core issue is simple and
uncomfortable.
Through automatic updates,
a vendor can run any code with any
privileges on your machine at any time.
Most people know this,
but prefer not to think about it.
Linux is the obvious candidate for
reducing that dependency.
No single company controls it.
No single country owns it.
So I decided to explore it myself.
And basically the article goes on to say
that this person was trying to find an
alternative to little snitch.
They tried open snitch.
which has several command line tools and
stuff like that.
But basically,
it doesn't have the same ability to show
which process is making connections,
which is basically the way that it works
on macOS.
Like any process on macOS,
you're able to see the connections and
block them if you don't want them to
be made.
As far as I'm aware,
Open Snitch is somewhat a little bit more
limited.
It kind of only does like application
level.
I'm not a hundred percent sure because
it's been quite a few years since I've
used Open Snitch.
And it did seem like it was a
bit more complex.
So to use like the interface wasn't
particularly easy.
So this person has developed,
this person at Objective Development has
created a
linux version of little snitch now let's
like kind of clear the clear the air
on how this works so basically it is
there's another app on little snitch on
mac os but i can't remember what it's
called so there is another app on the
it's called lulu and it's by
another company.
It's a nonprofit company.
So definitely, yeah,
Lulu is the other one you're thinking
about.
But yeah,
this one here is Little Snitch has
previously been a paid software.
So it's actually kind of surprising that
this is a free and open source.
It's licensed under GPL v.
So it could be quite cool to see
package managers just adding this by
default,
like just adding this as a package.
But basically, the way that this works is
It is a browser app, kind of.
It's like a web app, basically.
And the reason why they decided to go
with this is that it can work on
a server, right?
Because this is something that you just
run as a system process.
For instance, basically,
that allows you to access the connections
that the server is making through that
nice interface.
So that's a benefit of it being in
the browser, right?
You can access that for a remote computer,
which is extremely useful.
I'm not really sure of many solutions that
do this sort of thing,
especially that easily.
You just install a package and it's
instantly monitoring.
But kind of scrolling down here,
this is basically based on a kernel
component written for eBPF.
And that's an open source component
which is available.
So just to be clear,
the UI is open source and the eBPF
filtering component is free and open
source,
but the
Basically, the backend,
which manages rules, block lists,
and a hierarchical connection view is free
to use, but not open source.
So that's basically the reasoning behind
that is because that part is kind of
proprietary to objective development.
They've been working on that for like,
twenty years to perfect it.
So they argue that that should be
kept closed.
And they kind of did an important note
here.
Unlike the Mac OS version,
Little Snitch for Linux is not a security
tool.
eBPF provides limited resources,
so it's always possible to get around the
firewall, for instance,
by flooding tables.
Its focus is privacy,
showing you what's going on and,
where needed,
blocking connections from legitimate
software that isn't actively trying to
evade it.
So if you install malware,
little snitch is not going to protect you
from the connections getting out, right?
And at least right now,
there are some limitations.
I did see some people having issues with
Fedora workstation working correctly.
They do note that on the page,
on the download page.
I tested it on Debian and it was
working perfectly fine for me.
You just install the package and basically
it only works on kernel Linux kernel six
point one two and above.
So basically the reasoning behind this is
that older kernels currently have an eBPF
verifier maximum instruction limit.
So they kind of have to backport this
fix.
Hopefully they can kind of get in contact
with the Linux kernel developers and do
that.
So that is an interesting thing too.
But I think this is kind of a
pretty, it's a pretty basic app so far.
Like it allows you to enable block lists
and see the connections that your computer
is making.
But I think that's really all you really
need at this point.
I think just being able to see the
connections itself,
because a lot of times you'll be using
software and you won't realize that it's
making connections to like ads and stuff
like that.
especially if you're using software that
is genuine it's genuine normal software
but it's a proprietary app that you know
might have some data tracking built in
like discord or any of any other of
those types of apps um i think this
is an important tool to have on linux
uh especially because people on linux
still need to be able to see the
connections that are being made and you
know there's still privacy invasive stuff
on linux uh you can install
Facebook Messenger on Linux,
you can install Discord on Linux,
you can install Steam,
like all these apps are not great for
your privacy,
but being able to see some of those
connections I think is pretty important.
But yeah,
we kind of got this little poll up
on the screen to use Little Snitch,
you can type one,
two or three in chat to respond and
it'll pop up on the screen.
But Nate,
did you have any thoughts on this one?
No,
I think you kind of you kind of
answered the question I was going to ask,
which is, you know,
Linux is known for being more private.
So my first thought is kind of like,
is there a use case for this?
Why or why would people want to use
this?
And you made a really good point.
You know, one of the this is
tangentially related but you know a common
question is like how do i get people
to switch to xyz signal linux whatever and
one of the things that we are you
know myself and jonah and um you know
some of us always say is like you
have a lot more luck by focus focusing
on the features and so one thing i
like to point out i'm trying to get
my sister to switch to linux because she
was on windows ten and it's you know
not getting updates anymore and um
I'm going to do that with her next
time I see her in person.
And one of the things I'm going to
try to convince her is, you know,
like everything you do on a windows
computer,
you can more or less do on Linux,
especially for her.
If, if, you know,
assuming she's not using any special
software for her job.
Um, you know, you can browse the internet,
you can download discord.
You can, uh,
a lot of games are now gaming on
Linux is doing really well from what I
hear actually.
So, um, for the most part, even,
even some video editing, you know, uh,
the, the Linux computer I use is cube.
So that's a lost cause,
but for like Fedora,
you can run DaVinci on Fedora.
And I think.
Um, you know, there's, yeah,
it's just point being is like,
just because Linux itself is relatively
private,
but especially once you start adding on a
lot of these,
these features that people might use,
even at first,
like if somebody makes a switch to Linux
and at first they start using, uh,
Microsoft office, God forbid,
or something.
I don't even know if that's Linux
compatible, but you know what I mean?
Like they start off and then after a
while, they're just like, yeah, you know,
maybe I'll check out LibreOffice or
something.
And, and, you know, it's,
it's just helpful to kind of have that
ability to control things.
It may also let you know,
like if you fire it up and you're
like, oh my God,
this thing is pinging like twenty
different servers ten times a day.
Like, hold on,
let me take a closer look at this
thing.
So, yeah, it's pretty cool.
And I... I don't know.
I think that's really cool that he made
this...
I guess the selfish side of me would
like to see this come to something like
windows,
even though I know we already have things
like port master open, what is it?
Open wall, simple wall.
But it's not quite one-to-one.
So I think anytime we have more,
more options is always good in my book.
So I think that's pretty cool.
Yeah,
I think I'm also kind of biased on
this because I use their software.
I use Little Snitch on Mac.
I really think it is exceptional software.
People say to use Lulu because it's free,
but it really does not do the same
thing as Little Snitch.
Little Snitch has a lot of benefits over
that.
So it's great to see them kind of
expanding because...
people have kind of been complaining about
little snitch.
They're like, Oh,
I wish it was on windows.
Like you, like, uh,
I wish it was on Linux, you know,
different platforms I think is good.
I mean,
I'd like to see it be on windows
too, but it may just be, you know,
I feel like when we talk about these
filtering softwares, it's extremely, uh,
it's extremely specific to the platform.
Like in this case, it was using eBPF,
but, you know, on Windows,
I'm sure they've got some whole other
system, right?
So, you know, making that basically,
I guess,
compatible with Little Snitch is probably
a lot of work and, you know,
they kind of have to port the entire
thing over.
which is kind of a pain,
but I think it's good to see that
a little snitch is expanding to other
platforms and it's free,
which I think was very generous, but.
Yeah, I agree.
I fully recognize that it's not an easy
thing to go from platform to platform.
