The U.S.
government has banned all foreign-made
consumer routers,
systemd's new age verification feature,
and the Meta and Google social media
addiction lawsuit.
All this and more coming up on This
Week in Privacy, number forty-six,
so stay tuned.
Welcome back to This Week in Privacy,
our weekly series where we discuss the
latest updates with what we're working on
within the Privacy Guides community,
and this week's top stories in data
privacy and cybersecurity.
I'm Jonah,
and with me this week is Nate.
How are you doing, Nate?
I'm doing very well.
Busy week behind the scenes here,
but very excited.
Good stuff.
How have you been?
I'm doing fantastic.
I'm excited to be back on the show.
Now we'll start off with the biggest news
that we've seen in privacy and security
over the past week.
Our first story today is reported by The
Verge.
The US government just banned consumer
routers made outside the US.
The US claims foreign-made routers pose
national security risks.
So this gives some context.
In December,
the Federal Communications Commission
banned all future drones made in foreign
countries from being imported into the
United States unless or until their maker
gets an exception.
Now the FCC has done the exact same
for consumer networking gear, citing,
quote,
an unacceptable risk to the national
security of the United States and to the
safety and security of U.S.
persons.
So as this article says,
we did see this happening with DJI,
who opted to just not sell new drones
in the United States rather than try to
comply with this.
And now a similar thing is happening here.
As The Verge points out,
the vast majority, if not all,
consumer routers are currently
manufactured outside the United States,
and the vast majority of future consumer
routers are now banned.
By adding all foreign made consumer
routers to its covered list,
the FCC is saying it will no longer
authorize their radios,
which de facto bans new devices from
import into the country.
So this is an interesting ban,
to say the least.
It doesn't seem to be like a lot
of other things that are banned,
because as this article points out,
domestic router manufacturing is pretty
much not a thing.
I have a couple of questions about this
and actually posted this on Mastodon.
But my biggest question is kind of like
how this relates to
they're differentiating between consumer
routers and other routers.
I've seen the FCC,
their definition of residential routers,
which basically says that it's all routers
that are intended to be used in a
residential setting and can be installed
by the end user,
which seems to me like it would
not affect something like the router that
your ISP provides.
So I think that this ban could certainly
mean that we're all going to be stuck
with these probably far more insecure
trash routers that Verizon or Comcast or
whoever provides you rather than you being
able to replace it with your own.
But yeah, it's crazy stuff.
Did you see anything in this article that
you wanted to point out, Nate?
Oh, yes.
A couple of things.
Well, specifically,
I wanted to point out that according to
the article, well,
according to the FCC as well,
this is about national security, right?
And they specifically mentioned the Volt
Typhoon, the Salt Typhoon,
and the Flax Typhoon,
which that one I'm not familiar with.
But they cited those cyber attacks,
which targeted critical American
communications, energy, transportation,
and water infrastructure.
But the thing they don't mention that I
thought was interesting is that Salt
Typhoon happened because of a law
enforcement backdoor in our
telecommunications infrastructure.
And I think the article pointed out here
that Volt Typhoon happened because
American-made routers,
they specifically – yeah,
Cisco and Netgear mostly –
were just not kept up to date.
So it's like the flimsiest, um,
like I'm trying to think of an example.
It's,
I guess it's like that classic joke that,
you know, Oh, I don't drink water.
Do you know how many people that kills
every single year?
And it's like, that's not really related,
but okay, sure.
Go off, I guess.
Oh,
So one thing I thought I read here
that maybe you know more about is,
is this a ban on the routers or
is this a ban?
I think the article said something about
it being on like the radio chips,
which kind of makes it even worse because
I know there are,
there's a few in my non-expert opinion,
there's a few decent American
manufacturers like Netgear, for example.
But if the chip itself is the part
that's on the covered list,
then how are they supposed to produce
these?
Um, without getting a chip? Did you read
anything about that? Am I misremembering
that? So, I mean, typically each individual
product is going to need to be approved
by the FCC. So they do, um, they
would, they would approve like the entire
product, and the only thing that I've seen
is that they're not going to approve
consumer residential router products.
So this is not going to affect business
routers.
As far as I know,
it wouldn't affect the chips if they're
used in a non-consumer router.
So like one of my questions is,
there's certainly an interesting line in
the router space once you get to the
higher end between like
residential routers from like NetGate or
Linksys or whoever,
and then like more prosumer routers like
Ubiquiti.
And then you get into like enterprise
routers, which as far as I know,
are not affected.
I don't know where something like in that
prosumer middle ground is going to fall.
But usually like even on the enterprise
side of things,
if you're looking at the the actual chips
involved there,
they're similar,
if not the same to what's in a
lot of routers,
just because there aren't like a ton of
options for chips.
So as far as I know,
individual components shouldn't be
impacted,
which makes this all the more
interesting because I don't know what
they're exactly trying to defend against
here.
I would imagine the bigger issue that they
would say that they have is more to
do with the router firmware and how it's
deployed.
But as you pointed out and as the
article said,
the most recent big attacks on routers
have been against major American ones and
enterprise ones that are typically more
powerful, enterprise firewalls.
So something from the likes of Cisco or
FortiGate or whoever are the most recent
major attacks lately.
Whereas consumer-grade routers
certainly have security issues, like, don't
get me wrong, but I don't think they
warrant, um, something, a total ban like this.
Kind of similar to the drone thing, uh,
what their goals are aren't exactly clear
to me, but, uh, it seems like they
really want
these manufacturers to just cut some kind
of deal to get approved rather than just
being approved because they made a product
that people need.
So yeah,
it's kind of like all of the tariff
stuff lately and the other trade bans that
have been going on in the US.
I think it's going to be a big
challenge for American consumers right
now.
Manufacturing capacity for these routers
certainly cannot shift to the US at a
moment's notice.
I mean,
it would take years for this to even
be a possibility.
So in the meantime, it seems not great.
And I guess we'll see how these router
companies respond.
I haven't actually looked this week to see
if any of them have made a statement.
I would be interested to know how many
are going to take DJI's approach to just
exit the US market versus how many people
are going to try to comply with this.
But pretty much the entire router industry
is going to be impacted by this.
So it's crazy stuff.
Yeah, nothing has come across my feed.
I haven't specifically gone looking in
terms of if anybody's made a statement.
Um, another thought that occurs to me, uh,
I'm assuming... okay, I, I have a really
stupid question here. I mean, there are
enterprise-level Wi-Fi routers, right? Most
of my work is done with like hardwire
switch. I've never, I haven't done a whole
lot of routers or like Wi-Fi. So yeah,
definitely. Um, I mean, there's like Ubiquiti,
for example. You see that installed in
small and medium businesses. Uh,
A lot of the time,
these enterprise things are split up into
multiple components.
They'll have an access point and a router,
and those will be separate things,
which is the case for most of Ubiquiti's
products.
It's also the case for something like
Aruba or Cisco.
They both make access points.
There's other...
There's other manufacturers like MikroTik.
I can't remember other big enterprise
ones, but there's certainly a lot of them,
which in theory should not be impacted,
but I guess it depends on how widely
the FCC decides to define all of these
products.
And then, okay,
so the other stupid question here is
there's kind of a big price gap,
isn't there,
between a consumer-level router and an
enterprise one?
How big of a price gap are we
talking?
Yeah, so that's where it really depends on
the product. I think most of these, um,
enterprise routers are going to be, or like
the entire system, it's always going to be
more expensive because you have to buy the
router and the access points separately. Um,
so there's that whole aspect. But of course,
on the router side of things, you can
set up like an old computer or something
and use some open source software like
OPNsense or pfSense, so you have that
option. And then the access points, um,
generally cheaper. You probably only need
one to cover a house, realistically. So it's
possible, especially with, um, some...
some products like either from Ubiquiti or
MikroTik. I know that they make access
points that are probably readily
accessible. Um, some of the more enterprise
stuff, like, uh, from Aruba or, uh, maybe
Cisco or, or other companies, they're gonna
require like
a whole subscription service for
management and all of this stuff.
So once you get into the real enterprise
side of things like that would be
extremely hard to do from your house,
but it really depends on the manufacturer.
But there are some lower end ones where
you could see that being possible.
But I don't know if the FCC is
going to extend that to pretty much
anything that normal residential consumers
will buy or whether it'll just be like
things that are marketed towards
consumers.
One of the questions that I had on
Mastodon was whether we're going to see an
uptick in
small business or home business routers, um,
that say like "not for residential use" on
them, because I know we've seen, um, in
other areas that the government regulates,
like, uh, all sorts of crazy drugs and
peptides, for example. I was just thinking
about research drugs that are not approved
by the FDA. They're not for human
consumption, but of course they get sold, um,
to random people anyways,
and you can find plenty of threads on
Reddit and other sites that indicate they
might not be following all of the labels
on these products.
So I don't know if that would be
the case here,
but I would be interested to see if
that's the case.
Yeah, I don't want to get too political,
but that is a thought with what you
were saying about,
I think regardless of whether you're
pro the current administration or not,
this whole idea of like bringing
manufacturing back to the U S again,
whether you think that's a good idea or
not, it, it can't happen overnight.
And so this like out of the blue,
like, okay, all these routers are banned.
It's like, dude,
it's going to take us five years at
best, probably even more than that.
That's probably like delusionally
optimistic to get the manufacturing done
back over here.
And then to get the supply chain instruct
in place and the infrastructure,
it's like, it's not, it's,
Yeah, it's it's crazy.
So I'm hoping and again,
not to be too political,
but we have seen I feel like we've
seen the current administration do things
like this where like they'll ban something
or they'll institute tariffs and then
they'll kind of start to like make
exceptions.
And OK, except for this guy.
And but here's a workaround.
And and I think it's because once they
do it, they realize like, oh,
wait a minute,
that can't happen that fast.
So I'm hoping we'll see something similar
here, to be honest.
Yeah,
I don't see any other way around it.
I think they're going to have to
personally.
The worst case scenario, I think,
for this whole thing from a privacy
perspective is that the available options
that will be left on the market,
I think it's going to be much easier
to track because...
The specific definition of residential
consumer routers that they're using here
do say it's routers that are intended to
be installed by the end user.
So presumably something that your ISP
installed would not be affected.
So like I said before,
I think a lot of ISPs will be
installing their own routers.
And those are pretty well known to track
a ton of information.
It's one of the main reasons,
aside from the poor performance and other
things.
There's a lot of reasons that people will
replace their ISP-provided router,
but tracking and privacy concerns are
certainly one of them.
And this could also, I think,
get more people to switch to cellular
connections or use their cell phones more
because you don't need a router at all.
But of course,
the whole cell network system is more
problematic for surveillance and privacy
as well compared to these hardline
internet connections.
Yeah,
I think we'll have to see how this
resolves,
but there's a lot of potential privacy
concerns here.
Jordan asked in the chat whether there's
any U.S.
manufactured routers.
Not as far as I know is the
answer to that.
I think that there are
There are certainly some routers.
Yeah, they're like U.S.
designed.
So there are American companies that are
making routers,
but the manufacturing in the U.S.,
it's non-existent.
And even like companies in end products
that are making wireless chips on the
other side.
Like we've seen Apple get into this with
their latest products where they're now...
creating their own modems.
But all of that is obviously not
manufactured in the US.
It's just designed here.
And I think that a part of the
concern that they would have is whether
the back doors could be inserted into
these chips during the manufacturing
process that the designers wouldn't know
about.
So I don't know how this is going
to impact American companies.
But yeah, it'll be interesting to see.
Possibly stupid question.
Are manufacturing and assembly the same
thing?
in this context?
