A major Android OEM agreeing to create a
future Graphene OS compatible phone,
ProtonMail sharing data with the FBI,
the OpenAI Pentagon deal, and more.
These are the stories that we'll be
discussing in this episode of This Week in
Privacy,
our weekly live stream where we discuss
the latest updates within the Privacy
Guides community,
and this week's top stories in the data
privacy and cybersecurity space.
I'm Jonah,
and with me this week is Nate.
How's your week been going, Nate?
Been keeping really, really busy,
but could be worse, so I can't complain.
Oh, good.
Let's hop right into it.
We'll start off with the biggest news
story I think that we've seen in privacy
and security from the past week.
Of course,
it's Motorola confirming Graphene OS
support for a future phone
and bringing over features to their
lineup.
This article we have is from
9to5Google.
They published it on March first,
and they said,
following rumors swirling for quite some
time,
Motorola has announced a partnership with
Graphene OS that will see the
privacy-focused,
de-Googled version of Android
pre-installed on upcoming Motorola
devices.
A new long-term partnership between
Motorola and GrapheneOS was announced at
Mobile World Conference,
earlier this week on Monday,
with plans for both a future smartphone to
have GrapheneOS pre-installed and certain
features from GrapheneOS coming over to
other Motorola devices,
the company said in a media briefing in
Barcelona.
In a press release, Motorola said,
Motorola is introducing a new era of
smartphone security through a long-term
partnership with the GrapheneOS
Foundation,
the leading nonprofit in advanced mobile
security and creators of a hardened
operating system based on the Android open
source project.
Together,
Motorola and the GrapheneOS Foundation
will work to strengthen smartphone
security and collaborate on future devices
engineered with GrapheneOS compatibility.
In the coming months,
Motorola and the Graphene OS Foundation
will continue to collaborate on joint
research, software enhancements,
and new security capabilities with more
details and solutions to roll out as the
partnership evolves.
All of this comes after some leaks at
the end of February that we saw on
Reddit and also discussed on our own
Privacy Guides forum where some Motorola
or Lenovo media slides were
leaked ahead of this showing Graphene OS
being referenced in their roadmap for
future devices.
And so those rumors did prove to be
true this week.
It's not...
It's unclear how this partnership is going
to work,
especially with Motorola saying that
they're going to be bringing over features
from GrapheneOS into their devices.
We do know right now that all of
Motorola's current devices will not be
compatible with GrapheneOS.
That will be coming as a future device.
We've seen social media updates from the
GrapheneOS team confirming that none of
Motorola's
devices currently meet their security
standards.
And they're saying that a future Motorola
device that can run GrapheneOS will have
similar specs to the flagship end of
Motorola's devices,
like the Motorola Signature,
but the current Motorola Signature will
not be supported.
GrapheneOS
social media team members have also said
that we can expect a device to come
out in twenty twenty seven.
So this is not an immediate launch by
any means,
but it is now confirmed that they will
be working with Motorola,
putting to rest all of the rumors
of all the other OEMs they could possibly
be working with.
I know there's a lot of speculation for
the past few months since Graphene OS
originally announced they would be working
with an unnamed hardware device partner.
And now that's confirmed.
But yeah,
this will definitely be a big shift for
Graphene OS and how they've always done
things in the past.
So Nate,
you've taken a look at this story.
It's been big news throughout the week.
Was there any key takeaways that you
wanted to discuss here?
Um, no,
I think you kind of covered it.
I mean, at this point,
it's still so early on that there's,
I mean,
I don't want to say there's a lot
of speculation.
I mean, it is,
there is a lot of speculation.
Like, um,
you kind of covered everything we know for
sure.
Um, I, I'm interested.
I, you know, uh,
Jordan said here in the comments that
Motorola was an interesting choice,
which I totally agree with, but also like,
I, I'm not sure.
I'm not much of a hardware guy,
especially when it comes to phones.
I know that Pixels, of course,
have like the best security,
which is why we recommend Pixels.
And also iPhones have good security,
but obviously that's never going to
happen.
That would be interesting.
But I think I'm notoriously critical of
Samsung security.
So I've seen some people saying like, oh,
I wish they'd work with Samsung.
I cynically do not see a world where
Samsung security will ever be good enough
to run a Graphene device, in my opinion.
They would have to really do a lot
of work there.
But yeah, it's really just...
I can't think of anybody off the top
of my head that I'm like, oh,
it's weird they didn't go with these
people.
I definitely was not expecting Motorola,
but again,
I don't know who I was expecting.
I think I will be really impatient to
see what comes next.
I'm really interested...
Because Motorola's official announcement
for this had a very heavy emphasis on
enterprise features.
And I know that's historically something
that's been missing from a lot of FOSS
projects.
With all the stuff about age verification
going on,
a lot of people have pointed out that
a lot of FOSS projects like Linux are
missing...
parental controls.
And so it kind of makes it harder
to, uh,
pull yourself out of those systems,
but still maybe monitor what your kids do.
And so where I'm going with this is
I will be interested to see if maybe
Graphene is able to pull, uh,
some of those optionally, of course,
some of those like enterprise features to
create like some kind of parental control
thing in a secure way.
Um, or anything I will be,
I've seen some rumors that
there's not necessarily a guarantee that
these phones will come pre-shipped with
Graphene,
but they will be Graphene compatible.
I've also seen other rumors that Graphene
will be an optional,
like when you buy it,
you can select Graphene.
I hope that will be commercially available
and not just for enterprise users.
Um, so yeah, it's, uh, I dunno, every,
again,
I feel like a lot of things we
could say at this point would be
speculation, but I'm really hopeful.
I'm really excited to see where this goes.
I'm happy that Graphene has access.
I'm assuming they now have access to
Android.
Um, in a,
in a more stable kind of way.
Cause I know that was a big thing
is Google's been locking down Android
slowly and making it less available and
less open source in practice,
if not officially.
Um,
and a lot of ROMs have struggled with
trying to get ahold of Android so that
they can modify it and get it ready
for releases.
And that's been slowing down cycles.
So I'm assuming now they have better
access to that kind of stuff.
And they'll, you know,
of course they'll have,
I'm assuming access to the hardware to be
able to like modify that and they don't
have to reverse engineer things.
I'll be interested to see if they continue
to support the Pixel or not.
So just a lot of questions, but I'm,
I'm really hopeful to see where this goes.
Yeah, for sure.
I've definitely seen a lot of conflicting
reports on this.
I know 9to5Google said
that Graphene OS would come pre-installed.
I'm not sure if Motorola said that because
they didn't mention it in their press
release,
but maybe they did at the in-person event.
I wasn't at Mobile World Conference,
so I wouldn't know.
I do think, yeah,
I'm definitely interested to see what this
phone looks like because Graphene OS has
for a very long time touted the idea
of
like the Titan security chip in
Pixels being like the gold standard for
smartphone security, and a lot of their
features do rely on that, whereas, um, all
of these other existing devices don't
really have a comparable security chip in
place that has all the same features. So
if we look at all of Motorola's
devices right now, which use Qualcomm chips,
you know,
Qualcomm has some sort of secure element,
which the name of is escaping me off
the top of my head,
but it's not as comprehensive as the Titan
M chips in the Pixels
in terms of what they can do.
And so I'm really interested to see if
Motorola is going to be able to provide
an alternative in these future phones and
what that will look like.
I don't know what sort of secure element
requirements
would be needed in this case.
I don't know what commercially available
options there are for Motorola to choose
from.
That's kind of... Oh,
that would be above my pay grade,
but I'm sure GrapheneOS and their team
is figuring all that stuff out and
probably...
has been working with Motorola on this for
quite some time.
I mean, obviously,
this news was released today,
but GrapheneOS has been talking about this
for a while.
And they've obviously been planning this
behind the scenes for quite some time.
It's also,
it's an interesting relationship that they
seem to have with Motorola.
And I think it explains why they haven't
gone with other OEMs because I've seen
Graphene OS representatives on social
media say that Motorola essentially came
to them asking for the partnership and
committing these resources as opposed to
them reaching out and trying to find one
that's most suitable for them.
Which makes sense because you would really
need
a pretty high level of buy-in from
whatever OEM you partner with to take on
a lot of the responsibility.
GrapheneOS is of course a very small team
still and can't exactly make all of these
hardware decisions and software changes to
support a new device just like
on a whim, resources are limited.
So being able to work with Motorola and
kind of maybe direct their team in a
security-minded focus is really
interesting.
And it's a really cool opportunity for
them.
Yeah,
I think we'll just have to wait and
see what this looks like.
I know I've seen some people disappointed
the OEM wasn't some of the other top
picks.
I know people were hoping for OnePlus or
Nothing or perhaps Sony.
But I don't think Motorola is the worst
choice out there.
And I think it's a very positive sign
that Motorola...
seemingly initiated this partnership or at
the very least is very invested in making
this happen. So, um, it's a good level
of commitment on their end, as far
as we can tell.
Yeah, I agree. While
you were talking, I was thinking
about some of the more, um...
The more, I guess,
open source aligned phone makers out
there,
like Nothing isn't really open source,
but I think they have the whole modular
thing going on.
I might be thinking of somebody else,
but like Fairphone, Purism,
what's the other one?
The PinePhone,
which I know those were probably never
even on the table for security reasons.
But yeah, I mean,
it's one thing worth noting is I did
see a video this week that dove into
this topic a little more and showed also
the,
the Hacker News, Y Combinator, uh, forum
where Daniel was pretty active responding
to some people, and he made a point
of saying, like, this is not an exclusive
partnership. So he said at this time
there's no plans for Graphene to work with
any other OEMs, but it's not off the
table. And I actually didn't know that
about Motorola coming to them. But, um, I
think, I mean, I'm sure you said this
and I'm sure this is a given, but,
like, I think this is great for Graphene.
I think this is great for
open source.
I think this is great for, uh,
the general consumer to have this easily
accessible, um,
potentially ships with graphene device,
uh, especially if that is again,
a consumer accessible option at checkout.
So I think if this phone does really
well, um,
I think that will show other OEMs that
there is an interest in this and being
that again, Graphene,
this is not an exclusive relationship,
then that would be, uh,
that would potentially be on the table
that they could go to Graphene and be
like, oh,
we want to work with you to make
our phones Graphene compatible as well,
which would just give us even more options
for other manufacturers.
So, I mean, I know I'm getting really,
really ahead of myself.
This is probably years down the road if
that ever happens, but, you know,
we can dream, right?
So...
Yeah, absolutely.
I know I see some chats here about
PinePhone.
It would have been nice certainly to see
a partnership with a more niche or
especially like repairable phone.
Fairphone, I think,
would have been a top choice for a
lot of people for sure,
especially in this community,
because a lot of these values, I think,
go hand in hand a lot of the
time between open source, privacy, security,
repairability. Like, a lot of people are
very passionate in this community
about all of those things. Um, but
yeah, no matter which way you
look at this, um, any sort of partnership,
I think, with an OEM, and
especially one that's big name as Motorola
is, is huge for any custom ROM, but
especially GrapheneOS. It's definitely
the Android ROM of choice that we would
want to see partnering with an OEM versus a
lot of the other options out there.
So yeah, it's very cool news.
Yeah, I don't have much else to add.
Like I said,
everything at this point is kind of a
speculation.
We'll just have to wait and see where
things go.
Yeah.
I think in the meantime,
we can talk about a different phone if
we're ready to move on,
which is the iPhone.