And I mean, even Linux, right?
You were saying some people on Fedora are
having some issues getting it up and
running.
And hopefully since it is open source like
that,
hopefully people can do what they need to
do to get it up and running.
But yeah, it's certainly no small task.
And I think that is really cool.
And actually, yeah,
I could never remember because I'm not a
Mac user.
I could never remember if Little Snitch or
Lulu was the one that was free.
And I didn't realize Little Snitch was the
paid one.
And I think that's really cool that
this is free.
So bummer that it's not fully open source,
but I understand the logic of like,
you know,
I've been doing this for years and I
don't want somebody to, twenty years,
more than twenty years,
and the algorithms and concepts are
something we'd like to keep closed for the
time being.
Like, I get it.
So.
Yeah, I think also here,
let's quickly cover this question we got
from Cass K. So they asked,
any tips you guys have for people who
want to start making YouTube content
related to privacy?
All right, Nate, what do you got here?
Yeah,
so I just want to mention that I
have my own website called The New Oil,
which is...
It's supposed to be like a very, very,
very beginner level to privacy stuff.
And my hope is that when people finish
reading that,
they'll move on to other resources like
privacy guides.
But over there,
I do actually have a quick start guide
on the front page for content creators.
And the reason I'm referring you over
there is because there is a lot of
different stuff there.
But it kind of goes over things like...
it's really, I mean,
as with everything in privacy, right?
It's like, what, what do you want?
What are your, your priorities and stuff?
So for example, um,
if you're going to be a Twitch streamer,
you could totally just use your handle,
right?
You know, I mean like Markiplier that,
that dude's obviously not his real name.
It's derived from his real name, I think.
But, um,
A lot of YouTubers and stuff,
they're known by their handles.
But then if you're going to be a
public figure, like a politician,
a lot of them go by nicknames.
Like Ted Cruz, his first name is Raphael.
So things like that.
It's just to keep in mind,
what are you going for will determine a
lot of those things.
But I'm a big fan of things like
using pseudonyms wherever possible.
So again, handles, fake names.
being mindful of your online presence.
You don't have to plant your flag on
every single website, but it may not hurt.
And sometimes you may not need certain
websites.
Like I remember way,
way back in the day,
there's a band I follow, uh,
Oh Sleeper actually.
Um, they only ever had a Twitter account.
They never signed up for Facebook.
They never signed up for Instagram.
Like you could only follow them on
Twitter,
which was slightly annoying as someone who
didn't use Twitter at the time,
but you know,
like that's what they wanted to stick to.
And
Again, likewise,
most bands probably don't need Twitch
unless they're going to do live streaming
nowadays.
And maybe a lot of Twitch streamers don't
need Twitter.
So just kind of asking those questions,
but
Also,
a lot of the technical tools that we
recommend to privacy guides as well,
things like email aliasing,
password managers,
basically securing your online account.
Because I've also, again, I've seen bands,
their Facebook gets hacked and all of a
sudden they're spamming out like,
twenty percent off Ray Bans or whatever at
this sketchy link.
And again,
we just talked about this earlier,
Facebook does not care.
Unless you're Taylor Swift,
they don't care.
Sucks to suck, scrub.
We're not going to help you get your
account back.
I actually read one earlier today,
an article earlier today about how
Discord's support system is still the
dumbest thing that has ever been designed
by a human being.
I'm not sure a human being designed it.
It's so dumb.
But anyways, yeah.
So like just, I don't know.
I think I would check that out and
definitely bounce any of my
recommendations off privacy guides because
I will admit privacy guides has much
stricter,
I don't want to say vetting process,
criteria for a lot of their
recommendations.
So I mean,
I don't know.
Yeah, I would check both of those out.
I think they're really good resources
that'll get you started, hopefully.
Yeah, I just want to add as well,
I think there's some parts that kind of
go... I haven't read your streamer guide,
so maybe I'm just repeating what's already
on the page.
But I think stuff that's kind of important
to establish early on,
are you going to show your face?
I mean, that is kind of important, right?
I think...
You can kind of see what I'm doing
here.
Like,
I don't really want to show my face.
I'm sure someone could find what I look
like,
but it's just a layer of privacy on
that aspect.
People aren't going to recognize you in
the street or whatever,
or people aren't going to be able to
immediately know who you are.
So that is a benefit too.
And I think also thinking about things
that you share,
being very mindful of things that you
share, because, you know,
you take a picture of the room that
you're in,
someone could analyze the texture of the
roof or something,
find rental property stuff and analyze and
work out where you're living or something
like that.
You know, people are pretty creepy.
So I think being aware of
you know, what you're sharing,
how it can be used to find you
being very deliberate about posting stuff.
But I think it's definitely a personal
preference whether you want to show your
face or even show anything about you.
You can certainly be
faceless.
There's plenty of channels that do that
and pretty successfully, I'd say.
So, you know,
I think it's definitely worth thinking
about at least.
But I hope those tips were somewhat
helpful.
We try and answer people's questions in
the chat.
There was another question here from
Plants McGee,
which I'm not really sure about what it
means.
So what's the deal with Twitter, Sydney?
They just left.
So what is this referring to exactly?
They're referring to the EFF just left
Twitter.
Real quick, I do want to say,
I didn't mention the face thing and I
really should add that because that's a
really good point.
I've been just watching random YouTube
videos lately about dinosaurs and space
because I will forever be five years old
at heart.
And yeah, a lot of those...
So it's not just a privacy thing.
A lot of those channels are faceless too.
And I'm actually sitting here thinking,
I'm like, man,
maybe I should do more faceless videos
because I bet they can pump those out
real quick.
But yeah, going back to the question,
the EFF left Twitter.
I...
I have personal opinions,
but all I'm going to say is go
check their blog post.
They laid it out in very plain numbers
where basically they said â you can tell
I agree with their decision.
But basically they said that they're just
â they're not reaching people,
and they only have so many resources,
and they've decided their resources are
better spent elsewhere.
So you can disagree with them.
That's fine.
Free country for now.
You're welcome to do that.
But that's their logic.
So â
I think I'm just going to share my
thoughts on this.
Obviously these, these are my thoughts,
not,
not related to privacy guides as an
organization,
but I think the platform itself has kind
of become pretty toxic.
I think a lot of people are complaining
about it kind of becoming a bit of
a,
an echo chamber for like conservative
voices and stuff.
I think that's not great.
It's definitely,
the platform's definitely changed and
it's,
in a lot of ways became worse.
I think we're seeing more and more people
leaving because, you know,
it is kind of a platform that allows
in, in a lot of countries,
I would say hate speech,
maybe not in the US because the laws
there are a little bit looser, but yeah,
I can kind of understand not wanting to
be on a platform like that.
And I think, you know,
In our case,
Privacy Guides is still on Twitter posting
stuff.
I think we are getting some traction.
So maybe our strategy is different to that
of the EFF,
but we're still getting quite a lot of
traction with that.
I think it's important to reach people no
matter what platform they're on.
So, you know, in a lot of cases,
we're going to be on all these crappy
platforms.
Doesn't mean we support the platform or we
want to...
Doesn't mean we want to make people move
to better platforms like Mastodon.
We recommend different ones that people
should move to instead.
But I think you have to meet people
where they are.
And if we just stopped posting on all
these platforms,
we wouldn't be reaching as many people and
converting them to believing different
things,
like that X is a bad platform and
invades your privacy.
Same thing Jonas said here.
It doesn't make a ton of sense to
me to leave X,
but not Facebook or TikTok,
but shrugging emoji.
I think it's definitely like a personal
choice.
If the analytics said that they weren't,
I mean,
it doesn't really make that much sense in
my opinion,
because
we have all these multi-posting tools.