Um, cause my thought process is, um,
in Texas, I think it's so funny.
I see a lot of Toyota trucks driving
around with a sticker.
It has like the Texas flag on it.
And it says, uh,
built here lives here because Toyota has
an assembly plant in Houston.
And every time I see that, I'm like,
yeah, but Toyota,
like this is not an American company,
but they assemble the trucks here in,
in Texas.
So good enough.
Right.
And that's kind of my thought is like,
Would that be a loophole maybe?
Like, OK, just take all the components,
ship them over here,
and we'll spin up a factory in Houston
or wherever, Indiana,
and just assemble them here.
And now it's not manufactured.
I wonder, I don't know,
that just kind of popped into my head
while you were answering Jordan's
question.
Yeah, that is a great question.
I don't know how they would apply this
to individual router components.
That's a great question.
It's hard to say what loopholes will be
available.
I was just curious if you knew anything
about that.
Like, no, those are...
Okay.
Yeah.
I know, like, for example,
I know this ban does extend to routers
that are designed in the US.
So like right now,
those American companies are impacted.
But whether they can do like this,
I've definitely seen that before to like
get the made in the USA stickers on
different products.
It's definitely a thing that happens.
And I don't know if that'll be enough
of a loophole to get these routers in
or not.
But I guess we'll see what companies come
up with.
Yeah, that's what I was about to say.
I guess we'll find out.
Yeah,
I think the biggest thing with this story
is just if there are security concerns,
we could certainly look at all of the
security concerns and issues that we've
seen with routers.
We've definitely reported on some or
talked about them on this show before
various routers being attacked with
malware or updates that you should
install.
But this kind of blaming that on it
being because they're foreign
routers doesn't make a lot of sense to
me. This is definitely a case of, like,
because all routers are foreign, um, it's,
it's sort of a correlation situation, not a
causation, right? Like, that's not the reason.
It just happens to be
all routers that have security issues are
foreign because all routers are foreign,
right?
Yeah,
and something else that popped into my
head that I forgot until just now,
not to put on too much of a
tinfoil hat,
but it's weird to me that they're like,
oh, this is a national security risk,
so we have to ban consumer routers.
But...
Wouldn't we want to keep...
And China has a proven history of stealing
U.S.
intellectual property.
That's known.
That's a proven thing.
So why wouldn't we ban the business
routers instead?
It's very confusing.
It's not lining up with... Absolutely.
I mean,
the business routers definitely have a
more sensitive position in the networks.
So there should be more concern there.
I do think...
I'll play devil's advocate and...
share why I think banning like consumer
routers or taking them more seriously
makes sense because I have
been to talks and other things where people
talk about not routers,
but like those fake Android TV boxes that
have a bunch of pirated content that you
can get on Amazon or whatever,
and sort of products like that,
or browser extensions that you can install
that give you a free VPN or something.
And all of these things are typically used
to create basically a botnet of all of
these residential routers or
like proxy services where you can get a
residential IP.
And I think just the sheer scale of
like how many internet connections are
residential ones versus like a business
one is typically going to have one
fairly large business connection,
but there are less of those.
I think that from a botnet perspective,
you could be concerned about consumer
routers being used to attack like just in
a DDoS scenario more than like a data
exfiltration scenario that you might want
to protect against on the business side of
things.
But again, like I said,
I don't think that just because they're
foreign means that that is going to
happen.
So the ban doesn't make a lot of
sense to me from that perspective.
But it is certainly a concern that you
could have.
That makes sense.
I think last note on this story,
Jordan said the US doesn't really have
semiconductor fabrication capabilities.
Well,
we have a Samsung factory that last time
I checked was supposed to start pumping
out chips in twenty twenty three.
I haven't checked recently,
but as of late last year,
they still are not making chips.
I know Tesla just announced their factory,
and I think there's another one that
I heard about that's supposed to be built
in New York, I think, but I like,
I heard about the initial funding a few
years ago and that's all I've heard.
So yeah, we definitely don't have.
TSMC has been building one in Arizona for
a while as well,
but none of these have launched as far
as I know.
It's not super easy to do.
Nate, I think you're muted or you're.
Sorry about that.
Ah, okay.
Yeah, just to drive home the point,
the one in Texas is supposed to take
twenty years to build,
and that's if it's on schedule.
That's not including that it is now
running behind,
and it will probably just compound,
and we'll fully habitate Mars by the time
that thing's done.
But you know what I mean?
It's like, yeah, they –
What we were saying earlier,
you can't just spin this stuff up
overnight.
It doesn't matter your political leanings
and whether you think manufacturing should
be here or not.
We can't do this overnight.
It's just not possible.
And it's not even a matter of getting
the equipment to do it.
You can't just build a building and fill
this up with semiconductor equipment to
start making these chips.
In Taiwan right now,
there's just such a massive centralization
of knowledge of how to make these chips
and how to use all of these machines
and how to design this stuff that you
can't
you can't just replicate this.
Like we see Intel, for example,
has some of the most advanced
manufacturing equipment in the world as
well, just like TSMC,
but they've had a lot of struggles.
I don't know what Intel is up to
these days,
but I know for a while they had
a lot of struggles with improving their
processes even more,
just because it's extremely challenging to
do.
I was going to say something about AI,
but then I realized I was thinking of
Nvidia.
Yeah,
I have no idea what Intel's up to
these days.
Okay.
Before we jump into the next story,
I do want to highlight earlier today,
we had a new member join.
And if you're watching, I apologize.
I'm not even going to try to pronounce
that name because it's in a foreign
language.
It looks maybe, I want to guess Korean,
but I'm not super familiar.
It's something from that part of the
world,
but thank you so much for becoming a
member.
So now on YouTube,
you will have early access to videos and
we will talk about membership a little bit
more later in the show.
But first,
we're going to talk about everyone's
favorite topic, age verification.
Systemd is not controversial enough,
so they decided to go all in and
build in an age verification feature.
So for those who don't know,
systemd is a Linux...
I'm going to let Jonah explain what it
is better a little bit later,
because I truly don't know how to explain
it.
I know it's deep, deep in the system.
I'll put it that way.
And it's used by a lot of major
Linux distros.
I know Ubuntu uses it.
And therefore,
all the Ubuntu derivatives like Mint, Pop,
Oh, man,
there's another one I'm forgetting off the
top of my head.
But another really, really popular,
Debian, I think, uses it.
I think that was the one I was
thinking of.
Technically, Ubuntu is based on Debian,
but either way.
So systemd is this really high privilege,
low in the system kind of thing.
And they have added a field to the
JSON user records that is simply
birthdate.
And it is what it says on the
tin.
Now, when you make a new user,
you can choose to enter their birthday.
So the good news is this is totally
optional.
This is not a mandatory field.
If you've ever made a user in Linux,
in most Linux distros,
you'll get all kinds of options like real
name, email address, location, and,
you know...
if you're like me,
you don't really need that kind of stuff.
So you can kind of skip through it
all.
But, uh, so this is the same thing.
This is just an extra field that is
four digit year, two digit month,
two digit day,
and you can skip it or,
or enter it in if you want to.
And they've specifically said,
this is not a policy engine.
This is not an API.
We just define the field so that it's
standardized if people want to store the
date, but it's entirely optional.
Um,
Yeah, I mean,
I feel like those are kind of all
the facts of the case.
Jonah, what do you think about this?
I think it's cool that it's optional,
but I also kind of see the argument
that they shouldn't have added it in the
first place.
What are your thoughts on that?
Systemd is a very interesting project.
So I'll go back to your original question
first before I get into that.
Systemd, at its core,
is an init system in Linux,
which is basically the process that starts
all of the other software on your
computer.
So if you think about booting up your
computer,
it gets ever more complex as you go.
So typically on Linux, you would have
like grub the bootloader which is
extremely lightweight and all that does is
you boot up it goes into that and
then it starts the linux kernel which is
much more complex than grub but you need
something to start it and then the kernel
starts your init system which in this case
would be systemd but it could be any
process and then
the init system starts everything else and
it's responsible for knowing what software
you want to start and doing it all
in order so that something doesn't get
started first that depends on something
else and then fails because it was started
too early and all of that stuff.
So the init system has to always be
running and it's just kind of the parent
of all of the other software that you
run on your computer, if that makes sense.
But systemd is also
a whole project with a lot more ambitions
than just being an init system.
And they make a lot of different software
that basically tries to replace a lot of
basic operating system components with
systemd-developed ones.
So beyond the init system,
we see software like systemd-resolved,
which replaces the DNS resolver on your
system.
And other and other stuff like that that
isn't necessarily related to just service
management and starting processes.
So they really want to be like the
core software for all of your system,
which is why I think they are pretty
divisive project in the Linux space.
But
Yeah,
I don't know what component this age
verification is actually being installed
in.
I didn't see this, but maybe I should.
It probably says in this article.
I don't know if it's specified.
It just said the JSON user records when
you make a new user.
XDG desktop project portal is adding age
verification portal that needs a date
source for the user's age in the user
DB.
Does that help any?
It's an interesting change to make.
You can definitely see their reasoning
behind it,
because I think if age verification is
going to come to Linux, for example,
it would be quite annoying if there were
one million different implementations of
it that the rest of the system has
to integrate with.
But I'm not sure if this makes a
ton of sense for it to be here
instead of in your desktop environment.
And also,
I don't necessarily think that age
verification is kind of a lost cause.
And I think it's unfortunate to see it
being adopted so readily in Linux
because...
I think in certain projects,
I wish that the open source community
would take a bit more of a stand.
But everything has just become very
corporate, especially in the Linux space,
and there's a lot of compliance in
advance.
So it's very tricky to kind of
keep with solid ethics and this has been
an issue for a very long time i
could go back to um one of i
personally the most annoying things that i
can think of in this space which is
um back in i want to say firefox
adding drm as like a first party thing
in their browser rather than like
relegating that to a third party
extension,
because that was kind of the end of
Firefox having any sort of say in the
web browser space and how all of these
web standards were made.
I think once they gave into that,
that was
the slippery slope that made them lose a
lot of ground in the standards committee
to Chromium because they basically showed,
hey,
we will implement anything that Google
asked for.
And I think that this is a case
certainly of the main developers behind
Linux saying, hey,
we are going to implement whatever the
corporate side of Linux asks for,
regardless of what the rest of the
community wants, which is unfortunate.
So yeah, I'm not a fan of this
change. There's a lot of arguments for and
against this. I, it, I don't know, like,
what the point of this is really, because
if you can just set your age to
whatever you want yourself, I don't know
why this would be trusted by other
software. Um,
But I guess we'll see how this is
used,
which is the main thing it'll come down
to.
I think it is like,
even if there isn't a huge issue with
how this specific thing is implemented
right now,
we are just kind of laying the foundation
for more anti-user systems and more
problematic systems to be implemented on
Linux in the future,
which is not a path that I think
we should be going down.
So that's my main concern with this whole
story pretty much.
Yeah, I agree with you.
I think, you know, I mean,
we always talk about how like companies
and services have to follow laws, right?
And somebody I spoke to recently in an
interview you guys will be seeing pretty
soon mentioned that.
It's like this whole idea of like
cyberspace as this nebulous,
like doesn't matter.
It's like, no,
the person writing the code,
your feet are touching the ground
somewhere and therefore there's
jurisdiction or your server is located
somewhere
in a physical space somewhere.
And so I understand they have to follow
the law,
but I do agree that it was really
disappointing to see them just roll over
with no fight, no nothing.
And I think to kind of go back
to, you answered it a little bit here,
but this person asked us, Leonard asked,
or Leonardo asked,
do you think age verification is a lost
battle?