And this is pretty exciting news,
but apparently the iPhone and the iPad are
now approved to handle classified NATO
information.
Um, I'm not gonna lie.
This is kind of a headline says it
all.
This is a, for audio listeners, uh,
this is a new press release directly
from Apple.
So, um, it kind of,
there's a little bit of information in
there, nothing super technical,
but you know,
Apple kind of touts all of the security
features they built into their phones
recently.
Like, um,
biometric authentication with Face ID,
memory integrity enforcement.
They say best-in-class encryption.
I mean, I guess.
Government has struggled to crack Lockdown
Mode, and even in the past,
just the regular encryption.
So that's probably not terribly
misleading.
Um, yeah, they say that, uh,
they have gone through,
did they say there was an audit here?
I mean,
I'm assuming there was some kind of audit
certification process, but, um, yeah,
iPhones and iPads running iOS and iPadOS
are certified for NATO use in all
nations.
Um,
I don't think I have too much to
add to that.
Again,
it's a pretty self-explanatory headline,
but I think it just really,
really attests to Apple's security,
which this is going to come up again
later in the show.
But I want to remind everyone watching
that privacy and security and anonymity
are all very different things.
They're very distinct things.
And they do complement each other.
They do work together.
And some of them,
like security is how we enforce our
privacy wishes, right?
You know, with things like...
just as a really low hanging fruit
example,
a password at its most basic form is
designed to control who has access to an
account.
So that is kind of a form of
privacy controlling who has that password
in theory, at least.
So yeah, Apple,
we would definitely like to see them do
more on the privacy front.
There is of course room for improvement,
but again, they are,
they do make incredibly secure devices.
And I think this is just kind of
a further testament to that.
One thing that's interesting is they say
that this is the first consumer,
first and only consumer devices in
compliance with the information assurance
requirements of NATO nations.
So yeah, like I said,
I don't have too much to add to
that.
Jonah,
did you have any thoughts on this story?
Yeah, so, um, it's very cool. I think,
like you said, according to this press
release, and as far as I know, these
are the only consumer devices that can
handle any sort of NATO classified
information, um, which is a big
accomplishment for Apple. The auditing
process, um, for any of this is, uh,
fairly extensive, and I think it's probably
no
surprise that one of the best phones we
already know for in terms of security can
pass this.
But it is just more evidence that a
lot of the safeguards in place on these
devices are functional and work as
expected and can be trusted.
Audits like this aren't the end all be
all of security by any means.
And they mostly make sure there's no like
super obvious mistakes,
but they don't test for everything.
And so it's not like a complete assurance
that these phones are unhackable.
And indeed,
like if we look at the level of
classified
data that these phones are now able to
handle,
which is the NATO restricted level.
That's out of the four classification
levels that NATO has.
That's the lowest one.
You don't even necessarily need a
specialized security clearance in order to
access NATO restricted information.
So
you know,
the most top secret governments are the
most top secret documents that NATO has
are not going to be stored on iPhones
anytime soon.
But it is interesting that like a full
operating system and especially a consumer
one is now able to handle this data
because typically you would see like a
NATO restricted classification limited to
something like a
A lot of those USB drives that have
hardware encryption and a pin that you
enter,
some of those will be NATO-restricted in
terms of security, which is good,
but those are obviously much simpler
devices.
They just have to handle encryption,
and that's pretty much it.
Whereas an iPhone is a...
complicated device and obviously more
challenging to guarantee the security of
those documents on it.
And so yeah,
it is a big step for Apple to
have this done.
I don't know what the process is for
like a company like Apple or an OS
developer to get NATO certified. I don't
know if that is something that, um, like,
the company itself would have to reach out
for and pay to get certified. I would
imagine, um, it typically is. And so thinking
about, like, this being the first consumer
device to be certified to handle
NATO restricted information,
that might not be that surprising because
I would imagine a lot of consumer devices
probably are not willing to undergo the
effort to get this certification and audit
in the first place.
Thinking about like Graphene OS we just
talked about,
I can't imagine they would have the
resources to do like a comprehensive audit
to be certified to handle NATO restricted
information,
even if the operating system is
theoretically secure enough to do that.
So there is that takeaway that I would
think about.
I don't think
And for that reason,
I wouldn't consider iPhones to be the most
secure devices in the world now or
anything like that.
But it is certainly a good sign for
them at the very least.
For sure.
I don't have anything to add to that,
but we did have a few questions in
the chat I thought might be fun to
talk about.
Yeah.
Dyson Fan said,
do you think this will be affected by
the war in the Middle East?
I don't think so.
I think overall,
I know there's a big push in Europe
right now for digital sovereignty.
I think one of the reasons that NATO
would view Apple as a maybe less risky
company compared to someone like Microsoft
is...
Putting aside the fact that Microsoft has
been hacked by China more times than I
can count.
I think Apple does have a history of
pushing back.
Not all the time.
Definitely not all the time.
I'm not defending Apple here.
There's times they should have pushed back
that they didn't.
But they do have a history,
especially in the U.S.,
of pushing back against government data
requests.
And I don't know.
I would just imagine that kind of...
makes the geopolitical landscape a
little bit more, uh, nuanced, I guess, um,
in terms of why they might be willing
to trust someone like Apple. But, um, and
then, yeah, Jordan just real quick said, I
wonder what they use for computers because
Mac wasn't included. I don't know. That's a
good question. I know, uh, Germany
specifically, I know there's a few states
in Germany that are, like, switching over to
Linux and, uh, LibreOffice and stuff
like that. But I don't know about NATO
as a whole. That is a really good
question. So...
Yeah, I'm not sure. I mean, as far
as, like, the war in the Middle East,
I... NATO is... I know the US is
a part of NATO, but the US typically,
when it comes to, like, classified
information or military stuff, they
kind of do their own thing and they
have their own requirements for all of
this.
A lot of the NATO specific stuff like
this certification, for example,
is going to apply more to European
countries than the U.S.
in its own interest.
So...
There is that to think about too.
I believe iOS and other Apple devices have
been certified for a variety of US
government security standards for quite
some time,
but I don't remember exactly what level
they would be certified at or if it's
comparable to this.
I'd have to do more research into that.
Cool.
Yeah.
I mean, that was a pretty quick story,
but
That was all I had on that one.
Yeah, before we go on... Oh, yeah.
Let's talk about this.
So this story was reported by TechCrunch
here.
Meta sued over AI smart glasses privacy
concerns after workers reviewed nudity,
sex, and other footage.
According to TechCrunch,
Meta is facing a new class action lawsuit
over its AI smart glasses and their lack
of privacy after an investigation by
Swedish newspapers found that workers at a
Kenya-based subcontractor are reviewing
footage from customers' glasses,
which included sensitive content like
nudity, people having sex,
and using the toilet.
Meta claimed it was blurring faces and
images,
but sources disputed that this blurring
consistently worked.
The news prompted the UK regulator,
the Information Commissioner's Office,
to investigate the matter.
Now the tech giant is facing a lawsuit
in the United States as well.
In the newly filed complaint,
plaintiffs Gina Barton of New Jersey and
Mateo Canu of California,
represented by the public interest-focused
orcs and law firm, alleged that Meta
violated privacy laws and engaged in false
advertising. Um...
So, I mean, looking at this story,
my immediate reaction is like, well, yeah,
of course this would happen if you strap
cameras to your face that are constantly
streaming to a big tech company.
And this is really a problem that we've
seen over and over before.
The one that most immediately comes to
mind is
was pretty much a very similar situation
with Siri recordings.
And those weren't video at the very least,
unlike this,
but they were being sent to a bunch
of contractors for review when that was
not clearly stated in Apple's privacy
policy.
I believe there have been similar cases
with other voice recording systems like
Alexa.
And so
it's just a sign that these
big tech companies, they're not going to be
treating your data properly and they're
not going to be giving it the protection
that it needs, because they are more
interested in consuming all of this data
as much as possible and, like, having a
bunch of random people, contractors, whoever,
review all of it to supposedly, probably,
improve their AI services and other things
that they...
that they're working on, just with complete
disregard to your own privacy or personal
data.
And so, yeah,
hopefully there's a big punishment for
Meta here,
but I can't imagine a lot is going
to change.
Unfortunately,
I think that we need to be aware
of these dangers and we really need to
just eliminate devices like this from
everyday use.
It's a bit crazy to me, um, how
much things have changed in the past ten
years, because I remember back when, um,
Google Glass originally came out, um, and
there was this "Glassholes" term for people
who wore it and were constantly recording
in public spaces. And now all of this
stuff is kind of being normalized,
unfortunately, and there isn't as much
pushback anymore. And I think that we
need to revisit that, because I don't think
we were wrong back in those
days.
I think that we we were on to
something and maybe we should remember how
much we dislike products like this again.
Yeah, totally agree that.
Honestly,
that was something that really confused me
too.
With the whole like you mentioned Google
Glasses.
I remember when when those came out,
and they were such a flop.
And so when Meta announced their AI
glasses, I was like, okay,
we've already been down this road.
And I know, I think even before Meta,
I think Snap had announced their glasses,
and then I never heard of them again,
which I think those exist.
But I don't know.
I never hear about them anymore.
So my point being, I was like, oh,
this isn't going to go anywhere.
And now I think this article said that
last year they shipped like seven million
of these things.
Hold on, where was it in this thing?
But...
Yeah, while I look for that,
it just blew my mind that it's like,
wait, yeah, in twenty twenty five,
over seven million people bought Meta
smart glasses.
And it's like,
how did it like what's different this time
that it worked when it did not last
time?
I'm very confused.
I think it's got to be like.
Are they making it fashionable?
I know the Ray-Ban partnership must have a
lot to do with that.
Are people willing to give in and use
it?
Yeah, if they're partnered with like,
more recognizable brands.
Kind of an unfortunate way to shop,
but I think that might be it for
a lot of people.
I mean, that does, yeah,
that could be it.
I mean, maybe it's the AI part.
Like, I have said before that, like,
I get on paper, I get the idea,
because I'm convinced I have, like,
a mild form of face blindness,
and I run into people all the time.
I mean, not obviously, like,
with someone like you that I work with
all the time and I see every week,
I know you, but, like,
I run into people all the time that
they're like, oh, hey, Nate, it's me,
so-and-so, and I'm just like,
who are you?
And then when they're like, oh,
we like did this thing together.
And I'm like, oh yes, yes.
Like I'm a contextual person.
When you tell me like how I know
you, then I remember,
but I'm so bad with names and faces.
So I would love the idea of like
AI glasses that tell me like,
do the facial recognition, like, oh,
you know, this person from this,
like save me that whole step.
But I don't want it pinging back to
the cloud,
which of course it would have to do
to do that.
But my point being is like,
I get it on paper,
but I still can't believe that like they
managed to
to actually, like, make it stick this time.
It's so weird to me.
Well, and, I
mean, it doesn't have to do that
necessarily, ping to the cloud. I know, not
that I would advocate for this product to
exist necessarily, but certainly facial
recognition, that's something that has been
around for quite some time, and
well,
you would need to have a local database
in your contacts or whatever.
I do think a lot of people will
already use this feature in the Apple
Photos app or the Photos app on their
Android phone that automatically
classifies faces and you can put a name
for it.
I think that's a fairly popular feature
that runs entirely locally.