Like, for instance, our team here, Nate,
I, me, and Jonah, we're basically,
a lot of our posting is through Buffer.
And all it is is just ticking another
box to send it to another platform.
Like,
we're not specifically creating anything
for a specific platform.
So, I mean, if those platforms
I mean, we can debate all day,
like how bad X is as a platform.
We can debate all day how bad Facebook
is and TikTok, but I still think,
you know,
we post on all those platforms because we
wanna be able to reach
these people because you know everyone
deserves privacy not just everyone on
mastodon um so and especially because
these people are probably less aware of
the issue that's why they're on those
platforms in the first place so i can
kind of understand from like an
ideological perspective like if you really
don't like being on a platform that kind
of amplifies conservative voices i can
kind of understand why you may not want
to be on a platform like that where
you get harassed but
I think from an organizational
perspective,
I think I'm not quite sure if I
agree with this because it is kind of
easy to cross post and I can respect
the decision,
but I'm not sure if I agree with
it particularly.
But yeah, that's kind of my thoughts.
Okay.
I don't really have much to add.
I think that was a good point about
buffer, but I don't know.
I don't, I don't have a,
what do they say?
I don't have a dog in this fight.
So it's kind of a messed up saying
now that I think about it,
don't fight dogs.
On that note,
I think we're going to move into a
story about the FBI extracting a suspect's
deleted signal messages saved in the
iPhone notification database.
So I'm not going to scroll on this
one too much because this is actually a
paid post.
But this comes from four or four media.
Highly recommend.
It's totally worth it, in my opinion.
They do great reporting.
But Jonah did say in the chat that
you felt like this is a little bit
of a nothing burger here.
And I...
I halfway agree.
Um, cause you know, it's the,
the headline kind of says it all,
but I think it's worth talking about
because it kind of points out,
they said further down in the article that
this, like,
this just kind of amplifies how difficult
it can be.
Actually,
let me see if I can find it
here,
but they basically said it just points out
how difficult it can be to, um,
to think about every possible angle of
your OPSEC,
especially when it really matters this
much, you know?
So like last year in June,
we found out that, which I mean,
the more technical people who know this
kind of stuff, which remember,
not everybody is super technical,
but yeah,
We found out last year that because push
notifications are usually not encrypted,
Apple and Google can see them,
which probably was not a shocker to most
people.
But also, basically,
the way that they're registered to make
sure they get to the right device and
stuff, it's... Basically...
It's another way that police can get your
data, right?
Police can go to Apple and Google and
they can subpoena you for your data.
And so we're really big fans of services
like Tudor, for example,
does not rely on Google for push
notifications on Android.
Signal, I think,
also has their own implementation.
Proton does rely on Google,
but they encrypt it.
So there's not really anything useful
there, although there is still metadata,
which is worth noting.
But...
And now we're learning it's still even
more complicated than that, right?
Because basically what happened is they
arrested somebody and they were able to,
you know,
they ran the Celebrite or whatever,
whichever device it was.
They ran the forensic tools on the
person's phone,
which was an iPhone in this case.
And this person had already deleted
Signal.
I believe they even had disappearing
messages enabled,
but don't quote me on that.
I feel like I read that in this
post somewhere.
And the police were still able to extract
some of the messages because the
notification history was stored on the
device.
And, um,
Yeah,
I did not see that coming personally.
So it is worth noting that because these
are device notifications that we only got,
or they only got, I should say,
half the,
I can't word today and I apologize.
They only got half of the conversation,
right?
They got the incoming stuff.
They did not get everything, of course.
And I personally am a little bit unclear
on exactly how this would work.
Like for example,
how long do these notifications stay
there?
It sounds like this is a like a
volatile memory kind of thing like RAM.
So would rebooting the phone get rid of
them?
I'm assuming not because I think if these
people were smart enough to use signal and
disappearing messages and to delete
signal,
then they probably rebooted their phone as
well.
Or maybe not since they were able to
forensically examine the phone.
I really can't say for sure.
But
I just, personally,
I have some technical questions like that.
But I think the big reminder here that
I thought was interesting I wanted to talk
about was just the reminder to be mindful
of your notifications.
One thing I really appreciate about
Signal,
and I know other apps do this too
to various extents.
Privacy apps tend to be a lot better
about this, of course,
as opposed to something like Discord.
But Signal lets you get pretty granular in
terms of like,
I can mute this chat.
I can mute this chat for an hour.
I can mute it for a day.
I can mute it indefinitely.
I can select notifications.
It says here that includes name, content,
name only, or no name in content.
And so this is actually what I used
to do ever since I found out about
that story from last year.
I have Signal set to send me just
a notification that says Signal.
And then from there,
I use notification profiles
to kind of manage things.
So like when I was at work in
my last job,
which was a more traditional nine to five
sort of job, I, you know,
in the sense of like,
I can't be on my phone during the
day and stuff like that.
I had a notification profile that would
start at working hours and at end of
day, which was never really end of day.
But at that point I'm like, whatever,
we're staying late.
I don't care.
And during that time,
pretty much the only notification that
would come through would be my wife in
case there was an emergency.
And so at that point,
I don't need the notification content,
right?
Because I know exactly who it is.
It's the only person that the notification
will get through.
And likewise, when I go to sleep,
my wife in case I'm traveling and my
sister in case of emergency.
And I think that's it.
Now, I have one local friend, too,
in case of emergency.
And those are the only people,
even though I try,
lately I've been doing a good job,
but usually I try not to sleep with
the phone in the bedroom.
But you know what I mean?
It's like,
I'm able to craft these very specific
notification profiles.
And even now here at Privacy Guides,
I do have working hours where I'm like
at work and I try to focus.
So I've got everything that isn't, again,
like my wife and my sister and then
all the Privacy Guides people,
they're the only ones that the
notifications go through so that I don't
get distracted by other people.
And yeah.
I think trying to figure out how to
make a device work for you in that
sense, you know, somebody, I think I saw,
I think it was in the privacy guides
forum when people were talking about this
story,
or it may have been in the comments
of this actual article,
but somebody mentioned like changing the
ringtones, you know,
before I started using these notification
profiles,
that was something I did is my wife
had a different ringtone than everyone
else.
So that if I got a, you know,
a notification, I would know, is it her,
do I need to check this or can
I just ignore it?
And so, yeah,
it's definitely something to be mindful
of.
And something else that kind of came up
here,
I'm looking at the comments now on this,
is on iPhones,
if the calls show in recent,
that will show up in the actual phone
app log.
On both iPhone and Android,
there's always relay calls,
so your IP address isn't exposed.
Slight quality trade-off,
but if you're a high-risk person or if
you live in an area where you've always
got a good signal,
it's probably not a big deal.
So just things like that to keep in
mind.
But one last thing I do want to
circle back to when Jonah said, he's like,
this is kind of a nothing burger because
Signal doesn't encrypt their own local
database in the first place.
And I think that's a valid point.
I mean, I love Signal.
I recommend Signal.
It's very user-friendly.
It's very easy.
It's cross-platform.
It's got all kinds of shiny little
features that people enjoy and makes them
more likely to use it.
But I think it is important to note
that there is no perfect tool,
whether that's Signal,
whether that's SimpleX,
whether that's
Um, you know, whatever messenger,
whether that's email,
email itself is incredibly imperfect,
which we did explicitly mentioned that in
our latest video about email.
So, you know, it's,
it's looking at your threat model.
It's looking at what you need from a
tool and it's understanding what the
limitations are and how to either
eliminate them, mitigate them,
work around them.
Cause then I'm not gonna lie.
My, my, um,
One of my thoughts I had today when
I was thinking about this story is like,
I can't control other people's phones.
You know,
I have my notifications set not to do
things.
But now when I text people,
my notifications are on that device.