I wouldn't say lost.
I mean,
there's definitely that part of me that's
like,
If I thought it was a lost cause,
I wouldn't be here, right?
Like I would just go get another job
and give up privacy.
But I do think...
I think it's partially lost in the sense
that I think this is coming,
whether we like it or not.
This is just my personal opinion.
I think it's coming,
whether we like it or not,
because I think there's just too many
people that don't understand the downsides
of it.
And I think it's really important in light
of that for us to have a seat
at the table and have this conversation,
which systemd clearly did not, where we
say,
let's at least try to control it in
a way where it's less damaging.
So I think,
In that sense,
I almost like this because you can put
any age in there, right?
They're not going to verify it.
They're not going to ask you to upload
an ID.
And, you know, then there's the question.
I almost worry if like if everybody starts
doing that, like, OK, fine,
here's an age field.
Go ahead and lie.
We don't care.
Then the government's just going to be
like, fine, now you have to verify IDs.
And it's like, crap, now it's worse.
Yeah,
that's exactly my point about it being a
slippery slope.
Because if it can always be set
arbitrarily forever,
I don't understand what the point of this
would be in the first place, right?
To me,
the intent of this feature is clearly to
eventually have some sort of much more
verifiable way to set this field that
won't be as user-controlled.
And I think that that is...
dangerous to have because if they weren't
planning on doing that,
then they could just do what sites always
do,
which is like ask people to enter their
birth date or like confirm that they're
over a certain age or whatever without
this being built into the system.
I think that that works fine until you
want a much more verified way to confirm
people's ages, which,
as we talked about on the show a
lot,
is very problematic from a privacy and
censorship standpoint, and that's really
the only reason to build this feature.
That's, and that's my main concern here.
I've seen a lot of, um, a lot
of mixed reactions to this, like in our
community and elsewhere on the internet,
where people were kind of saying, like, what
you were, um, saying at the beginning of
your thought, which is like, hey, this isn't
really doing anything right now, you can
set it to whatever you want. And I
would just be
It doesn't make sense to me that that
will always be the case.
I think that the fact that they're doing
that is concerning.
And this is kind of similar to me
to the current discussions that are going
on
In the Android world right now with
developer verification,
I think we are seeing a lot of
app developers and a lot of custom Android
operating systems and other third party
open source app stores beginning to comply
in advance with that sort of thing or
make statements saying like, hey,
we are going to participate in the
developer verification system.
And I think that that is unfortunate,
because you could look at the Keep Android
Open campaign for a lot of explanations on
why you shouldn't be doing that.
You should be taking a hardline stance and
saying, hey,
we're not going to comply with this
system,
even if that means some restrictions on
where apps can be installed.
that is the best move to make our
voices heard and to potentially make a
difference.
So it's just a similar thing here.
Exactly like you said,
I think that we got to take a
stand and we can't lose our voice when
it comes to this.
And SystemD is...
kind of giving that up,
which is a real shame.
Yeah, and I think,
just to kind of add to what you
said, I think, ironically...
I think if we took more of that
attitude of, like,
let's have a seat at the table and
try to steer this, I think, ironically,
it would become a self-fulfilling prophecy
in a good way,
a good kind of irony, where, like,
because we're participating,
we might have more attention to be able
to draw attention to these issues and
point out, like,
this is why age verification doesn't work.
These are all the problems with age
verification,
the knock-on effects that are going to
make things worse.
And we might end up actually being able
to do something about it.
But, yeah, I think...
I think definitely just I know we've
called this out in the past with other
stories,
but just this attitude of like of,
you know, oh, well,
this doesn't affect me.
So I don't care because I know how
to get around it.
Congratulations.
It's coming for Linux.
It's coming for the things that we use.
We can't have that attitude forever
because eventually we're going to run out
of places that are not touched by this.
Or at very least,
they're only going to apply to like a
handful of people that are
really tech savvy and know how to write
their own code.
And now we have privacy for one percent
of people instead of, you know,
right now where it's what, ten percent.
I don't know.
I'm just making up numbers.
But my point being is like,
I think standing up and trying to do
something gives us more power and it
builds momentum to the point where maybe I
will be wrong, which for the record,
these are the kind of things I'm happy
to be wrong about where it's like, hey,
we were able to roll back age verification
because we took such an active role that
we were able to spread awareness and
attention.
So, yeah.
And real quick, just to roll here,
point it out.
Like, yeah, it's not age verification.
It's identity verification.
I'm trying to get more in the habit
of saying that, but I don't always.
So thank you for pointing that out because
you are right.
It's not just kids because how is it
going to know if you're a kid without
verifying everyone?
So yeah, thank you for noting that.
Yeah.
It's an interesting story.
I don't know if I have too much
to add.
I...
I can certainly imagine some reasons that
something like this could be useful in the
grand scheme of things,
regardless of age verification plans right
now.
But certainly the timing of this with all
of the age verification stuff going on
this year is extremely suspicious.
So that doesn't give me high hopes for
how this feature will be used.
For sure.
Um, I think we can move on from
this story. Before we dive into the Meta
and Google social media addiction ruling,
um, I want to give some quick updates
about what we've been working on at
Privacy Guides this week. Um, on the website
side of things, uh, the big stuff has
been a lot of news articles. So there
are a ton of stories that we aren't
able to discuss here on this show, but
Freya and others have been writing them in
our news brief section, which you can visit
at
privacyguides.org/news.
So some of the articles include the cadnet
botnet hijacking ASUS routers.
Good example of the kind of botnet issues
I was talking about earlier in the router
space.
FBI seeking info from gamers who installed
malware from Steam.
Big tech creating an accord against online
scams and fraud.
A severe Meta cybersecurity incident
caused by an AI agent.
GrapheneOS saying that they won't
implement age verification,
which is fantastic,
exactly what we do want to see,
unlike SystemD here.
A French aircraft carrier being located in
real time via a fitness app,
which we've definitely seen in the
military before.
Android 17 getting a post-quantum
cryptography upgrade, and Vizio TVs
now requiring a Walmart account. Um, crazy
stuff, really annoying, the smart TV
industry. Uh, so if any of you think
any of those topics are interesting or
want to learn more about them, we have
those articles, again, at privacyguides.org/news.
All of those articles are also
automatically published to our forum when
we publish them, and there are some
discussions that go on there, or you can
ask questions and follow up and we can
talk about it there.
I think that's kind of the main stuff.
I know that there have been more
discussions in our forum and on the
community side of things,
but we're going to get into some of
the biggest ones later on in the show,
so I will leave that there.
But I know Nate has some stuff to
share about our YouTube channel and some
videos we've published lately,
so I will pass it over to you,
Nate.
Yeah, so just a really quick one here.
Last, God, was it last week?
It's been a week already.
Jonah and I were invited to Austin, Texas,
EFF Austin,
which I am a board member of.
We threw an unofficial South by Southwest
party that we called EFF Austin
Interactive because- I will just say,
technically two weeks ago, Interactive.
Two weeks ago, okay.
We did that live show, if people remember.
Yes.
That was cool.
Sorry,
my sense of time is all checked up.
It's been a busy couple weeks ever since
I got back.
It's crazy.
But yeah,
South by Southwest Interactive has been
retired,
so therefore we decided to be sneaky and
use the name.
And Jonah and I got to film some
of the talks,
and we thought they were really
insightful,
so we've been publishing them on our
channel.
We have Hugh Forrest,
who was actually one of the co-founders of
South by Southwest Interactive, who gave,
I thought,
a really good talk about South by
Southwest's
and how it ruined the world. Um, good
talk, so check that out. Uh, Dr. Sharon
Strover, who is a professor at UT Austin,
talked about public opinions of
surveillance technology, which is, I thought,
was very hopeful. Um, you might be surprised
to check that out. And then, uh, Jon
Lebkowsky,
who is also an EFF Austin board member
and very early pioneer of the internet.
Um,
he's been around since the early days and
I swear to God,
I feel like he has a story about
every,
like if you name somebody in the digital
space, um, like Phil Zimmermann or,
you know, um,
Pretty much anybody.
I feel like he knows them.
Cory Doctorow, like he knows them.
He's met them.
He's got a story.
But anyways,
he gave a very short talk that I
would loosely describe as like the state
of the internet and a call to action.
I think it's less than five minutes.
That was definitely the shortest one.
So if any of those sound interesting,
head over to our YouTube channel or it
is also over on PeerTube and check those
out because they were really good.
Yeah,
I will just say I might be a
little biased, but I did love Dr.
Sharon Strover's talk a lot,
just mainly because, well,
a lot of reasons, actually.
But she included a segment about
Minneapolis and what's going on here that
I thought was interesting as well.
So totally,
totally check that out because all of
these mass surveillance systems in cities
right now,
we've talked so much about Flock and other
systems here on this show.
And it's a really good,
really good take on all of that.
Yeah, for sure.
And not to beat a dead horse,
but I would say it's as fact-based as
you can get.
I mean,
it is a lot of surveys and self-reporting,
but it's not just like, oh,
we read some news articles or we looked
at Twitter.
It's like they went out and tried to
get the best numbers they possibly could.
So it's really good stuff.
All of this stuff, the articles,
the videos,
the upcoming videos that I've been teasing
at,
all of this is made possible by our
supporters.
So if you are not a supporter and
you would like to be,
you can sign up for a membership or
donate at privacyguides.org.
We also have a merch shop,
shop.privacyguides.org.
And I think we've added some new designs
ever since we launched our activism
section.
So be sure to check that out if
you're interested.
Privacy Guides is a nonprofit that
researches and shares privacy-related
information and facilitates a community on
our forum and Matrix where people can ask
questions and get advice about staying
private online and preserving their
digital rights.
And we'll talk a little bit more about
that later.
But for now,
we're going to talk about Hong Kong and
a new law regarding device passwords.
And I'm going to turn that one over
to Jonah.
All right.
This was reported by the BBC.
Hong Kong police can now demand phone
passwords under new national security
rules.
This article starts out,
Hong Kong police can now demand phone or
computer passwords from those who are
suspected of breaching the wide-ranging
national security law.
Those who refuse could face up to a
year in jail and a fine of up
to Hong Kong dollars,
which is about US dollars.
and individuals who provide false or
misleading information could face up to
three years in jail.
It comes as part of new amendments to
a bylaw under the national security law
that the government gazetted on Monday.
The NSL was introduced in Hong Kong in
twenty twenty in the wake of
massive pro-democracy protests the year
before.
Authorities say the laws, which target acts
like terrorism and secession, are necessary
for stability,
but critics say they are tools to quash
dissent.
Of course,
this is an issue that we have talked
about in other countries.
Certainly in the UK, for example,
this is a problem right now that we
know of.
It's also kind of a gray area in
U.S.
law where you technically don't have to
provide this information,
but what they can do for you,
do with you in the meantime is kind
of up in the air and not decided.
We've seen stories certainly of people
being held in temporary custody,
temporary jails, for years or more because
they didn't decide to comply with sharing
their passwords with police or they simply
forgot their passwords and weren't able
to, which is always a possibility.
And in a lot of cases,
it is exactly used to quash dissent or
target people who otherwise haven't
committed crimes.
This is a big part of the issues
that we see with encryption in general and
end-to-end encryption,
where governments really want to make any
form of encryption or end-to-end
encryption illegal.
Simply the act of using it because it...
certainly makes it much easier to
investigate crimes if you don't actually
have to do any investigation of the crime
or any of the data involved.
If you can just say, hey,
the fact that this encrypted data exists
is a crime enough that
can be used to target a lot of
people who have otherwise done nothing
wrong.
And it wouldn't surprise me to see the
same thing happen here.