And extending that to a basic device like
this,
even if it has to ping your phone
to run this computation,
Certainly it's not necessary to ping
servers if you don't want it to,
but big tech companies are very
disincentivized to do anything locally
because there is so much data that they
can slurp up with their servers and use
for all sorts of AI and other purposes.
And of course,
we'll talk about a future story here in
the show about these AI companies
partnering with people who you probably
don't want them to be.
So that's the kind of direction that all
of this puts us in.
And yeah, it's not great.
And it certainly doesn't have to be this
way.
Just because this is the way that Meta
has decided to make this product doesn't
mean it's the only way that this product
has to exist.
And I think that that's really important
to remember.
For sure.
Yeah,
two things I wanted to add real quick
in response to redacted,
said someone needs to make glasses that
beams lasers at cameras as you walk
around.
That's probably destruction of property.
There is an app,
this is not an official recommendation
because we haven't really vetted it,
but I know there is an app that's
supposed to warn you if there are people
nearby wearing smart glasses,
not just the Meta ones,
but also the Snap ones and
Apparently,
there's more than just those two,
but I do have it on my phone.
It has not pinged me yet,
although I don't know if I live in
an area where people are not using them.
I don't know if it's maybe just false
negatives.
Your mileage may vary,
but it is fully open source.
You can go take a look at it.
I will say,
I've never seen any of these in person
myself.
I don't know what area these are super
popular in, but not around me yet.
Yeah,
and I've had situations where somebody's
got the big glasses and there's a screw
in the front, and I've asked them,
and I try not to sound like I'm
upset about it,
because if they think I'm angry,
they're definitely going to say no.
But I've asked people, I'm like, hey,
this is totally out of left field,
but are those the Meta smart glasses?
And they're always like, no, no,
they're just whatevers.
So I haven't run into anybody yet,
but yeah.
And then the other thing I was going
to say just real quick to add some
context to this article,
it says that the reason there's a lawsuit
is because Meta's advertising specifically
says, and I quote,
you're in control of your data and
content.
And then there was like another quote
there too.
Yeah.
I don't know.
I lost it.
Oh, built for privacy,
designed for privacy, controlled by you.
So, yeah,
it's it's I think they've got it.
I hope I'm not a lawyer,
but I feel like they've got a really
solid case here that if Meta is going
to.
And I mean,
all of the veterans listening know that
this is like, oh, no, Meta lied.
Like the what's the Captain Kirk William
Shatner like?
Shocked face.
But when you explicitly say in your
advertising that like you control your
data and then find out that there was
no toggle not to submit the footage and
people are reviewing it.
I think I put this in the newsletter
that went out actually for this episode
that.
As much as we've talked about these
things,
we kind of blew over that part where
it's like part of training AI is that
people have to review it,
even if only every now and then.
People have to review it and make sure
it's working and correct it,
which is a whole other thing.
worm bag of worms that we're not going
to get into right now. But I
think it's funny that, like, for
you and me, like, that never even came
up once, because we just thought that was
kind of a given, I guess, or for
whatever reason, like, we never even thought
to mention that, like, hey, by the
way, there is no world in which people
will not see, so, at least some of
the images and footage taken by these
videos. So, yeah.
Um, one of our team members, uh, Jordan,
asked...
Sorry, I'll let you do it.
What
protection do people have against being
recorded in public? Um, which is a great
question. Unfortunately, I think the answer
in most countries, including here in the
United States, is not much. But I think
that this is a good example of,
um, I think, why data privacy concerns are
certainly not only a technical issue,
because people very often get caught up in
this, um, trying to think of technical
solutions. And I do like unredacted
suggestion of lasers being beamed at
cameras as you walk around. But at the
end of the day, um, the best
way to prevent something like this is to
get strong data privacy laws
out there that would prevent people from
doing this and using your data without
your consent.
Because I don't think that just being out
in public or walking around is necessarily
consent to be recorded and filmed and that
footage stored permanently for the rest of
time, right?
It's
We really have to rethink our relationship
with technology and privacy.
And we can't just apply past norms to
the current state of what we're in.
But of course,
there are so many incentives to not do
this that I think people need to be
more vocal about.
You know,
we've talked about this in the past few
episodes,
but even governments are getting in on
this like constant mass surveillance via
companies like Flock, for example,
just constantly trying to collect as much
data as possible and seeing
what they can do with it.
And in a lot of cases,
I think they don't really know what they
can do with it yet.
I think Meta with these glasses probably
doesn't know what they can do with the
data yet.
But they're collecting it all in the hopes
that they can do something with it.
And that that's, that's not good.
And I don't think we should allow that.
So hopefully, so hopefully,
that can change.
Yeah, the only technical solution,
quote unquote solution that came to mind
was I really want to buy some and
review them one of these days.
But I know you've probably heard of
there's a company that makes glasses that
they've got a few different models and one
of them is supposed to reflect IR.
So they look like relatively normal
glasses,
depending on how you feel about the style
of them.
But the frames are designed to very
invisibly reflect light back to a camera.
And it's mostly for facial recognition if
I've read... Granted,
this all came from their website,
so it may not be a hundred percent
accurate.
But according to their marketing
materials, it's like some cameras,
like surveillance cameras,
They'll use IR to like better map your
face for facial recognition purposes.
And it's designed to throw those off.
But the nice thing is, again,
if I pose for like a family photo,
my glasses look normal as opposed to they
have another model that like will
explicitly like if you take a flash photo,
it'll reflect and block you.
And so anyways,
my point is like something like that comes
to mind.
But I mean,
that comes with so many like let's just
assume it works for the record.
But you shouldn't have to like if you
don't wear glasses,
why are you going to buy them just
to throw off facial recognition?
You shouldn't have to buy them because I
think they're pretty expensive.
The frames are like two or three hundred
dollars,
which I guess is how much frames normally
cost without insurance.
But either way,
it's it's I guess my point is like
it's one of those like I agree with
you.
Like I don't like.
When ordinary people just trying to live
their lives,
have this unnecessary burden put upon
them, and I understand that like.
Like it.
I understand that there's a limit to that,
right?
Like we're not all entitled to like free
DoorDash or anything like that, right?
Like there's gonna be times you have to
put in some work and you have to
put in some effort and learn some things.
But I mean, in this situation,
like I feel like
these companies are just so out of control
and there is no data privacy law in
the US, at least not universally.
There's a patchwork of limited laws.
Like somebody here said,
there's some states in the US which
don't allow facial recognition without
explicit consent.
Yeah.
There's like two or three that I'm aware
of.
I think there's like Texas, Illinois, um,
probably California with the,
their privacy law and maybe like a couple
others, but you know,
overall there is no like
US version of GDPR that says like, Hey,
here's the bare minimum.
And I,
the more we go through this stuff,
the more I feel like we really need
something like that,
that just kind of sets a standard,
which for the record,
it will not be good enough.
I guarantee you that,
but at least something,
some kind of bare minimum thing so that
people,
ordinary people don't have to jump through
a hundred and hoops just to try to
have like a basic level of privacy.
It's so insane.
And it's really important that like,
you can't just claim to be working around
these privacy restrictions by like
anonymizing that data or whatever,
because in cases like this, for example,
we know that that technology doesn't
really exist or it will, like,
if you want to blur faces, um,
in all of these videos,
it probably relies on AI, which again,
I'd point out Meta said that they were
doing in this case and it didn't work
consistently.
That's just going to be inherent to all
of this technology.
You're never going to be able to.
One hundred percent, uh,
ensure that all of this data is being
handled privately no matter what Meta is
claiming about this.
And really the only solution here is to
not collect that data in the first place
and to not give Meta that data in
the first place.
So yeah,
this whole thing's a bummer because it
really puts a bad spin on AI glasses
in general,
which is probably a good thing because it
seems like every single one that's come
out lately has been...
just in the form of cameras strapped to
your face, right?
Which is always like,
that's never been what I wanted from smart
glasses, even before I got into privacy.
I've always just been a huge fan of
future technology, and I was like,
smart glasses, that could be cool,
because I would want a heads-up display to
see navigation or live translation or a
ton of stuff that does not at all
require cameras.
Recording people constantly,
that's probably...
Most of the very bottom of the list
of things I would ever want to do
with my glasses.
Um,
but that is the direction that all of
these tech companies are going in rather
than, um, something more,
more useful and less privacy invasive,
unfortunately.
So it's a shame.
Yeah.
I, I really just real quick,
I want to drill home what you were
saying about like how the face blur isn't
enough.
Like.
It takes a shockingly small amount of data
to de-anonymize somebody.
And it always cracks me up when it's
something like location, right?
Like, oh, but we anonymize the location.
And how many other people in the world
spend eight hours a night at this location
and then eight hours a day at that
location?
Like that alone tells you who I am.
And then this one with like the whole,
oh, but we blur faces.
Hi, hello.
I don't think that matters for some
people.
for audio listeners,
I'm showing off my arm tattoos.
Like even if you blurred my face, it's,
I don't, it's pretty obvious, you know?
And so, yeah.
Um, I, I could see,
I'm thinking back in my own history.
I could see a few small scenarios where
like having a camera strapped to my face
would be super useful,
but that was like three times a year
at my old job just for me.
Like,
I don't think most people really need it
that much.
So yeah.
And certainly, you know,
that could be a separate product that
like,
what if I just have a little camera
that clips onto my glasses if I want
to record something, right?
I don't need it constantly.
Yeah.
Constantly on and recording.
This is a very niche use case,
I think, for a lot of people.
Yeah, super crazy.
But on that note,
we do have some site updates before we
launch into our next story.
We are going to talk a little bit
later about ProtonMail.
I know that story just came out the
other day.
But first,
here's what's going on at Privacy Guides.
And for those of you who may not
know,
Privacy Guides is a nonprofit which shares
data privacy related information.
And we facilitate a community over on our
forum and on Matrix where people can ask
questions and get advice about staying
private online and preserving their
digital rights.
So first up, big news,
our smartphone privacy and security course
that we have been talking about for months
now.
We've been releasing videos little by
little.
It is finally one hundred percent
available in full.
No membership required.
You can go over to YouTube.
I believe it's on PeerTube now.
If it's not, it will be very,
very soon.
We have,
for those of you who may not be
aware of this,
we basically built a three-part smartphone
course about how to make your smartphone
more private and more secure.
And there's a beginner, intermediate,
and advanced level.
And there is also an iPhone and an
Android version.
So yeah, whichever one you use.
And you can watch them all and you
can decide maybe some of the stuff in
the advanced level doesn't apply to me.
Maybe some of it does.
If nothing else,
it lets you know what your options are
out there and our official recommendations
at this point in time about how to
make your smartphone as private and secure
as possible.
And again, that is out now.
So go ahead and check that out.
And then some big exciting news.
Myself and Jonah next week will be in
Austin, Texas.
We are at an unofficial South by Southwest
party being hosted by EFF Austin.
We will be doing a little workshop about
how to improve the privacy and security of
your phone.
So, and, um, if,
if anyone's in the area and you have
never tried Graphene and you're like kind
of worried about it,
we will actually have a little demo device
that has Graphene on it so that people
can play around with it and kind of
see like, oh,
this is just like a normal Android.
Like there's nothing to be scared of.
I can use it just like an Android.
Um, so we'll have that little demo device,
but also we'll just be answering questions
and, you know,
offering our advice about how to harden
your phone.
And full disclosure,
I am on the board of EFF Austin.
