Are Privacy Opt-Outs Useless?

All right.

A new study finds that big tech tracks

you even when you've opted out.

Cal.com will no longer be open source and

some big developments in US and EU privacy

and surveillance.

All this and more coming up on This

Week in Privacy number forty nine.

So stay tuned.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we've been

working on within the Privacy Guides

community and this week's top stories in

data privacy and cybersecurity.

I'm Jordan,

and with me this week is Nate.

How are you, Nate?

I'm good.

It's been a busy week,

but I guess I can't complain.

How are you?

Yes, also a busy week,

but now let's jump into the biggest news

in privacy and security from the past

week.

So this story here from four or four

media, Google, Microsoft meta,

all tracking you, even when you opt out,

according to an independent audit.

Uh,

an independent privacy audit of Microsoft

meta and Google web traffic in California

found that the companies may be violating

state regulations and racking up billions

in fines.

According to the audit from privacy search

engine web x-ray.

Fifty-five percent of sites it checked set

ad cookies in a user's browser even if

they opted out of tracking.

Each company disputed or took issue with

the research,

with Google saying it was based on a

fundamental misunderstanding of how its

product works.

So this company itself, WebXRay,

they viewed web traffic on more than seven

thousand popular websites in California in

the month of March and found that most

tech companies ignore when a user asks to

opt out of cookie tracking.

And this is specifically concerning

because California has privacy

legislation,

thanks to its California Consumer Privacy

Act, which allows users to,

among other things,

opt out of the sale of their personal

information.

And there's basically a system called the

Global Privacy Control,

which is basically a...

In some browsers,

it's a switch and in some other browsers,

it's an extension that you have to

install.

According to the Web X-Ray audit,

Google failed to let users opt out of

eighty seven percent of the time.

Google's failure to honor the GPC opt out

signal is easy to find in network traffic.

Now,

I think this is kind of always been

a

concerning thing right there's these

opt-out signals and we're not really sure

how effective they are right because a lot

of these signals themselves right they are

often ignored like we saw the do not

track signal that used to be kind of

big right um that was also ignored by

a lot of websites and now we're also

looking at this new thing which is

GPC so a lot of companies basically argue

that they're not really sure what this

means and they're just gonna track you

anyway which is kind of silly right so

you know it's not really that surprising

to see that so many websites don't comply

with this did you have any thoughts on

this Nate I feel like this is

unfortunately kind of like I assumed this

was kind of going on so

Yeah, I mean it's um...

I don't know.

I do have a I mean,

I always have thoughts on things.

I mean, first of all,

it's it's I do want to point out,

well, OK,

to assume this is always going on.

I agree with you.

But I do want to know a couple

of things that GPC is supposed to be

an improvement over do not track because

GPC is actually legally recognized under

certain privacy laws like the California

Consumer Privacy Act, for example.

So websites are required to honor it.

So.

I'm with you.

When this was initially announced,

GPC specifically, I was kind of also like,

I don't know,

why would companies listen to this?

Like they already don't listen to things.

But I was also kind of hopeful because,

again, it is like legally required.

And we have seen in the past that

typically companies will – and I'll touch

on this in a second in the article.

But like companies do –

they kind of like to ignore things right

up until they get caught.

And then they're like, ah, okay,

you got me.

We'll play along.

Or, you know,

they'll at least start to play along.

Usually it's,

they kind of have to get caught a

few times,

but they get caught and they change what

they do.

And, um, so I don't know.

I,

I guess I was hoping that maybe this

would go somewhere and it still might if,

if that's what happens here.

But, um,

I think the real issue here,

and this person that they interviewed from

WebXRay kind of talked about this.

Oh, where did it go, actually?

Okay, yeah.

So this person who used to work at

Web, or excuse me, Timothy Liebert,

who founded WebXRay,

he used to work at Google.

And

He said that he told four or four

media he felt his job at Google was

to protect its users,

but his bosses didn't agree.

And he left the company in twenty twenty

three to start Web X-ray.

And this is a quote from him.

Shortly before I left,

my boss told me direct quote.

My job is to protect the company.

There was another time I got into a

very serious ontological discussion with a

fairly senior engineer about what the

difference was between taxes and fines.

And they didn't understand there was a

difference.

And I think this is something that a

lot of people in the privacy space have

noticed is I think the issue here is

these companies,

the fines are not really fines.

They're just cost of doing business.

Like I remember,

I wish I could remember which story it

was,

but Meta got in trouble for something and

they got issued a fine.

And the article kind of openly said –

like they didn't make a point of saying

it.

It was kind of just like a real

quick sentence that if you weren't paying

attention, you wouldn't even notice it.

But the article basically said like,

oh yeah,

Meta is going to contest the fine because

basically it's bigger than they thought it

would be.

Like they don't even care that they got

fined.

They don't even care that they're wrong.

They're just like, no, no, no.

We set aside a certain amount of money

to pay these fines, quote-unquote fines,

which are really just a cost of doing

business and a tax like he said.

But it's more than we budgeted for,

and that's why we're going to fight it.

It would be like if you got up

to the register and you're going to buy

– like you go to the grocery store,

the corner store, whatever,

and you're going to buy a soda.

And they're like, oh, it's five dollars.

It's like, whoa, whoa, whoa.

Hold on.

I have five dollars,

but this should only be three dollars or

maybe it is five dollars now with

inflation.

But you know what I mean?

It's like it's not even that I don't

have the money.

That's not how much I set aside for

this thing,

and that's basically how these companies

treat it.

Yeah.

I think to give a little bit of

a benefit of the doubt,

I think it's tricky to find these

companies sometimes in the sense that

like,

These big tech companies like Meta,

Microsoft, Google,

you want to be able to levy a

fine that's going to hurt them and going

to make them pay attention and stop doing

this crap.

But at the same time,

you need to write the laws in a

way where it's like privacy guides,

for example.

It doesn't wipe us out if we –

not that we do any of this stuff,

but if we make a mistake somehow and

we're accidentally collecting something we

didn't know, I don't know,

just throwing it out there.

A fine that is one percent of Meta's

hourly revenue would wipe us out.

And so you want to find that ground

where you're not destroying the small

guys, but at the same time,

you're still hurting the big guys.

And I do have some sympathy for that.

But at the same time,

I feel like as far as I know,

there's no laws being weighed right now or

suggested.

So, I mean,

it's not like they're really trying to fix

that.

But that's really the problem is just that

the penalties for doing this stuff are.

just a cost of doing business.

And yeah, I don't know,

really unfortunate, but I guess.

I think, oh, sorry.

No, go ahead.

I think like I do think it's interesting

what you said is the the the stuff

about finding a company based like,

you know,

if you don't want to destroy all the

small companies,

I feel like we could kind of get

around that.

Maybe if we had like, you know,

proportional of their earnings,

like based on their profits or revenue,

maybe.

But, you know,

obviously I feel like our governments are

too

captured by these big tech companies and

lobbying and all that sort of stuff um

so it's probably not super likely but I

think you know having a fine that is

actually proportionate to how much they

make because I don't know I guess that

might be hard to argue from a from

a um a damage perspective right like if

they were if they were collecting let's

say

all of Americans data that wouldn't even

be that much of the entire globe right

for meta because meta has like billions of

users so um it'd be hard to say

like just uh in California you know even

less so um I feel like it might

be hard to argue the fine being so

large I guess um but it's still a

problem uh I don't know what the

answer is but I do think they need

to be fined more especially for not um

complying with this stuff but it's good

though I didn't realize the GPC stuff

actually was um related to like legal

stuff like there was a legal precedent

behind it so that's good um but I

guess it's like you said it's kind of

the cost of doing business for these

companies

Yeah, it's very – like I said,

that was kind of what gave me hope

for it because when I first heard about

it too, I'm like, we already did this.

What's different this time?

But it's the legal enforcement.

But it's – I don't know.

The street proportional thing,

I have mixed opinions on because we'll

take – if my project –

I'll just say it.

Like the new oil,

I published transparency reports.

I made twenty thousand dollars last year,

which was by far the most I've ever

made.

And so let's say a ten percent penalty.

Right.

That's two thousand dollars.