There's a couple stories mentioned in this
BBC article,
if you want to check it out later,
about some examples of activists and other
big names in the area being sentenced to
jail or being
targeted by laws that expand on this
kind of NSL national security law.
So it's definitely being used to target
protesters, activists,
former opposition lawmakers even in Hong
Kong.
So unfortunate stuff for sure to happen
here.
I think that that
would be kind of my main
point.
It's something that we could
certainly see expand to other countries.
And it's something that if other countries
aren't doing this,
there are at least plans to do something
like this,
which is bad news for everyone around
the world.
Yeah, Nate,
do you have any other thoughts on this
story?
I don't think so.
I think you kind of covered it.
Jordan said they've already been doing
this for years in Australia.
That's wild because, yeah,
it's very – here in the U.S.,
I –
Oh my gosh.
I've taken in so much information the last
few days I'm forgetting.
Basically,
the way the courts are supposed to work
is they're supposed to take existing laws
– like when it comes to new technology,
they're supposed to take existing laws and
interpretation and figure out how to apply
them to the new laws in a way
– supposed to,
for the record –
in a way that protects Americans and
preserves their existing rights.
So for example, with privacy, right?
Here in the US,
we have the Fourth Amendment,
which says that cops need a warrant to
come in and search your home.
And so in theory,
the way the court is supposed to interpret
that when it comes to the electronic world
is the same way.
They're supposed to figure out,
electronically speaking,
what counts as your home,
and therefore the police would need a
warrant to come in and search that.
So-
Yeah,
that's not to say like this couldn't
happen here in the US because in the
US we have repeatedly refused to make a
final decision on whether or not you need
a warrant to search your phone.
But it's just really.
Yeah,
it's really unfortunate because I'm with
you.
This is something I think we could see
here in America, in the UK,
if it's not already.
I mean, anywhere, really.
And it's just it's such a.
Things get really bad once we go downhill
like that.
And, you know,
they also I think they said,
what is it like you could face?
Yeah, here it is.
They could face a fine or jail for
providing false or misleading information.
So like my first thought is if you
have a Graphene phone and they're like,
oh, what's your passcode?
And you give them the duress PIN that
wipes the phone.
Congratulations.
You're still going to jail because that
wasn't the PIN and you knew it.
You knew that wasn't what they meant.
So, yeah, it's absolutely.
It's bad.
I have got a ton of thoughts about
courts, uh, interpreting the laws,
but I think we can talk about that
in the next story here.
So, well,
maybe we should get into that one.
Okay.
Yeah.
So, uh, on that note, um,
let's talk about the courts and Meta and
Google and, uh,
Man,
so this isn't directly privacy related,
but it has a lot of knock-on effects.
And this headline, this comes from NPR.
I was going to quote Reuters,
but they do this annoying thing where it
doesn't do a link preview in Ghost.
But NPR also covered this story very well.
This is a very thorough article.
And the headline says,
jury finds Meta and Google negligent in
social media harms trial.
So the short story – the short version
is there's a woman.
I believe some other article said that
she's in her twenties.
And she was suing Meta and Google.
And she also sued Snap and TikTok,
but they settled before it went to trial.
So Meta and Google went all the way
to trial.
And –
This woman basically says she's been
addicted to social media since she was a
child because these companies purposely
make social media addictive.
And therefore,
they should be held accountable.
And the jury agreed.
And they awarded this woman six million
dollars in damages,
mostly coming from Meta.
And the article rightly points out for all
of you who are thinking like, oh,
six million dollars, who cares?
You're one hundred percent right.
Mark Zuckerberg probably – his breakfast
probably cost six million dollars.
He doesn't care.
But what matters is that this is now
on record,
and this has now set a precedent,
and that –
Oh, man,
this this just has so many knock on
effects.
And I think that's why we want to
talk about this is not even so much
for what the story itself is actually
about.
Although, for the record,
I think that is a very important thing
that I'll elaborate on in a second.
But the fact that it holds these companies
accountable and opens the door for so many
more legal actions in the future.
On behalf of everyone, I feel like,
because who hasn't had a Facebook account
or a YouTube account at some point?
Many of you are watching on YouTube.
And thank you for watching, by the way.
But yeah,
I do want to point out real quick,
again, personal opinion here.
I've been saying for a long time about
a variety of privacy topics that I think
it's extremely...
We'll take misinformation, for example.
I know a lot of people who are
like, oh, I don't fall for fake news.
That is extremely arrogant.
And I'm including myself in this.
I have definitely read stories that
somebody else is like, hey,
here's an opposing viewpoint and all the
things they left out.
And I'm like, oh,
I probably called that one wrong.
Because when there are companies whose
whole job, forty hours a week,
is to sit there and pump out fake
news,
They're going to get you at some point
or another because that's just how it
works.
Like,
think about your job and how good you
are at your job because you do it
all the time.
And now imagine some random person coming
in off the street and being like,
I could do that.
You know, whatever your job is,
it doesn't matter.
It's like, no, dude,
there's certain skills and flows and
processes that I've learned over the
years.
And it's the same thing with these.
I think...
we really underestimate how addictive
social media is.
And I'm not trying to let people off
the hook.
Agency comes with pros and cons.
If you're in charge of your own actions,
you're also responsible for the
consequences.
But at the same time,
we have to acknowledge these things are
made to be addictive by experts who are
paid to make this thing as addictive as
possible to keep you there one second
longer.
And I feel like when we discredit that,
it's like we're forgetting that
It would be like saying, oh,
cigarettes aren't that addictive.
Bro, they bake nicotine into it.
Yes, it is.
And it's the same thing here with this
kind of stuff is like this stuff is
made to be addictive.
And I think we're just really – yeah,
I know I'm kind of going in circles
now,
but I think we're just really being –
it's just really not good to ignore that
is what I'm trying to say.
So yeah.
I think that's kind of all I've got
for now on that one.
I know you said you have a ton
of thoughts on this.
So what, what was your takeaway from this?
So I've seen a ton of mixed responses
to this case on the internet,
and I have a lot of mixed feelings
on this myself, because I,
even on this show,
have said that all of the social media
stuff,
and especially the stuff that Meta is
doing, which we've,
I think it's even mentioned in this
article in a separate case from the six
million dollar one,
but
It's been found in discovery that they
have internal discussions about
specifically targeting kids who are
thirteen or even younger and making it as
addictive as possible.
And this is, in my opinion,
a public health concern for exactly the
same reasons that marketing cigarettes to
children was a massive health concern.
But on the other hand,
I think that this really closely relates
to Section two thirty issues that we've
seen here.
And the social media companies originally
tried to use Section two thirty as a
way to say, hey,
we shouldn't be responsible for any of
this.
And they tried to get the case dismissed.
Thankfully, in this specific case,
they chose not to address any section
two-thirty issues at all.
So this can't be used as a way
to like get around section two-thirty in a
court case.
That still applies in this case,
did specifically focus on the design of
these apps and kind of the algorithm that
they're using and not on the content of
these apps themselves.
Um,
but I have a lot of fears here
that this case will be used as a
gateway to attack some of this section two
thirty stuff.
Um,
because I think it is not a stretch
for a lot of these, uh,
concerned parent groups or these
conservative religious groups to say, hey,
you know,
the algorithm on this app turned my child
trans or gay or what have you,
and they just blame the algorithm instead
of the content,
and it's a new approach to attack these
companies.
And depending on how those go,
it could be a similar case to either
attack these companies without
Section two thirty being involved,
or this could be used as an excuse
to implement something like KOSA or
the repeal of Section two thirty in the
future.
And this is just kind of a way
in.
Even though the issue at play here really
has nothing to do with the content,
I think that the parallels here to the
tobacco industry and how they were
marketed
they were marketing to children,
for example,
are very apt here and they make a
lot of sense.
And that is a case where like regulation
was needed.
And I think in a similar way,
like the way that these apps are designed
and the way that the algorithms work,
which is to kind of find all of
the most
inflammatory and addictive content they
can find, um, and really highlight that,
which is not the fault of the content
itself, but it's the fault of the algorithm
that these apps designed. I think that that
is a big problem. And just like, um,
the tobacco industry, um, which, I mean,
their products weren't banned, um,
they're still around, you can buy
them anywhere, um, but they really got hit
with, um,
huge restrictions on marketing and how
they can sell their product.
And I think that that is probably
something that should happen here.
And just like that,
I think the fact that cigarettes weren't
banned, for example,
that's kind of similar to how all of
the content on these apps shouldn't be
banned or restricted.
We can't be going after the content
itself.
We have to be going after the format
with which these companies are presenting
that to make money.
Because we know...
that some social media is not inherently
addictive.
We can see non-algorithmic social media
like Mastodon, for example,
which doesn't have these problems,
even though you can post the exact same
content there that you can post anywhere
else.
And we know that
Facebook and other social media platforms
like Twitter,
they didn't used to be so bad until
Twitter really started making very
algorithmic timelines instead of just
showing, you know,
posts in chronological order from people
that you follow.
Or, I mean,
I remember the days before Facebook had
the news feed, for example,
and they made that switch to kind of
tell people
um, that, like, hey, we're going to be
showing you the most relevant stuff
instead of, uh, just a way to keep
up with your friends or whatever. And there
was some controversy there, but Facebook
was really adamant that, hey, this is a
very good thing, whereas in reality we know
that while they were designing this they
were intentionally trying to make their
platform more addictive and more, um,
don't know, reactionary, I don't know the
right word, but it was a way to
get people to stick around on Facebook for
longer and to, uh, more effectively sell ads,
right? And I think that those motivations
that these social media companies have are
really at odds with how they sold these
things to consumers, and that is a
legitimate
problem in deceptive marketing.
There is really no place, I think,
in our society and from these companies to
be deceptive,
just completely deceptive to how they sell
their products to consumers.
And so some restrictions here do make
sense.
But I think that
I think that the big problem is that
courts and lawmakers do not really
understand technology or the Internet.
And lawmakers are consistently very
unwilling to make a decision about this
themselves.
And it's only gotten worse lately.
And now that the doors are open here
to this issue,
I think that the doors are open to
wider issues that may impact content or
Section two thirty and other courts,
because
All of these courts around the US are
going to have slightly different
interpretations.
This isn't something that the Supreme
Court decided on.
And I think that that's really
unfortunate.
My main thought is that
We should be focused on some of these
very specific problems with how social
media apps market themselves and how they
design very addictive platforms,
because it is a problem.
But we need lawmakers to say, hey,
we are only focusing on this specific
thing, right?
We're leaving all of the content and all
of the Section two thirty and all the
free speech stuff alone.
We don't want courts to think about it.
We want to have this law that just
focuses on this one specific issue so that
it doesn't expand into a ton of different
issues,
which is exactly the reason Section two
thirty was created in the first place.
We already have these protections under
the First Amendment,
but lawmakers had to step in because
courts were interpreting
how the First Amendment applied to
technology companies slightly differently
or very differently,
depending on like what court you were in.
And lawmakers had to say, hey,
this is how the First Amendment works for
all of these tech companies.
And now tech companies can use Section two
thirty to easily get these cases
dismissed.
And I think that we need
um, another federal law like this that says,
like, hey, this specific design is bad, but
it doesn't mean that we have to regulate
or ban free speech on these platforms,
because that is an unnecessary problem. But
it seems to be the direction that
some future cases could go in
based on this. Um, so I think...
I think it's kind of unfortunate just
because I can see what direction this is
going in, and I don't think we live
in an ideal
world. And I think this is more of
a failure of lawmakers than the courts, to
be honest. And I just wish we were
more effective about making these laws
that are more substantial and specific
than we currently are. We're just
leaving everything up to the courts, it
seems like, these days, and that is not
an effective way to govern a country. Not
at all.