So yeah,
we will be there for anyone who's in
the area.
Yeah,
come stop by if you're not and it'll
be super fun, I think.
And we'll share a link to the to
the event information meetup stuff in the
in the sources of the show.
So yeah, if you're in the area,
definitely check it out.
It should be fun.
And also, I will say,
since it will be taking place next Friday,
we will be hosting this show in person
there.
So that'll be fun for people who watch
this as well.
In other news,
we have a bunch of big stuff that
we announced on our website this week.
The biggest thing that we launched was a
new section related to privacy activism.
So if you go to privacyguides.org slash
activism right now,
you can find all of these
resources. Um, our staff writer Em has been
working super hard on getting all these up,
and it has a ton of useful advice,
um, not for like just activists in
particular, but activists for privacy,
people who want to advocate for data
privacy in their local communities or in
terms of legislation or in terms of
anywhere else that you might want to be
an activist for privacy rights.
And so all of these tools are meant
to empower the kind of digital rights
community that we are in.
And the first tool that we released in
this section is the privacy activist
toolbox,
which it looks like Nate is
scrolling through now here on the screen.
Essentially,
this toolbox is a list of resources and
articles that give you advice on how to
be the most effective privacy activist you
can be and how to effectively and clearly
and sustainably advocate for privacy and
digital rights.
And so if that is interesting to you,
if you've been in the privacy community
for a while and you're wondering how to
best make a difference yourself,
definitely check out these articles.
They're extremely extensive and just a
wonderful resource.
We've gotten a ton of positive feedback
from people in this space and elsewhere
who have been reading these and learning
new things or sharing these with other
privacy activists and privacy related
organizations.
in this space.
The activism section in general is
something that we hope to continue
expanding.
We have a few things on the roadmap
and hopefully we can share a bit more
information about that soon.
But for now,
I think that all of these tips will
prove to be super helpful for some of
you out there.
And if any of that sounds interesting to
you,
definitely go to privacyguides.org slash
activism and check out that resource.
Other site changes,
we've done a few very minor things.
The most notable one was that we removed
mention of zero knowledge encryption or
zero access encryption from our site
because those terms are not very...
clear and we found them to be confusing.
So we're kind of transitioning to being
more descriptive.
Zero access encryption is kind of a
marketing term that gets thrown around a
lot.
And zero knowledge encryption is not
really technically accurate.
It doesn't make a lot of sense outside
of like zero knowledge proofs,
which are totally different things.
So
Hopefully some of our resources around
encrypted tools that we recommend,
et cetera,
are more clear and we hope to use
better terminology to describe that stuff
going forward.
That's not just marketing jargon.
That's a big thing that we want to
try to eliminate from all of our resources
as much as possible.
So that was a big change.
Um, related to our news section, our
volunteer journalist Freya has been
publishing a ton of articles lately, so you
can go to privacyguides.org/news and check
those out. There are a lot of stories
that we don't get a chance to discuss
here on the show
but are still important nonetheless,
and that is the best way to stay
up to date with those in addition to
our community forum.
Some of the articles include a full-length
article on how to game privately,
which might be interesting to the gamers
out there,
as well as more news briefs like Samsung
TVs halting data collection in Texas,
a spyware maker going to jail,
TikTok refusing to add end-to-end
encrypted direct messages, and a lot more.
So again,
that's at privacyguides.org slash news if
you want to stay up to date on
all of those topics.
All of the stuff that we do at
Privacy Guides is made possible by our
supporters.
So you can sign up for a membership
or donate at privacyguides.org.
Or if you want to promote privacy in
your own life and you want to support
us as well,
you can buy some swag from
shop.privacyguides.org.
I think that does it for all the
updates from us this week.
So let's talk about ChatGPT and the
Pentagon.
Nate, what do you got for us here?
Yes.
OK, so for those who missed the memo,
which I wouldn't blame you because there
is so much freaking news going on right
now,
it's hard to stay on top of it
all.
Like I actually forgot part one of this
story until I was reading the article and
refreshed my memory.
So the Pentagon used to have a contract
with Anthropic, who makes the AI Claude,
which I've heard good things about as far
as AI goes.
I guess it's pretty good at what it
does.
But Anthropic had some stipulations in
their contract,
specifically that you could not use Claude
for mass surveillance on Americans,
and you cannot use it in autonomous
weapons.
And the government tried to pressure
Claude into dropping those stipulations
and doing whatever they wanted.
I will admit I'm not fully versed in
the nuance of this story.
So I apologize if any of my opinions
are a little wrong here,
but to their credit,
Anthropic stuck with their guns and said,
no pun intended,
stuck with their guns and said, no,
we're not going to do that.
And the government dropped them and said,
we're not doing business with you anymore.
Went on to declare them a supply chain
risk.
That's a whole nother thing that we're not
going to get into, but OpenAI,
as they do, swooped right in and said,
hey, we'll do business with you.
I mean,
I don't know how else to put it.
So Sam Altman, the CEO of OpenAI,
basically he's clarifying the terms of
this deal now because he recognizes that
that was not a good look to just
come in.
Here's what he says.
We were genuinely trying to deescalate
things and avoid a much worse outcome,
but I think it just looked opportunistic
and sloppy.
You can take that at face value if
you want or not.
You can probably tell how I feel from
my tone,
but that's neither here nor there.
But either way,
he's clarifying that they are still
holding to the terms that OpenAI cannot be
used for mass surveillance.
Noticeably,
I don't think this article said anything
about the autonomous weapons.
But yeah,
and I think that's kind of the...
Again,
that's kind of the bare bones of the
story.
We don't know a lot more.
We know that AI,
and I'm sure a lot of our veteran
viewers know this,
but AI is so much more than LLMs,
right?
And there's a lot of people who don't
even like the term AI because it's been
around for a long time.
AI research goes all the way back to
like the sixties, I think,
which is pretty crazy when you think about
it.
But I mean,
even before it was called AI,
we've had targeted ads,
we've had machine learning,
we've had algorithms determining all kinds
of, I mean, for years,
algorithms have been determining whether
or not you get approved for a loan,
your insurance rates.
And it's just, this is like,
the next step, um,
I've had to explain that to a few
people is that like, it,
it seems on the, from the outside,
it seems like ChatGPT just came out
of nowhere, right?
In 2022, I think it was,
but I mean, it's,
it's kind of been building towards that
behind the scenes.
It's just,
that was like the next leap forward,
at least publicly and visibly.
So, um,
Yeah, AI is being used by the military,
which is, again,
probably not a shocker to our veteran
listeners, but it's being used for, again,
it's more than just LLMs and chatbots.
It's being used to identify targets.
It's being used to calculate how sure are
we that this is a target?
Where do we think this person is going
to be next?
All that kind of stuff.
And so I think
I'm not going to lie.
This has actually been on my mind for
a long time.
Back on Surveillance Report,
Henry used to tell a famous story from
Edward Snowden where it was the – I
believe it was the Boston Marathon
bombings.
It's like him and one of his coworkers
were in a bar,
and they saw the news about the Boston
Marathon bombings.
And I think it was his coworker was
like,
how much you want to bet that guy's
in our system?
Like we flagged him.
We knew he was a threat and we
did nothing.
And when they went back to work the
next day, sure enough,
they looked him up and it's like, oh,
he was in the system.
Yes, absolutely.
And I think that has long been a
criticism that I personally have heard
from intelligence people.
Not that I know any,
but I've just like,
I've seen it around in articles and stuff
is they're so inundated with data that
they cannot sort through it to make sense
of it.
which to me tells me you should stop
collecting so much data.
But I think that's one of the most
obvious uses of AI is to sort through
that data,
which raises a lot of concerns that the
article did actually address here that AI
is known for getting it wrong or
hallucinating.
Like it says right here,
AI large language models can make mistakes
or even make things up known as
hallucinating, which...
Fun fact,
that was actually my first experience with
AI.
Back in the day, I was like, well,
let me try this out and see if
it's any good.
And so what I used it for was,
this was back when I used to recommend
Threema over on The New Oil,
and I was writing a review.
And so I was like, okay,
give me the pros and cons of Threema.
And one of the pros, it was like,
it has a password manager built in.
And I'm like,
can you cite your source for that?
And of course it couldn't.
And it just went, oh, you're right.
I'm sorry.
It doesn't have a password manager.
And I'm just like,
Where did that even come from?
So yeah, AI,
that's one of the big concerns with AI
in this context.
I mean,
aside from just the privacy in general
is...
I mean,
I think there's so many issues with
privacy in general, right?
Concerns about privacy in general.
Aside from the fact that it's just a
given human right,
I think it was also Edward Snowden or
somebody said that you never have to
justify why you deserve a right.
Someone else has to justify why they need
to infringe on it.
But in addition to that,
I think something that should be said is
that, and again,
we know this thanks to Snowden in
A lot of the time,
the loophole for spying on American
citizens is that once data leaves the
country's borders,
it becomes subject to surveillance.
So last year I went to Europe, right?
Suddenly you can spy on me because if
I, you know,
had to call my wife back home,
that data's crossing borders.
Or even on a much more innocuous note,
he would talk about how data centers like
Gmail, for example,
completely unbeknownst to you,
they might move a server,
like copy the data somewhere else
temporarily to like do maintenance on that
physical server, right?
And that data might go to Canada, Mexico,
whatever, or even just sending an email.
You know, the internet...
as far as I understand,
like it tries to optimize and take the
fastest route to something,
which let's say hypothetically,
for some reason, the fastest route from,
I don't know,
Texas to California is jammed up.
It might, again,
bounce over to a server in Mexico and
then bounce back over to California to use
the fastest route.
And now again,
your data is open for interception.
So it's, yeah, there's just so,
so many privacy concerns with AI.
And the fact that they...
The fact that this is even a discussion
or a question from the military of like,
well,
can we use it for mass surveillance on
Americans?
Why?
Just, yeah, I don't know.
That's...
I think that's kind of all my thoughts
on that one.
Yeah, I...
I would definitely and you said we
wouldn't talk too much about this,
but I would want to highlight the the
idea that the US government was going to
flag Anthropic as a national security
threat or for making these demands.
I think it is very concerning that the
US government was so insistent originally
that like the ability to spy on US
citizens domestically was like a hard line
that they needed to have
not roped enough in this application,
especially because this is an agreement
between AI companies and the military.
Certainly not the people you would want
surveilling on your own citizens.
But
Yeah, I mean,
there's problems with AI everywhere.
I think Jordan brings up a good point
here that even if there are safeguards
against US citizens that eventually get
added on, all of this technology,
which we already know is extremely
unreliable,
is going to be used in military operations
around the world.
And all of this AI stuff,
like you mentioned,
It's come out very recently.
I mean,
none of this stuff is like super well
tested by any means.
It's all just a lot of tech companies
really trying to jam this product into as
many possible segments as they can.
And of course,
that would include the government and the
military.
And it's all about getting a return on
this massive,
massive investment that they've all made
into AI development.
It just, it's, it's becoming an actively
dangerous situation, I think we can see
from, from this story here. And I totally
agree with you that it really makes no
sense that, um, this AI use and all
the data collection that they're doing
will make a real difference in terms of,
like, stopping terrorist threats or plots
or, like, affecting people's everyday lives.
Um,
And this is an argument that people have
known about and people have been making
for literal decades,
even before like the Internet and
computers were commonplace or used by
everyone.