I don't have that in the bank right

now.

Most of that money has been spent on

various things.

But, you know, ten percent,

two thousand dollars for me is a lot

of money that would wipe me out.

Whereas for Meta, you know,

ten percent of their what,

ten trillion dollars they made last year

or whatever.

I don't know.

I could look it up.

But you know what I mean?

Like ten percent for them,

they're already paying four percent.

They don't care.

Like it's just it it doesn't scale the

same.

You know,

a person who's making one hundred thousand

dollars a year and gets a ten percent

speeding ticket.

To them,

that's just a much smaller amount as

opposed to a person who's making forty

thousand dollars a year.

So, I mean, I hear you like that.

I just feel like that's not really.

I feel like that's not really a

sustainable solution.

Personally, I could be wrong, but.

I don't know.

It's tricky.

But yeah,

I think that is the solution is until

we like get some kind of better legal

enforcement,

I don't think these companies are going to

stop doing what they do.

And I think the,

what was his name again?

This Liebert, this Timothy Liebert,

he even said that too in this article.

But I think,

I guess a question for you,

what would you recommend?

Because I mean,

I think the solution here is

In my opinion would be that we,

we kind of, you know,

a lot of people argue that laws don't

work and that we need to force companies

to respect our wishes.

And I think they kind of got a

point with this kind of stuff.

Like,

I don't know if I'd go so far

as to say laws don't work,

but I think we need to do what

we can to force companies to respect our

wishes regardless.

Right.

I mean, I think it's,

I think people get too caught up in

black and white thinking, right?

Like you can definitely use the laws as

well as doing things to protect yourself,

right?

Like I wouldn't like just use a browser,

not harden it at all,

share as much information as possible,

rely on this like somewhat nebulous global

privacy thing.

Like, you know, I think it'd be,

a thing that you could use that along

with like a fingerprint resistant browser

to protect yourself a bit more, um,

not share as much information,

use email aliases,

secondary phone numbers,

stuff like that to protect yourself.

Um, because yeah, a lot of cases,

I'm not really sure if this global privacy

control thing is

to be respected like this company said but

i also think it's kind of interesting that

this person um i think you read earlier

that they were um

part of the Google team working on like

the cookie compliance stuff.

I think it's like,

I'm not entirely sure what they're

expecting.

Like you go to work at the largest

data collector in the world and you expect

them to care about like respecting

people's privacy.

I'm not really sure.

I mean,

I guess maybe you could make the argument

that like you are trying to change it

from the inside, but like,

I'm not like friends don't let friends

work at like big tech corporations.

Like let's, let's, you know,

it's not a great idea.

Yeah.

I, um, first of all,

I think that was a great answer with

the black and white thinking.

I think you're right.

Um, I'm,

I'm a real big fan of using multiple

approaches.

Right.

So like, yeah,

you should use a hardened browser and,

and Tor VPN, all that kind of stuff,

but also.

we should push for better privacy laws and

stuff like that.

So fantastic answer.

Thank you for saying that.

But yeah, I mean,

as far as this guy specifically,

I don't know when he started at Google.

So it could be like, you know,

there was that book, Careless People,

that was written by the lady,

Sarah Wynn Williams,

that used to work at Facebook.

And to be fair,

she got there back in like, what,

two thousand...

like eight or something like back when,

when Facebook was still like had the

potential to be good and she kind of

watched it become the cancer that it is

now.

So I don't know,

like if this dude had been there from

the start back when Google used to say,

don't be evil.

And back when you Google stood up to

China and all that kind of stuff,

then I could kind of see, but yeah,

I feel like, um,

I feel like with these big tech companies

these days,

you kind of have to hit a point

where you're just like,

they're not going to change.

Like, you know what you're getting into.

And I don't, I don't, I have, um,

I feel this way about a lot of

systems.

I want to be careful how I say

this,

but I feel like there's certain systems

around the world that just kind of like

I don't know.

I'm kind of cynical on if they can

be changed.

It's like you either get corrupted and

become part of the problem or you get

forced out because you refuse to fall in

line because you're trying to make things

better.

And unfortunately,

I think big tech is one of those

systems that nine out of ten times or

ninety nine out of a hundred times.

It just it is what it is.

And it's hard to change.

It's an uphill battle.

So.

But yeah.

Yeah,

but I think like to talk a little

bit more about like using those both

angles on this approach, like, you know,

trying to enforce these privacy laws.

We do have an activism section on our

website now.

So

You can check that out at

privacyguides.org slash activism.

There's some stuff in there about like how

to contact your, actually, I'm not sure,

it's not live yet,

but there was a section in the works

for contacting your data protection

authority.

And there's also a lot of bunch of

tips on there about, you know,

all sorts of things to basically build a

movement behind trying to get better laws

passed and stop people from

you know,

stop politicians from passing these

terrible laws.

So I think that's also important.

But like,

you can do multiple things at the same

time.

And I think that's kind of why people

get kind of confused.

They'll be like, oh,

these laws are like always getting

bypassed.

They're so useless.

It's like, well,

there are some laws that have done

something.

Like we can all argue that the GDPR

has

had an impact, right?

Like the right to delete has become a

lot more common since the GDPR came around

and that used to be such a pain

to like delete your information from

websites.

And it's had an effect even outside the

EU as well.

So I think, you know,

there's definitely examples of things that

have worked pretty well.

So it's just a matter of advocating for

better legislation.

I think it's definitely possible that

there's a lot of bad stuff right now,

especially with the age verification

stuff.

I think in large part it's just because

people aren't getting riled up enough

about it.

I'm sure the politicians would probably

change their mind if people were

protesting outside parliament or outside

your government buildings.

So I think there's certain things we can

do to sway people on it.

But yeah, that's sort of my thoughts.

Yeah.

Agreed.

It's,

it's politicians are at the end of the

day,

we'll do whatever keeps them in power.

So if something proves to be wildly

unpopular,

they're going to find a way to walk

it back.

I nine, not a hundred times.

So.

Um, real quick,

before we move on to the next story,

uh,

Jonah gifted five privacy guides

memberships on YouTube.

So if you're on YouTube and you're kind

of like listening to us in the background

or something, uh, check that out.

You could,

you could get a free membership trial and,

uh,

get some early access to some upcoming

videos.

So thank you, Jonah.

But, uh,

if that's all we've got on that story,

um,

we're going to move and next we're going

to talk about Mastodon and, um,

Mastodon,

I think most of our listeners probably

know.

I think most of you guys,

or not most of you guys,

but I think a lot of you are

probably currently Mastodon users or have

used Mastodon in the past.

Let us know if you are a Mastodon

user.

One in the chat for yes,

two for no.

But in the meantime,

we're going to talk about some upgrades.

Mastodon got a grant from the Sovereign

Tech Agency Fund.

And so the Sovereign Tech Agency is

something from Germany.

I pulled up the Wikipedia page here.

And basically,

it's a part of the German federal

government.

It's part of their budget that aims to

promote and secure open source

foundational technologies.

It tries to make the open source ecosystem

more resilient against external attacks,

thereby enhancing cybersecurity and

resilience across the German economy.

And so in the past,

they funded things like, let's see here,

Arch Linux with, oh my God,

over half a million euros.

That's crazy.

FFmpeg, FreeBSD, GNU, GNOME.

Oh, my gosh.

All kinds of stuff.

Open street maps, open SSH, PHP,

so on and so forth.

WireGuard.

Yeah, really, really cool stuff there.

So now they have donated to Mastodon.

They've awarded six hundred and fourteen

thousand euros

And out of that total,

ninety thousand has been set aside to be

shared with other Fediverse projects that

choose to implement the protocols

developed during the work,

which we are about to talk about.

So we did write an article or Freya

wrote an article about this for privacy

guides earlier this week and focused

specifically on the on the end to end

encryption,

which I will get to that in a

moment.

But there's a lot more in here,

although that is certainly one of the more

exciting features.

So there's blockless synchronization.

I know historically that's been

A bit of a problem on Mastodon is

moderation.

A lot of people, I'm told...

There's a struggle, right?

And I don't want to get too philosophical

right off the bat,

but there's a struggle between...

We want...

freedom of speech.

