Why Does Microsoft Hate Security?

All right.

Microsoft abruptly terminated the accounts

of two multiple actually FOSS projects.

Employers are now using personal data to

figure out the lowest salary that you'll

accept.

And the FBI was able to recover deleted

signal messages from a device's local

notification database.

Busy week this week coming up on This

Week in Privacy number forty eight.

So stay tuned.

Welcome back to This Week in Privacy,

our weekly series where we discuss the

latest updates with what we've been

working on within the Privacy Guides

community,

and this week's top stories in data

privacy and cybersecurity.

I'm Jordan,

and with me this week is Nate.

How are you doing, Nate?

I'm doing pretty good.

It's been a good week.

How are you?

I'm doing good,

getting ready to dive into this top story

here.

So this week,

kind of a huge story that's been going

around.

Microsoft abruptly terminates VeraCrypt

account, halting Windows updates.

So basically, quoting from the article,

Microsoft has terminated an account

associated with VeraCrypt,

a popular and long-running piece of

encryption software,

throwing future Windows updates of the

tool into doubt.

Veracrypt's developer told for media,

the move highlights the sometimes delicate

supply chain involved in the publication

of open source software,

especially software that relies on big

companies, even tangentially.

So according to the Veracrypt developer,

I didn't receive any emails from Microsoft

nor any prior warnings.

VeriCrypt is an open source tool for

encrypting data at rest.

Users can create encrypted partitions on

their drives or make individual encrypted

volumes to store their files in.

Like its predecessor, TrueCrypt,

which VeriCrypt is based on,

it also lets users create a second

innocuous looking volume if they are

compelled to hand over their credentials.

And I'd also like to add you can

actually do full disk encryption with

VeriCrypt.

This is why this is quite a concerning

move because

uh if you lose access to your full

disk encryption then obviously you're not

going to be able to access your files

so that is kind of a big concern

here as well um and i guess moving

on to the second thing here wireguard vpn

developer also can't ship software updates

after microsoft locks their account so if

you didn't know already wireguard is a

protocol that most vpn providers use to

facilitate the VPN connections.

And they also have an official WireGuard

app that you can use with your WireGuard

profiles.

And this app on Windows is currently not

being able to be updated because the

WireGuard developer has also been locked

out of their Microsoft developer account.

So that means that they can't ship

software updates to Windows users.

Jason Donnefeld

The creator of open source WireGuard VPN

software told TechCrunch that he has been

locked out of his Microsoft developer

account and as a result cannot sign

drivers or ship updates for WireGuard for

Windows users,

which are critical for its software to

run.

And I think probably the most concerning

thing here is if there was a critical

vulnerability found in WireGuard VPN on

Windows,

they wouldn't be able to ship an update

and get it fixed.

So this is kind of a concerning thing

to be happening right now.

But we did see that there was a

sort of update to this story.

So we did want to mention this immediately

off the bat.

Zach Whitaker from TechCrunch did a

Mastodon post saying that he had contact

from VeraCrypt and WireGuard,

both telling them that they had regained

access following their Microsoft account

lockouts and can now release updates

again.

So that was on the eleventh of April.

And a lot of these articles were coming

out on the April the eighth.

So it took a couple of days for

this to happen.

And I guess a lot of backlash, actually.

So there's this article here from Bleeping

Computer that also goes a little bit more

into depth about how this worked.

So according to the VeraCrypt developer,

his account was actually terminated,

which I basically need to have

a Microsoft developer account to sign

Windows drivers and the bootloader.

I believe this is because the secure boot

process, if the drivers aren't signed,

and it won't be able to load properly

or something like that.

I've tried to contact Microsoft through

various channels,

but I've only received automated replies

and bots.

I was unable to reach a human.

I cannot publish Windows updates.

So I think this story kind of highlights

the concern of trusting a centralized

entity with the update process.

So in this case,

Microsoft does have quite a lot of control

over which developers can actually

create apps and updates on their platform,

which, you know,

we obviously oppose this because people

should be able to run whatever software

they want on their computer.

They shouldn't be held hostage by a

corporation.

And I think in this case,

it also ended up being a kind of

security risk because they weren't able to

release updates and they could have been a

critical vulnerability found.

But I do want to mention that WireGuard

VPN is notoriously very stable.

And the amount of updates that have been

published for it have been quite minimal.

And there haven't been that many critical

vulnerabilities found.

So that is a benefit.

It's also because the WireGuard protocol

is much leaner than other protocols like

OpenVPN.

So that does benefit it in that

circumstance.

In this article here from TechCrunch,

Sorry,

this article here from Bleeping Computer,

it also stated that dev teams from

Windscribe and memtest-eighty-six have

also been locked out of their accounts

too,

so big issues for Windscribe and

memtest-eighty-six.

And it is kind of concerning that this

happened without any warning,

no notification,

just these developers trying to access

their accounts and they weren't able to.

And like Jonah said here in the chat,

he said,

almost like having a triopoly on app

stores isn't a good idea.

Yeah,

I think we should be trying to focus

more on having more app stores,

having alternative ways to install

software.

I think, yeah.

I mean,

one of the benefits with Windows is you

don't have to use the app store to

install apps.

You can actually install them

independently, which is a benefit.

But it also,

like we said in this story,

there is a...

element of control that Microsoft has

because you need their permission to sign

drivers and write to the bootloader.

So if you don't have that developer

account,

then you're not going to be able to

do that properly.

In that case,

your users would have to basically bypass

that,

which is a much more technical process.

Although it is possible,

it's not really recommended and a lot of

users are probably going to feel unsafe

about doing that.

so i feel like i've talked for quite

a while here um nate do you have

any thoughts on this story so far oh

man i mean i think you covered most

of it for sure i think um yeah

it's really uh it i'm glad you mentioned

the um the full disk encryption nature of

vericrypt i'm a vericrypt user myself i i

will admit that and um it's

VeriCrypt can be used either to encrypt

specific things like you can create a

container or you can encrypt like an

external hard drive.

Or like you said,

you can encrypt your entire Windows

computer,

which my wife is primarily a Windows user.

I kind of dual boot in between Windows

and Linux for the most part.

I really just use this Mac for this

and that.

when I travel and stuff.