Um, I don't necessarily disagree with you.
I definitely see how this could be a
slippery slope,
but did you by any chance happen to
see the last section of this NPR article
that says the LA case focused on design
of social media platforms to overcome
liability shield?
Uh, was there a specific point?
Yeah.
So they, they, um,
they specifically mentioned how the,
the prosecution,
I believe it was stayed away from section
two thirty.
Um, they said that, uh,
Where was it?
Yes.
By taking this approach,
the lawyers pursued a case alleging
defective design that was able to get
around the high bar set by section two
thirty.
It's not what the users post,
but the very architecture of the platform
itself.
So, I mean, again,
I don't disagree with you because I
know there's probably there's a saying in
the legal world that you can indict a
ham sandwich.
So, I mean,
which I know an indictment is not the
same as what we're talking about here.
But the point being is like a good
look.
for better or worse,
our legal system in the U.S. is
basically who makes the better argument.
And, um, so it definitely could happen,
but I think it's just a,
maybe a little bit reassuring that they
purposely stayed away from talking about
section two thirty or even any of the
content itself.
And instead they focused on things like
infinite scroll, constant notifications,
auto playing videos and beauty filters.
And they mentioned how, um,
when she was young, the plaintiff,
when she, uh, what was it? She so
craved the validation of social media that
she would run off to the bathroom at
school to check the number of likes her
posts received. Um, and where did it go?
There was another section where basically
they talked about the beauty filters.
Oh, here we go.
She developed depression and body
dysmorphia as she continuously compared
herself to others and used beauty filters
to enhance her appearance.
And that's the thing that I think applies
to everybody.
If not the beauty filters or the physical
thing, I will admit,
I fall prey to this where somebody's like,
oh, I'm going on vacation.
We're going here.
We're spending the weekend here.
My sister has been to Europe more times
than I can count.
Because we have different, uh, different
dads. I don't want to talk too much
about privacy. We have different dads and
her dad has a lot more money, and
I don't know if she ever used that,
for the record. Maybe it's all... maybe she's
just really damn good with money. But
either way, like, she's traveled quite a lot
and I really haven't, and I won't
lie that I'm, like, jealous of that. But
also, like, being her brother, I have the
insight into, like, I know how hard she's
worked. I know that she's good with money.
It's not necessarily just that her dad
wrote her a check, like, yeah,
go to go to Germany or whatever.
Like she probably earned all that money
herself.
It's not like she was there every other
week.
But when you don't know that person,
when you're looking on social media and
you're like, God,
they're in Europe all the time.
Yeah,
maybe they're posting a picture from six
months ago.
And they've been back in the States this
whole time.
And you don't know that because you don't
know them or you don't know how many
overtime shifts they worked or overnight
shifts.
Like you don't know how many times their
friends were like, hey,
let's go get drinks.
They're like, oh, no, thanks.
I'll catch the next one because I'm trying
to save money.
Like, you know,
and it's what's the statement about like
you're seeing somebody's highlight reel.
And anyway, I mean,
I guess that's more about content.
But my point being like we can all
relate to the fact that
social media gives us this warped
interpretation of what's going on in other
people's lives that, if you don't know them
personally and you can't ask them, like, man,
how are you affording all these trips?
They're like, oh, you know, my dad's really
good with credit card points or something.
Um, I forget who it was, but one
of the podcasts I listened to said the
same thing. They're, I think they're
even a personal finance podcast. They're
like, yeah, we don't make that much money,
but my wife is really good with the
travel points or else we would never
travel this much. So it's, um...
Yeah,
it's anyways getting back to the topic.
Sorry, I kind of got distracted there.
It's I think it is heartening that they
purposely avoided the content and the,
you know, people are posting this.
And it's the beauty filters.
It's the infinite scroll.
It's the architecture of the platform
itself,
which I think is absolutely a huge part
of the problem personally,
but maybe not the whole problem,
but definitely a big part of it.
So yeah,
not to say that it couldn't happen because
I could totally see a world where this
does open some doors,
but hopefully that will at least make it
a little bit harder since that's not the
direct argument they took.
Yeah, I totally agree.
I think that them sidestepping the whole
content issue entirely was the correct
approach,
and I think that that is the main
issue with these social media platforms.
The challenge that I see here is that
I think the line between the content on
this platform and the algorithm serving
that content is...
it's not... it's a fine line, it's
not very clearly defined. And I think what
we could see is future court cases, um,
exactly like I said, um, not necessarily
focused on the content but focused on the
content that these algorithms are
promoting, um, for, like, these
conservative or religious groups to say
like, hey,
it's the algorithm that turned my child
gay because it surfaced all of this
content related to that or whatever.
And I think that we could see...
a response to that from social media
companies that would be very similar to
the response that we would probably see if
Section two thirty was repealed.
I think that they could interpret that
like, if that's the case in the
future.
And there are already some cases where
this exact argument is being made.
I think and I think in other countries,
I'm not aware of cases in the US
right now,
but we've seen this before and we know
it could happen where
Like if Facebook gets sued for that issue
and they lose that case,
I can see them potentially censoring or
moderating much more heavily like LGBTQ
information or education or not even that.
It could be any topics that...
certain groups find undesirable or they'd
rather ignore.
And I think that that could lead to
a free speech issue on these platforms if
the algorithm can be targeted like that.
even if Section two thirty remains just
for liability reasons.
So this is the main reason that I
would love to see a law that really
restricts app design and a lot of that
stuff,
because I think that that or like the
beauty features that filters that you
mentioned, for example,
or some other aspects of these apps do
need to be reined back in.
And I think,
um, just how heavily these apps are
marketed to kids in the first place, I
think that needs to be reined in as
well. Um, but it would be nice to
have a law that delineates that from, even
from the algorithm, which, which is
problematic, but, um,
I would be worried about it being impacted
in future cases because I do think even
if it doesn't mandate censorship or
moderation,
I think that censorship and moderation
could be a likely outcome if these
platforms become liable for the content
that they display with those algorithms,
basically.
That makes sense.
I hear you.
Yeah, I don't have an answer to that.
Hopefully that does not happen.
So yeah,
it's something to keep an eye on.
I don't know.
I'm never very optimistic about the things
that our government is doing,
but you can always hope for the best.
But yeah,
I've definitely seen a lot of people very
concerned about this case,
even if they agree with some of the
issues that are being addressed here,
because...
there are concerns with how this will
affect future cases.
Totally.
I think that's kind of it,
if you don't have anything else to add.
In a minute,
we'll start taking viewer questions.
So if you have questions or if you've
been holding on to any questions about the
stories we've talked about so far,
you can leave them in the forum thread
for this show,
or you can leave it in the chat
here.
We'll try to get through all of them.
For now,
I think we should check in on our
community forum.
There's always a lot of activity on our
forum every week.
We can't talk about it all,
but we wanted to highlight a couple of
this week's most interesting discussions,
in our opinion, that are happening there.
Our first forum thread that I wanted to
take a look at was called Remembering
Device and Master Passwords.
This was a question that was asked to
the community talking about
password managers and replacing all of
their reused passwords with randomly
generated passwords that are stored in the
password manager.
But there are some passwords that the
password manager can't remember for them
because they need them
like the master password,
to access the password manager in the
first place, which is, of course,
a problem.
So they mentioned some examples,
the master password,
the user account password for each of
their devices,
the disk encryption password for each of
their devices.
And then if they had five different
devices, they would have eleven...
six word passphrases to remember,
which is a challenge.
So they asked basically what strategies we
have for remembering so many passwords,
or what password should you reuse in those
situations?
So Nate,
I know you had some things to talk
about and you saw Fria's answer there.
Do you want to kind of cover what
Fria talked about here?
Yeah,
because I really appreciated Fria's
response.
So for example,
one of the questions that the original
question asker said,
is it safe to reuse the same password
for disk encryption and user account?
And Fria said,
it's probably best to make those
different.
But ideally,
your online account would use a passkey or
something like that instead of a password.
And they also noted that your device
passwords don't leave your device.
So, for example,
my computer in front of me here... Well,
this is a Mac,
so this is a good example.
But my Windows computer, you know,
I have a VeraCrypt and I have the
login to my local account,
which is not a Microsoft account.
It's a local-only account.
So, in theory,
I can make both of those the same
password, right?
Because they're not going to leave the
device.
And they also mentioned that you can...
You can go ahead and enable biometrics.
I guess I should have said this to
start with.
It really depends a lot on your threat
model, right?
Because my threat model, for now,
is basically getting robbed.
Laptop, laptop, laptop, laptop.
Several phones laying around.
Like my concern is not really the
government.
I personally am a strong believer in a
five dollar wrench attack and I do not
have a high pain tolerance.
So, you know,
the minute they threaten me with violence,
I'm going to fold like a souffle.
I'm just being honest.
But, you know,
if somebody comes in and breaks into my
house while my wife and I are out
and they steal all the laptops,
I want to make sure that they're not
going to be able to get into that
because that's when they're going to be
able to get into my password manager.
And I don't keep browser history,
but browser history and
any apps I have saved, any like,
like I use Thunderbird.
So all my emails are downloaded locally,
things like that.
And that's what I really want to protect
against.
So in that situation, yeah,
really just having one really strong
password
is probably sufficient because they're not
going to crack that as long as I
don't write it down and stick it on
the desk anywhere.
Right.
Um, you know,
like one randomly generated six word
passphrase.
If I really want to be safe,
I could give each device a different
passphrase.
So that way it's not, um, you know,
if they get one,
at least they don't get into all of
them, but at least that way, you know,
it's not, uh,
What's the word I'm looking for?
Like that's only three different passwords
instead of six, right?
Or something like that.
So it really does depend on your threat
model.
But going back to the biometrics thing,
what a lot of people have,
I've seen several people notice this where
they've been in a public situation and for
whatever reason,
they have to pull out their phone and
unlock their phone.
And they realize as they're typing it in,
they're like, dude,
there's a camera right over the cash
register looking at me type my password
into the phone.
Hmm.
And they're like, man,
I kind of wish I had just used
biometrics because at least then they
wouldn't have my password, right?
Or, you know,
we've covered stories in the past about
there's a scam that I think is still
going around where somebody will basically
watch you unlock your password for
whatever reason.
You know,
maybe they're flirting with you at a bar
or something and they see you type in
your passcode and then them or their
accomplice will steal your phone,
try to unlock it and send a lot
of money.
And I know Apple and Google have rolled
out some defenses against that,
but that's a good example where if you
unlock it with biometrics,
They're going to have a harder time
unlocking the phone when they steal it
from you.
So it's really about what are you trying
to protect and who are you trying to
protect it from.
If you have a very high threat model,
then yeah,
you probably want a bunch of different
passphrases.
I think it's also worth noting that it
is
I know this is really unpopular,
but it is okay to write down passwords
in some situations.
For example, do not call it password.
Do not stick it on a sticky note
on your screen.
But if you have a little notebook that
you carry with you everywhere or something
like that.
So I think my thing, I'll be honest,
I basically have two main passwords I use,
one for the encryption and one for the
local account.
I don't know why I do it that
way.
I just do.
Because now that I think about it,
if they get past the encryption,
they can just pop out the disk, right?
Yeah, I don't know.
But I think that's the big thing is
the threat model.
If your threat model is not very high,
it's probably safe to reuse the local
passwords that don't leave your device.
Just be aware that that is a risk.
If somebody gets it,
they can get into all the devices,
I guess.
So I don't know if Jonah has a
different strategy that he would approach
it with.