And we want people to have a space

where they can say whatever they want,

even if we don't agree with it.

But also some people maybe just don't want

to do that, right?

Like someday I have days where I know

I need to like not check the news,

because I'm just so tired and so mentally

exhausted.

And I'm like, dude,

I'll check it tomorrow.

Now's not the time.

And so I understand some people may want

like an account, for example,

where they can go and just not see

anything political or whatever.

And but the point is,

it's sometimes been a challenge,

especially for people who are new to like

open source technology,

like maybe back when

Elon bought Twitter and a lot of people

were checking out other alternatives.

You know, some people were like,

the moderation is difficult and I'm seeing

a lot of stuff I don't necessarily want

to see.

And that's been a thing.

And so now that's one of the things

they're working on is enabling Mastodon

server administrators to subscribe to

shared block lists,

which this is totally optional.

I think one of these days I floated

the idea of we do want to do

a Mastodon tutorial,

like how to self-host Mastodon,

your own instance.

And I definitely got the thumbs up from

Jonah.

We just haven't gotten around to that one

yet.

That one's in the works.

We have a lot of great ideas for

videos, but...

Anyway,

so that's one of them is a blockless

synchronization.

Remote media storage.

This is more behind the scenes stuff,

but it'll just make it easier for server

administrators.

They won't need to have quite so much

storage on hand.

Mastodon hasn't been too crazy for me,

but also my instance is a lot smaller.

So yeah.

In regards to the spam thing again,

they have automated content detection,

which is specifically for like spam or

illegal materials.

I...

I'll come back to that one actually.

End-to-end encryption, I mentioned that.

So they're going to use,

I believe it was messaging layer security,

MLS.

I believe I read that in Fria's write-up,

but I apologize if I'm wrong about that.

But yeah,

they're going to add end-to-end encryption

to DMs,

which is great because that has

historically been

one of the negatives of mastodon is the

dms are not encrypted and a uh an

administrator could still look at your

messages if they really wanted to they're

going to improve the documentation and i

believe they said they're trying to get

most of this stuff done by the end

of the year and then again there's that

ninety thousand that's bookmarked to help

other instances or other projects that

want to take advantage of this so maybe

someday we'll see end-to-end encryption

between like mastodon and pixel fed for

example or something like that so

I think that's super cool.

The last thing I wanted to add is

this automated content detection.

I could see the argument,

and this is just me kind of thinking

out loud.

I could see the argument where like,

we're not usually fans of this, right?

Because how long does it take?

You know,

maybe illegal material for now means like,

Um,

child abuse material or like in Iceland,

I found out in Iceland,

technically adult material is illegal.

I don't think anybody actually enforces

it,

but let's say you wanted to err on

the soft side or err on the side

of caution and say like,

I just want to block anything that's

adult, right?

You, you could use this for that.

I could see how it could get a

little bit tricky if there starts to be

some kind of pressure to scan for, um,

protests or something more political,

but also at the same time,

that's one of the beauties of things like

Mastodon, right?

Is if you start to feel like this

instance is getting a little bit too

heavily moderated in a way I don't like,

you can move to another instance or you

can self-host your own instance.

So I think that's definitely one of our

favorite things about the Fediverse.

Jordan,

was there anything in this announcement

that you jumped out that caught your

attention or you thought was interesting

or wanted to talk about?

Um, yeah,

I think the block list synchronization

thing is definitely going to be somewhat

controversial.

Like you said, like there was,

I think I've talked to people about this

a decent amount, but like, you know,

people kind of get frustrated that there's

almost like censorship in quotations of

like, you know, certain people, um,

And I think that, you know,

a lot of times,

maybe sometimes that can be the case,

but I think the biggest thing here is

the.

um, you know, uh, the, the,

the small server operators who don't have

a lot of time.

So maybe, you know,

like I know you run your own master

on instance,

I'm sure that can sometimes be kind of

frustrating to see, like, you know,

CSAM and like awful stuff popping up.

Um, because, you know,

a lot of administrators are basically

having to take care of that themselves.

Um, so, you know,

kind of offloading that a little bit to,

allow that to be a sort of community-based

effort is a decent way to go,

I think.

But I think, you know,

some people are still going to have a

problem with this because, you know,

it can kind of make things become a

bit like group-thinky, I guess,

where everyone is sort of

blocking people based on,

I know it's not very common,

but there are a couple of instances that

have just like de-federated with other

ones because of, you know,

beef that they have with each other,

which is, you know,

it happens on every platform.

I think people are like that.

So I don't think it's really,

an issue with Mastodon specifically,

but I do think it's still in a

better spot because even if you find that

to be an issue,

you can start your own instance or you

can just join one that doesn't have those

restrictions.

But I do think it could be better

to make it more obvious what information

is being blocked to users of your

instance,

because a lot of times it's not exactly

clear

what block list, I mean,

I hope it's clear once this gets

implemented,

but also just like being able to see

what is actually blocked by the server so

you can make a better choice if you

prefer to join a server that doesn't have

as many blocked things.

But yeah, all the other stuff seems

reasonably interesting i think i'm not

really a big fan of like the automated

content detection but i think i guess it's

kind of needed once the network gets to

a certain point do you have any thoughts

Yeah,

I think the automated detection thing,

I think it's a blessing and a curse

because like I said,

there is the one argument of like,

this is the same thing that we would

criticize like Apple or Google for, right?

But at the same time,

I think historically,

Mastodon has had a huge problem with spam.

And...

a lot of that, I mean, this is,

there's,

there's pros and cons to decentralization.

Right.

And that's one of the cons is like

their entire servers out there that are

just like abandoned.

Like,

I don't know why the owners are still

paying for server space,

but apparently they are.

And they've got open registration and,

And I've seen this happen a few times.

I've been on Mastodon long enough that

I've seen this happen more than once,

where for some reason,

a whole bunch of bots will just go

and join this one instance that's like six

versions out of date.

The admin is clearly checked out five

years ago and registrations are still

open.

And so everybody,

they send their bots and the bots start

harassing everybody and posting spam.

And usually it's in another language and

it's like,

links to gambling sites or another common

one that goes around is like,

this is Mastodon support.

You need to verify your profile,

which I hope most Mastodon users are too

tech savvy to fall for that.

But at the same time,

I think there's a,

not to get too in the weeds here,

but I think any sort of a platform

needs to have a philosophical question of

what's their end goal.

Because I think if your goal is to

be like, oh,

all of our users are too tech savvy

for that.

They're not gonna fall for that.

Then you don't really need to worry about

weeding out the spam, right?

Like at this point, it's buyer beware.

You're expecting your users to have that

level of tech savviness.

But if you want something to be,

what's the word I'm looking for?

If you want something to be accessible to

everyone and to gain mainstream traction,

then these are the things you have to

think about.

And so I would certainly appreciate some

better moderation tools.

I have my instance set to approval.

I have to approve everyone.

I usually do,

unless I think it's an AI bot,

which they're usually pretty easy to spot.

But if you're a real user,

I don't care why you're here.

But I think...

I can't help it when other people are

spamming, right?

And, you know,

I can't be on Mastodon to manage that.

So it is kind of annoying.

Yeah, I don't know.

It's got pros and cons.

Although again, like I said,

with the whole,

we would criticize Apple and Google for

this, Mastodon's decentralized.

You know,

the US government could theoretically come

up to me and be like, hey,

you need to start blocking, I don't know,

anything from anything in Arabic because

we're beefing with Iran right now, right?

But alternately, if you're,

if you're a German instance,

like the U S government has no power

over you.

So it doesn't,

I wouldn't go so far as to say

it doesn't matter, but it's,

it's a lot harder for that kind of

censorship to like really take hold,

which I think is,

is an advantage for sure.

But,

Yeah.

And then I've,

I've also got thoughts on the free speech

thing, to be honest, but I'll just,

I'll leave that there.

Um, like you said, the advantages,

you can always just go start your own

instant,

which Mastodon is one of the more

user-friendly things that I've looked into

hosting.

It's certainly not,

I wouldn't describe it as like your first

project.

I think there's definitely easier things,

but it's easier than next cloud for sure.