So that's kind of one of the first

things we do is where I'm going with

that is we encrypt our computers with

VeriCrypt.

And the developer,

I forget which article he said it in.

He may have said it in all of

them.

But the developer pointed out that if they

hadn't gotten this fixed in time before

the certificate ran out,

which I think would have been early June

or end of June, sometime in June,

then that could have potentially meant the

computers wouldn't boot.

And on top of it,

since he can't push out an update,

how are you supposed to make sure that

people know like, Hey,

decrypt your computers because they might

not boot.

So it's really, it's really,

really troubling for sure.

The,

The thing I like about the bleeping

computer article is that it gives more of

Microsoft's side of the story.

And I don't like that necessarily because

I care what Microsoft's opinion is,

but just to have the full,

complete information, right?

And Microsoft claims that ever since,

I think it was April of last year,

they've had this program where developers

have to verify,

which we're seeing that now on the Android

side of things, right?

And Android, it's not...

I don't wanna say it's not going well

because it's not been rolled out yet,

but this just shows things can go wrong,

even well-meaning things.

There are problems with this model.

And so it's really confusing.

Did these people just somehow miss the

notifications?

Was there some kind of glitch where they

didn't get notified?

Because the Microsoft,

I think it was like a VP,

was saying that they've been sending out

emails,

they've been sending out notifications.

He said they've been emailing everyone

since October,

I think the guy from VeriCrypt said that

he noticed this account was shut off in

January.

It's just,

we're just now finding out about it for

some reason.

Not like he was hiding it.

He was just,

he was busy trying to figure it out.

And for some reason,

it's just now that he's coming forward and

being like, hey,

here's where I've been for the past couple

of months.

So, I mean, yeah, there's so many,

Like, so many questions here, you know?

Because there's... Again, there's like...

Did something just get missed?

I don't know.

Why all of these?

I have a hard time believing that like

Windscribe, they have a whole team.

How did a whole team miss this?

And like, for the record,

I'm not blaming Windscribe with that.

I'm blaming Microsoft.

Like,

I don't think Microsoft did a good job

of notifying everybody if they did at all.

It's really weird.

I don't like to assume malice.

You know,

I don't like to look at this and

be like, oh,

Microsoft's trying to crush open source.

But I certainly have a lot of questions

and I don't understand how so much fell

through the cracks and so much got missed.

And

It really shouldn't take all this negative

media coverage for Microsoft to be able to

do something.

That's a big concern that I've had for

years,

that I've noticed years and years and

years ago that...

It was with Facebook specifically.

So I used to manage bands and one

of the bands I managed wanted to change

their name because there was another band

with the same name that got super,

super popular.

So they're like,

we need to rebrand because we keep getting

confused with them.

And like trying to get Facebook to rename

this band was literally a multiple months

long deal.

And it's like,

why can't I just talk to a person?

Like it doesn't even have to be real

time.

I'm not asking to call somebody or chat

with somebody.

Why can't I email a human being?

And it's just – everybody's trying to cut

down on the cost of having a support

staff, and they're trying to save money,

and it's all about shareholders making

more money and stuff.

But it's just like this is the result

is things don't get – like what if

this had never taken off the way it

had been?

Like this would have been a really big

deal.

This would have been really bad.

So –

Sorry,

I'm having trouble putting my thoughts in

order.

But yeah, this was so, so not cool.

And I guess it makes me wonder.

So, like, first of all,

what do you think,

if you have any opinions,

what do you think developers could do

against this?

Because, I mean,

it really does seem like Microsoft holds

all the cards here.

And I don't know.

Like, it's...

because these are privileged software,

right?

I think that's the difference.

We were talking about this in another chat

earlier today,

is like when I install things on Windows

that don't come from the Microsoft Store,

even when they're unsigned,

there's a little pop-up that's like, hey,

this is unsigned.

And I can tell it like, yeah,

I know, install it anyways.

But for these like really high level,

very privileged things, it's like,

I don't even know if there's a way

around that.

So I mean, yes, in a perfect world,

switch to Linux, right?

But I don't know if there's any other

alternatives there.

Do you have any thoughts on that?

Yeah, I think, you know,

when there's a gatekeeper and that

gatekeeper is Microsoft,

there is like not a whole lot we

can do in this case, unfortunately,

which kind of sucks.

Like you said,

like switching to operating systems that

respect you and don't hold your computer

hostage and do this sort of silliness is,

I mean,

I'm sure there is a security benefit from

doing this, but I think, you know,

we have to look at things from like

different angles as well, right?

Like what does this power that Microsoft

holds, what can it be used for?

And if they can lock people out of

their accounts accidentally, accidentally,

I'm saying in quotations,

very large quotations, but, you know,

then what could they do if, you know,

there was a foreign government that didn't

really like, oh,

we don't like that you're allowing people

to use WireGuard VPN to bypass our

firewall or,

something like that, right?

I think people should be able to use

their computer in whatever way they want,

right?

We shouldn't be, we shouldn't be,

you know,

bowing to Microsoft's wins on what we do

on our computers.

So ideally people are using Linux here.

I mean,

there's definitely the ability to use

different repositories is great.

I think

it's kind of unfortunate though,

whoever controls the platform kind of gets

to decide these things.

And as far as I'm aware,

there's Linux is basically the only system

where there isn't a big tech corporation

with ultimate control over everything

because Android,

like we've kind of seen Google owns the

Android source code.

So a lot of times they can exert

things onto the operating system that, uh,

against the user's interests,

for instance.

Like we've seen where they're stopping

people from installing apps on their

devices and stuff like that.

We're still kind of monitoring that

situation as well.

But I think when we operate on platforms

that are not controlled by the community,

then that's when we run into issues like

this.

So yeah, I mean,

I don't really have too much more to

add unless you have something.

No, yeah,

I guess just the last thing I wanted

to mention is,

do you happen to know off the top

of your head what PrivacyGuide's official

encryption software recommendations are?

Off the top of my head,

we do recommend VeriCrypt, I believe.

Yeah.

Okay.

Yeah, I've got it pulled up here.

Let's see.

Can I share?

Yes, sharing this tab.

Okay.

So it looks like we do recommend...

If you're trying to upload to the cloud,

we do recommend Cryptomator.