And that's just something to be mindful
of.
So yeah, kind of a shorter story,
I think today, but you know,
it's a pretty quick takeaway.
So I don't know if you had any
thoughts on that one that you wanted to
share, Jordan.
Yeah, I mean,
I think you brought up some great points
there.
Like, you know,
there's ways to at least somewhat protect
this on your end.
Like you said,
the settings in Signal itself.
I almost wonder though,
you could almost disable notifications
just in general, you know,
no notifications.
And then, you know,
there wouldn't be a database where
anything would be stored in this case.
But, you know,
maybe that's kind of problematic for
people to do.
But there's also the case where
know there's at least on android there is
the ability to enable notification history
so it can save notifications that's off by
default but it's another thing to check um
to see if you have that enabled definitely
disable that i don't think that's
necessary to to enable like it's it's the
whole point of notifications is they're
kind of ephemeral they're there on the
screen i kind of assumed though
that's when you dismiss the notification,
it's gone, right?
I didn't think that there would be saved
on your device in a database.
So this might be something for Apple to
actually fix because I feel like that is
a bit of a concern.
and anonymous three, four, four,
just put in the chat, threat model,
threat model, threat model.
Exactly.
Like if,
if your concern is your device being
seized and you want to protect the data
on it, um, you know, use Molly,
have an encrypted database in signal.
Um,
don't use notifications cause they can be
accessed.
Right.
Um, I think it's kind of hard though,
especially because, uh,
in this story in particular,
I think it was,
They said the case was the first time
authorities charged people for alleged
Antifa activities after President Trump
designated the umbrella term a terrorist
organization.
So I don't know,
this is kind of a very nebulous thing
going on in the US.
Like what is Antifa?
Like it's not really an organization.
It's kind of a bit silly that they're
calling it that.
But I think people should be
guess more vigilant than usual because you
know you never know if your your
activities are going to be considered
antifa and then your devices might be
seized so it could be worth thinking if
you know you might be a target of
this sort of thing a little bit more
thoroughly because it does seem like the
government is cracking down on political
behavior um i can't really read the full
article here so i'm not really sure it
says here that it was uh people present
It said the case involved a group of
people setting off fireworks and
vandalizing property at a ICE detention
facility.
Yeah, in Texas,
and one person shooting a police officer
in the neck.
So I'm not going to comment on whether
they were guilty or not,
but that's what the FBI is finding.
Yeah,
I think that's up to the courts to
decide.
But I think the thing is, right,
you know,
if you're doing any sort of
political action.
I'm not saying, you know,
you should go out and vandalize an ICE
facility, but, you know,
I'm saying like any sort of political
action,
whether that's peaceful protest or,
you know, marching through the streets,
you know,
I think it's important to think about ways
that your data could be extracted and used
against you.
I think in this case, you know,
it's definitely,
everyone deserves privacy,
even if these people were
vandalizing something um so it's kind of
unfortunate that uh the the iphone was
kind of a bit uh vulnerable to this
extraction method i also do wonder if
lockdown mode could have prevented this um
because i think lockdown mode does prevent
a lot of these uh
like tools that these FBI uses to like
forensic extraction tools.
Um,
I think it probably could have been
interesting to hear, um,
if that was the case or not,
I'm going to assume no, but you know,
I feel like anyone who's going to any,
uh, political action,
like just enable lockdown mode.
It's like the least you can do.
It's, it's, it's a basic thing.
It's just a switch you turn on.
Um,
but I do think it is, uh,
calling out Antifa is big,
the hacker known as Fortan energy.
Yeah.
It's just like, it's, it's just,
it just shows that the government doesn't
really know about like any sort of,
any sort of political organizations.
I think it's a lot easier to, uh,
it's a lot easier to lump a whole
bunch of people together and sort of say
this nebulous thing is bad.
Um, then, you know,
having any sort of specifics like, yeah,
these,
these protesters at this specific ice
facility, um, who that's why, I mean,
we don't really know if they're part of
a group or anything, but, um,
they could have just been acting
independently.
Um, I think it's just,
it's kind of ridiculous that we're,
grouping it all together like that.
But yeah,
I don't really have more to add than
that.
Yeah.
The only thing I wanted to comment on
is you said that it would be best
to turn off notifications altogether,
which yeah, I mean, if it's really,
really, it's all about threat model,
right?
Like that wouldn't be feasible for me in
my day to day for sure.
But yeah, if you're,
especially if you're doing something
sensitive,
whether that's simply protesting or
whether you're taking it further,
which I'm not advocating for violence or
breaking any laws, but I'm just saying,
you know, threat model.
Yeah.
You maybe should bring a separate device.
You maybe should turn off notifications.
It's, it's tricky, but it's also just,
yeah, I don't know.
I wonder how
I personally just wonder how well-known
this kind of vulnerability is.
Is this the kind of thing that technical
people would look at and be like, yeah,
obviously, iPhones are keeping a...
Because it sounded like Jonah...
Full disclosure,
Jonah's the person I usually go to with
deep technical questions because he's
really smart about this kind of stuff.
And when I was asking him questions about
this earlier this week, I was like...
And I asked him those questions about
would the phone restart?
Would this, that, and the other...
Or excuse me,
would a restart clear out the...
the cache or the database.
And he didn't really know either.
And he said the same thing that you
said, where he's like,
I always thought that when you swiped a
notification, it was gone.
Is this like, does you,
do you have to handle it differently
somehow?
And so I,
where I'm going with that is like, he's,
he's really smart in my opinion,
not to like, you know, but, uh,
and if he doesn't even know this stuff,
it's like, how many people do know this?
Like, this is not common knowledge.
And, um, I think we did find a,
uh,
some some court cases i mean this was
like a real real quick web search we're
not lawyers obviously but we did find some
some cases where the judge kind of threw
out certain evidence because they're like
how would a person be expected to even
know that they were leaving evidence which
i mean that's not exactly what his
argument was but you know it's like
there's a certain level of just like like
it's insane that you found this and i'm
not going to allow this in court and
it's i i kind of wonder how this
would qualify as well how how well known
is this kind of a thing and
Yeah, super crazy.
But I think this also brings up like
the other concern with iOS, right?
Because iOS is a closed system, right?
We don't have access to the source code.
We don't know that there's a database
storing people's notifications.
Like we're up to iOS now.
Like there's been versions of
Well, not twenty six,
but I guess nineteen.
Nineteen updates.
And we still haven't seen this be an
issue before.
So I think that's the benefit of open
source operating systems like, you know,
graphing OS.
We know there's no notification database.
We know that those messages are being
stored after they're being dismissed.
Whereas with iOS,
it's sort of a black box.
we can protect as much as we can
from this sort of thing like we can
make assumptions that things are done a
certain way but i feel like making
assumptions is kind of risky because we
don't have clear evidence with what these
systems actually do so i think that's
where open source operating systems are
going to definitely beat out this sort of
thing jonah says was about to type what
jordan is saying yeah um so i guess
uh we kind of had the same thought
on this um but
I think it's definitely, you know,
I think one thing to think about as
well is, you know,
there's certain apps that need
notifications and there's certain apps
that don't.
Like we can definitely try and reduce
notifications
the amount of stuff sending notifications,
because as far as I'm aware on like
Googled and Apple devices,
there's the stuff that's sent,
like the way that notifications work is it
sent through, you know,
Google Firebase or it's sent through Apple
service.
And we've already had a story previously
where, you know, someone's,
notifications were able to be subpoenaed
from Apple and Google and get access to
the notification content.
And there's possibly sensitive information
there.
We did end up finding out, though,
that in a lot of cases,
a lot of these apps that are privacy
focused,
they actually encrypt the notification
content.