Um, it's,

it's definitely easier than a lot of

other, um,

a lot of other projects in my opinion.

So

Yeah,

and I do think it is good with

Mastodon because if you disagree with any

of these things,

like if you don't agree with blockless

synchronization, that's fine.

You can use like any other Fediverse

system, right?

There's loads of other ones you can use.

You don't have to use Mastodon.

I just think it's the most popular or

one of the most popular, I guess.

I think so, yeah.

So that's kind of why it has...

most features it's the most feature rich i

guess and this is just kind of adding

to that um it is interesting here i

did notice the timeline for the end-to-end

encryption for private messages is twenty

twenty seven and i just think you know

we're gonna be on the side of don't

use that so we don't really want that

but like i mean i don't really think

that's that important i think you know if

you people already i already see people

doing this on maston but they link their

signal account

We would suggest that much more than going

and using end-to-end encrypted private

messages.

Yeah,

I think actually somebody here did

mention, yeah, on YouTube,

Seismic said finally,

and chat besides Signal that I can use.

I mean,

we're going to have to wait and see

what this looks like in the final version.

I highly doubt it's going to be something

that we would recommend over Signal or

even alongside Signal.

But I always think it's great to have

more protection wherever possible.

And I think it is really good that,

because, you know, there may be,

times that I want to message somebody.

And especially in, you know,

one of the problems that a lot of

these, uh,

decentralized services have is there tend

to be like one or two or a

handful of servers that get like a massive

amount of users.

And so it's a lot of people criticize,

they're like, well,

it's not really decentralized because

everyone's using that server.

Um, but regardless, you know,

it's still like,

if you're talking to somebody,

like if I message somebody,

there's a good chance they're going to be

on like the mastodon dot social.

Right.

And so maybe I'm comfortable telling that

person like my date of birth.

but I don't want to tell everybody.

And I don't know who the admin is.

And I don't necessarily know if I trust

the admin and, and, you know,

some Mastodon instances even have like an

admin account where there may be more than

one person that has access to it.

So I think it is really good that

they're adding this level of privacy,

but yeah, I don't,

I doubt it's going to be implemented in

a way where we're like, well, shoot,

this is just as good as signal.

Everybody just use that, you know,

but it's still nice to have that extra

layer of protection for sure.

So yeah, that is a long ways off.

So

Definitely.

I think, yeah, you're right.

I think it is important, like you said,

to have more than just have everything be

have some level of protection rather than

nothing.

Right.

Definitely agree.

And I also saw real quick, somebody asked,

why are people chatting numbers?

We were running a poll.

I think it got moved off when I

started showing comments,

but we were running a poll about

if you were a Mastodon user or not.

And so you would comment in the chat,

one for yes and two for no.

But we'll try another poll in the future.

So I think for now,

that's all I've got on that story,

if we want to move on to the

next one, unless you have final thoughts.

Awesome.

Yeah, no,

I think we kind of talked about that

quite thoroughly here.

So let's move on to the next story

here.

And this one has been kind of a

hot story this week.

Cal.com is going closed source.

Here's why.

So I guess first, you know,

I think a lot of people in our

audience may not be familiar with this if

they're not really into like

uh, meeting scheduling,

self-hosting meeting scheduling sort of

stuff.

So basically cal.com was, uh, well,

it is still a thing, right?

Um,

there's basically a way to organize

meeting times with people.

So you could send someone a link and

it would have your availabilities.

And then the other person could select the

time that works best for them, which,

you know,

Personally,

I've had to do that because we communicate

across time zones now.

This is like a global economy.

So people have to sort of find the

best time.

And that is oftentimes across different

time zones.

So, um, the,

the thing here with cow.com is they have

decided to move to going closed source.

So originally there was a,

they had a self hosted version.

And I think the whole thing with that

was that it was a full, uh,

it was a full open source version of

their, uh,

service that you could self host yourself.

And basically they've announced that they

are diverging from that project.

And they have been for some time now

they've actually been working on a closed

source version.

Um,

and that's the version that runs on

cal.com and they have introduced a new

service, which is cal.diy, which is,

self-hosted version and i do want to talk

a little bit about that but first let's

kind of talk about the reasoning behind

going to this closed source model so they

posted a video here um saying that ai

is killing open source stating that you

know open source vulnerability scanners

are basically making it really hard to

keep up with patching vulnerabilities

because, you know,

they're able to scan the software and find

vulnerabilities much easier than spending

hours and hours as a, you know,

professional hacker or whatever, you know,

like a threat actor,

a proper threat actor.

They can kind of find these

vulnerabilities without

Being that technical is what I'm trying to

say.

So basically that's kind of their

reasoning behind this.

Their reasoning for moving to closed

source is security.

And I think that's kind of where we

kind of fundamentally disagree with this

because I think the source model of your

software doesn't actually have an impact

on security, right?

There's still ways to, you know,

analyze software that is closed source.

There's still ways to, you know,

test software, crash software,

find vulnerabilities.

So that's an interesting take.

I think

One thing that Jonah brought up, you know,

we have like a staff group chat,

he brought up that the cal.diy project

looks kind of sus.

If you go to the website cal.diy,

there is actually a lot of warnings all

over the page,

which kind of makes it seem like they

may not be following,

they may not really be updating this.

This seems like, you know,

something that is sort of

risk,

they're kind of making it seem like it's

extremely risky to use.

Um, so this is kind of strange.

I think, uh,

I don't really know why they're have such

a large warning on like every single page

or like at the top of the introduction

page, um, saying use it.

Your own risk is open source community

edition and is tended for users who want

to self host their own CalDIY instance.

It's strictly recommended for personal.

non-production use please review all

installation blah blah blah like it's it's

quite um strange uh and it says um

below that there's like an ad for their

um for their commercial service which is

closed source now um so you know we

we've always kind of been

are saying that, you know,

there's the source model I don't think has

an impact on the privacy or security.

And yeah,

like Jonah said in the chat here,

literally fearmongering about open source

actually.

Like this is like the silly arguments that

we hear from like people who don't really

know what they're talking about and who

say like,

open source that's like so much worse

because like then everyone can see the

code and like hack you it's just like

not really it just it just means there's

more scrutiny um and i think you know

it doesn't really make that much sense um

to do this it's we kind of talked

about this a little bit in our group

chat but the the the this company itself

cal.com is venture capital backed and

basically what that means is there's

people who

invest money in the company to, you know,

gain a stake in the company, I guess.

And they want to be able to earn

a return on that money that they've

invested.

And in a lot of cases, you know,

open source software opens the company up

to having their ideas and direction

possibly copied by a competitor or to

allow insights into their company from a

competitor.

And I think,

This is kind of a little bit silly.

I think, you know,

if you're making a really good product,

which I think cal.com is making a really

good product,

then you shouldn't be concerned about

someone stealing your ideas.

Like I'm,

I'm kind of not very familiar of that

ever being the case.

Um, I think it keeps the,

it keeps your company kind of, uh,

You don't even like you can have an

open source license that doesn't allow

people to use it for commercial use.

You can still have the software be open

source.

You can have the source available source

code.

So that's why I'm kind of confused by

this.

this move here but I did want to

hand it over here to Nate because there

was actually a bit of a clap back

here from discourse which is basically the

forum software that we use for our forum

but I'll just hand it over to Nate

here to kind of tackle that

Sure.

Um, yeah.

So quick shout out to our forum,

discuss stop privacy guides.net.

Uh, we are powered by discourse, which,

um, I,

it seems like a nice piece of software

as far as I can tell.

I haven't had to deal with it behind

the scenes.

Jonah does all our, our hosting,

but it seems to work pretty great.

And, um,

I mean, I'm not going to mince words.

This was absolutely,

like a clapback was a good way to

put it.

This was a response.

But I want to give a shout out

to Discourse because to me,

this felt like a very,

it was very direct.

It was not watered down.

but it was also not overly aggressive or

unprofessional.

And I feel like I don't see that

a lot of days,

a lot of the time these days,

and I just really appreciate that.

So thank you, Discourse.

This did not pull any punches,

but was also...

I don't know, just very professional,

in my opinion,

as professional as calling somebody out

can be.