It reminds me of like all of the
reports that came out following 9/11
in the US about how certain
government agencies had intelligence that
indicated this might be happening,
whether or not that was passed along to
the FBI.
Like before this happened,
were people aware?
I think the general consensus there was,
like, you know, nothing was as definitive. It
wasn't completely reasonable for, like,
anyone to expect that that event was going
to happen ahead of time. But certainly, like,
these people were in the systems and that
data didn't lead to anything actionable
happening. And it's similar to the, to the
case you talked about, um, where, where the
perpetrator was in their systems and was
already flagged.
And that didn't lead to anything being
stopped because all of this data
collection,
it isn't leading to any positive outcomes
here.
They're using national security, I think,
as a front for what they really want
to do with all of this data.
But much like a lot of
security protections that we have,
like the TSA, for example.
This is just a matter of security theater
in a lot of cases that isn't actually
doing the things that it sets out to
do.
You know,
they have plenty of other reasons to want
this data.
And I think national security or stopping
threats or stopping terrorists or
protecting children or whatever excuse you
want to you want to come up with
these days.
All of that is just an easy way
to put a bow on things and describe
it without having to really get into the
details.
But if you did get into these details,
you would see that all of the stuff,
the AI stuff that we're introducing into
the military,
all of the data collection that we're
doing on US citizens and people all around
the world, really,
all of this stuff is just completely
unnecessary.
And it's
bad. It's bad for citizens of the US,
it's bad for, for everyone else in the
world, and it's becoming actively dangerous.
Um, and I think more people need to
be concerned about all of that.
Yeah, I
mean, we could make a whole podcast, like,
not even just an episode, we can make
a whole series out of all the problems
with AI. But, um,
One of the things also that Jordan said
that I thought was pretty good is AI
is pretty biased based on its training
data.
That's historically been a big problem,
especially in a policing context,
is a lot of people have accused it
of...
One thing I've learned is if you go
looking for a problem, you will find one.
Generally speaking,
whatever you go looking for, you find.
And so if police, for example, feed it
uh, feed AI, like, all these, uh, these
arrest records, right, and let's say they
all happen in the east side of town,
then these, this AI is going to be
like, oh, all the crime is in the
east side of town. More cops are going
to go to the east side of town.
They're going to find more crime because
there's more cops. Meanwhile, the west side
of town is where all the white collar
crime is happening. Um, but, you know, it's,
it's just, it's such a, it's such an
imperfect thing. And
There have been, so far,
there have not been any studies that have
shown that all this mass surveillance
actually stops crime or has any meaningful
impact on lowering crime rates.
And one of the big things that concerns
me with relying so much on AI for
everything is,
if you guys have never seen the movie
Brazil, I highly recommend it.
The ending's a little bleak,
I'm just gonna warn you.
But it's basically this very absurdist
sci-fi movie where this guy gets
wrongfully arrested
And his neighbor witnesses the arrest and
he's like,
I don't think they got the right guy.
Like I've lived next to this guy for
twenty years or whatever.
He's never been an issue.
And so he basically goes off on a
quest to try and deal with the bureaucracy
of like you arrested the wrong guy.
And he keeps running into people who are
basically just like, well,
that's what the computer said.
Like, that's what my paperwork says.
That's that's just like, no,
but that's what it says.
And like,
that's one of the big concerns that I
have with all this stuff and all this.
letting the machines do the thinking for
us, shout out to the Dune fans in
the room, is that, like, we're entering this
world where it's like, when the AI gets
it wrong, what happens? They're just going
to be like, well, that's what the computer
said. Yes, but the computer's wrong. Yeah, but
that's what the computer said. It's like, oh
my God, dude. So yeah, it's, it's a
very scary time we're entering into.
Yes.
We are going to get into some questions
from live streamers in a bit.
But before we do that,
we have an article here from 404
Media.
The headline is Proton Mail helped FBI
unmask anonymous Stop Cop City protester.
A court record reviewed by 404
Media shows privacy-focused email provider
ProtonMail handed over payment data
related to a Stop Cop City email account to
the Swiss government,
which handed it to the FBI.
So I'll read the beginning of this article
quick.
Privacy-focused email provider ProtonMail
provided Swiss authorities with the
payment data that the FBI then used to
determine who was allegedly behind an
anonymous account affiliated with the Stop
Cop City movement in Atlanta,
according to a court record reviewed by
404 Media.
The records that they reviewed provide
insight into the sort of data that
ProtonMail,
which prides itself on both its end-to-end
encryption and that is only governed by
Swiss privacy law,
can and does provide to third parties.
Um, so pretty much this,
this entire story, um, I,
I kinda disagree with,
with the headline a bit,
although obviously FBI involvement was
here.
It is important, I think,
to draw this distinction, um,
between like, uh,
a foreign government asking Proton for
this information versus, um, the,
the Swiss courts.
asking Proton for this information because
in this case,
the FBI did go through those channels and
the Swiss courts demanded that Proton hand
this data over.
And I think that this is a big
difference from a lot of like big tech
companies, for example,
which will comply with court orders from
from other countries where they're
Like they might not necessarily fall under
their jurisdiction,
but they will comply with them anyways,
rather than like demanding everything go
through the U.S.
in a lot of big tech cases.
And so.
There is I do think you have to
draw this distinction because.
You know,
the Swiss courts do limit a bit.
as far as like what what information can
be requested.
But obviously we've seen a number of times
that they have been willing to demand the
data of activists in this case who aren't
necessarily
doing anything illegal.
I don't know exactly what these people are
being accused of,
but I do know that charges against a
lot of the people in this case,
according to 404 Media in this article,
actually,
they said that they've been dropped.
So it's not clear like who's involved or
like what level of certainty the FBI even
had in the first place as to like
what crimes the person behind this email
supposedly committed.
At the end of the day,
kind of similar to the big story with
Proton revealing the IP address of a
French activist a little while ago,
the issue isn't necessarily the fact that
they're handing over information,
although it's certainly not great that
they have this information to hand over in
the first place because we can look at
court cases
from Signal, for example, where the amount
of information that they have and do
hand over is extremely, extremely limited,
whereas it seems like a lot of, uh,
data that Proton has is, is not protected
as you would expect. Um, but I think
it really just highlights the importance
of
understanding what data you have is
protected and isn't protected when you use
any service, including Proton.
Because the encryption that is used in a
lot of cases,
and certainly in the case of Proton,
which is an email provider,
which is already not a great technology
for protecting this sort of metadata.
The encryption that's used even in
end-to-end encrypted products varies
widely.
So we could think about Signal again,
just for a simpler example,
compared to WhatsApp.
They actually use very similar encryption
technologies.
WhatsApp has famously used the Signal
protocol to encrypt those messages for a
while,
but
unlike Signal,
which has put in a lot of effort
to minimizing the amount of metadata that
that's collected and logged by the
company,
WhatsApp and their parent company Meta are
collecting and storing all sorts of
information about like,
who's registered on their service,
when they're using the app,
who they're communicating with,
they have all of that information.
And in that place places you at risk,
even though WhatsApp is end to end
encrypted.
And similarly here,
At the end of the day,
I don't think it's reasonable to expect
Proton to not comply with court orders,
of course.
I don't know.
Maybe you saw this in Consignment,
but I don't know if I saw in
this article whether Proton fought back
against this court order or to what
extent.
And so I'd be interested to know about
that.
But I will say,
at the end of the day,
looking at the...
I think especially after the French
activist thing,
Proton has made a bit of this more
clear and it is pretty clear in their
privacy policy,
like what information they have.
And I think that people just need to
go into situations like this,
assuming that any data that they give to
a third party service provider could
potentially be either leaked in a data
breach or handed over in a case like
this.
and need to plan accordingly because the
only protection that you can really rely
on is strong encryption of all of the
data you want to protect.
You can't rely on privacy policies.
You can't rely on companies avoiding court
orders.
if they have the data,
it will eventually be leaked,
whether it's the company giving it away or
whether it's a hack,
which seems inevitable.
I mean, Nate,
you publish like a data breach roundup
every single week, right?
With all sorts of companies that are
hacked all the time.
I think it's more than most people would
expect.
And yeah,
you can find that on our website if
you want to
go back in time and see all of
these happening. But, um, yeah, you have to
rely on encryption and you have to really
take a look at what these companies are
encrypting, because Proton is taking a lot
of data that they do not encrypt at
the end of the day, and you need
to plan around that.
Yeah, it's, um...
Yeah, real quick,
fun story on the data breach note.
I started doing that back many,
many moons ago.
I started my own just solo podcast.
And when I ended up teaming up with
Henry at Surveillance Report,
that was my one stipulation is I want
to bring the data breach section.
And that's kind of why I started doing
it here as well is because,
like you said,
I think people don't realize how
frighteningly common data breaches are.
And that was kind of like my thing
is like I wanted people to realize, like,
if for no other reason,
take your privacy seriously than the fact
that this happens literally every day.
But yeah, it's...
I think the reason I always like to
share these stories about Proton sharing
data is not to beat up on Proton
necessarily, but I mean, for one,
I already know there's going to be a
lot of people out there spreading
conspiracy theories about how Proton's a
honeypot and this just proves it.
But it's like you're saying, like email...
So many.
I think this is actually in one of
our upcoming videos here that should be
coming out soon.
So many of the technologies that run the
internet were invented literally in like
the nineteen sixties when there were ten
people online and they were all like
college kids and there was no need for
security because nobody was doing banking
transactions.
Nobody was doing sensitive military plans.
Nobody was sharing like
intimate communication.
It was all just literally like research
that was all going to be made public
at some point anyways.
Right.
And like maybe a few notes here and
there about like, you know, Hey,
did you get the document or whatever?
But it,
so security was really kind of an
afterthought.
And unfortunately as the internet grew and
scaled,
we kind of just kept bolting afterthoughts
onto this, this stuff.
And that's how we end up with things
like encrypted email, which, you know,
Proton is great, Tuta's great.
But both of them and Mailbox and like
all of these,
they're really just applying band aids to
technologies that were never really
designed to be secure.
And that's why we like things
like Signal that were kind of like,
what if we went into the ground floor
and tried to be as secure as possible?
But even then, those have use cases.
Like, I always push back on that.
A personal pet peeve of mine,
I hate when people are like, oh, well,
you shouldn't use encrypted email because
email was never designed to be secure.
Use Signal instead.
And it's like, great.
The day my bank agrees to send me
a Signal message,
I will be in agreement with you.
But we're just not there.
Like, unfortunately, again,
we still have all these legacy
technologies that are floating around
because they just are.
And I think...
I think these stories are unfortunate
because Proton,
like every company is going to try to
market why you should use them, right?
And I think for,
especially for the target audience of
people like Proton,
it's very difficult to explain to people
in a nutshell why they need something like
Proton or PGP or anything.
It's very difficult to explain to them why
Gmail and Yahoo are not secure.
And also to explain nuance, right?
It's a very fine line to thread,
especially when you're talking to the
masses.
And I think there's definitely places
where Proton could do better.
Like I think with that French activist
one,
Proton did actually change some of the
wording on their website because it wasn't
technically wrong,
but I could see how somebody could get
the wrong impression.
And I don't know, this stuff,
I'm trying to put my thoughts in order
here.
It's frustrating because I don't think
Proton necessarily did anything wrong
here,
but I could see how people could be
lulled into a false sense of security.