So Apple and Google will get notified when
notification is arriving they won't have
any insight into what it actually is so
you know i think notifications are kind of
one of those sort of uh they have
a lot of like foot guns i guess
they kind of are like a bit of
a uh dangerous thing uh that we need
to consider i think bringing the story up
is like you know brought this to the
forefront again um i think
Obviously,
there's people that need to disable
notifications,
but I think it's good to at least
consider this as a threat,
because I guess people haven't really been
doing that.
Yeah, and not to speculate too much,
because you literally just said, like,
you know,
all we can do is speculate sometimes,
but I wonder if, because you pointed out,
it's like
there's been so many versions of iPhone
and we're just now learning this.
And part of me just wonders,
has it always,
and this is just me thinking out loud,
obviously,
I know none of us have answers to
this, but like,
has it always been doing this or is
this a new feature?
Because my thought process is,
if it's always been doing this,
I think that kind of highlights the arms
race nature of privacy and security where,
you know, before it was like,
I don't know,
just to pull random examples out of thin
air that may not fit because I'm making
this up as I go along.
But before,
the police would walk by a building,
look in the window, and go, oh,
there's my evidence.
And now they have to go deep into
the building, into the bank vault.
So it just kind of makes me wonder,
is this some new thing?
Or is they've just never used it before
because they've never needed to try so
hard to find evidence before,
which would...
If that is true,
then that would just show how much more
secure everything is getting.
But again, we don't know.
We'll never know, probably.
Just a random thought that I had.
I think that's all I've got on that
story, personally.
Alrighty then,
I guess that's kind of a little bit
of time now to move into the forum
updates this week.
So in a minute,
we'll start taking viewer questions.
So if you've been holding onto any
questions about any of the stories we've
talked about so far,
go ahead and start leaving them on our
forum thread or in the chat on the
live stream and just so you know if
you're watching this and you're not you
don't have an account on one of those
platforms we do stream on stream yard so
check out the forum post and there's a
link there you can join without an email
just a name and you can ask a
question but now for now let's stick
to our community forum.
And there's always a lot of activity
there,
but here's a few of this week's most
interesting discussions happening there.
So there was this thread that Nate linked
here, and this one is about Wisconsin.
So Wisconsinites can keep watching porn
after governor vetoes age verification
bill.
So I guess I'm going to kind of
throw this to you, Nate,
because I feel like you have quite a
lot of thoughts on this one.
Yeah.
Um,
so I originally thought this was good
news, not just from the porn angle.
I think that's just four Oh four being
clickbaity.
Um, which I say that with love.
I mean, it's to me,
it's only clickbait if you don't deliver
on the promise and you know,
it's everybody's trying to stand out.
Right.
But anyways, um, yeah, so we've been, uh,
you know, privacy is an uphill battle.
I think we all know that.
And I think that, um,
It can be really depressing because I
think if we're being honest,
we generally tend to lose more than we
win,
which I don't think it's a lost cause.
I think...
Especially, I think, as things get worse,
people are going to start realizing the
value of their privacy,
and hopefully we can start to reverse that
trend a little bit.
But a lot of the time,
we do take some pretty severe losses,
and so it's important to celebrate the
wins,
which I'll get to why this is a
bit of a mixed bag in a minute.
But for now,
I do want to celebrate the good sides,
which is that the governor rejected this.
This was an age verification bill.
Uh, assembly bill one Oh five,
which would have four sites with more than
one third of material harmful to minors,
uh,
defined as depictions of actual or
simulated sexual acts or body parts
included, including blah, blah, blah,
blah, blah.
Um, female nipples,
not male nipples as always, but whatever,
that's a rant for a different time.
Anyways.
Um,
It would have required using any
commercially reasonable method that uses
public or private transactional data
gathered about the individual.
And the article says this means uploading
an ID,
showing their face for a biometric scan,
uploading credit card information,
or a combination of these.
And the governor vetoed this bill and
said,
I am vetoing this bill in its entirety
because I object to this bill's intrusion
into the personal privacy of Wisconsin
residents.
While I agree that we should protect
children from harmful material,
this bill imposes an intrusive burden on
adults who are trying to access
constitutionally protected materials.
Um,
Evers wrote that the bill doesn't prevent
platforms from giving collected personal
data to third parties,
such as the government or data brokers.
And he wrote,
this is a violation of personal privacy.
Additionally,
I'm concerned about data security and the
potential for misuse of personally
identifiable information that could be
intercepted by or transmitted to a third
party used for the basis of blackmail or
identity theft.
Further,
although the bill includes penalties for a
business entity who violates the
prohibition of retention of personal data,
those penalties cannot undo the harm.
So all really,
really good stuff that I was super stoked
to see.
Unfortunately,
I think here in the comment section is
kind of where it went wrong is some
people pointed out,
and I don't know if I missed this
in the original article because I'm still
not seeing it here either.
Um,
maybe it's like in a different statement
that he gave her,
like the rest of the statement,
but some people quoted that, uh,
the governor wants device level age
verification.
And apparently this is a quote from him.
Uh,
we can and should work to prevent minors
from accessing adult content.
Um,
but there are better solutions than the
one offered by this bill.
For example,
we can work with tech companies to
implement device-based device-based age
verification that takes place on a user's
phone or computer,
which can be more secure and effective
method.
Other States have been moving toward
device-based solutions and major tech
companies are adopting these options as
well.
So yeah, it's, I don't know.
I don't want to get into the age
verification debate.
Cause we've, I still am fresh from like,
there was,
there was like a three or four week
run where we talked about it every single
week.
And I still don't feel like we have
anything new to add to that,
or at least I certainly don't.
Um, you can feel free to,
to chime in if you have more to
add to that.
But, um,
I don't know.
I have mixed feelings about device based
stuff, but I certainly see the drawback.
And anyways,
I guess this one's a mixed bag,
but it's I want to celebrate the win
that he did repeal it.
And I certainly agree that this would have
been way worse than device based.
I'm definitely I definitely know the
problems with device based.
I'm not saying I'm in favor of it.
But there's a difference between getting a
paper cut and getting your finger chopped
off.
And I think this would have been getting
your finger chopped off.
So I think that's good that we avoided
a much worse fate.
I hope he doesn't go for the device-based
stuff.
That's kind of the drawback.
But yeah, anyways,
I'm going in circles now.
I just wanted to celebrate a small,
even if it's a mixed bag,
we did have a small win this week
that I thought was pretty cool.
Yeah, that's good to hear.
I mean, one thing that I kind of,
it kind of bounces off the issue that
we talked about in the highlight story is,
you know,
I think we should be against all these
sort of centralized things, right?
Like this is centralization.
Again, like we talked about app stores,
right?
Three app stores, or I guess really two,
there's like two big ones,
Google Play and Apple's app store, right?
And
I think this is just like sort of
reinforcing why these platforms are bad.
Like we talked about at the start,
like having these platforms decide what is
allowed, what is not allowed.
This is just a bad idea.
This bill in particular,
it sounds to most people,
I think it would sound reasonable,
but the issue is where, you know,
there's more, there's things where like,
you know,
what's classified as adult content, right?
Like that's the stuff that they mentioned
sounded reasonable, I guess if you're,
I mean, I guess, uh, but you know,
there's all sorts of issues when it starts
covering more stuff that isn't technically
adult content.
That's restricting people from accessing
those, uh,
applications unless they verify their
identity.
Um, so I dunno,
this is definitely sort of,
I guess it's somewhat of a win.
It's not like a.
The bill got taken down, I guess,
but there's still the chance that
device-based age verification might make
its way through,
like we've been seeing with the app store
transparency stuff.