We do recommend VeriCrypt.

It does say that...

for disk encryption um interesting i did

not know we recommended that for full disk

encryption but yeah the like i said it

can also be used for standalone for to

encrypt like an external disk but oh there

it is operating system encryption yeah we

typically recommend whatever it comes

built in with so like linux distros will

come with lux which is the linux unified

key setup um the only thing that kind

of sucks is i'm told that it can

only happen

At the start, like when you install Linux,

I don't think you can go in and

add it afterwards,

at least not very easily.

It's kind of clunky.

Macs come with FileVault and Windows.

So Windows has BitLocker.

It's kind of tricky to use because

originally it was only in like the upper

level versions,

like the Pro and the Enterprise,

which typically cost a lot of money.

The home version now has it if you

use a...

if you use an online account,

which we definitely do not recommend for a

variety of reasons.

And, uh, yeah, but there's,

there's ways to, you know,

you can upgrade to pro, which, uh,

you can usually find, um,

make sure they're the reputable,

but you can usually find resellers online

who will sell them a pro license for

a lot cheaper and stuff like that.

So BitLocker, I will be honest,

me personally, um,

I'm not too crazy about BitLocker because

I've seen a lot of vulnerabilities in the

past where there's a vulnerability found

in full disk encryption and BitLocker is

vulnerable to it, but VeriCrypt is not.

Or I've also seen stories about there's a

bug and now BitLocker won't decrypt and

you can't boot your operating system.

You have to recover it.

So always make sure you save the recovery

methods because that's really important.

But at the same time,

I guess to make devil's advocate argument,

We know that BitLocker is secure.

We did cover a story about this a

while back where law enforcement requested

some BitLocker keys from Microsoft,

and Microsoft only had them because the

whole online account thing,

they were not able to get it just

the – what's the word I'm looking for?

They were not able to get it just

from the device.

As far as we know,

BitLocker has not been broken by law

enforcement or anything.

But also,

we would have been in the same situation

about not being able to boot had this

VeriCrypt thing not happened, right?

And there's also plenty of Windows

softwares that break Windows even without

the encryption enabled.

So I guess my point is,

I think there's pros and cons,

but BitLocker does have a lot going for

it.

Just something to be aware of.

Yeah.

Yeah,

I guess that's all I got on that

one.

Also, yeah,

just a reminder to get off Windows if

possible.

Even if you dual boot,

I mentioned I have Windows and Linux.

I don't fully run Windows all the time.

I try to use Linux whenever I can,

and then I use Windows for the more

CPU-intensive stuff,

like video editing and stuff like that,

that my Linux machine just can't really

handle.

I think that is all I've got.

All right.

And I think if that's all we've got

on that story,

we are going to talk next about a

wage.

What is it?

Surveillance wages.

Cause you know,

just when you think privacy can't get any

worse.

So this comes from market watch and it

says employers are using your personal

data to figure out the lowest salary that

you'll accept.

And yeah,

Man, I mean, honestly,

this article really,

the headline kind of says it all.

So there's been a lot of talk lately

about surveillance pricing,

which is where

And as far as we know,

this is happening more online than in

person.

But companies will use the data about you

to try and figure out like, oh,

maybe you'll pay a little bit extra.

You'll pay a little extra for this plane

ticket.

You'll pay a little extra for this.

I think there was a story a while

back that found out that if you were

in the parking lot of a Target and

you open the app on your store or

open the website,

They would actually try to charge you more

because they figured that you probably

weren't going to go to another store,

which I don't know who's going to sit

in the parking lot and then order

something.

That's kind of weird.

But there's also been a lot of allegations

about – well,

I mean actually –

No, because that's this data.

There's been allegations like Uber,

for example,

if they can tell your battery is low,

that they'll charge you more because they

know that you can't afford to wait for

the price to go down.

I don't think that was proven,

but that's definitely an allegation and I

wouldn't put it past them personally.

So yeah,

now the new thing is using your personal

data to figure out how much to pay

you,

which in the past has historically been

based on things like how long you've been

in this industry,

how long you've been at this job,

what the actual job title you're applying

for is, certifications, things like that.

which I'm sure will probably still play a

role.

But of course,

now they've got to factor in things like,

where did it go?

Things like if you've taken out a payday

loan,

if you have a high credit card balance,

I just made a big move and I'm

not going to lie.

We moved from a very high cost of

living area to a lower cost of living

area.

We didn't have savings because the cost of

living was so high.

So I've got a pretty high credit card

balance right now because we use that to

fund a lot of the move.

Um, so things like that,

I think further down, they did talk about,

we've actually,

I really feel the need to point out,

this is not hypothetical because I've been

hearing for a long time now that this

is how it works with gig, gig work.

And, you know, things like, um,

like DoorDash,

there are certain people who start out

making more, like if, if, okay,

if I put it in an order to

DoorDash,

And it goes to two different people,

two different dashers.

One of them will see a higher price

than the other one based on things like

how picky they are with their – do

they just accept every single one that

comes along or do they wait for the

better ones?

And the ones that typically pay more will

usually go to those people first, right?

Which is so predatory.

It's so – I feel like I'm getting

ahead of myself,

but like –

I don't know.

Yeah.

Like, okay,

we'll just jump into that part because I

mean, again, this is the story.

Well, okay, hold on.

There is one more thing I want to

point out before I jump into the analysis

portion, which is they say that, um,

The vendors that provide tools that make

this possible, oh, no,

it's a little bit further up.

Yeah,

a first of its kind audit of five

hundred labor management artificial

intelligence companies found that

employers in healthcare, customer service,

logistics,

and retail are customers of vendors whose

tools are designed to enable this

practice.

The report does not claim that all

employers using these systems engage in

wage surveillance.

Instead,

it warns that the growing use of

algorithmic tools to analyze workers'

personal data can enable pay practices.

And I skipped over it earlier,

but when they talk about, like,

high credit card balance and stuff,

they can also scrape your social media to

see if you are more likely to join

a union or could become pregnant.

And...

I guess the last thing I'll say is

I love down here.

They were talking about how there are laws

now that are trying to outlaw surveillance

pricing,

but a lot of them have not caught

up to wage surveillance wages,

except for one,

which is Colorado is trying to pass the

prohibit surveillance data to set prices

and wages act,

which would ban companies from using

intimate personal data.