And I do want to point out,
somebody pointed out here in the chats,
they said like no end-to-end encrypted
data was given away.
The account owner simply had bad OPSEC.
It's this person, like I will admit,
I pay for my Proton account with a
card.
I use a privacy.com card.
which is linked to my name.
Like if,
if I was the person in this scenario,
for whatever reason, um,
the FBI could request data from Proton.
Proton,
they, here's their card info.
They could trace that back to privacy.com
who could trace it back to me.
I know that's not fully anonymous,
but also I'm not an activist.
If I was doing like serious,
heavy activism work,
I would probably take some more steps.
I don't really want to victim blame here,
but I guess, um,
And Proton pointed that out too.
They said like, we do accept cash.
We do accept cryptocurrency.
They don't accept Monero.
I'm going to always call out on that,
but it's, yeah, it's, it's like, it's,
it's important to know the limitations of
a tool.
And again,
like I mentioned this earlier in the show,
there's a difference between privacy and
anonymity, right?
Proton is not promising you anonymity,
at least not by default.
You're
So I think it's just really important to
keep in mind the limitations of these
tools.
And I just remembered you said is from
what I understand,
Proton did not push back on this order
because they were informed that apparently
this person,
I don't know if charges were dropped.
The article said that charges hadn't been
filed.
What exactly did they say?
Uh,
404 Media is not publishing the
person's name because they don't appear to
have been charged with a crime according
to searches of court databases.
So maybe they haven't been charged with a
crime yet.
Um, but yeah,
Apparently,
Proton was informed that the person in
this situation was violent,
that they had already shot at one officer,
that they had explosives on them.
I don't know how true that is.
That's Proton's justification,
and you are welcome to have your own
opinions on whether or not that was
justification enough.
But it is...
Yeah,
it's – Proton does push back sometimes.
They kind of do it on a case-by-case
basis,
which I don't know how I feel about
that.
But they try to get as much of
the facts of the case as they can
before deciding whether or not they want
to push back on a court order.
But yeah, it's –
I don't know.
I think for me,
the big thing again is I hate seeing
people confuse privacy with anonymity and
get really upset and be like, oh,
Proton shouldn't have complied.
Proton even said this.
I don't know if it was in here,
but there was a Reddit thread where Proton
issued an official statement,
which was very professional.
I was impressed by it.
And they did mention basically that, look,
nobody can operate above the law.
There's not a country in the world where
we're not subject to somebody's laws.
And
They choose to be under Swiss laws.
They feel that Swiss laws are very
thorough and set a very high bar.
But yeah, I mean, ultimately,
at the end of the day,
I personally would be more worried by a
company who ignores the law because
they're going to get shut down eventually.
Like they just they can't keep operating
outside the law.
So, yeah.
Yeah, I, I agree.
It's a very fine line for them to
be treading here.
At the end of the day,
like the headline is accurate.
They did help the authorities.
And you might not expect that from a
company that markets itself so heavily
around privacy.
And a lot of people in the privacy
community, especially,
I even saw a comment here from our
team member, Jordan,
saying they could make it more obvious the
data isn't encrypted,
which I think is certainly true.
But at the same time,
I think you have a really good point
about
like Proton needing to market this product
towards an extremely broad audience who
does not care about these problems and who
isn't like going to be affected by court
orders because the demographic that Proton
is targeting is
primarily businesses and people who are
switching away from the Google Workspace
suite of things.
And it is just objectively true that
switching from Google to Proton is a huge
benefit for those people.
No matter what they do, really,
it's always going to be an improvement in
their privacy and security.
And a lot of these people are not
going to be
concerned about the nitty gritty details
of some of this stuff.
And also to Proton's credit,
between their privacy policy and their
blog and some pages on their website about
transparency,
for the people who are concerned about all
of this stuff,
you can find all of this information
pretty accessibly on their site and in
their resources.
You do have to look for it.
Which you can certainly argue is
unfortunate,
but also you can see that as a
legitimate decision for them to make
because it doesn't probably make a lot of
sense to overwhelm the type of person or
business that's switching from Google and
Microsoft to Proton with all of this stuff
that isn't going to impact them.
It's a very hard problem to solve.
And I think that for people who are
in this situation,
making it more clear that you need to
be using tools like Signal or SimpleX or
other messengers that are designed from
the beginning to be secure rather than
like you said,
sixties technologies that have had a ton
of stuff just bolted on over time.
Like, that is the actual solution here, and
I think that, like, more tools that are
designed to be as private as possible by
default without having to worry about this
makes a lot more sense than Proton,
like, trying to describe every possible
case where your data could be
leaked or shared like this.
So yeah, it's kind of unfortunate,
but I'd agree that I don't really know
what else Proton can do in a situation
like this.
It's very challenging,
and they've created this challenge for
themselves because they chose to make an
email service,
but that is what they're doing at the
end of the day,
and there isn't a great way to handle
this, unfortunately.
Yeah, I agree.
I mean,
it's I think we hit a certain point
where it becomes
It becomes kind of a personal opinion
thing in the sense that like, for example,
this person here on YouTube said that I
think that doesn't justify the move
they've made.
And I could see that argument where like,
again,
if you're saying like they shouldn't have
handed over any data period,
no matter what,
I completely disagree because they will.
If you go with a bulletproof provider who
does that,
eventually they will be shut down.
And now even if you didn't do anything
wrong,
your data is sitting in an evidence locker
alongside everybody else.
We've seen that happen time and time
again,
but I could see the argument of like,
well, they still,
they should push back on every court order
by default.
And I can see that argument.
I don't know if I necessarily agree with
that for the record, but like,
I definitely see where you're coming from.
So that's what I mean when I say
like,
we kind of get to a point where
it becomes personal preference.
Like, should they have pushed back harder?
Should they push back every time?
Because there's also a part of me that
says, well, if they cooperate,
let's say they cooperate on,
objectively awful cases,
like we know this person was genuinely a
terrorist in the wrong,
we know this person is trafficking CSAM,
we know this person is doing awful,
awful things,
then I feel like that kind of improves
Proton's position when if they get a BS
request that's like, oh,
we just don't like that this journalist
wrote mean things about us.
Okay.
Cry me a river, go home.
We're not turning over the data.
So I don't know.
It's just, it's, it's personal preference,
but yeah, it's that same person just said,
there's a reason I've always avoided
email.
I'm kind of backing up what you were
saying.
It's, it's less, uh, but, uh, you know,
we,
we need to focus on things whenever
possible.
Again,
I mentioned that my bank is never going
to send me a Signal message,
at least not anytime soon.
And I wish they would, but, um, yeah,
trying to avoid email when you can trying
not to.
I don't know,
just trying to move to those more private
or more secure from the ground up
alternatives where possible is kind of the
only solution.
But it has its limitations for sure.
But I think that was all of our
stories this week.
I was poking around Proton's website.
Let me close these tabs.
Those were all the questions.
So it's time to start taking viewer
questions, actually.
If you've been holding on to any questions
about any of the stories we've talked
about,
go ahead and start leaving them in either
the forum thread or the comments section
of the livestream.
And we're actually going to go ahead and
start with the forum thread,
which
Last I checked only got one question.
Yes, that is correct.
So we have a question from anonymous five,
seven, one.
First of all,
big thanks for the work that we do.
Thank you.
You said in the past,
I used a single Gmail address,
which was not your main email address for
all sorts of random account signups for
things like Discord, Amazon,
Netflix, news websites, one-off trials,
et cetera.
You said,
I've used this email address for many,
many years.
Needless to say,
it's a bit of a cluster.
Younger me thought that I was being smart,
not having these accounts fill up my main
email address with spam.
Cut forward to today and being more
privacy and security aware, you got,
ironically,
a Proton subscription with a custom
domain.
You've been updating all your old accounts
to either Proton or SimpleLogin aliases
and aliases on your custom domain.
Got me thinking, however,
is this merely updating my email with a
unique alias a waste of time?
Should I rather be creating completely new
accounts for all these websites?
The thinking is that they likely keep
version history of my email address so I
could still be linked or profiled based on
previous email addresses.
A data breach could also expose the email
history,
so it doesn't help in that respect either.
Updating my email with a unique alias on
all these websites is one thing,
but creating new accounts and closing the
old ones gives me goosebumps just thinking
about it.
I have some complicated thoughts on this
one.
Well,
complicated in the sense that I feel like
it's very nuanced.
You know, it's always nuanced, right?
So, I don't know.
Do you want to go first, Jonah?
I mean, yeah,
I could give a few thoughts on this.
We might be thinking about the same thing
here,
but I do think certainly it's a good
thing to switch to Proton,
start using SimpleLogin aliases for all
your accounts because it is super
important to use Proton
a different email for every site that you
use for the same reason,
pretty much that you'd use a different
password for every site that you use,
which is that, you know,
especially you don't you don't even
necessarily have to be concerned about the
website itself tracking you,
although that is definitely a concern with
some websites.
But as we talked about
previously in the show,
data breaches are super common.
And these sites will,
like when these data breaches are out,
if your email is shared between data
breaches,
that does create a pattern that can be
used to track you across these sites and
create a profile of like the kind of
sites that you're using.
And these data breaches are super common.
So you don't want to have any information
between data breaches that can potentially
be linked together.
That is a privacy concern.
Um,
As far as updating your email with
accounts you already use or deleting
accounts and starting over,
that is something that is going to really
depend on what you think is worth it.
I think the person who has this question
really laid out a lot of the reasons
why you might want to do that and
also the reasons that you wouldn't want to
do that,
especially like just the effort involved
in having to recreate all of these
accounts.
And it really depends on how you feel
about that site.
I don't think for a lot of websites
that you would sign up with,
it's probably fairly unlikely that they
are tracking like email history,
for example.
And if we're talking about like a big
tech company or a data company like Amazon
or Facebook,
I would think that that is more more
likely.
But if you're talking about like a general
e-commerce shop or a random forum or
whatever,
um, it's probably unlikely that they're
storing that historical data forever, and
so changing that might be fine. But of
course, that is, um, a case where you
would have to trust that is happening, and
you'll never know for sure. So I,
I think the way I would sum this
up, um, is just, like, at the end
of the day, you have to decide whether
the, uh,
Whether recreating all of these accounts
is worth it for you,
but that's going to be an individual and
maybe even a site-by-site basis,
which I couldn't really tell you.
I don't know if you have more actionable
advice than that, Nate,
if that's kind of what you're thinking,
but definitely share your thoughts.
Yeah, very similar.
I will say this isn't necessarily proof,
but...
In all the years that my brain has
become an encyclopedia for companies that
have had data breaches,
I've only ever seen one that had a
breach that exposed the email you signed
up with.
I can't remember who it was,
but I remember it does stick out in
my mind because I remember thinking like,
oh, that's weird.
We've never seen that before.
So, I mean, I...
I find it kind of hard to believe
that if this was a common practice of
companies keeping a history of your email
addresses,
that they would keep – I find it
hard to believe that if companies were
doing that,
that we wouldn't have seen more of those
breaches by now with how common these
breaches are.
Um, it's certainly possible, obviously,
but I, I don't know.
That's the,
I've only ever seen one that did.
I do agree.
I would just add onto that really quick
that like, in my experience,
hosting software,
like thinking about open source software,
we're talking about the major platforms
like WordPress or forum software,
all the stuff that like all these tiny
sites would be using.
I've also never seen, um,
really any situations where like that is
commonplace in software.