I think that would definitely be
probably in a lot of cases worse because
you know doing this on a device level
is a lot more invasive and it gives
a lot more control to these tech companies
so I'm certainly against both I think I
can't believe I keep having to say this
but like you know we have parental
controls like we have all these amazing
tools that people have access to I don't
think the government needs to get uh
involved on people's devices so much,
right?
Maybe people have different opinions.
There's a way to do this privately.
I just think there's always leaks, right?
Like this article in particular, actually,
it mentions, like if you scroll down,
there's a section in there where they talk
about the Discord age verification stuff
where people that were having to send
their ID data and selfies was breached in
a security breach, right?
Like
Even though we think all of these services
are done properly,
the age verification systems,
a lot of times security is just not
the priority.
So that's sort of my thoughts on this
story, I guess.
And even if they were,
just to add on to that last part
you said, this week alone,
I've covered three or four stories about
insider threats and people...
abusing their access to a system to get
into.
I covered one.
I need to add these to my website,
actually.
I covered one about a police officer who
was using DMV photos to make AI nudes
of women, not even making that up.
And then I found another one.
I wasn't even looking for this one.
This one didn't even come across my
newsfeed.
I was web searching for something else and
it magically showed up in the search
results.
There was a dude at Facebook who was
giving himself access to over thirty
thousand private photos.
So, yeah,
even if these systems are made correctly,
quote-unquote correctly,
I'm not going to count Facebook as
correctly because they've had more data
breaches than there are grains of sand on
Earth.
But even if these things are made
correctly, they're still insider threats,
and it's just â
Yeah,
I think I'm kind of coming around to
you because there's so many ways to solve
a problem, right?
And there's the technical solutions,
there's legal solutions,
but then there's like educational
solutions,
which I think is kind of like where
things like privacy guides come in and
this this podcast and stuff.
And I think
From what I'm seeing,
I think this is probably largely an
educational problem because I feel like I
mentioned the example of, again,
my sister didn't even know that iPhones
have parental controls.
And granted, her kid is really young.
She doesn't have to worry about that yet.
He never has.
He doesn't have his own phone or tablet
or anything.
Um,
so she's not at that point where she
has to worry about it,
but like how many parents know these
things exist?
How many parents know what they're capable
of?
I've heard,
I never used them cause I don't have
kids.
I've heard that some of these parental
controls are actually really good,
but how many of them, you know,
just don't know they're there or they'll
pay for some garbage third party thing.
That's going to be selling their kids
data.
Cough Cough Life, three sixty.
Because, you know, again,
like especially my my generation,
we came up in an era where like
Windows security was garbage.
Nobody trusted Windows firewall.
Of course,
you had to pay for a third party
antivirus.
And that's just not true anymore.
And I just I wonder how many people
even know that.
So, yeah,
I think I am kind of starting to
lean more towards the side of like I
think this is largely an edge or at
very least we need to start with the
educational aspect.
And then if we get everybody up to
speed and find out that there's cracks,
then maybe we start talking about how do
we fix this?
But
Yeah,
this definitely feels like an
oversimplified... I mean,
I've known that from the start.
But yeah,
age verification is just an overly simple
solution.
I think I want to add a little
bit extra onto what you're saying there
about how we should...
teach adults about these features.
We have gotten to a point, right,
where it is like,
I almost feel like people don't have an
excuse because if you buy a new Google
device, if you buy a new Apple device,
if you buy a new Windows device,
in the setup process,
it literally asks you,
is this device for a child?
Um, like it is kind of like,
I feel like we've gotten to a point,
right?
Where like, maybe,
maybe the device has to come with like
a red sheet of paper or something that
says, if this device is for a child,
please set it up during the setup process.
Like how much more obvious can we get?
Like, you know what I mean?
But actually I do want to push back
on that a little bit.
Cause it doesn't do that here in the
U S. Um,
but I think that would be a good
idea if it did that in the U
S because I don't see any reason it
shouldn't.
No.
It doesn't ask?
I haven't seen a single one in the
US.
And I mean, granted,
it's been a while since I've set up
anything that wasn't... No,
even because the most recent device...
Well, I mean, okay,
this computer is a company computer,
so it was already set up when I
got it.
My Windows computer I got in...
When did I get my iPhone?
I don't know,
but they're all within the last five years
for sure.
And not a single one of them has
done it to me.
I don't know.
I don't think I know anybody who set
up a device from scratch.
I think most people I know just like
transfer their Apple ID or their Google
account or whatever.
So I don't know.
I could try to do some digging and
look into it.
But yeah,
I've never had a device ask me that
ever here in the US.
But like I said,
I don't think that would be a bad
idea because...
Yeah.
How cool would that be if, you know,
my sister goes out and buys her kid
his first iPhone and it says,
is this device for a child?
And she goes, why?
Yes.
Yes, it is.
And then it just walks her through the
parental controls.
So yeah, I think that, I mean,
I can only comment on like,
I don't have particularly new devices.
Like I have an older phone, right.
I reset it recently and through the setup
process, at least on iOS, it did ask,
um, you know, it said,
It said during the setup process, like,
is this device for a child?
Same with this Android phone on the Google
operating system.
And same with Windows, actually.
I installed Windows recently and they did
ask.
But it does say on Apple's website.
I did look into this before because I
was having this conversation with someone.
Like, it does offer this section.
It does say on their website, you know,
this is a â
before you can set parental controls on a
child's device.
So it doesn't say specifically on here.
I mean, I don't know.
I don't think it would be different in
the US,
but I guess you can trial and error
this.
But it does say,
I'm seeing articles here where it says it
is...
implementing new features when you set up
a device.
So I'm not sure,
maybe we'll have to look more into how
that affects things globally.
Because I know in Australia,
we do have like age verification laws and
stuff.
So it could be applied differently here.
But I do think companies are making things
incredibly easy now to do this.
And that's why I kind of get a
bit frustrated when there's government
officials who are pushing for these really
aggressive methods to do this right like i
don't know i feel like generally it's not
up to the government to decide this sort
of stuff like it should be up to
like a parenting decision um from the
parents like if they want to have a
child using an adult device they can but
um
Yeah, I definitely think the process,
at least even if it doesn't display it
on setting up a device,
I think it's good that the integration is
already there.
The options are there.
Maybe we could do a better job showing
people that this isn't even an option.
But I feel like it's, I don't know,
maybe Joda can comment on like a US
perspective on this.
But every device I've set up so far
has asked me if it's a child's one.
So I don't know.
Yeah,
maybe I need to go reset my iPhone
and see what happens.
And I agree with you.
That's what I'm saying.
I've heard the parental controls are
really good.
It's just, at least here in the US,
I feel like it's an issue of how
do we let people know those are out
there.
I didn't even know Windows had parental
controls, to be totally honest with you.
But I don't know.
I've just...
Maybe that's something that's only rolled
out in the past couple years,
and I just barely missed it.
So...
I don't know,
but I certainly would not be opposed to
it.
To like, yeah,
these controls are already built in.
Say that this device is for a child
and we'll walk you through how to set
them up and how to use them.
I think that would be awesome.
Yeah, I've definitely seen it on Windows.
Can't recall on Android and iOS.
So it does,
I think it might've been because you
might've got the laptop as a Windows X
laptop and then you upgraded it to Windows
XI.
It might've bypassed the screen.
That could be it, yeah.
Because it, wait, was this one?
I'm not sure, actually.
I think it was more a Windows Eleven
feature.
So it could have been before they fully
released it all.
But the way it works on Windows is
quite good as well.
It works really well on iOS and Google
as well.
I think it's currently a Mac.
Yeah, Mac has it too.
So all the major platforms do have it.
So I kind of become a little bit
frustrated when we're
Trying to push these aggressive laws.
I've seen it for Apple Watches,
says Jonah.
Yeah, I've seen it too.
Quite good if you use their online
accounts, as far as I know.
I mean, yeah.