But yeah,

so discourse literally said discourse is

not going closed source,

which I think the cal.com was cal.com is

going closed source.

Yeah, that was a direct quote.

And basically,

they kind of said everything that Jordan

said, actually, which is, you know,

they said here that like,

their reasoning is that AI has made open

source too dangerous for software as a

service companies,

codes get scanned and exploited at

buy AI at near zero cost.

Actually real quick before I dive into

that,

the cal.com one did have one statement

that I did want to kind of sympathize

with them a little bit.

So they talked about in recent months,

we've seen a wave of AI security startups

productizing this capability,

which they're talking about scanning the

source code.

Each platform surfaces different

vulnerabilities,

making it difficult to establish a single

reliable source of truth for what is

actually secure.

So the way I compared this,

I don't remember where I said this,

but the way I explained this to somebody,

or I kind of summarized it is like,

if you're at home,

like let's say you just moved to a

brand new country, right?

Like not even a state,

you're in a totally unfamiliar place.

And all of a sudden,

a bunch of like salespeople come knocking

on your door, insurance salespeople.

And this one guy is like, hey,

you need flood insurance.

And the next guy is like, no, no,

no, no, no.

There's a lot of wildfires.

You need wildfire insurance.

And the next guy is like, no,

you need tornado insurance.

And the next guy is like, no,

you need earthquake insurance.

And you're like,

I don't know what insurance I need.

And so Cal.com was basically like,

I'm just not going to get any insurance.

I'm just going to stop answering the door

is basically what they did.

Yeah.

So I want to give them a little

bit of credit because I understand how

that could be frustrating when you've got

so many different companies and they're

all giving you conflicting results.

And it's like, well,

now I've only got so many people.

I've only got so many hours in the

day.

We can only fix so many things.

However, you know, discourse here,

they said,

I understand where they're coming from.

The industry is changing fast.

New AIs with capabilities are being

released every few weeks.

It's a scary world.

And I completely agree that open source

companies need to adapt.

I do not agree with the decision that

closing source is the solution.

and um you know they they basically had

two main points one of them was exactly

what jordan said like going closed source

is uh for anybody who's new here it's

what we like to call security through

obscurity and that basically means like

it's the code equivalent of hiding under

the bed right like if i hide under

the the sheets the monsters can't see me

and that's basically what it is and they

point out here in this this blog post

they say that um

Closed source has always been a weaker

defense than people want to admit.

A web application is not something you

shimp wants to keep hidden.

Large parts of it are delivered straight

into the user's browser on every request.

Things like JavaScript, API contracts,

client-side flows, validation logic,

and feature behavior.

Attackers can inspect all of that.

And then there was another spot.

Did I already pass it?

Oh,

those same AI systems don't actually need

your source code to find vulnerabilities.

They work against compiled binaries and

black box APIs.

I will admit that I do not know...

a lot about technical stuff and code but

i do know that i see a lot

of um

I see a lot of people reverse engineering

apps, right?

Proprietary apps.

And they decompile it and they find ways

to get in there and go, oh,

look at what this app is doing.

Look at all the calls home it's making.

Look at the fact that the traffic is

not encrypted.

What's this server it's contacting?

So clearly this is not,

like the blog post says,

it doesn't need to be open source.

People can find ways into this stuff and

they've been doing it for years.

And so that doesn't actually stop

anything.

It's just security through obscurity.

And it's...

I think security through obscurity can be

part of a larger defense.

I don't know about in this case,

but in general,

I think there's times when it can be

like a data removal, right?

If you pay for a data removal service,

like Easy Opt-outs is one that we

recommend on the website.

That's a good start.

But also like...

using a PO box whenever you're able to,

like not putting your address in every

single form online.

Like, you know,

it's part of a larger defense.

I wouldn't rely on that by itself.

And so the other point they made,

this is a very, very long post.

They said that, yeah,

Basically, they think that this is a...

The security argument is a convenient

frame for decisions that are actually

about something else.

So one is, you know,

Jordan mentioned that competitors can read

your architecture and your product

thinking.

And then there's governance.

They said open source communities push

back.

They file issues about decisions they

don't like.

They fork.

It's exhausting to manage.

I mean, fair.

I will be the first to admit that

every once in a while,

I do get burned out on the community

and I need a break.

But I don't know if that's a good

enough reason to close source your code.

So yeah, it's...

And just to go back to the it's

competitors thing,

Jordan pointed this out too.

There are a lot of companies that are

open source and they're thriving.

Look at Bitwarden, for example.

I mean, granted, they do have investors,

but they're still open source.

You can self-host Bitwarden.

They have instructions on how to self-host

Bitwarden.

There clearly is a way to do both.

And I do wonder if...

cal.com explored any of those options uh

it does sound kind of like there was

just a lot of investor pressure and this

was just the easy button right like if

we go closed source that's going to make

it harder for people to self-host they're

going to have to pay for us we'll

slap a bunch of scary warnings on our

diy page which yeah that's that's not cool

and actually to make that even worse if

i can go back to their blog they

did say that um where did it go

here um

God dang it.

Okay, yes.

While our production code base has

significantly diverged,

including major rewrites of core systems

like authentication of data handling,

we want to ensure that there is still

a truly open version.

So basically,

the cal.diy version is completely

different from the cal.com version

Which raises a lot of questions for me.

And they also make it sound like,

I don't know if they're actually doing

this,

but they kind of almost made it sound

like, here's Cal.DIY.

We'll update it if we feel like it

every once in a blue moon.

But otherwise, like, we don't care.

This is just kind of shut up the

purists, which, again,

is a really crappy take from a community

you claim to have...

valued and whatever but yeah so um this

is a really long blog from discourse but

it is worth a read and again i

i really applaud that like they pulled no

punches but it also wasn't uh you know

just like a like oh it's a pr

opportunity like here's our facts here's

our our experience our reasoning um so i

really give them a lot of credit for

that one but yeah that was a

It's such a wild story, and it's so...

I hate to assume malice in a company,

but yeah, it's so... What turned me off,

I think, was just the fact that, again,

that's all it was,

was we're just going to go closed source,

and that's going to fix all our problems.

And almost immediately,

I saw everybody was just kind of like,

is it though?

Is that really what this is about?

And it just kind of...

I think that's going to do a lot

more damage than if they had just admitted

like, hey,

this business model isn't working for us

and we're going to try something else.

I think they might end up losing a

lot more customers because of the way they

handle this.

I don't know.

Do you have any additional thoughts to the

discourse response or anything?

Yeah,

I just think trying to pass this off

as selling for security reasons,

I think is

to people that actually follow and

understand security is just laughable.

And I think unfortunately those people are

in a lot of cases,

they're going to be the people that self

host this software.

So they're going to be the ones that

realize you're being kind of crappy about

it.

Right.

Um,

I think they should have been a bit

more clear about the reasoning because,

you know,

we don't know if there's another reason

why,

like we were talking about with the VC

investors.

But I think, you know,

especially when we have like, you know,

so many ways to analyze software um that's

closed source even um so you know people

can do like fuzzing they can feed programs

a bunch of random data to get it

to fail they can um do binary analysis

so you can inspect memory dumps of like

applications when they they run uh like

reverse engineering stuff so you know i

think it's

kind of a little bit, uh, it's, it's,

it's feels a bit disingenuous.

That's the word I was looking for.

Thank you.

Um, but yeah,

like we see this a lot,

like even the opposite way around,

like there's,

there's malware that we see and, you know,

we're able to analyze that malware,

stuff like that, um,

to see what it's doing and to understand

what

what the code might be.

So anyway,

I don't think them switching to closed

source is going to make it any,

I mean,

surely maybe a little bit possibly to

these,

to these basic AI vulnerability things,

but I don't think it's a good enough

reason to switch this because yeah,

I think it's, yeah,

it just feels really not great when

they're trying to make up a reason that

doesn't really exist.

Yeah, and I mean,

something that just popped into my head

is, you know, one of,

there's a lot of reasons you might make

something open source or even source

available, like you mentioned.

But one of the reasons I think is

that

it increases the chance that somebody

could find a vulnerability, right?

I want to make it clear real quick

that open source does not automatically

mean that something is more secure or more

private.