No, that makes a lot of sense.
I mean,
the main thought that I would have is
I think for most people,
the information that you store on your
different devices,
if you have multiple devices,
is usually pretty much the same
information.
you're going to probably install your
password manager on all of them and the
same web browser that you have synced
across them.
And people have a desktop and a laptop
and a phone for convenience purposes
rather than just separating all of their
data.
And so I think using the same password
for encryption
And using the same password for your local
account probably makes sense in those
situations.
At the end of the day,
those passwords aren't exposed to the
internet.
You don't have everyone on earth trying to
hack you in the same way that...
you have like thousands of hackers trying
to attack your online accounts all of the
time because, because they can and it's so
easy to attack. Like, all of this local
stuff, it does, it's not as much of
a deal, and I think memorizing one password
for all that is good. Um, you definitely
do want to have a different password for
your local account versus your encryption
password, just because
you don't want to be entering your
encryption password all the time in case
of, like, shoulder surfing attacks.
So keeping that separate is nice.
And I wish that's a feature that could
be used on more smartphones,
but I digress.
But other than that,
Yeah,
there's a lot of good advice in this
thread,
and I think it really does depend on
your setup,
but usually I think that works.
If you do have very different information
on your devices,
it might make more sense to not reuse
those passwords,
but
I would also say if you're just trying
to remember these passwords,
even if you do use biometrics,
usually you could try disabling them for a
month or a couple months because I think
muscle memory is usually the way to
memorize these passwords quickly.
I remember back when I was in...
college, I would always have to log into
different computers, like in the computer
lab. We didn't have laptops or anything, we
just had these, these desktops, and I'd have
to use my account that I would normally
use a password manager for, like, um, like
to access my email, but the password was
the same to log in locally to these
computers, and I didn't want to have to
like grab my phone or something to copy
my password over. I just had to have
a passphrase that I could
memorize to log in, and it only took
like a month or maybe a month and
a half to eventually, like, have the pretty
long passphrase down. I think if you just
do it all the time, it's, you'll probably
get it. So yeah, lots of good advice,
but I think typically
there's only three main passwords that
most people have to remember,
which is for their local accounts or PINs
or their encryption key and then their
password manager master password.
I think that you should keep them all
separate,
but you probably don't need more than that
unless you have a good reason that you
know of to have more passwords than that.
So, yeah.
Oops.
There we go.
Yeah.
Last thing I want to add just to
double what she said is if this is
something you're struggling with,
definitely check out this thread.
Cause a lot of people gave really good
ideas from like different,
I wouldn't say different threat models,
but just different perspectives.
Like don't forget, you know,
hardware tokens and don't forget this.
And if this is your threat model, then
this, and it was, it's a really,
really good thread for sure.
So there's a lot of different,
we're kind of just giving like a rough,
you know, what,
what would probably work for most people,
but people gave really thoughtful
answers about, you know,
keep this in mind.
And if your threat model includes this,
so.
Really good thread for sure.
And then,
if that's all we had on that one,
there was one other thread that I thought
was interesting that I wanted to talk
about a little bit because I've been...
My router started giving me issues right
before we went to Austin,
and I just got it fixed this week,
finally.
And this forum post asks about apartment
Wi-Fi privacy.
And so they were specifically talking
about the...
the router issued by their ISP.
They said they moved into a new apartment
complex and there's fiber pre-installed
from a provider.
The complex states that that provider is
the preferred provider and they have a
partnership.
And then after moving,
I was contacted by a representative to begin
the internet setup process.
And so they were basically wondering,
can the apartment complex get any insight
into what I'm doing on my Wi-Fi and
what would be the best way to get
more privacy?
They mentioned,
should I get a different provider
altogether or something like that?
So as a longtime apartment dweller,
for most of my life,
I've lived in apartments.
Jonah can correct me on this one.
I don't think the complex would
necessarily have any insight into your
traffic.
Um,
but I think they probably just have a
relationship with that.
It seems like every apartment I go to
has a preferred provider.
So that doesn't really surprise me,
but it can definitely go both ways.
Um,
there's definitely a lot of apartments, and
especially probably older apartments, where
they have, like,
one provider, like a cable provider or a
fiber provider, that has just, like,
pre-installed cables to all of the rooms,
and so it's much easier to get that
access. Um, and so that might be what
they mean when they're talking about, like,
this is our preferred provider. And
especially, typically, if you have to set up
an account with the ISP yourself, usually
that's the case where the complex wouldn't
have access to that. I have seen, in
a ton of new developments around here, um,
apartments basically getting their own
connection and then running their own, uh,
Ethernet and, and access points to all of
these rooms, but they run a central router,
basically, that keeps all the rooms
separate, but it is all managed by the
apartment. And usually they have, like,
apartment-wide
Wi-Fi, for example. So all of their routers,
it gives you, um, sometimes they give you
a, uh, like a personal connection and
sometimes just this one Wi-Fi connection
for the whole building, um, that's in all
of the rooms. Um, and you could certainly
see that, and that would be managed by
the complex. So it could go either way
for sure. Um, and I, it seems to
be even more common that it is apartment
run, so I wouldn't rule that out
necessarily.
was how our last apartment was. They had,
um, I don't know if it was managed
by the apartment, but they were like, hey,
this is included with the rent, and they
did have the apartment, the complex-wide
Wi-Fi like you mentioned, and there was one
Ethernet port that was in the study for
some reason, and that was the only one
that were, no, it was in the living
room, and we had to run a cable
into the study because my wife has a
desktop that doesn't have Wi-Fi. I remember
that now. Yeah, so that was probably the
case. I think in my last apartment it
was a similar situation, where
If I wanted my own network,
I would have to plug in my own
router to their one Ethernet port that was
provided on the access point,
but I couldn't remove their access point
from the room and make a direct
connection.
And it was basically like a double NAT
setup.
It was on their network,
and then I had my own network just
for security,
but it was not a direct connection to
the ISP.
Okay.
Which leads into what I was going to
say.
This is what I've been doing for years,
and this is what I would recommend.
For those of you who are really passionate
about your privacy,
which is probably most of you watching
this,
I would strongly recommend getting your
own router.
Our official recommendation, I believe,
at Privacy Guides is OpenWrt, correct?
I think so.
We do recommend that as one.
You could use OPNsense or pfSense as well
if you want something more...
robust,
but usually that has to run on a
computer,
whereas OpenWrt can install on consumer
router platforms.
Gotcha.
OK, yeah.
Historically,
I originally went with DD-WRT.
For years, it was not an issue.
And then recently, it became an issue.
I don't know what happened.
Now I'm using a different one that Jordan
actually recommended to me and so far has
been amazing.
Thank you for that recommendation, Jordan.
Um, but yeah, if I, if I, whenever
this router dies, assuming I can buy
routers again, um, given our headline story,
I'm probably gonna go ahead and get, uh,
the, what is it, the,
the one, I don't remember who makes it,
but it's endorsed by the Free Software
Foundation.
And it is specifically designed to run
OpenWrt.
And I did try OpenWrt on my
router, but it,
because it is so open source,
it couldn't get access to multiple Wi-Fi
networks,
which is something I really want.
That's, that's really important to me.
Um, so it was like, yeah,
you get this one Wi-Fi network.
And I'm like, no,
that ain't going to work.
Um,
But I'm sure if I bought something like
the one router,
it would be specifically designed for that
and it would probably be able to do
more, I'm hoping.
I'll definitely look into it more when the
time comes.
But yeah, anyways,
where I'm going with this is every
apartment I've ever been to,
they tell you like, oh,
you can't use your router and our, okay,
some of them have not told me that,
but almost all of them are like, no,
you can't do that.
It's worked just fine for me, no problem.
Personally, your mileage may vary,
but for me, I've never had an issue.
There's only been like one or two that
are just like, yeah, whatever,
use your router, we don't care.
Um, I,
I know my current router and I think
a lot of ISP provided routers have this,
they have a bridge mode where it basically
shuts that router off and turns it into
just a pass through.
Um,
because a lot of the time it will
be, especially if it's fiber right now,
it'll be, um,
what's the word I'm looking for?
The fiber connection will have to go into
the ISP router.
And then from there it goes into your
router or there'll be like a coax cable.
So it's not like an ethernet that you
can just plug straight into the wall
usually.
And that's why you'll need their router.
But a lot of them,
you can put it in bridge mode and
then it shuts their router off.
Mine is not in bridge mode and it
still works just fine.
So yeah, I mean,
there's a lot of ways to go about
it,
but I really do think I would highly
encourage,
and some of them can be expensive.
Like I think my router,
when I bought it was like,
almost five hundred bucks,
and I think that was used.
So it's a nice router.
I love that router.
I'm glad it's lasted me this long.
It's a good investment.
So I'm not saying you have to go
buy a five hundred dollar router.
There's a lot of options out there,
but definitely if you're passionate about
your privacy and you are a renter and
you don't have complete control over your
ISP and what router they give you and
stuff,
definitely, I would recommend doing your
research. Start on Privacy Guides, start
with the OpenWrt, see if that'll meet
your needs, and, um, you know, see, see
about getting another router, because it pays
off. Now we've got an IoT network, we've
got a guest network, we've got our main
network, we've got a built-in ad blocker,
we've got ad-blocking DNS, um, all the
networks are segmented VLANs. It's just, wow.
Which is super overkill, but I'm just
saying, like, the possibilities are endless,
man. Yeah, yeah.
Absolutely get your own router.
I mean,
that's the point of having a router.
It's to segment your network from your
ISP.
Even if your apartment complex is your ISP
in this case,
you want to keep your stuff separate from
that.
And you can always do more advanced stuff
with your own router.
Like if you don't trust your apartment,
you can run a VPN on that to
protect all of your devices and stuff like
that.
Or you just use the router to prevent
other people on your apartment Wi-Fi or
maybe just other people on the internet if
your apartment
doesn't have proper security,
which they certainly might not because
they're an apartment building that knows
nothing about the internet.
You want to have like a firewall in
between to keep your devices safe.
So yeah,
there's almost no reason you cannot use
a router because generally they can't
really tell what device you connect to it.
So even if they tell you you can't
use a router,
I would definitely just use one anyways.
Yeah.
Like I said, they,
most of them tell me you can't.
And then I'm like, Oh,
let me try it.
Plug it in.
Works great.
Um,
one last thing I wanted to add real
quick actually is, um,
when we're listing benefits,
a lot of the time,
the benefits are not always privacy
related.
It makes setup in your new place
super easy because you move to a new
apartment,
you plug your router in and look at
that.
All your devices are ready to go.
You don't have to type in a new
network.
You don't have to set up a new
network, just plug it in and go.
So yeah.
Yeah, absolutely.
All right.
So I think that's all we had for
the forums for now.
And now we're going to take some viewer
questions.
So we're going to start with questions on
the forum,
specifically from our paying members,
but I don't believe we had any paying
members right now.
But if you would like to become a
paying member and get priority,
you can go to privacyguides.org,
click the little red heart icon in the
top right corner.
So we'll jump into the forum first and
then hop over to our live chat.
Um,
and we only had a couple of questions
in the forum.
The first one asked us to talk about
this article from Wired,
which I'm not going to talk about too
much.
Cause honestly,
I don't think there's much to talk about.
Um,
but I think it is a good thing
to have on your radar because it may
become more to talk about in the future.
Uh,
the headline says using a VPN may subject
you to NSA spying.
I did see this article.
The issue is the keyword there is may,
and that's kind of why we didn't include
this as one of our main stories is
basically, uh,
Excuse me.
Lawmakers are – well,
I'll just read the first part.