I mean, this is kind of a drawback,
right?
I don't think Graphene OS has parental
controls built in.
Don't think that's really a priority for
them.
And definitely not Linux, so...
I mean, yeah,
that is kind of an issue with these
more open platforms.
They tend to not include these sort of
features.
So yeah,
it's definitely a good discussion to have
though.
Yeah, for sure.
And I'm definitely going to keep an eye
out for it next time I buy a
new device now,
because now I'm really curious.
I think that would be great if it
was a default prompt for sure.
So.
On that note, I think it's, I mean,
that's all I had on that forum thread.
So I think it's time to head over
to some viewer questions.
So we'll start with questions on our forum
from paying members.
If you are interested in becoming a
member,
you can go to privacyguides.org and click
the red heart icon in the top right
corner.
of the page but we only had one
question this week on our initial um on
our forum post about this this topic and
uh this is from expert forty forty eight
seventy who says what are the privacy
implications of using an alternative front
end that fetches content directly from the
original service rather than proxying it
um you say something like something
invidious instances do uh so it will be
It will be, while using a popular VPN,
how does that compare to just using the
original website with a content blocker
like uBlock Origin?
My experience has been that browser
fingerprinting techniques can still track
users easily,
even with content blockers enabled,
so I'm wondering whether non-proxying
frontends offer different protections.
I'll be honest.
I'm not super familiar with the technical
aspects of frontends,
so I'm not sure which ones proxy and
which ones don't.
I can talk about it if you want.
Um, I'll let you go first then.
Cause you probably know more about this
than I do.
Yeah.
So basically there's, uh,
I guess let's talk about the main two
ones here,
but like we're talking about piped and
NVIDIAs, at least the web-based ones.
So, um, by default,
as far as I'm aware, like a lot,
it depends on the instance, right?
Because these are like decentralized
services.
So it depends on what the instance is
configured.
So the piped, um,
Piped uses a piped proxy.
So it's actually your requests to YouTube
are going through a separate,
the server that you're connecting to for
the websites,
basically they're proxying the requests on
your behalf.
And the issue with this sort of method,
right,
is
it's a lot easier to be blocked, right?
Because if there's ten thousand people
accessing a piped instance, it's going to,
YouTube's going to block that.
They're going to think you're a bot,
you're spamming.
So that's the issue that we kind of
have with piped.
They're kind of getting blocked a lot and
the access is not as good.
NVIDIUS in this instance,
it actually plays
basically what it does is it strips out
all the add-in tracking technology from
the YouTube website and it will actually
play the video directly from Google.
So you're still making a connection to
Google itself.
Again, though,
there's a setting in the settings called
proxy videos,
and that will proxy it through the NVIDIA
instance.
But by default,
it should play it directly from Google.
So the reason this is kind of also
becoming a problem is because a lot of
VPN servers are getting restricted and
they require you to sign in to play
videos.
Yeah,
there's like more restrictions being made.
So with NVIDIA,
you can actually check this yourself,
right?
You can use uBlock Origin and you can
see the connections that the website is
making.
You'll see it's connecting to Google
Video.
So your IP address is visible to YouTube
itself, right?
But there's significantly less tracking
happening because
the JavaScript on YouTube's website isn't
actually loading,
which is the usual concern, right?
So YouTube will know that your IP address
is pulling a video from their servers,
but
Yeah,
then we can also talk about like FreeTube,
and that does give you the option when
you're setting it up if you want to
do fully local playback.
So the same thing as NVIDIA is pulling
the video directly from Google,
or you can also use a piped proxy,
which like we talked about,
it can have issues,
but it does offer more privacy because
your IP address isn't being directly
exposed to Google itself.
So
Another thing here is using a VPN and
then using NVIDIUS or like a local,
locally fetching these videos,
it's going to be a lot less
easy to track it because you're using an
IP address that a bunch of other users
have.
So I think that's basically kind of the
rundown.
I wouldn't use NVIDIUS if you are on
like a residential connection because
it'll just be linked to your IP address.
They'll just see your residential IP
address accessing all the videos.
It'll be easier for them to track it.
So I'd say try using a VPN and
try using NVIDIUS and
directly fetching the videos over pipes
because pipes is usually locked a lot more
commonly.
So hopefully that answers the privacy
question about this topic.
It's kind of confusing,
but if I didn't answer it well,
just let me know.
Cool.
Thank you.
I think it's also just one thing I
want to throw out is we don't really
know much about browser fingerprinting.
Like I made like a year ago,
I made a video about that over on
my YouTube.
And the thing I learned is that a
lot of it
I mean, there's like two categories.
There's the people who are like marketing
companies who are like, yeah,
we can fingerprint anybody anywhere.
And it's like, okay,
and I'm going to take you with a
grain of salt because you'll say anything
to make a sale.
And then there's the technical people who
are just like literally everything can be
fingerprinted.
And like the privacy people who say this.
And I think the issue is we don't
actually know for sure
how prevalent it is,
which techniques they're actually using.
I've seen all kinds of proofs of concept
about CSS can be fingerprinted if you do
it right.
A lot of extensions can be fingerprinted.
There's so many different ways to do it,
but we don't know for sure what ways
they're doing and what ways they're using.
I'm not saying not to worry about it.
I just want to point that out.
It's really...
um it's not like you block origin does
nothing i know it does block a lot
of stuff and then you know brave obviously
has a lot of built-in protections firefox
especially with the setting changes that
we recommend offers really good protection
it's obviously not perfect um if you need
perfection or as close to perfection as
you can get you need something like tor
and hunix but at that point you're
probably not streaming youtube so um just
something to keep in mind there's still
definitely a use a place for those so
I mean, I think there's definitely,
we do have some research that has been
done specifically on browser
fingerprinting.
Like when I was looking into,
like we also did a video here at
Privacy Guides.
We interviewed someone about it as well.
There are at least some hard facts about
it.
So, I mean,
definitely go maybe check out that video.
We did talk a little bit with...
um we got information from someone at the
tour project who works on a lot of
the fingerprinting stuff for that um so
definitely look at that i think the um
there's definitely papers that have been
done when i was researching for that video
there was quite a lot of papers about
specifically talking about stuff like
entropy and you know how that affects the
fingerprint I guess I think Nate's right
though just like we don't really have the
specifics of what people what companies
are doing because it's kind of hard to
know right but I think going off the
research that we do have you know
increasing entropy you know like with Tor
browser I think there's
there's pretty much,
there is basically proof at this point
that like, you know,
if you use Tor browser,
if you take all the precautions as
possible, you're not going to be,
you're not going to be able to identify
someone specifically with their
fingerprint if they're using something
like Tor browser.
But I think we have gotten to a
point where so many tools just have all
this built in,
like Firefox and Brave both have
fingerprint protection built in by default
now.
So it's like,
Basically,
we're getting to a point where these
protections are becoming pretty
mainstream.
But I think if you need something a
bit more extreme,
then something like Molvado Tor is
definitely going to offer better
protection.
Yeah, just to be clear, like you said,
we have a lot of research into how
good the browsers are at resisting it.
We just don't have a lot of research
into how many companies are doing it,
what exact techniques they're using,
how common it is.
I assume it's pretty common.
I assume that a lot of companies are
doing it.
They don't tell us because it's kind of
like their secret sauce for marketing,
and this is why we're so effective.
But yeah, it's just...
I guess what I'm getting at is I
think uBlock Origin and a good privacy
browser is probably a lot more effective
than we give it credit for.
But I mean,
I'll definitely never complain about
somebody going the extra mile if they feel
the need to.
So it doesn't hurt.
Yeah, I think it's definitely...
I'll just push people towards...
I know Nate did a video about it
as well.
I thought that was quite good.
We also did a video.