It just means that the opportunity is

there.

And I think there is a certain critical

mass where when we're talking about these

bigger projects like Bitwarden or maybe

Proton or some of these,

because I know Proton,

some parts of them are open source,

some parts aren't.

But you know what I mean?

When we're talking about big projects like

that, then...

I think odds are it probably is more

secure just because they're a big project

and they've got a lot of eyes on

them.

But especially for some of these smaller,

like mid-level projects,

I don't know how true that necessarily is.

It's probably not true,

but the opportunity exists.

And where I'm going with that is I

think, especially in this community, um,

There's such a dislike for AI.

I think they're almost going to reverse.

They're almost shooting themselves in the

foot.

If this really were about security,

they're kind of shooting themselves in the

foot because the bad guys are still going

to use AI.

They don't care.

They're going to use any advantage they

can to get ahead.

They don't play by any rules.

The good guys,

not all of them will be using AI.

Right?

And they're playing by a different set of

rules.

So you almost need to like...

Like we've been said a million times now,

the bad guys are going to find the

vulnerabilities no matter what,

whether it's open source or not.

By making it closed source,

the only people you're stopping are the

good guys who are not using AI.

So yeah, that's... I don't know.

That just kind of popped into my head.

Yeah, I think...

I'm not sure if I a hundred percent

agree on the privacy and security aspect.

I think it's more like a transparency

thing, which I mean...

is good uh for like trust and like

stuff like that but like uh i mean

i i think there's definitely there could

be closed source software that's just as

private as some open source software or

they could be closed source software

that's just as private as

open source software.

So, you know, it's, I don't know.

Uh,

it just seems like a really silly reason

to me, but I think we,

obviously we're going to,

we're going to push for transparency.

Like transparency is important, um,

rather than kind of a black box,

which we have to work out things

ourselves.

Um, so yeah.

Agreed.

Um,

Alrighty.

Well, before we dive into,

we have a story coming up about, uh,

Well,

some updates to age verification or

identity verification,

let's put it that way.

But first,

we're going to pause and talk about some

updates with what we've been working on at

Privacy Guides this week.

So in the video department,

we're really excited.

Bit of a soft announcement here.

On Sunday,

we're going to release an interview with

Carissa Veiles.

And if you guys don't know who that

is, you definitely should look her up.

You're missing out.

She wrote this awesome book called Privacy

is Power.

I'll grab it in a minute,

but I actually have it on my bookshelf

back there.

And it's honestly,

like I could gush about this book because

it is so accessible.

You know, it's so like,

I don't want to take drive-bys at other

authors,

but some other authors have written some

very seminal works in the space that were

very academic and kind of hard to read

and pretty dense.

And Carissa Vales is, I mean,

she's a professor of ethics at Oxford

university.

So she is very academic as a person,

but her writing is so like plain English

and down to earth.

Like I could give this book to anybody

and maybe they wouldn't read it because

it's not their cup of tea,

but they absolutely could read it because

it is written so plain English and it's

Um,

but in still like full of useful

information.

So yeah, I, as you can tell,

I'm a huge fan, but, uh,

we got to interview her and we talked

about her focuses on AI and ethics and,

you know,

what is AI going to do for the

future of, of our society?

Uh,

we did talk about privacy a little bit.

Um, I mean, it was a,

it was a great conversation.

I, uh, again, not to like

fanboy too much,

but I was telling people like,

I felt like I was smarter just for

having been in the same figurative room as

her.

Um,

unfortunately this was a remote interview,

not an in-person one, but, um, yeah,

so that's going to be out on Sunday.

She's absolutely awesome.

Go read privacy is power.

If you haven't, uh,

I've already pre-ordered her new book and

you will get a taste of that on

Sunday.

So definitely subscribe on YouTube or peer

tube.

And we'll be posting that when we come

out or when it comes out,

I can't talk tonight.

Yeah, no,

I'm really excited for the interview to

get released.

I've been working on like the editing side

of things.

Oh, there it is.

There's the book.

It's kind of a very recognizable cover as

well.

But yeah,

I definitely am a fan as well.

I think, yeah.

And Nate asked some,

some really good questions in the

interview about a lot of things that she

hasn't talked about publicly,

I would say as much.

And a lot of stuff that was in

the book itself.

So it's like a teaser,

like she's going to talk about some of

the stuff in the book and, you know,

I think it's interesting, yeah.

So she's got a new book coming out

called Prophecy,

which is about AI prediction stuff.

So, yeah, that's also pretty interesting.

So that could be interesting to check out

as well.

I think it's on pre-order until April XIX

or XXI, XXI, April XXI.

So it is looking quite interesting for

that.

But this week we also had some privacy

guides news posts.

So we had,

looks like we had a couple from Freya

and also a couple from Nate as well.

So Nate did one on HackerOne pausing its

internet bug bounty.

So they also kind of were saying that

they were having an issue with AI bug

reports, which that's another problem,

I think.

There was a data breach roundup from Nate

as well.

which I think is important to keep on

top of, just scan the list.

Just check it out and scan the list

because you never know what you might be

caught up in.

And I think companies are getting to a

point where they are

being a bit more accountable where

they're, you know,

sending out notices to people,

but it's also good to keep on top

of that.

And there was also some articles here from

Fria, like Nate talked about earlier,

there's Mastodon getting end-to-end

encryption, private messages.

So Fria had an article about that.

Fiverr exposing information of its users

publicly on Google search results.

Oh my goodness.

It's horrible.

India dropping proposals to require

biometric ID app after strong opposition.

So yeah,

there's a lot of interesting things going

on in India regarding that.

And there was also some stuff about Google

Chrome adding protection against cookie

stealing malware.

But yeah, kind of interesting,

interesting week.

So definitely check out the

privacyguides.org slash news section.

I guess with that being said,

all this is made possible by our

supporters.

And you can sign up for a membership

or donate to privacyguides.org.

or you can pick up some swag at

shop.privacyguides.org.

Privacy Guides is a nonprofit which

researches and shares privacy-related

information and facilitates a community on

our forum and matrix where people can ask

questions and get advice about staying

private online and preserving their

digital rights.

And yep, if you want to do that,

you can visit privacyguides.org and press

the red heart icon in the top right-hand

corner.

of the website.

You'll also be able to sign up for

a membership and get sweet perks as well.

But now let's talk about the future of

warrantless surveillance in the U S Nate.

Yeah.

All right.

As the, uh, as the American,

I guess I get to talk about this

fun little topic and, uh,

that is section seven Oh two, which, um,

many of you may not be super familiar

with.

I, for the record, um,

I follow many different news sources.

The other news source that came up in

my feed was TechCrunch that covered this

story.

I know I just want to throw it

out there.

I know this headline is obviously has a

certain political leaning to it,

but it had a lot more detail in

it as well.

So that's why I went with this one.

Definitely a lot more detailed than

TechCrunch is like five paragraphs.

But anyways,

so for those of you who don't know,

here in the US,

we have the infamous NSA,

the National Security Agency.

I think for some reason,

my brain just blanked.

I know they used to jokingly call it

the no such agency because up until the

nineties,

they didn't even acknowledge it existed,

but it does exist.

And they have so many different things.

One of them is called the foreign

intelligence surveillance act,

which basically authorizes them to spy on,

um,

communications that go in and out of the

country.

And they play really fast and loose with

that specifically at section seven Oh two,

which if I remember correctly, um,

John Oliver did a piece way back in

twenty thirteen where he talked about this

and he went to Russia and interviewed

Edward Snowden.

Super funny.

I highly recommend it still holds up.

Um,

But the way he described or the way

he read Section seven oh two is it

allows for the collection of, quote,

any tangible thing, unquote,

related to like national security and like

communications,

which he points out is like so incredibly

broad,

like telling your teenager you can only

use the car for like car related

activities.

So it's like, OK, hit and run,

drinking and driving like these are all

car like street racing.

These are all car related activities,

my dude.

So yeah.

pretty broad stuff and the government has

done so accordingly.

And so section seven Oh two has been

very controversial on both sides of the

aisle.