Lawmakers are pressing the nation's top
intelligence official to publicly disclose
whether Americans who use commercial VPN
services risk being treated as foreigners
under U.S.
surveillance law,
a classification that would strip them of
constitutional protections against
warrantless government spying.
So I know I mentioned this before in
the past,
but really quick recap for those who don't
know.
The way that –
surveillance laws on paper are currently
structured is the government is not
supposed to spy on its own citizens,
but any signals that move in or out
of the country are subject to surveillance
because now you're including somebody
who's potentially not a citizen,
potentially.
And there's a whole lot of reasons for
this.
Edward Snowden has a classic interview
with John Oliver,
or I guess John Oliver has a classic
interview with Edward Snowden,
where Snowden explains how a lot of the
time the communications will route through
the fastest network,
which may temporarily take them out of the
country,
or companies may move the server to
another location digitally to do physical
maintenance on the server, whatever.
Point being,
it's really not a good way of doing
things.
And this article points out why,
because they point out that since VPNs are
so ubiquitous,
Even if a VPN server is located here
in the US,
like say you've got your VPN set to
New York or LA or Dallas or whatever,
there's a really good possibility,
especially in those examples I gave,
that there may be users from other
countries using that server.
And so they're basically saying,
I don't know if somebody tipped them off
to this.
I didn't have a chance to fully read
this article all the way,
but they're basically saying because these
VPN servers could potentially include
foreigners,
does the NSA treat them as foreign
traffic,
which would mean that even if I'm a
US citizen,
if I connect to a server in Dallas,
I'm still in the country,
but are you going to assume that I'm
not?
So, yeah,
we didn't cover that story because it's
very speculative,
but I do agree it's definitely a good
thing to have on your radar.
Yeah.
I don't know what the impact of this
would be.
I think the opposite is also true here,
which people are concerned about,
whereas you're talking about connecting to
a server in Dallas,
and that could be a concern,
but also if an American server
connects to a server in some other country,
um, like, like France, will their data be
collected by the NSA because they don't
know that it's an American and they're
spying on people out of the country? I
think that that's also a concern. I don't
think about that, that's a good... Perhaps
even more of a concern than connecting to,
uh, to an American server. I would say
that this is probably likely to be the
case, knowing the NSA. We've seen similar
things. Um,
And it is one argument that I've seen
as to why maybe you should use a
U.S.
server,
because if you are concerned about U.S.
surveillance,
there are more restrictions on what the
government can do in the U.S., supposedly,
than what they can do outside the U.S.,
which is pretty much anything they want.
But, I mean, even in the U.S.,
a lot of the way that this government
intelligence works is like the U.S.
can get other countries to do this
intelligence for them and spy on American
citizens,
just like they can get big tech companies
to spy on American citizens.
This is a huge problem that we've talked
about
for many weeks now, especially with Flock,
for example,
where the government doesn't have to do
anything because they just pay someone
else to do it.
It's also an issue with data brokers.
We've talked about that as well.
The government doesn't have to collect all
of your location data,
but they can buy all of your location
data, and that, for some reason,
is perfectly legal.
So
I would say,
I think I already said this,
but I think that this is likely to
be the case.
I guess we don't know for sure,
but I wouldn't be surprised if this was.
But also, if it is,
I'm not exactly sure how to
protect yourself against it at the moment.
The best thing we could do is if
this is confirmed, you know,
we'd have to demand change and demand some
restrictions on how the NSA works,
which we've also been talking about for a
while.
And I'm not sure if that'll happen.
Yeah.
Before we move on to the next question,
this is kind of a follow-up here from
one of our viewers.
We advertise VPNs as a tool against
surveillance capitalism,
not government surveillance.
So would this change how we recommend
VPNs?
Yeah,
I guess that's kind of my main point.
It doesn't seem like for the purposes that
most people use a VPN for,
this is going to make a big difference.
It's obviously a concern.
I don't think that the NSA should be
allowed to spy on American citizens,
just like the CIA shouldn't be able to.
None of these...
None of these agencies really have
authority to do that,
and they probably are anyways through
loopholes like this.
But there's a lot of ways that they
can get around this,
and it's not really the intent of a
VPN in the first place.
They're much more useful for like sharing
an IP address with other people so that
you,
so that your data can't be like uniquely
identified in logs or by data brokers and
stuff like that.
So, yeah,
it's not something that I think is going
to protect from government surveillance in
the first place.
I think it's clear that
And using an anonymity network like Tor
makes a lot more sense if this is
your threat model,
but also if you are extremely concerned
about being targeted by the government
rather than swept up in their mass
surveillance,
even something like Tor may not be
the best choice for you and you really
need very specific help.
Whatever Edward Snowden is doing,
he has experts working on the best way
for him.
You can't just do that on your own.
But yeah,
for this mass surveillance stuff,
I think commercial VPNs are still all
right, usually better than your ISP.
At least you have a choice between VPN
providers.
But
They're certainly not perfect.
And yeah,
none of this would surprise me if it's
true.
Yeah,
that was kind of my same thought about
using Tor instead for government stuff.
We had another question here about our
outgoing team member, Em.
I think I'll leave that one to you,
because you would be more qualified to
know what's going on behind the scenes
with all that.
Um, really, there's a lot of questions here.
Um, this person, so Em, uh, recently posted
on our forum about how she's leaving
Privacy Guides. Uh, she's also posted some
stuff on Mastodon, um, earlier this month, so
this isn't like brand new information, um,
but I don't think we've talked about it
on the forum or their show before. Um,
So,
I guess I'll go through these questions
one by one.
I guess I'll start with the end first,
because there's a couple questions here
that I probably can't get into.
So they asked,
what was the decision behind choosing
which staff to let go?
Are there plans for hiring Em again once
the financials allow for it,
as long as she's also available for hire?
Do we plan on hiring someone else?
Did you guys know we would have to
let someone go for some time,
or did it come as a shock?
A lot of questions about specific people
on our team and the contracts that we
have with them, I can't really get into.
It's not really my place to discuss a
lot of these contract questions and
there's kind of a lot going into it.
It's a very personal situation.
So unfortunately,
I can't really share a lot of information
on that front.
Because yeah,
that's that's that's not my place.
That's kind of a personal thing.
Yeah,
I just can't talk about any employer stuff
about specific employees, right?
That is more of a one-on-one thing that
we have with them.
So yeah,
I won't get into really any of that,
unfortunately, for you.
But I can talk about some of your
other questions.
So are there any goals or plans we
have for ensuring good financials to
maintain our current employees?
Yeah,
right now we have pretty solid financials
and there's definitely some plans to
improve fundraising and make more revenue
this year.
I'm not concerned at all about our ability
to keep our team hired.
And so that is not a concern for
me at all.
I think a big part of that will
be to focus more on videos.
We've seen a lot of good growth on
the video YouTube side of things and also
making more stuff for members.
You also asked,
do we plan to make more merchandise?
That is something that I,
we'd certainly like to do this year.
That's not,
the whole shop and merchandise thing isn't
a big, like,
source of money for us or anything.
We're really doing that more as like a
marketing expenditure.
It's good to get designs out there so
people are wearing them,
starting conversations about privacy,
all of that stuff.
Yeah, I hope to have more designs. Um,
we definitely want to sell shirts and
other, you know, other stuff to, to get
Privacy Guides out there, and I'd be happy
to see more people wearing that stuff and
talking about it and going to conferences
or whatever and talking about privacy, but
that's not a huge, um, like, revenue
generator for us, I will say. Um, so
that is definitely not our main plan to
make money. Um,
They asked about YouTube.
More views mean more revenue.
Yes, they certainly do.
The nice thing is that we've seen a
ton of growth on our YouTube channel so
far.
In the last twenty eight days,
we've got fifty thousand views,
which is thirty three thousand more than
our usual average for a month.
So things are definitely on an upswing and
we hope to continue that going forward.
Have we reached out for grants?
Yes,
we have some grant opportunities that
we've explored.
That's definitely a big thing that we'd
want to do.
We'd love to get grants for specific
projects in the future.
Yes, are sponsorships on the table?
All of the sponsorship stuff and affiliate
links,
that's not something that we plan to do
on our main content,
like the website or the forum.
It's not totally ruled out for the videos
that we make,
especially because it's so common on
YouTube.
Um, that's still an idea that we're
exploring. We likely could at some point do
sponsorships from, like, companies, uh,
completely unrelated to privacy, if, if the
opportunity makes sense. I, I won't say that
we're, that we never do a sponsorship with
this company, but just because they're so
common on YouTube, I would just say, like,
Raid: Shadow Legends could be a good
example of something we might do, just
because
They're completely unrelated to privacy
and they,
I don't know if they still do,
but at some point they were sponsoring
like every single YouTube video I watched.
So I won't say that specifically,
but that's kind of an example of something
we could potentially consider.
Another thing we could consider on the
video side of things is like if a
company we do recommend wanted to sponsor
like a tutorial about their product or
something like that.
Like,
it could be any company we recommend,
like Proton,
if they wanted us to do a walkthrough
on ProtonMail.
It's something...
I can't say whether we would do that
or not.
We'll have to explore it if the
opportunity arises,
but it's not something we would totally
rule out at this time.
So on the video side of things,
we may do that in the future in
some cases, but...
Yeah, we'll have to think about that a
lot more. Um, and it's not something that
we totally, that we have any immediate
plans for, anything like that. Um, but
potentially on the table. Uh, do we intend
to make more members-only content to
incentivize membership? Uh, yeah, absolutely.
We do want to do more members-only
stuff, especially in the video, uh, side of
things. Um, there's, there's a balance that
we,
uh, want to draw, though, because a lot
of our members-only, a lot of the
content that we publish in general, um, we
feel that it's important to get out there
for everyone. So it's very tricky to do
members-only content in the first place. Um,
it's, I'm glad we have so many members
that, um, are generous enough to kind of
keep up with their subscriptions even as
we, uh, haven't published a ton of, like,
members-exclusive content, only, like, early
access to videos and stuff, just because
those memberships really help us get all
of this content out there and let us
make things that everyone,
hopefully everyone in the world,
anyone interested in privacy benefits
from.
So yeah,
I don't know where that line will be,
but we have some ideas and that is
something that we want to explore further
in twenty twenty six.
I think that's kind of all the questions
I will say.
A lot of the stuff that Em has
been working on recently,
we definitely plan to continue.
So like all of the activism stuff,
we want to keep up with that section,
expanding it.
It's going to be very challenging.
Of course,
it always is losing any team member for
us,
but
We will make do, and we,
we certainly don't want to give up on
any of those projects,
because we have received a lot of positive
responses to things like that.
And we're hoping to expand it.
So if you guys do like that stuff,
definitely let us know.
But all of that is we still plan
on
sharing that with people,
trying to expand it as much as we
can and keep it up to date and
really promoting it to people in
organizations who can use those resources
because they're really fantastic
resources.
Yeah,
I think that's all I would have to
say on that topic.
I know there's a lot of questions,
and I just said a lot of stuff.
But hopefully,
that answers most of your questions.
And if you have any other questions for
us, let me know.
I did want to add a couple things
to the questions about YouTube
specifically,
since that's kind of what I do.
They asked about upping the production
quality.
I'm not under the delusion that we have
the best production quality.
I know in a perfect world,
I would have a studio with multiple
cameras and everything.
And I mean this genuinely,
like I'm not offended by this question.
Like, what do you mean?
Feel free to like offer suggestions.
I can't promise we'll do them because
again,
we are limited by financial constraints,
space constraints, equipment constraints,
editing constraints.