Um, it carves out performance-based wages,

uh,

which I mean on the surface sounds fine.

Uh, I like that.

He says, uh,

Here it is.

The bill would prohibit companies from

using workers' personal data without their

consent to determine what they're paid.

So, I mean,

I read that without their consent.

I'm like, yeah, of course,

that's going to be buried on page fifty

of the contract, right?

That's ridiculous.

So, yeah, I don't know.

Anyway,

so getting back to the analysis portion of

this, this is really frustrating.

I had the privilege of interviewing

someone recently that we'll talk about a

little bit more later.

coming up here, but she spoke about how

a lot of this surveillance used to like

set prices and set wages like this,

it becomes deterministic, right?

Because here's what I can see happening is

you go up to your boss and you

say, I think I deserve more.

And your boss says,

or even negotiating a new job, right?

Because I've done that where I go to,

I get a job and they say,

we'll pay you this much.

And I say, I think I deserve more.

And I've successfully done that.

And what happens when they come back and

say, well, we can't.

Like I do that every,

you guys may or may not know this.

If you rent,

sometimes you can negotiate your rent.

Like I've done that.

I've gone to the leasing office and been

like, I don't want to pay more.

Like,

let's see if we can find to an

agreement and they'll walk it down a

little bit.

And then I've been to other places where

they're like, no,

that's out of our control.

We can't do anything.

And my fear is as this continues to

grow,

we're going to see more of that

That second thing where people are like,

no, we can't do anything.

It's just,

it's set what it is because that's what

the algorithm says.

And I can't,

I don't have the authority to push back

on the algorithm,

which is demeaning to your employees.

But it's also deterministic.

And it sets us in this like,

this like,

almost like a lack of free will.

I just don't want to use the word

deterministic again.

But it sets us in this environment where

we have no freedom, really.

We have no growth because now it doesn't

matter how hard you work.

It doesn't matter, you know,

how good you do.

It's, you'll forever hit a cap, right?

And sure, those things will matter.

Those things will help.

But, you know,

if you've got the high credit card debt,

if you've got pro-union views on social

media,

now you can either choose to not talk

about that

Or you can choose to just like forever

not reach your full earning potential,

which then keeps you trapped in this

cycle.

And it's just, oh my God,

this is so predatory.

And yeah, I don't know.

I feel like I kind of rambled a

little bit on that one,

but hopefully I kind of said something

coherent.

Yeah.

I mean,

I think one important thing to add to

this is we already see like when it

comes to employment and like how much

people are paid,

like this is already an issue without like

the surveillance stuff, right?

Like,

we have studies that are done where,

you know,

there's people that apply with the same

resume,

but they change the name from a female

name to a male name.

And then the person they get employed more

under the male name,

then they get more interviews under the

male name than the female name.

I think this is just like increasing the

level of discrimination.

People are going to be finding themselves

in right.

Like, Oh, your name appears like this.

And we already kind of know that these

AI systems are incredibly biased against,

um,

people of color, you know, uh,

marginalized groups that are less

represented.

They're, they're not as that,

that these systems are trained on data

that doesn't have them as the majority.

Right.

So it's going to kind of deprioritize

their, uh,

their skills and their experience, right?

So I think this is sort of an

additional layer to that discrimination.

I think someone said here,

Plants McGee said,

giggles in European where this is illegal.

Yeah,

this is illegal in a lot of the

world, actually.

I'm kind of surprised that this isn't

illegal in the US,

but I guess that is the state of

things.

You know what, though?

I don't mean to cut you off,

but I'm glad you mentioned that because I

did want to mention that.

I don't want to get after anybody here,

but I just want to point out,

in my personal opinion,

I think that's a dangerous attitude to

have.

We're like, haha,

that wouldn't happen here.

Just, what was it, late last year,

early this year?

The EU is talking about rolling back parts

of GDPR to be more competitive on the

AI industry.

So like,

Yes.

Like laws help.

Laws are good.

That's I'm glad you guys have that,

but I just really feel the need to

point that out.

Like still keep an eye on this stuff

because laws can change.

And I am under no delusion that European

politicians care more about their citizens

than the U S ones.

They're just, you know,

they put on a better facade about it

in my opinion, but yeah,

just to just keep that in mind,

laws can change and that stuff can go

away.

We gotta,

we gotta make sure that we're constantly

fighting for our privacy rights,

not taking it for granted.

So yeah.

Yeah, exactly.

I mean, I don't know.

This story is kind of, uh,

I don't know.

I think, yeah,

there's laws in countries like the

European union where like, you know,

access to personal information for

employment purposes is protected and not

able to be run through an algorithm or

whatever.

Um,

and there's laws against that in the EU

and, um,

I know in Australia, technically,

that's classified as discrimination.

So it depends on the country.

But like Nate said,

I think it's important.

We can't just say, oh,

it's just the US being the US.

I think we should be constantly vigilant

of governments that are trying to do this

stuff.

Yeah,

so it is a good point that AI

will just be fancy autocorrect and picking

the most likely responses will inherently

lead to a tyranny of the majority rather

than a fair system.

Exactly.

So it kind of has that effect, right?

I think, you know, it's more likely to,

it basically just mirrors the reality,

right?

In a lot of cases,

which the reality is people get

discriminated against and people are paid

less depending on their,

their identity, which is,

we've done studies on this.

We know this is the case.

It's kind of something that we're trying

to fight against to stop,

but it's not something we've completely

solved.

And yeah, I think, you know, if we,

if we try and make sure people are

aware of this,

I think some of the stupid stuff that

I've seen is a lot of companies are

using like

AI to scan people's resumes when they

apply and it will like check the keywords

and stuff and people were just like

putting invisible keywords on their

resumes To make it detect it like this

is this is incredibly silly stuff I can't

believe I have to say this but like

we need to go back to when humans

were reading resumes and interviewing

people and not feeding their information

through an AI system and

That's also just terrible for the person's

privacy.

Like,

I don't want everyone to know my

employment history or where I worked or

what I've the schools I've been to.

And, you know,

that's just another thing that we're

feeding the AI systems.