Definitely check out,
get different perspectives on it
because...
uh there's definitely a lot of different
opinions right because we've got we've got
the tor people we've got the brave people
we've got the firefox people they've all
got different uh we've got the ark and
fox people they've got a different uh
perspective than the tor browser people so
you know guess go to different places for
information try and uh
try and understand the topic as best as
you can.
Hopefully the resources that we've put out
there is good enough to kind of make
a good judgment on it.
But like, like Nate said, like,
I feel like when we talk about this
stuff, it is kind of an extreme topic.
Like, you know,
having a privacy browser and a new block
origin, like Nate said,
is like going to be better than ninety
nine percent of people.
So just put it in perspective.
Which on that note,
I've been perusing the live chat here.
And I think there's only one question we
haven't addressed so far.
But it actually kind of touches on this
a little bit.
And it says,
this comes from anonymous three four four
here in the stream yard chat.
Threat modeling should be deferred to
experts that you personally consult on
over and over again.
It's unfeasible for an individual to know
every single vulnerability and scenario
that they have to protect against.
Do you guys plan to provide privacy
consulting in the near or far future?
I mean,
I don't speak for everybody around here.
I don't think we're planning anything like
that as far as I know.
I certainly haven't heard anything about
it.
Probably not would be my guess.
Not anytime soon, at least.
I don't know if we make far.
I personally do not make far,
far future plans because you never know
what will happen.
Right.
I've had my long term plans thrown into
chaos multiple times throughout the course
of my life.
So I've given up on long term plans.
I just worry about the next five years
or so and go from there.
But I do want to say that threat
modeling I don't think has to be an
expert thing because there's multiple
steps to threat modeling, right?
And one of those steps is basically
figuring out â
how bad are the risks if i fail
like that's that's one of the steps right
and so i think for a lot of
people like that's i think that's kind of
where we come up with the idea of
like a low threat model you know if
somebody's like i'm gonna pick on people
here but back in the day i used
to see people having like really really
extreme meltdowns where they were like oh
my god i connected to youtube once and
i didn't have my vpn on like i'm
so screwed and it's like
Calm down.
It's not that big a deal.
Google has one IP address.
It probably rotates anyways in a lot of
parts of the country or a lot of
countries around the world.
The results for most people are not that
big a deal.
And again, going to what I said earlier,
if your threat model is so high that
Google can't have your one IP address,
you probably shouldn't be going to YouTube
in the first place.
But anyways,
my point is I don't think it's something
that everybody necessarily has to go see a
professional for.
And I say this as somebody who has
done consulting in the past.
I think, yes,
if you have a very high threat model,
then yeah,
you probably shouldn't just be winging it
and trying to piece together a bunch of
random websites and YouTube videos.
But at the same time,
like if you're just like, dude,
I'm not an activist, I'm not,
uh political figure i'm not super i just
i just want my privacy i just want
to not get targeted ads i just want
people to not be stalking me but it's
not that big a deal and i'm not
willing to bend over backwards i mean
that's part of a threat model too right
how much effort are you willing to go
through because not everybody is willing
to go through the same amount of effort
and i'm going to say that again because
i feel like a lot of people in
the privacy community forget that
Not everybody is willing to go through the
same amount of effort and that's fine.
As long as like their threat model is
being met.
So yeah, it's an, I don't know.
I think if you want to get consulting,
I mean,
if that's something you want to do,
that'll help you sleep at night,
go for it.
But I don't think it's something that
should only be deferred to by experts.
Cause I mean, we're human too.
There's no like,
governing board that certifies privacy
experts or anything so I don't know yeah
I just that's my thoughts
Yeah,
it's like one of these things where like
I feel like, you know,
there's certain things where you can just
throw money at something and kind of
remove a bunch of the effort here.
Like I feel like going through and trying
to understand what are the best tools,
what do I need to do?
Like it is kind of time consuming.
Like Nate was saying,
like not everyone has hours every day to
go through an hour.
you know,
work out the tools and update things.
So, I mean,
it can make sense to throw money at
something.
I don't think you need to.
I think everything is available for free.
Like,
we try really hard to make things
accessible to everybody.
Like, we don't want to paywall stuff.
You know,
we offer benefits to members who give us
donations because, you know,
it's the least we can do for supporting
us.
But I think, you know,
if there's something that you want to kind
of
easy mode you can talk to an expert
i mean i'm not going to recommend it
i think all the content is available for
free and we've talked about this before
like you can take things slowly like you
can just do one thing every month like
when you have a bit of spare time
like you don't have to to go at
like i think it was michael basil who
said this it's like uh privacy is a
marathon not a sprint um
And I really like that quote because I
think it's, you know,
we think about things that we need to
do,
but I don't think we need to do
things immediately and we don't need to
try and blitz through everything in like
two days.
You certainly can if you want,
but it's definitely not required.
So, you know,
definitely put that into perspective for
you.
I always love telling people how I was
that lunatic that sat down one weekend and
went,
I'm going to move all my passwords to
a password manager and I do not recommend
it.
But,
Yeah,
not to get into a big back and
forth, but you said like, yeah,
for the average person,
threat modeling is not too high.
I mean,
everybody should threat model because
that's how you know if you're doing
enough,
but you're like going back to the story
of the Notification League,
surely it would be better to consult an
expert for blue team defenses.
Yeah, again,
if you're working on a professional blue
team,
if you are an activist who's facing jail
time or could potentially,
like sure at that point, but yeah,
we don't offer consulting at this time.
I don't know if there's any plans to,
but I mean, if we do,
I'm sure we'll announce it.
I think one thing also to add to
this comment, right, is they're saying,
like, threat modeling, like,
they're saying you should surely be better
to consult an expert for blue team
defenses.
I think, you know,
let's be a little bit honest here.
This is, like,
a very privileged position to be in.
Like,
not everyone has the money to just throw
this.
Like, we're talking about, like,
decentralized groups of activists here.
Like,
we're not â I don't mean any shade
when I say this,
but a lot of organizations are not exactly
â
uh, they're cash strapped, right?
Like they don't have money to do this
sort of thing.
Uh,
it's not really that high on their list
of priorities.
Um, so if it's like a,
a business where they have a certain
budget to,
to spend on this sort of thing,
obviously makes sense,
but that's why I think it's so important
to offer this stuff free because,
you know,
there are people who are in less, uh,
less privileged positions that also need
this information.
Um,
And it should be accessible, right?
So obviously, in the best case scenario,
this person should have consulted an
expert for blue team defenses.
But I'm pretty sure that this person was
probably not someone who had the money or
the time to be investing in this sort
of protection, I guess.
Yeah, for sure.
Taking one more look at the thread here.
Doesn't look like anybody's added
anything.
Anything else you wanted to mention or
call out?
Not particularly.
I guess if no one's got any extra
questions,
I guess we can move into the outro
here.
So all the updates from this week in
privacy will be shared on the blog every
week.
So you can sign up for the newsletter
or subscribe with your favorite RSS reader
if you want to stay tuned.
For people who prefer audio,
we also offer a podcast available on all
podcast platforms and RSS.
And this video will also be synced to
PeerTube.
Privacy Guides is an impartial nonprofit
organization that is focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
then you can make a donation on our
website at privacyguides.org.
To make a donation,
click the red heart icon located in the
top right corner of the page,
and you can contribute using standard fiat
currency via debit or credit card,
or opt to donate anonymously using Monero
or with your favorite cryptocurrency.
And becoming a paid member unlocks
exclusive perks like early access to video
content and priority during the This Week
in Privacy livestream Q&A.
And you'll also get a cool badge on
your profile in the Privacy Guides forum
and the warm,
fuzzy feeling of supporting independent
media.
Thanks for watching,
and we'll see you next week.