So I would imagine you'd only really see
that from like a big custom made website,
maybe from a big tech company,
but it seems pretty unlikely.
I would agree just from the software side
of things as well.
I've never really seen features like that
personally.
And also that story that I referenced,
it was literally only the sign-up email.
So if you signed up with Gmail and
then you changed your email like,
it would only have that Gmail and then
your current email.
It was really weird.
I wish I could remember who that was.
But anyways, my only concern with this,
if you want to make all new accounts,
I certainly don't think that's a bad idea.
I know there's a lot of people in
the privacy community that actually like
just periodically nuke their accounts and
start over all the time.
I think we have a regular in our
forum who did that recently, actually.
But I think my concern would be,
especially with some of the more
mainstream platforms you mentioned,
like Discord and Amazon,
I notice it's becoming increasingly hard
to make new accounts,
especially privately.
Like a lot of them will ding you
for using VPNs.
A lot of them will ding you if
you're on like Linux or an uncommon
browser.
So you run, and a lot of,
some of them even like Reddit,
Oh my God.
I get more and more pissed at Reddit
with every passing day because Reddit now
has this little user and it's totally
invisible.
There's subreddits you can go find and
check it.
It's called like CQS or something.
It's basically like a user score.
And if you're not active enough,
if you're not messaging enough,
if you're not using the platform enough,
your score lowers and they think you're a
scammer or a spammer bot, whatever,
which I guess kind of makes sense because
that is the thing.
If you're like someone who spends too much
time on Reddit,
which I have in the past,
you're
that is a thing where like people will
literally make accounts and then sit on
them dormant for like six months.
And then they'll sell the account to
somebody who will start spamming.
Because, you know,
now they're not like a brand new account
and they don't look suspicious or,
you know,
they'll go out and they'll like get a
whole bunch of karma and then they'll sell
the account to someone else.
So I kind of get why they do
that.
Or, you know,
people lurking that just like only send
DMs or whatever, but it's, it's,
It makes it frustrating.
I shared this story a couple of weeks
ago.
I logged into,
I have an account where I've identified
myself as The New Oil.
I used to be really active in, like,
r/privacy.
And I logged in for something.
I don't even remember what,
but I logged in for something.
And on my homepage was r/privacy.
And it was a question that I was
like, oh,
I can leave an answer to that real
quick.
Like I'm qualified to answer this.
This person seems like they're asking a
good question.
So I went in and I typed out
my answer.
And when I hit post, it was like,
oh, your score is too low.
You can't post in here.
And I'm just like, all right, whatever.
Don't care because I haven't posted in
like a year.
So yeah, it's just, it's that would,
I guess where I'm going with that is
that would be my main concern is if
it's something like,
you know,
Domino's and you're ordering pizza, right?
They don't care.
As long as the card goes through,
make a new account, whatever,
if you want to.
But if it's something like, again,
like Reddit, Discord,
they're probably going to put up some
blocks and, like, make it
probably more of a pain in the ass
than it's worth, in my opinion. And
especially some of them, like Gmail, Discord,
they might require a phone number, and
they're kind of strict about not allowing
voice over IP. So at the end of
the day, it's probably going to be more
work than it's worth, in my opinion, but
it does depend on your threat model. Um,
yeah, I, I guess that it really depends
on your threat model and how much work
you're willing to put in. But I, I
don't think you have to. I think if
you want to, it's not a bad idea,
but in some cases you might get
diminishing returns.
The other thing I would say is I
certainly don't think you have to do this
all right away unless you have a
particularly good reason to.
And kind of similarly to how we handle
opting out of data broker databases in the
US.
We typically recommend,
unless you have an immediate concern right
away of some threat against you,
Just taking your time with it.
I think you don't want to you definitely
don't want to burn out like spending many
hours straight just constantly recreating
all these accounts.
Right?
This is something you could do over the
course of I mean,
even even a few months if you if
you want,
just do
Just do a few accounts a day.
I find if you already use a password
manager,
that is a really helpful way to find
all of your accounts.
So you can go through basically a list
and update the email on them at whatever
pace you want.
If you aren't using a password manager
yet,
definitely start using one because that's
super helpful for just, I mean,
not only like all of the typical benefits
of a password manager in terms of
security,
but also just having a list of like
all the places you have an account in
the first place.
That comes in handy very often.
And it's a huge benefit of using a
password manager like that.
So yeah, just going through things,
taking your time is probably fine.
But yeah, really, really depends on your
situation.
You mean you don't have to be
me, the psychopath who changed all my
passwords in one weekend, in one sitting?
I don't think you have to be. I would
say if that gets you going, then good
for you.
Yeah, I wouldn't recommend it, but
I definitely did that. It was not wise.
All right, so going through the chat here,
just to address a few of the chats.
Back with the headline stories,
somebody asked,
will Graphene OS have two flavors now,
or will there remain one flavor?
As far as we know,
there's still just going to be one version
of Graphene.
There's not going to be multiple versions
per device.
Yeah,
and I believe it's been confirmed that
you'll be able to install Graphene OS from
their website like usual on these devices,
which I would expect because Graphene OS
places such an emphasis on...
You have to trust every single aspect of
the installation process to know that your
phone is secure.
And so doing it from a trustworthy source
that you can verify from the very
beginning is important for your security.
And I can't imagine Graphene OS would give
that up.
They've also said that...
I believe GrapheneOS has confirmed in one
of their social media posts.
It's so hard to find some of this
information about GrapheneOS because it's
in a lot of sporadic social media posts
rather than one place.
So I don't have the post pulled up,
but I believe I've seen that they're not
going to be including any Motorola
bloatware in GrapheneOS or anything like
that.
I think it is still an open question
as to whether Motorola will pre-install it
as we discussed earlier.
And if that will be called Graphene OS
or if like Motorola will be pre-installing
maybe a fork of Graphene OS that does
have their security tools and maybe they
won't.
call it Graphene OS.
Maybe they'll do it for different branding
reasons.
So it's not considered to be a second
flavor of Graphene OS,
but maybe their stock operating system
will incorporate a lot of Graphene OS
features and you could maybe consider it
similar to Graphene OS in that regard.
I don't know if that will happen or
not.
It's very unclear what the final product
will look like.
But I think that
we're pretty certain that there will
always be just the standard Graphene OS
that we're all familiar with right now
available across the board with this
device and with Pixels as long as Google
decides to support this and that the
experience shouldn't change.
So you'll always have just the standard
Graphene OS option no matter what Motorola
decides to do with the stock stuff on
their end.
You know, that just occurred to me,
this is totally off the cuff.
So maybe I'm being stupid here.
I wonder if this will in a way
pressure Google to, to maybe,
maybe not full on reverse course,
but maybe be a little kinder.
to custom operating systems.
I can't imagine it's a huge, huge...
I doubt like,
fifty percent of people that buy Pixels do
it to put Graphene on their phone or
something,
but I have to imagine there is a
not insignificant portion of people,
and I wonder if this opening of
competition...
Because Graphene is really the only one
that's Pixel-only, right?
Calyx people can go to the Fairphone,
there's a couple of Motorolas,
Lineage people can choose every device
ever made, practically. But so I feel
like now that Graphene has competent, or,
like, you know what I mean, like now
that there's other options, I wonder if
that'll kind of make Google, like, hesitate
a little bit, like, oh, maybe we should
not be quite so aggressive because we
might actually drive some people away. I
don't know, maybe, maybe it's just me
dreaming, but...
True. And kind of relatedly, I brought this
up in some of the Graphene OS discussions
on our forum this week, but I almost
wonder if this partnership with Motorola
can maybe convince Google to change their
policies around, like, Google Play
certification, especially when it comes to
banking apps. Um, I know people replied to
me saying, like, you know, under, under the
current
policies,
they'll never accept something like
graphene OS for a variety of reasons.
And that's certainly true.
But Google's policies,
especially when it comes to like Google
Play certification,
they're not like an inherent law of the
universe that's written in stone, right?
It's it's Google's.
It's up to Google's whims to decide what
they allow for Google Play or not.
And maybe
Maybe Motorola can be like and whisper in
Google's ear through some back channels
and get some changes made to the Google
Play policies and somehow get an exception
or a rule change or something for Graphene
OS that would get that approved.
I don't know if that'll happen.
It's I would agree.
It's probably extremely unlikely,
but it's probably the closest we've come
to it.
And if that's possible,
that would be that would be huge for
Graphene OS,
because I know a huge issue that people
have is especially banking apps,
but other apps that
unnecessarily use Google Play's, like, SafetyNet
API and other services that don't work
on uncertified products like Graphene OS.
Um, so that could be, that could be
a game changer if Google decides to allow,
like, sandboxed Google Play into that program.
Seems unlikely, but you know, you never know.
I can always hope.
Yeah, for sure.
We had another question early on.
Question for question time.
How do I choose a laptop?
Any suggestions?
Definitely going to be a Linux distro.
We do have a page about how to
pick your laptop hardware, don't we?
I can't remember off the top of my
head.
I'm going to check familiar,
but I feel like we could have had
an article about it.
I would say, I don't know,
it really depends on what you're looking
for.
Because there's so much there's such a
wide variety of hardware out there.
And thankfully, you know,
Linux will run on like all of that.
So you have a lot of options.
For me, it'd be like very challenging.
I think to use any of the Intel
and AMD stuff lately,
just because like power efficiency has
turned out to be a really big,
big thing for me.
It's nice to have like a laptop that
lasts all day.
And something like Asahi Linux on a Mac
is probably one of my favorite Linux
experiences.
But there are definitely limitations to
that.
So it's not something I could recommend to
anyone.
Everyone, certainly.
When it comes to other stuff, I know,
and it looks like Nate just pulled that
up,
we do have a general guide on choosing
hardware,
and there is a picking computer section.
So you could take a look at that
for some...
Advice,
there's a variety of things to look for,
like researching how easy it is to patch
the firmware on your computer from Linux,
because that is important for security
reasons,
or what kind of secure element they have
for encryption.
Typically,
all of these will come with that built
into the CPU,
so it's not a huge concern.
But yeah, definitely, like, whatever provider
or whatever manufacturer you decide you
probably want to go with, I would research,
uh, their track record with non-OS stuff,
like firmware updates, for example,
that you might want to have on Linux,
because some of, a lot of that will
come down to the specific manufacturer. But
as far as specific brands of, like, what
laptops you can choose, I don't have, um,
any specific advice.
Unfortunately,
that would be a good question.
Like,
if you have a lot of specific
requirements,
or want to share more information about
that,
I think if you ask on our forum
at discuss.privacyguides.net,
and can share a bit more about what
exactly you're looking for,
what's important to you in a laptop,
I think that the community would probably
be able to come up with a lot
of answers for you that you could
consider.
Yeah,
that was kind of my thought while you
were talking is like what I,
I feel like which Linux distro is going
to determine a lot and your,
your threat model and everything.
Right.
And somebody else here.
Um,
somebody else has price limit and then
shared a link to NovaCustom, which, uh,
Yeah.
NovaCustom sent Henry from TechLore.
He was telling me he's put the video
out by now,
but they sent him a laptop that had
like ninety two gigs of RAM or something
and say this was way before the RAM
shortage.
And I was just like, bro,
what are you going to do with it
when you're done?
You want to give it to me?
But yeah,
it really depends because like I'm like
I'm a Qubes user, for example.
Right.