But I mean,
if you have any very specific, like,
you know, oh, other channels do,
because honestly, that's how, at least me,
that's how I learn a lot of my
tricks is, you know,
watching other channels.
And I'm like, oh,
I really like the way they do their
titles or I really like the way they
do their transitions or whatever.
Um, so yeah,
if you have any specific ideas, um,
I'm personally all ears again,
can't promise we'll do it.
Maybe it's just, you know, um, but yeah.
And then you said current videos get
around one to ten K per views.
And yeah, I mean,
they're gonna fluctuate a lot,
especially because we do so many different
kinds of videos.
Like we do some, uh, interview videos,
we do some tutorial videos,
we do some
We're going to do some tutorial videos.
We do some videos that are more entry
level, like here's encrypted messaging.
And our next video is going to be
a little bit, not more advanced,
but it's not going to be quite so
entry level.
So, I mean,
it's kind of a wide range of topics.
So the views are going to fluctuate,
but I mean...
What I was taught learning YouTube is that
anytime you get more views than you have
subscribers,
that technically counts as going viral.
So considering we don't quite have ten
thousand views yet,
getting ten or ten thousand subscribers,
getting ten thousand views,
twenty thousand, thirty thousand,
which I know is
those are the exception, but we have some
videos that really racked up quite a few
views. And, uh, you know, our, our hope
is that eventually, of course, someday we
want to get, you know, a quarter of
a million subscribers, and we want our
videos to get a million views each. Like,
we definitely want to get there. But, um,
yeah, it's like Jordan said here, like, I
think we punch above our weight for sure.
So, um, just to kind of put it
in context, like, we're still very much
growing, I think. Um,
Oh,
and I had another thought that got away
from me.
Oh, yeah.
Just the other thing to remember is that
we are a very small team.
I think with Em leaving,
I don't know if I can say how
many staff members there are,
but there's not many.
And we all wear a lot of hats.
So a lot of these bigger YouTube channels,
like Veritasium and Fern and stuff like
that, they typically have...
Like,
at least one person whose sole job is
to write and research and write the
script.
And one person whose sole job is to
film the script.
And one person whose sole job is to
edit the script.
And one person whose sole job is social
media management.
But, you know, here we've got...
I cut most of the clips for the
shorts, which, again,
I haven't been doing lately.
I'm sorry.
But I cut most of the vertical clips
and stuff.
And I think Jordan and Jonah mostly handle
the social media.
And Jordan does most of the editing
because they're just so much better at it
than me.
But I try to at least do the
basic cuts and stuff.
So just kind of keep that in mind,
I guess,
just that we are –
I'm not trying to make excuses.
I'm just saying that when I said feel
free to offer suggestions,
sometimes we just may not have the
manpower to do something a certain way,
but we definitely want to get there for
sure.
I mean,
we talk every week about growth and what
our strategies are and what we can do
next to get the message of privacy out
to more people.
Yeah.
Yeah.
Some of those YouTube channels you
mentioned, I think they're definitely...
misleading, not in, like, a malicious way, but
just, like, I don't think a lot of
people understand there, there's huge teams
behind them. I mean, the ones that you
mentioned, Veritasium, Fern, like, they've,
they've got more than one person working
on all of those things. They got multiple
editors. They're doing, they're doing, like,
multiple animators. Uh, people don't think
about that because I think a lot of
people just think about the person on the
screen on a YouTube channel doing
everything, and that is definitely not the
case for those larger channels.
Um, but yeah, definitely open to suggestions
on what we can do. I wouldn't, I
wouldn't rule anything out, so let me know
what you like to see. Um, I don't
wanna, like, uh, I don't wanna, we're, I'm
not under any delusions that we're making,
like, perfect videos, but I do think that
our videos are pretty good. And I think
that a lot of what we can do,
uh, maybe better comes down to
marketing those videos and somehow finding
out, like, the best way to work within
the algorithms and stuff to get it out
to more people. And there's certainly
improvements we could make there, whether
it's with the script or whether it's just
with titles and thumbnails. Um, but I don't
think the quality is that bad, um,
personally, and I think that
I think that we're set up pretty well
to get a lot more views in the
future, thankfully.
And we're also almost at ten thousand
subscribers.
Probably could be as early as tomorrow or
next week based on how these numbers are
going.
So that's exciting stuff.
Yeah, I'm super excited for that.
That's going to be a big milestone for
me.
Also,
Seas said that it's World of Warships
sponsoring everybody now.
So we need to look into that.
We'll see.
All right.
I'm going to scroll back up to the
top here.
It's been a little bit of a quieter
week.
But let's see here.
We talked about ships.
Somebody asked about age verification.
We talked about that.
I know there were some questions.
I just have to go find them.
Oh, yeah.
Jordan mentioned, not really a question,
but here in the US,
if emails are more than a hundred and
eighty days old,
they don't require a warrant.
Um,
so this is one of the reasons that
we encourage, uh,
encrypted email providers like Proton and
Tuta and Mailbox,
if you turn on Mailbox Guard and, um,
use that is because if you've got Gmail
or Yahoo or whoever it's,
I forget what it's called,
but it's basically this legal doctrine
where the government treats your emails as
abandoned property,
which is completely insane because like,
I'm sure,
especially those of us who are older,
you probably have like, I don't know,
letters from, okay,
using me as an example,
I was in bootcamp and my family sent
me a lot of letters.
I used to be in the military.
And so if I had kept those letters,
I'm sure my mom did,
if I kept those letters and put them
in a shoebox in the closet,
now that I've been out for over a
decade,
I don't think anybody would be like, yeah,
those are abandoned.
Like, no,
those are my memories sitting there.
Like, it's completely insane.
But if you use an encrypted provider,
then-
The cops can't access it anyway,
so it's a moot point.
Jordan asked if we saw that the FBI
director's email got hacked.
I did see that on social media.
I didn't have a chance to read the
story.
I just saw it this morning,
but I saw that that had showed up,
and I saw a lot of jokes about
it.
Like,
his password is probably cash with a
dollar sign and stuff like that.
Yeah,
I believe it's just his personal email,
which probably...
I mean,
I don't think it's like a threat to
the government,
but it is probably a pretty embarrassing
reason for him because I would imagine he
I'd imagine he's using a major service
like Google or Apple iCloud that
doesn't have security issues,
so it was probably more of an OPSEC
failure from the director of the FBI that
caused this rather than any service issue.
Yeah,
I haven't read that article myself either,
but...
Yeah, it doesn't look promising.
I haven't heard a lot of like what's
in the emails, anything yet.
So I don't know if they're going to
parse through it, but.
So that came in like last minute today.
I think, yeah, this article from the
Guardian says it was a personal Gmail
address, and the government has also said
there's no government information.
It's all just personal stuff.
It sounds like a lot of random pictures
of them and like historical emails in the
case of Google I
Like there's,
there's plenty of ways to protect your
account.
If you're going to be a Gmail user,
you can have a strong password.
You can have, um,
the advanced protection program, uh,
to call this a hack is probably
not the most accurate because I would
imagine there were plenty of things the
director of the FBI could do to secure
his data.
It probably wasn't like getting into the
mainframe of Google servers or anything
like that.
It was probably pretty mundane.
But what can you expect from the current
government?
Yeah, right.
Let's see here.
Okay, I'm catching up to the front now.
Yeah, I think that was all for questions.
I thought there was another one.
Oh, yes, here it is.
Anonymous,
fourteen sixty five said that there should
be a section on the website for router
scenarios.
I have no idea how to set one
up or be private for it.
The problem with detailed tutorials about
like,
here's how to get started and here's how
to do it is they get really outdated
really fast.
And so it would almost turn into like
a full time job just trying to keep
these tutorials current and, um, yeah,
I mean,
just trying to keep them current and
keeping on top of like, oh,
the UI changed and this option's over here
and they added this new option.
And so, um, yeah,
we do want to do some tutorials in
the future.
I think I mentioned that earlier,
but it's, uh,
it's definitely a bit of a challenge to
figure out.
It's,
it's a challenge to keep them as evergreen
as possible.
Yeah.
I wouldn't rule it out.
But yeah,
we've been talking about doing something
like that for a while.
Which, I mean, just among the volunteers,
actually one of them really wants to do
that eventually,
but hasn't been able to yet.
But hopefully we can do something like
that.
Jordan asked if we saw that iCloud Hide
My Email was traced back to somebody after
a warrant.
I would imagine that's probably the case
for any of these aliasing services,
because that is how email works.
They can typically tie it to your mailbox.
Yeah, not, yeah, um, most interesting story, I
feel like, but it also involved FBI
Director Kash Patel, because it was
regarding an email sent to his girlfriend.
So a lot of Kash Patel stuff going
on in the email space this week. I
don't know what's up with that. It's been
a busy day for him, I guess.
I mean, at the end of the day,
like that alien,
the aliasing services and email in
general,
that's not going to apply to serious
threats.
Right.
So it's,
it's more like a spam prevention or again,
kind of like the,
kind of like the VPN thing.
It's good to protect yourself against, uh,
like mass surveillance or data brokers
because.
using a different email for every website
that is a good protection against your
accounts being correlated,
among other things.
But you know,
it's an email aliasing service.
It's not like a unique identity generator
for everything on the internet.
And they certainly can be linked together.
That's not really what these email
aliasing services are for.
Yeah, for sure.
I actually did remember one more question
that I skipped past.
I had another tab open.
Where did it go?
Oh yeah,
so earlier when we were talking about
social media,
somebody asked if there was a book on
the subject.
And I'm assuming you mean a book on
the,
because we were talking about how social
media is designed to be really addictive.
Age of Surveillance Capitalism by Shoshana
Zuboff touches on this a little bit.
Not so much the design of social media
itself, but just like how big tech works,
what their playbook is for invading your
data.
Jaron Lanier has a book called Ten
Arguments for Deleting Your Social Media
Accounts Right Now.
I have not read it personally,
but I know that is one.
And then a couple others I haven't heard
of,
but I found mentioned when I went looking
for answers, Hooked by Nir Eyal,
Addiction by Design by Natasha Schüll,
and The Shallows:
What the Internet Is Doing to Our Brains
by Nicholas Carr.
Again, have not read any of those,
but those did come up when I searched
that subject, so.
Because when I saw that you asked that
question, I was like,
I know there are some,
but I'm drawing a blank.
So those are what I found.
All righty.
Last chance for questions in the chat,
everyone.
Otherwise, we'll start wrapping this up,
I think.
Got a bit more to share here, but...
But yeah.
I think we can close off questions here
then, probably.
Thanks for tuning in, everyone.
All of the updates from This Week in
Privacy,
we share them on our blog every week.
So you can sign up for the newsletter,
or you can subscribe with your favorite
RSS reader if you want to stay tuned
on all of this and get all of
the sources.
For people who prefer audio,
we have a podcast version available on all
podcast platforms and RSS.
We also sync the recording of this video
to PeerTube.
Privacy Guides is an impartial nonprofit
organization that's focused on building a
strong privacy advocacy community and
delivering the best digital privacy and
consumer technology rights advice on the
internet.
If you want to support our mission,
you can make a donation on our website
at privacyguides.org slash donate.
You can make a donation by going to
any page on our website and clicking the
red heart icon located in the top right
corner of the page.
You can contribute using standard currency
via debit or credit card,
or you can opt to donate anonymously using
Monero or with your favorite
cryptocurrency.
Becoming a paid monthly member will unlock
exclusive perks like early access to video
content and priority during the This Week
in Privacy live stream Q&A.
You'll also get a cool badge on your
profile on the Privacy Guides forum and the
warm,
fuzzy feeling of supporting independent
media.
Thank you all for watching.
We will see you next week.