Like really we're putting all this

information through these massive AI

companies with like no corporate like

control, especially in the US.

Like there's, I feel like there's,

it's very lax at the moment because the

entire economy is basically propped up by

the AI data center industry.

It does seem like that is starting to

fall down a little bit now,

like with a lot of data centers being

canceled, but.

I definitely think the AI hype stuff is

propping up a lot of stuff.

And it kind of means that a lot

of cases this behavior is allowed and when

it shouldn't be.

So, yeah.

That's kind of my thoughts on that.

Did you have anything more you wanted to

add, Niamh?

No.

I think just, yeah, it's such a, like...

it doesn't matter where you are in terms

of your economic beliefs.

Like even if you're a free market person,

there's always going to be someone who can

do the work for less.

And when it's a race to the bottom

like this, everyone loses.

I mean, just look at airplanes, right?

It's, you know,

even Southwest now is getting away,

doing away with their like first come

first serve seating and like free check

bag because it's becoming such a

competitive market.

And they, I don't know,

it's such a race to the bottom.

One of the,

the headers here that I think I may

have scrolled past said judging our

desperation rate, which is again,

it's just so predatory.

It's one thing like surge pricing is one

thing, right?

Because surge pricing looks at the entire

market and says using Uber as an example,

a concert just ended.

There's a, you know, ten thousand people.

That's probably too many.

Five thousand people in this one spot

trying to get home.

We're going to charge more.

Right.

But this is looking at an individual

person.

This is looking at you specifically and

saying, I know that.

that you've sent out five hundred resumes

this week.

I don't know how you did that.

You probably used a bot,

which I wouldn't blame you.

You sent out five hundred resumes this

week.

You've gotten two callbacks and you've got

a thousand dollars left in your savings

account.

You will literally do anything.

And I'm going to give you the bare

minimum that I can to make you say

yes.

but also not pay you.

Your other coworkers are making more than

you do.

Personal opinion,

I've always thought it was ridiculous that

you're not supposed to talk about pay at

work.

No,

I was always happy at my last job

to tell people how much I was making

because I wanted everyone else to know.

I think I've mentioned this in my last

job.

I was...

the highest paid person in in our job

title just by sheer coincidence and luck i

don't know how i got that and i

was very open about that not because i

wanted to brag it to everybody else but

because i was like you guys like i

don't think i'm better than everyone else

you guys deserve to be getting paid more

too and i would tell people that kind

of stuff all the time so like yeah

um jonah says five hundred resumes in a

week sounds like fighting ai with ai hey

man you know that's that's the the

situation we're in right it's ai writing

emails ai reading emails ai responding to

emails it's yeah

But I don't know.

It's yeah,

I'm kind of going off on a rant,

but this just makes me so mad because

it's so, I keep using the word predatory,

but it removes, it removes everything.

It removes the hard work.

It removes the whole like, and again,

it doesn't matter what your beliefs are.

Even if you're like a pull yourself up

out of your bootstraps person,

you can't anymore because it removes that

possibility because they know exactly how

much you need and they will never give

you a penny more.

It's just, it just frustrates me.

So sorry,

I feel really passionately about this

subject.

Yeah,

I think it goes without saying people

should be paid a dignified amount.

And yeah, I agree totally.

Like, I think it is important to me.

There's a weird culture around not sharing

how much money you make.

I'm not really sure what the reasoning is

behind that,

but I think it is important to be

open about that, especially because,

you know, your employer, well, I mean,

not every employer,

but this

the people that are using this software,

they are not holding back.

They are doing everything in their power

to pay you the least amount.

So the least you can do is discuss

this with your coworkers, um, unionize,

do all those sorts of things.

Right.

Like, I dunno, maybe that's, uh,

that's too much, but I think it is,

uh, it is important, like another thing.

Right.

But I think, you know,

if your employer is doing this sort of

stuff to employ people,

Name and shame, name and shame,

like seriously,

like that is the sort of thing that

people go on strike for.

So I think if there's companies that are

doing this,

definitely try and get them to stop

because like Nate said,

it's discriminatory.

It's like, you know,

it's removing people's power to control

things.

And yeah,

if you think it's not already happening,

definitely go read this article because

they lay out several scenarios they looked

at where it's like, this is happening,

like not could happen.

Like this is happening in like,

they mentioned, what is it?

What is it?

Staffing, gig nurses, again, gig workers,

DoorDash, Uber,

like it's already happening there.

There's no reason it's going to stop.

And God,

twice now I've had something pop into my

head and then I lost it.

I hate when that happens, but.

Yeah, it's...

This is one of those moments where laws...

I mean...

I know laws are controversial.

Like people are always afraid of

over-regulation and afraid of like,

you know, Oh,

companies break laws all the time,

but like,

what else can we do about this?

There is no, I mean, yes,

we can all take our privacy seriously and

we should,

regardless of whether or not this is

happening, but there's really like,

I don't see any way to fix this

other than just straight up outlawing it.

Like we were talking about earlier,

this is illegal in a lot of countries.

It should be legal here in the U

S it should be very illegal.

Everyone should be mad and sending this to

their politicians and being like,

we need to outlaw this before it becomes

a regular practice.

Cause yeah,

Oh,

I remember what I was going to say.

Because yeah, on that note,

you can't tell me this is a problem

that the free market is just going to

fix.

Because look at Amazon.

Everyone knows Amazon,

especially the Amazon brand,

is usually cheap garbage.

And you can't tell me that Amazon became

the behemoth they are today by putting out

the best product.

They did it by undercutting everyone else,

by knocking off everyone else,

by using manipulative algorithms to

prioritize their crap first.

I guarantee you,

Amazon doesn't pay for that ad slot at

the beginning.

It's just, this is not...

Yeah, this is a complicated thing to fix.

And it's not just going to fix itself.

That's what I'm getting at.

But anyways,

I think we beat that to death unless

you have something else to add there.

Okay, so in a minute,

we're gonna talk about how the FBI was

able to recover signal messages, sort of,

from a locally stored database on a phone.

But first,

we're gonna talk about some updates about

what we've been working on at Privacy

Guides this week.

And the first thing is,

we have a new interview coming out on

Sunday.

If you guys have not seen that yet,

it's in the newsletter.