And so if I'm going to buy a
laptop,
it has to meet very specific requirements
about the TPM and it has to have
an SSD and it has to have a
certain amount of RAM and
apparently also has to have a more modern
processor,
because older processors really slow it
down.
Versus if you're going to install
something like Ubuntu,
that'll run on anything,
which we don't recommend Ubuntu.
There are better distros out there.
But maybe you have a use case,
and for some reason,
that's the one you want to use.
Yeah,
I think I'm glad you mentioned the forum.
Like definitely if you post in the forum
and you're like, hey,
here's my threat model.
Here's my budget.
Here's kind of what my values are.
I'm sure people will give you all kinds
of every perspective you can imagine about
the pros and cons of everything out there.
So.
Moving on from that question, first name,
last name in our chat asked if there's
any statistics we can share about the
growth of the community or anything like
that.
I could pull up and take a look
at some of this really quick.
Unfortunately,
some of our platforms that we were using
for just tracking the amount of page views
and stuff that we get aren't fully working
right now.
But overall, for the past year,
everything has been trending up by
quite a bit.
If I look at our forum, for example,
we typically averaged around like seven
hundred thousand page views a month to
pretty much over a million January one
point two million.
But every month...
That's on the forum anyways,
and that excludes known crawlers and other
traffic.
So that's very good.
We've also seen the amount of people who
just log in every day and post often.
That has gone up quite a bit.
So yeah, we don't have like a ton
of super detailed stats beyond that,
because, uh, we don't track a lot of
that stuff. But in terms of, uh, page
views, um, that's up. And I could look
at, like, the number of members, um, that
we have, uh, who sign up for either
being a paid member and supporting our
work or just signing up for a newsletter
to get updates from our website
either about the show or new articles or
videos that we publish.
And all of that is going up.
You can see like the total number of
people who signed up for those
notifications is up.
Seventeen percent from just last month.
So yeah,
everything is on an upswing and we hope
to consider putting out
even more content that people find super
useful in their privacy journeys.
And we hope that people will stick around
because I think we got a lot of
good stuff going on,
on our forum and in our communities that
make it just a great place to discuss
all of this stuff and hang out without
any kind of negativity across the board,
which I think is a really great thing.
The next comment actually came from that
same user.
They said,
a big story this week was the LLM
de-anonymization.
I did see that passed around a couple
times.
I was going to tell you to go
check out privacyguides.org slash news,
which I do still recommend.
But weirdly, I did not see that story.
We did not write about it.
Or maybe it's queued up and it hasn't
published yet.
Because I swear I thought I saw Freya
post that one in the news chat.
Yeah.
I'm actually looking here at the... Oh,
no, we haven't written about that one.
Crazy.
We need to write about that one.
But yeah, another...
I would say as far as,
I know we keep pushing the forum,
but even if you don't want to sign
up for it and you don't want to
participate, the forum works with the RSS.
So I actually,
long before I came to work for Privacy
Guides,
I have the news section of the forum
in my RSS feed just kind of as
a safety net in case there's any articles
that don't show up in my usual news
feed.
If somebody posts about it on the forum,
I will get it in my RSS feed
and I'll be able to
to go ahead and see that.
So I think that one probably got posted
because I've seen it in a few different
places.
But I mean, if nobody did,
then you can go and post it and
be that person.
So yeah, that was a big story.
Jonah said earlier in the show,
like there's so many stories,
it's hard to...
kind of pick, like, I'm not kidding.
Every week we end up with like seven
stories and we're like,
we have to trim this down or this
is going to be like a ten hour
podcast.
So it's really hard.
Yeah,
it's really hard to pick which stories to
prioritize.
And, you know, I'll be honest,
like even me,
sometimes when I'm editing the clips over
the weekend, I'm like, man, you know,
I kind of wish we'd talked about this
other story.
Um, so like it,
it happens sometimes it's hard to
prioritize them.
There's a lot of stories out there.
So, um, definitely find reliable sources,
whether that's the forum,
whether that's privacyguides.org slash
news, um, or a trusted outlet.
Um, we don't cover it all.
We try to bring you,
we try to bring you the,
the big important ones.
Um, yeah.
And I'll also say on this show,
like the stories that we can, um,
that we can discuss and have, have,
Good things to add to and probably that
people have questions about that we can
answer on the live stream.
We're certainly aware that like we don't
cover a ton of stories.
I know there's other shows that people
might find similar to this one that really
are more news focused and kind of cover
every single headline throughout the week.
And we explicitly haven't been doing that.
But we know that people want to stay
up to date with that stuff.
So we are thinking about like more ways
that we can get
um, just headlines in front of people and
get that content shared even if we don't
discuss it here on the show, whether that's
through, like, privacyguides.org news or from,
uh, from other things that we
are thinking about working on that we can
maybe see if people are interested in soon.
Um, so yeah.
Yeah,
I was just going to add on to
that real quick.
Even back when I was at Surveillance
Report, where we regularly covered like,
thirty to forty stories a week,
there were still times that I was just
like, man, we missed this story.
We should have covered this story.
It is so hard to pick which stories
are the most important ones that people
are going to resonate with.
Going back to community statistics really
quick,
Jordan just shared that we just hit nine
thousand subscribers on YouTube.
So that's cool.
Over fourteen hundred of those subscribers
are just in the last month.
So that's definitely growing quite a bit.
So, yeah.
And of course,
we're constantly getting new followers,
whether it's on PeerTube or Mastodon or
other social media platforms, too.
So all of those
numbers are up as well and continue to
grow.
So I'm very happy that more people are
becoming interested in all of the topics
that we're talking about here because I
think it's important.
Yeah, for sure.
We got a quick question from Twitter.
Do you guys see mixnet and DAITA-type
traffic,
like the Mullvad DAITA-type traffic
obfuscation tools becoming popular now
that countries are coming for VPNs more
and more?
And then follow up,
do you think these tools should be in
more threat models?
I don't know much about MixNet.
I know DAITA...
I think DAITA was designed... I mean,
it's in the name.
DAITA was designed more to combat AI
traffic correlation as opposed to
censorship.
Personally,
I would like to see something like that
become more common just with the rise of
AI.
Earlier,
we talked about how historically defense
contractors had a struggle with...
having too much data and not knowing how
to parse through it.
And for better or worse,
I think that is coming to an end
with AI,
which is why I brought out the danger
of trusting AI implicitly,
that AI just says, well,
here's all this traffic correlation,
so he's guilty.
And if nobody's double-checking that,
things are going to get real bad real
quick.
I mean, yeah.
But I think...
I think if the last I heard the,
the UK was very heavily favoring, uh,
regulating VPNs.
And I think if that happens,
we're definitely going to see a spike in
censorship obfuscation and resistance
tools for sure.
Um, but that's just my two cents.
No, for sure.
The tricky thing with all of this,
with all the tools like that,
is that they typically are easy to detect,
like, just from your ISP standpoint.
So, well, similar to a VPN, like...
It's challenging to see what you're doing
with those connections and even more
challenging with something like Tor or
other mixnets because there isn't a single
VPN provider that legal authorities can go
after.
Hiding what you're doing,
hiding just the fact that you're trying to
maintain your privacy and trying to
protect your security and your data on the
internet,
hiding the fact that you want to do
all of that in general from your ISP
is a very challenging thing to do.
And again,
similar to like what I talked about in
earlier in the show,
I think it's just incredibly important to
remember that like,
This isn't only a technical issue that can
be solved with something like Mixnets.
It's really a case where people need to
demand from their governments and from
politicians that the right to maintain
your security online and the right to
maintain your privacy when you're browsing
the web and avoid trackers and all of
this stuff
That is something that needs to be
enshrined in law and upheld by these
institutions.
It's not something that technical people
are going to be able to just thwart
forever if the governments are really
going after this super hard.
And so it's very challenging, I think,
in a lot of places.
And if you're in a particularly oppressive
regime,
you don't have a lot of options and
you kind of just have to
go with what works,
but we're seeing all of these laws like
age verification and other privacy
invasive things, proposed VPN bans,
et cetera,
happening in countries that are supposedly
very democratic and should give you a lot
of control.
And these are wildly unpopular ideas,
especially when people fully understand
what these laws are asking for.
I think people need to recognize that you
actually do have a lot of power if
you don't want these laws to be passed
and you need to demand more heavily of
your own government that this sort of law
is completely unacceptable.
That is the solution that we have to
do in a democracy at the end of
the day.
And more people need to take up the
mantle on that.
Yeah,
I don't have much to add to that.
I did one quick follow-up.
I think this is probably our last question
here.
But first name, last name,
that asked the laptop question earlier.
They said they were thinking about Qubes.
Yeah,
somebody else mentioned the HSI score.
Qubes does have,
it should be fairly easy to find if
you,
I think if you just go to their
documentation,
it's like one of the first topics.
They have really good documentation for
Qubes.
They have a list of all the different
laptops they've tested,
whether or not they're compatible,
which ones are.
They'll even tell you which components.
The graphics card drivers don't work,
but the CPU works.
It gets pretty granular,
and you can look up whatever specific
laptop you're thinking about getting or
desktop or whatever.
And they'll tell you if it's compatible.
They'll also tell you if it's been tested
or not.
Like, yes,
one of our team members bought this and
confirmed it.
It works.
Yes, it works.
But there's caveats or like, no,
it doesn't work or like it should work,
but we haven't tested it.
It's really good.
So I would definitely start there for
sure.
So.
Not a question,
but anonymous to at five said that Em's
new activism project is going to be a
read for the weekend.
Absolutely.
I think this is an incredible resource,
especially if you are interested in some
of the stuff I was just talking about
being an activist or an advocate for
privacy rights in your area,
or starting a local organization like EFF
Austin, for example,
where we're going to be next week.
But organizing groups like that,
I think a lot of the resources that
Em has published at privacyguides.org
slash activism are super useful.
And even if you're not sure if
you are a privacy activist or you're not
super into that.
I think a lot of it is very
good advice.
If you are interested in any of these
topics that it's definitely worth a read.
So yeah, totally check it out.
Yep.
Yeah, I saw that comment too.
Thank you.
We're super excited about it back here as
I'm sure you guys can tell.
So
But I think that's all we've got,
actually.
So I guess we'll go ahead and call
it here.
All right.
Well,
all of the updates from This Week in
Privacy,
we share them on our website on the
blog every week.
So you can sign up for the newsletter
or you can subscribe with your favorite
RSS reader if you want to stay tuned
and get links to all of the stuff
that we talked about.
in the show.
For people who prefer an audio version of
this,
we do put the audio version of this
recording on all podcast platforms and
RSS.
We also sync the video recording of this
to PeerTube after the fact,
so you can find this video later without
having to go to YouTube if you don't
want to.
Privacy Guides is an impartial nonprofit
organization that is focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
then you can make a donation on our
website at privacyguides.org slash donate.
You can contribute using standard fiat
currency via debit or credit card,
or you can opt to donate anonymously using
Monero,
or you can donate with your favorite
cryptocurrency, whatever that may be.
Becoming a paid member can unlock
exclusive perks like early access to video
content that we publish on our channel,
and priority during the live stream Q&A.
You'll also get a cool badge on your
profile in the Privacy Guides forum and the
warm,
fuzzy feeling of supporting independent
media.
Thank you all for watching,
and we will see you next week live
from Austin, Texas.
Very exciting.
See you, everyone.