Uh,

there have been politicians from both

political parties who have said like, Hey,

we need to reign this in at least

publicly have said we need to reign this

in because for well over a decade now

we have failed to do that,

but that might be changing might be

because, um,

Section seven Oh two is one of those

things that has to be renewed

periodically.

And around midnight,

I don't know why he did that,

but for whatever reason,

the speaker of the house,

which is basically the guy running the

house of representatives,

the head representative,

he convened a vote on,

I guess this was last Friday.

So this would have been after we recorded

the podcast last week and called in

lawmakers to vote on extending section

seven Oh two.

And it failed.

by, I believe, where did it go?

They said about a dozen votes.

And for those of you who are not

keeping up with the US right now,

first of all, I very much envy you.

But our government is incredibly divided,

potentially the most divided it's ever

been.

I don't know if that's actually true,

but everything is very partisan right now.

That is not me being snarky.

That is just true.

Everything is very partisan right now.

And on top of it, the...

what's the word I'm looking for?

The margin of control, like the ratio of,

because we have a two-party system in the

US, which is probably our first mistake.

Our ratio of like one party to the

other is like razor thin.

So everything is very contentious.

Right now, the Republicans,

which is our conservative party,

they have a slight majority,

but it would not take a lot of

votes to flip things.

And that matters because about a dozen

Republicans voted against renewing this

thing.

And that was enough to not pass it.

And they tried again anyways.

They were like, hey,

let's do another vote.

Like the same night, they were like,

let's do another vote.

And then the number went up to like

twenty.

And I think that's when the Speaker of

the House was like, oh,

we should probably stop because I'm losing

support.

So they stopped.

They did manage to pass.

Sorry, I did a control F here.

They did manage to pass a ten day

extension.

So

Previously,

it would have run out on Tuesday.

Now it's going to go basically until the

end of the month.

But even then,

it's still – the US is so weird.

It says later on here that – yeah,

right here.

The Foreign Intelligence Surveillance

Court quietly recertified the program in a

classified ruling on March

I don't know how that works.

Jonah commented on Mastodon.

He doesn't know how that works either,

and we're both natural-born American

citizens as far as I know.

We're a very confusing country.

But I think this is exciting news because

it already failed to pass twice,

and I have to assume that if it

just full-on does not pass,

like if they cannot get this thing passed

through by the end of the month –

then it's got a deadline.

And I don't know what's going to happen

when March,

twenty twenty seven rolls around since

apparently Pfizer can just decide to keep

doing it.

But I don't know.

I think to me,

I'm hopeful because this represents the

first time in like.

over twenty years i think that we might

actually have a shot of getting this thing

defeated um but that's where we're at

right now those are kind of the facts

is uh it failed to vote twice it's

got an extension until the end of the

month um it really needs to i mean

no matter where you are on the spectrum

i know i'm probably mostly talking to

people who are like good this thing should

die but i i also recognize there's some

people who are like well you know

there does need to be some stuff for

national security, right?

But this thing has been repeatedly abused

for warrantless surveillance.

Like again,

the government is not supposed to collect

data on American citizens and it finds all

kinds of loopholes to do it anyways.

This is actually the thing that like,

they use this to buy location data from

third parties.

And I think that's one of the,

it's funny is like the Democrats didn't

even want to completely kill this thing.

They just wanted to reform it.

They're like, require a warrant,

stop buying data.

And the Republicans were like no.

So I'm glad to see at least some

Republicans agreed with this.

So I think the one thing I wanted

to add is where did it go?

There was – basically they did – the

Republicans did try to introduce some

quote-unquote reforms,

which were already existing things.

Like where did it go here?

Yeah.

So the amendment contained a provision

that was in essence a fake warrant

requirement.

It would have prohibited government

officers from intentionally targeting

Americans' communication without a

warrant, which is already in the statute.

It also offered the government a warrant

path if agents had probable cause to

suspect the subject is an agent of a

foreign power,

an authority that already exists.

So basically they just wanted to reiterate

things that were already in there without

actually doing anything meaningful to rein

it in.

And just to drive home the point,

ready to go.

The FBI has used Section seven oh two

to run warrantless queries on a U.S.

senator,

nineteen thousand donors to a

congressional campaign,

Black Lives Matter protesters and both

sides of the January six capital attack.

So.

I don't know what to tell you.

To me,

this is pretty obviously unconstitutional

and needs to be reigned at very least

needs to be reined in regardless of where

your political leaning is.

But it might just die altogether.

And I don't know.

I guess we'll see what happens if it

doesn't pass in March of next year rolls

around.

But yeah,

I think that's all of that story.

Did I did I miss anything, Jordan?

I guess I just have questions that maybe

people in the audience might also have.

Yeah, go for it.

I'm not a lawyer,

but I'll do my best.

Yeah.

So like,

I guess my question would be like,

I thought that you did need a warrant

to surveil people.

Is this like a specific special case that

people have to use like specifically or.

Yeah.

So section seven Oh two authorizes

warrantless surveillance on non-Americans.

And I know we've talked about this briefly

in the past in relation to other stories.

The loophole is that like the,

When I text you, for example, I mean,

we use Signal,

so they can't see it anyways.

But when I text you,

since you're Australian...

our communication crosses international

borders and that's the justification the

NSA uses to scoop up that surveillance or

to scoop up that communication and say,

we get to collect this.

And in theory,

they're probably supposed to throw away

like my side of the conversation or

something, but it, you know,

it doesn't stop them from basically spying

on me without a warrant to be just

because I'm talking to you,

even though they might not have a reason

to suspect anything.

They just,

it crosses international borders.

So yeah.

Yeah.

So wait, okay.

So I,

but they wouldn't be doing that to

everybody automatically, right?

Like it'd have to be like,

if I was on a watch list,

maybe they would consider doing that,

right?

Like, no.

As far as I know,

it's a like carte blanche across the

board.

They do not need a warrant to spy

on any non-American citizen.

Wow, okay.

Yeah, which is kind of,

it is very horrifying.

And it's also kind of crazy to me

that, you know,

when I think about like the US landscape,

like conservatives are so like,

and I don't even mean this as a

ding,

like conservatives are so like

pro-American, like Americans rights,

like I'm a US citizen.

I get all these wonderful freedoms and

rights.

Then why can't we agree on the basics

of like,

stop spying on your own citizens without a

warrant?

But for some reason,

apparently we can't even get that far.

So I don't know.

I mean,

I feel like spying on people that aren't

American citizens is also kind of

problematic too.

I mean, I agree,

but I'm trying to think of like the

bare minimum base floor that we could all

get to agree on.

But apparently, you know,

I guess the bar is in hell.

It's so low.

So I don't know.

I'm very cynical about this stuff.

So I guess another question that I have

is, like,

it seems like in this case it was,

like,

a lot of Republicans who were voting

against this to block this.

Is that normal?

Is this, like,

sort of somewhat of a bipartisan thing,

like,

wanting the NSA to surveil everyone or...?

Yeah, so our – again,

for foreign listeners,

I know the US doesn't truly have like

a left-wing party,

but our Republicans are our conservative

party and the Democrats are our more

liberal party.

I'll put it that way.

And everybody – again,

I hate to say it,

but it is true.

Here in America,

things are so partisan that people

typically vote along party lines.

And so the Republicans,

because they are more conservative,

they tend to be a lot more like

–

you know, we, we need to give the,

you know, the, I feel bad saying this,

but this is their logic.

And I swear to God,

I'm not like trying to ding anybody.

Um, they're very pro troops.

They're very pro police.

They're very pro,

like our intelligence community is

protecting us.

And so we need to give them all

the tools they can to protect us.

And I've literally seen,

I am still mad about this to this

day.

I literally saw there was a, uh,

An opportunity,

I don't remember how it got there,

but basically there was a moment where

somebody actually got a law all the way

up to,

or a bill all the way up to

our Congress that basically said like,

require, yeah,

require police to get a warrant instead of

buying data.

It was literally that.

And one of the Republicans who voted

against it literally said, he's like,

well, our enemies like China, for example,

they can start up a shell company or

they don't even just start up shell

company.

They can buy this data from any data

broker, right?

Just like we can.

So if we require our people to get

a warrant,

that puts us on unequal footing.