Go check out privacyguides.org slash

livestreams.

It should be there right now.

That's live streams with an S on the

end, just by the way.

And we have an interview with the one

and only executive director of the EFF,

Cindy Cohen, will be coming out on Sunday.

I'm super excited for it.

I was the one who got to do

the interview and I'm still excited about

it.

It was really cool.

She was awesome.

And I think it was a really good

interview.

I tried to make sure it was applicable

to everyone.

So we talked about how to stay motivated

in the fight for privacy.

We talked about how to build a good

community.

We talked about what she learned in her

time fighting with the government and her

kind of insights on that.

So really excited for that.

Make sure you're subscribed on YouTube,

on PeerTube,

because we'll be posting it there as well.

PeerTube, of course,

does not have the little premiere feature,

but obviously we do post everything on

PeerTube as well.

So

Make sure to check that out.

And just to hype you guys up for

it a little bit, on the XIX,

we're also going to be interviewing

Carissa Veiles about her upcoming book,

which is coincidentally about AI and all

this stuff we just talked about.

And a lot of the stuff I got,

you know,

a lot of the stuff I was saying

about how this makes it deterministic and

it removes meritocracy.

Like,

these are all things that she talks about

in her book and in her interview.

So...

Yeah.

And then my last thought is that we

are working on a video coming up soon

that many of you have requested.

And that's all I'm going to say to

kind of build a little bit of hype

for that.

So that is what is going on on

the video front here.

And I'm going to turn it over now

to Jordan to let me know what I

may have missed.

No, didn't miss anything.

But we do have some other things that

we've been working on more on the site

update section.

So there wasn't any site updates this

week, but there was.

Freya has put out another article here.

It's about OKCupid settling after selling

three million photos to a facial

recognition company.

Oh,

now that's probably not what you want to

hear about your dating app.

But yeah, if that sounds interesting,

you can check that out.

Go to privacyguides.org slash news to

check it out.

And we've also been what,

so our activism lead,

M has been working on a section for

the website,

which if you haven't called it already,

there was the Privacy Activist Toolbox has

been released.

So you can visit that by going to

privacyguides.org slash activism.

There's the Privacy Activist Toolbox,

which came out a couple of weeks ago.

And that has a lot of tips about

how to

be an effective privacy activist.

There's a lot of great tips in there,

but she's also released this new support

request here on GitHub and

Basically, it's for a DPA directory.

So there's data protection authorities and

that's basically the organizations that

you need to contact to lodge a complaint

with.

So this pull request has got basically all

the regions in the world.

Well, I mean, I'm not sure if...

Yeah,

basically every region that you would

think.

I'm sure there could be some that we're

missing,

but I think Em has done a really

good job here and has covered, I think,

basically all of them.

But there could be small ones that we

didn't find.

So if there is any of those,

I guess you could take a look at

the pull request and suggest adding those.

But so far, what we've got is Africa,

Asia, Europe, North America, Oceania,

and South America.

So basically it will list the privacy law

in particular, the abbreviation,

the data protection authority.

So you can click on that.

And there's also a contact page link and

a complaint link.

So you can basically get directly to the

page that has the complaint form.

So basically what we're trying to do with

this is make it as easy as possible

for people to make a complaint against a

company, against the government, because,

you know,

this is kind of important to

utilize.

Because if you don't use your privacy

rights, well,

you're not going to have privacy.

So if there's companies that are misusing

your data,

or if you want to get something deleted,

I think using this DPA directory is going

to be really helpful.

So definitely stay tuned for that.

I know Jonah said he was taking a

look at the pull request.

So I'm sure it'll be released in the

next couple of

weeks so it does look really nice uh

definitely check out the pull request on

github there's a preview there um but it's

really well put together um so i

definitely recommend checking that out um

it has you know all the regions that

you would expect but if there's any

regions that we missed or you know that

there's that we need to add still um

that you think we might have missed this

there's just so many countries on earth um

we i'm sure we might have missed one

or two so if there's anything that you

would recommend seeing

adding to that, um,

if you're from one of those countries,

definitely do reach out and let us know.

Um,

it's kind of going to be a community

project, I guess.

Um, if there's, there's a couple of, um,

countries now that are sort of in the

process of putting together a data

protection authority,

which is really good,

like Egypt and Mexico.

So definitely, uh,

keep an eye on that as well.

Um,

There's definitely a lot of important

information there,

but also it's sort of a project here

where we are trying to get community input

as well,

because we try and represent every country

here,

but I'm sure there's things that change or

if there's countries that are establishing

data protection authorities,

then that's a really positive step for

people in those countries as well.

Yep,

so that's basically everything that I've

got to talk about here.

There wasn't any articles this week,

so kind of a light week on that

side.

But yeah,

I guess we can hop right into our

next story here.

Oh, actually, before we do that,

all of this is made possible by our

supporters,

and you can sign up for a membership

or donate at privacyguides.org or pick up

some swag at shop.privacyguides.org.

I recently made another purchase on the

shop.

There's some really cool new merch that we

released for the activism section,

so definitely check that out.

and have a look if you didn't visit

it in a while.

There's some new stuff on there now.

Privacy Guides is a nonprofit which

researches and shares privacy-related

information and facilitates a community on

our forum and matrix where people can ask

questions and get advice about staying

private online and preserving their

digital rights.

Now,

let's talk about how little snitch is

coming to Linux.

So kind of a big announcement from Little

Snitch,

which has been historically a Mac OS only

app.

They've now announced that there is a

version available for Linux.

So this is kind of reading a little

bit from their blog post here announcing

it.

I guess press release.

Recent political events have pushed

governments and organizations to seriously

question their dependence on foreign

controlled software.

The core issue is simple and

uncomfortable.

Through automatic updates,

a vendor can run any code with any

privileges on your machine at any time.

Most people know this,

but prefer not to think about it.

Linux is the obvious candidate for

reducing that dependency.

No single company controls it.

No single country owns it.

So I decided to explore it myself.

And basically the article goes on to say

that this person was trying to find an

alternative to little snitch.

They tried open snitch.

which has several command line tools and

stuff like that.

But basically,

it doesn't have the same ability to show

which process is making connections,

which is basically the way that it works

on macOS.

Like any process on macOS,

you're able to see the connections and

block them if you don't want them to

be made.

As far as I'm aware,

Open Snitch is somewhat a little bit more

limited.

It kind of only does like application

level.

I'm not a hundred percent sure because

it's been quite a few years since I've

used Open Snitch.

And it did seem like it was a

bit more complex.

So to use like the interface wasn't

particularly easy.

So this person has developed,

this person at Objective Development has

created a

linux version of little snitch now let's

like kind of clear the clear the air

on how this works so basically it is

there's another app on little snitch on

mac os but i can't remember what it's

called so there is another app on the

it's called lulu and it's by

another company.

It's a nonprofit company.

So definitely, yeah,

Lulu is the other one you're thinking

about.

But yeah,

this one here is Little Snitch has

previously been a paid software.

So it's actually kind of surprising that

this is a free and open source.

It's licensed under GPL v.

So it could be quite cool to see

package managers just adding this by

default,

like just adding this as a package.

But basically, the way that this works is

It is a browser app, kind of.

It's like a web app, basically.

And the reason why they decided to go

with this is that it can work on

a server, right?

Because this is something that you just

run as a system process.

For instance, basically,

that allows you to access the connections

that the server is making through that

nice interface.

So that's a benefit of it being in

the browser, right?

You can access that for a remote computer,

which is extremely useful.

I'm not really sure of many solutions that

do this sort of thing,

especially that easily.

You just install a package and it's

instantly monitoring.

But kind of scrolling down here,

this is basically based on a kernel

component written for eBPF.

And that's an open source component

which is available.

So just to be clear,

the UI is open source and the eBPF

filtering component is free and open

source,

but the

Basically, the backend,

which manages rules, block lists,

and a hierarchical connection view is free

to use, but not open source.

So that's basically the reasoning behind

that is because that part is kind of

proprietary to objective development.

They've been working on that for like,

twenty years to perfect it.

So they argue that that should be

kept closed.

And they kind of did an important note

here.

Unlike the Mac OS version,

Little Snitch for Linux is not a security

tool.

eBPF provides limited resources,

so it's always possible to get around the

firewall, for instance,

by flooding tables.

Its focus is privacy,

showing you what's going on and,

where needed,

blocking connections from legitimate

software that isn't actively trying to

evade it.

So if you install malware,

little snitch is not going to protect you

from the connections getting out, right?

And at least right now,

there are some limitations.

I did see some people having issues with

Fedora workstation working correctly.

They do note that on the page,

on the download page.

I tested it on Debian and it was

working perfectly fine for me.

You just install the package and basically

it only works on kernel Linux kernel six

point one two and above.

So basically the reasoning behind this is

that older kernels currently have an eBPF

verifier maximum instruction limit.

So they kind of have to backport this

fix.

Hopefully they can kind of get in contact

with the Linux kernel developers and do

that.

So that is an interesting thing too.

But I think this is kind of a

pretty, it's a pretty basic app so far.

Like it allows you to enable block lists

and see the connections that your computer

is making.

But I think that's really all you really

need at this point.

I think just being able to see the

connections itself,

because a lot of times you'll be using

software and you won't realize that it's

making connections to like ads and stuff

like that.

especially if you're using software that

is genuine it's genuine normal software

but it's a proprietary app that you know

might have some data tracking built in

like discord or any of any other of

those types of apps um i think this

is an important tool to have on linux

uh especially because people on linux

still need to be able to see the

connections that are being made and you

know there's still privacy invasive stuff

on linux uh you can install

Facebook Messenger on Linux,

you can install Discord on Linux,

you can install Steam,

like all these apps are not great for

your privacy,

but being able to see some of those

connections I think is pretty important.

But yeah,

we kind of got this little poll up

on the screen to use Little Snitch,

you can type one,

two or three in chat to respond and

it'll pop up on the screen.

But Nate,

did you have any thoughts on this one?

No,

I think you kind of you kind of

answered the question I was going to ask,

which is, you know,

Linux is known for being more private.

So my first thought is kind of like,

is there a use case for this?

Why or why would people want to use

this?

And you made a really good point.

You know, one of the this is

tangentially related but you know a common

question is like how do i get people

to switch to xyz signal linux whatever and

one of the things that we are you

know myself and jonah and um you know

some of us always say is like you

have a lot more luck by focus focusing

on the features and so one thing i

like to point out i'm trying to get

my sister to switch to linux because she

was on windows ten and it's you know

not getting updates anymore and um

I'm going to do that with her next

time I see her in person.

And one of the things I'm going to

try to convince her is, you know,

like everything you do on a windows

computer,

you can more or less do on Linux,

especially for her.

If, if, you know,

assuming she's not using any special

software for her job.

Um, you know, you can browse the internet,

you can download discord.

You can, uh,

a lot of games are now gaming on

Linux is doing really well from what I

hear actually.

So, um, for the most part, even,

even some video editing, you know, uh,

the, the Linux computer I use is cube.

So that's a lost cause,

but for like Fedora,

you can run DaVinci on Fedora.

And I think.

Um, you know, there's, yeah,

it's just point being is like,

just because Linux itself is relatively

private,

but especially once you start adding on a

lot of these,

these features that people might use,

even at first,

like if somebody makes a switch to Linux

and at first they start using, uh,

Microsoft office, God forbid,

or something.

I don't even know if that's Linux

compatible, but you know what I mean?

Like they start off and then after a

while, they're just like, yeah, you know,

maybe I'll check out LibreOffice or

something.

And, and, you know, it's,

it's just helpful to kind of have that

ability to control things.

It may also let you know,

like if you fire it up and you're

like, oh my God,

this thing is pinging like twenty

different servers ten times a day.

Like, hold on,

let me take a closer look at this

thing.

So, yeah, it's pretty cool.

And I... I don't know.

I think that's really cool that he made

this...

I guess the selfish side of me would

like to see this come to something like

windows,

even though I know we already have things

like port master open, what is it?

Open wall, simple wall.

But it's not quite one-to-one.

So I think anytime we have more,

more options is always good in my book.

So I think that's pretty cool.

Yeah,

I think I'm also kind of biased on

this because I use their software.

I use Little Snitch on Mac.

I really think it is exceptional software.