And I have never wanted to scream at

my screen so hard because I remember

thinking, I'm like,

then the solution here is to pass an

actual data privacy law so that nobody can

buy the freaking data.

But apparently that's just, I don't know,

that requires too many IQ points, I guess.

But anyways, personal opinion aside, like,

yeah, that's, it's...

Republicans generally tend to be a lot

more lenient on military and intelligence

and law enforcement and argue that we need

to give them as much help as they

can to do their jobs,

which includes putting as few restrictions

on them as possible.

So, yeah.

I see.

Okay.

Yeah,

I did mention in here was like the

House Freedom Caucus Republicans.

So I don't know if that sounds like

they might be like a libertarian type

people.

I'm not really sure.

Yeah,

I'm not super familiar with them either.

I saw that too.

It looks like I'd have to look more

into them.

Well,

it's good that they voted against it

anyway.

I think, you know,

if we can put aside all the other

partisan stuff and be like, you know,

privacy is an issue that's important.

Let's not surveil everybody and collect

all their information unnecessarily.

I think we should try and

against that which is uh unfortunate i'm

sorry this i'm sorry it's so partisan yeah

um because i think that definitely does

make things more difficult you know if

there's one party that's trying to get

something passed it's like we don't want

to do that because it's by those people

it's like uh that's not really the point

but it should be based on the merit

of what they're trying to pass not like

you know the party yeah it's

It's extremely frustrating because that's

exactly what's happening is like somebody

will put like this and, you know, like,

hey,

spying on people without a warrant is bad.

Well, I don't like you,

so I don't like your bill.

And it's like, dude, come on.

But I do want to point out on

that note,

there are some pretty big names in here

that I think are really telling.

Yeah.

Not to get too deep into politics,

but like Thomas Massey of Kentucky,

I'm going to assume he's a Republican

because Kentucky is a very deeply red

state.

Chip Roy of Texas is a Republican.

Lauren Bober,

who used to be like one of Trump's

biggest supporters.

I don't know if she still is.

He's kind of losing some of his key

supporters.

But I just point that out as like,

man,

these are big people that I would not

normally expect to like.

vote against the party line.

So that's probably more indicative of like

larger us politics,

but it's good to see that.

Like you said,

like there are some people who are just

like, no, this,

this is not a partisan issue.

We need to fix this.

So hopefully it won't pass and then we'll

see what happens.

Yeah, I think it is kind of frustrating.

But you know, I hope it doesn't.

I guess we're looking at that on Tuesday.

Oh, no, sorry, not Tuesday.

Sorry, at the end of the month.

So hopefully we get an update for that

in a next This Week in Privacy episode.

um but yeah i think we're trying to

stay tuned for updates definitely make

sure to subscribe and uh add this to

your podcast app um but i mean yeah

i think it's uh it's important we're

trying to stay um when we talk about

this sort of stuff you know we're just

talking about this from the privacy angle

um so you know we're not trying to

Because I know I personally don't talk

about US politics because I just feel like

I'm going to offend someone.

I'm going to always offend someone if I

say something.

So thanks for kind of explaining that

because...

I definitely have less experience.

I mean,

I know a bit about US politics because

it's kind of unavoidable.

So yeah,

but I think it's good to explain things.

But I guess moving on to this next

story here,

unless you have anything more to add.

Nope, that's all I got.

All right.

So this next story here is about the

EU age checking app.

So basically...

Yeah, we talk about this a lot,

you know, age verification stuff.

And now there's basically a movement in

the EU to keep kids safe online with

this new EU age checking app.

Quoting from the article here from

Politico,

the European Union's age verification app

is ready to be rolled out to protect

kids online.

The Bloc chief Ursula von der Leyen said

Wednesday, sorry if I messed up your name,

our European age verification app is

technically ready and will soon be

available for citizens to use,

the European Commission president said at

a press conference.

And basically, according to this article,

the app is a critical part of the

EU's plans

to keep children safe online.

The technology would allow people to prove

their age through the government approved

verified systems.

The EU said it has ensured it would

also protect citizens' privacy rights and

personal data.

Now,

I think that last sentence right there,

that remains to be seen because basically

every single age verification system we've

seen so far has been not great from

a privacy perspective.

And quoting the article again,

we're holding online platforms accountable

that do not protect enough of our kids,

maybe.

Might have been a misquote there.

The new age verification solution and the

enforcement of our rules go hand in hand.

so basically uh this app is ready to

be downloaded um and just kind of

highlighting a post here um someone on our

forum posted a link of their blog

basically going through sort of the uh the

new eu age verification app um so if

you haven't heard of them before privacy

dad they do sort of like parenting related

privacy stuff um and they've been

you know, posting, uh,

an update here about, uh,

the EU age verification app.

So you can kind of see what the

flow will look like.

Um, and apparently according to them,

they were able to download the APK and,

you know, test out the app.

A lot of the features aren't a hundred

percent ready and it was, you know,

has a testing mode,

which you can basically see how it would

work.

Um,

It does seem like you need to scan

your ID into this app.

So I mean, that's fine, I guess,

if you're sending it directly to the EU

government and there's no third party

company involved here.

But I guess that would be like a

separate governmental body that's been

established for this.

I'm not entirely sure about the whole

process behind this.

but you can kind of see the age

verification credential stuff.

Um,

so basically how it's meant to work is

you visit a website or an app and

you can use this, uh,

use this app to basically prove that

you're over eighteen.

It doesn't share your age,

it just shares the proof basically.

Um,

But it does look like you need to

take a photo of your identity document and

record a video of yourself.

So that's not great from a biometric

standpoint.

So yeah, that kind of sucks.

There's a lot of different things here.

So basically it's just a move to basically

change the...

Oh,

there's someone in the chat who asked a

question here.

Probably outside the stream subjects,

but I noticed that hosts are using Apple

products.

Is there a privacy related reason or just

personal preference of hardware?

Personally,

I'm not going to talk about personally,

but I'm just going to say for work,

this is, you know,

I need to use DaVinci Resolve.

I need to use...

applications that aren't available on

Linux, which I would love to use Linux.

I think it'd be great if I could

use Linux.

But as far as I'm aware,

there's still a lot to go on DaVinci

Resolve.

It's quite annoying to use on Linux.

It's missing some stuff.

It is less stable.

It's less supported.

I use Affinity for all the graphic design

stuff we do here at Privacy Guides.

And

As far as I'm aware,

that is also quite finicky.

Generally,

I want to be focusing less on the

technical issues,

like having a bug happen in DaVinci

Resolve where like I can't render a video

or like something like that,

less if possible.

So, you know, I think

you kind of have to use what you

have to.

I mean,

I don't have any personal information on

this computer.

It's like a work computer.

So I'm not really that bothered by using

an Apple product to do this.

Um,

So I think you just have to

compartmentalize things.

But sorry, I kind of got off track.

I just wanted to quickly answer that

question because I guess Nate has got a

MacBook and I'm using an Apple avatar.

So I guess that was kind of a

question that needed to be answered.

But yeah,

do you have any thoughts on that or

on the EU age verification stuff?

Um, well,

I guess let me start with the question.

Um,

so I am fortunate enough to have one

of each computer and this is also a

work computer.

This was,

this was given to me by privacy guides

because my windows computer is from,

I think.

So in tech years,

it's starting to get up there.

I've had a couple of close calls with

it already.

And so this was kind of like, Hey,

We should get me a MacBook just in

case the day comes when my Windows

computer doesn't boot and I'm not

completely up a creek.

So this is kind of my backup,

my computer.

But then also like my Windows computer is

like I've got all the cables dressed in

and it's really nice.

So it's like, cool,

the Windows computer can stay there.

And then I'll use this one when I

travel or for the podcast or something.

Um,

cause I probably should do more work at

a standing desk, but I don't cause my,

my actual desk has like three screens and

well,

two plus the laptop and I have studio

monitors and stuff.

So yeah.

Um,

I try to use Linux more for the

actual, um,

like basically anything that doesn't

involve editing or gaming.

I, um,

honestly,

I prefer windows just out of habit just

because I'm so used to it.

And also, again,

I do some gaming and windows generally