People say to use Lulu because it's free,

but it really does not do the same

thing as Little Snitch.

Little Snitch has a lot of benefits over

that.

So it's great to see them kind of

expanding because...

people have kind of been complaining about

little snitch.

They're like, Oh,

I wish it was on windows.

Like you, like, uh,

I wish it was on Linux, you know,

different platforms I think is good.

I mean,

I'd like to see it be on windows

too, but it may just be, you know,

I feel like when we talk about these

filtering softwares, it's extremely, uh,

it's extremely specific to the platform.

Like in this case, it was using eBPF,

but, you know, on Windows,

I'm sure they've got some whole other

system, right?

So, you know, making that basically,

I guess,

compatible with Little Snitch is probably

a lot of work and, you know,

they kind of have to port the entire

thing over.

which is kind of a pain,

but I think it's good to see that

a little snitch is expanding to other

platforms and it's free,

which I think was very generous, but.

Yeah, I agree.

I fully recognize that it's not an easy

thing to go from platform to platform.

And I mean, even Linux, right?

You were saying some people on Fedora are

having some issues getting it up and

running.

And hopefully since it is open source like

that,

hopefully people can do what they need to

do to get it up and running.

But yeah, it's certainly no small task.

And I think that is really cool.

And actually, yeah,

I could never remember because I'm not a

Mac user.

I could never remember if Little Snitch or

Lulu was the one that was free.

And I didn't realize Little Snitch was the

paid one.

And I think that's really cool that

this is free.

So bummer that it's not fully open source,

but I understand the logic of like,

you know,

I've been doing this for years and I

don't want somebody to, twenty years,

more than twenty years,

and the algorithms and concepts are

something we'd like to keep closed for the

time being.

Like, I get it.

So.

Yeah, I think also here,

let's quickly cover this question we got

from Cass K. So they asked,

any tips you guys have for people who

want to start making YouTube content

related to privacy?

All right, Nate, what do you got here?

Yeah,

so I just want to mention that I

have my own website called The New Oil,

which is...

It's supposed to be like a very, very,

very beginner level to privacy stuff.

And my hope is that when people finish

reading that,

they'll move on to other resources like

privacy guides.

But over there,

I do actually have a quick start guide

on the front page for content creators.

And the reason I'm referring you over

there is because there is a lot of

different stuff there.

But it kind of goes over things like...

it's really, I mean,

as with everything in privacy, right?

It's like, what, what do you want?

What are your, your priorities and stuff?

So for example, um,

if you're going to be a Twitch streamer,

you could totally just use your handle,

right?

You know, I mean like Markiplier that,

that dude's obviously not his real name.

It's derived from his real name, I think.

But, um,

A lot of YouTubers and stuff,

they're known by their handles.

But then if you're going to be a

public figure, like a politician,

a lot of them go by nicknames.

Like Ted Cruz, his first name is Raphael.

So things like that.

It's just to keep in mind,

what are you going for will determine a

lot of those things.

But I'm a big fan of things like

using pseudonyms wherever possible.

So again, handles, fake names.

being mindful of your online presence.

You don't have to plant your flag on

every single website, but it may not hurt.

And sometimes you may not need certain

websites.

Like I remember way,

way back in the day,

there's a band I follow, uh,

Oh Sleeper actually.

Um, they only ever had a Twitter account.

They never signed up for Facebook.

They never signed up for Instagram.

Like you could only follow them on

Twitter,

which was slightly annoying as someone who

didn't use Twitter at the time,

but you know,

like that's what they wanted to stick to.

And

Again, likewise,

most bands probably don't need Twitch

unless they're going to do live streaming

nowadays.

And maybe a lot of Twitch streamers don't

need Twitter.

So just kind of asking those questions,

but

Also,

a lot of the technical tools that we

recommend to privacy guides as well,

things like email aliasing,

password managers,

basically securing your online account.

Because I've also, again, I've seen bands,

their Facebook gets hacked and all of a

sudden they're spamming out like,

twenty percent off Ray Bans or whatever at

this sketchy link.

And again,

we just talked about this earlier,

Facebook does not care.

Unless you're Taylor Swift,

they don't care.

Sucks to suck, scrub.

We're not going to help you get your

account back.

I actually read one earlier today,

an article earlier today about how

Discord's support system is still the

dumbest thing that has ever been designed

by a human being.

I'm not sure a human being designed it.

It's so dumb.

But anyways, yeah.

So like just, I don't know.

I think I would check that out and

definitely bounce any of my

recommendations off privacy guides because

I will admit privacy guides has much

stricter,

I don't want to say vetting process,

criteria for a lot of their

recommendations.

So I mean,

I don't know.

Yeah, I would check both of those out.

I think they're really good resources

that'll get you started, hopefully.

Yeah, I just want to add as well,

I think there's some parts that kind of

go... I haven't read your streamer guide,

so maybe I'm just repeating what's already

on the page.

But I think stuff that's kind of important

to establish early on,

are you going to show your face?

I mean, that is kind of important, right?

I think...

You can kind of see what I'm doing

here.

Like,

I don't really want to show my face.

I'm sure someone could find what I look

like,

but it's just a layer of privacy on

that aspect.

People aren't going to recognize you in

the street or whatever,

or people aren't going to be able to

immediately know who you are.

So that is a benefit too.

And I think also thinking about things

that you share,

being very mindful of things that you

share, because, you know,

you take a picture of the room that

you're in,

someone could analyze the texture of the

roof or something,

find rental property stuff and analyze and

work out where you're living or something

like that.

You know, people are pretty creepy.

So I think being aware of

you know, what you're sharing,

how it can be used to find you

being very deliberate about posting stuff.

But I think it's definitely a personal

preference whether you want to show your

face or even show anything about you.

You can certainly be

faceless.

There's plenty of channels that do that

and pretty successfully, I'd say.

So, you know,

I think it's definitely worth thinking

about at least.

But I hope those tips were somewhat

helpful.

We try and answer people's questions in

the chat.

There was another question here from

Plants McGee,

which I'm not really sure about what it

means.

So what's the deal with Twitter, Sydney?

They just left.

So what is this referring to exactly?

They're referring to the EFF just left

Twitter.

Real quick, I do want to say,

I didn't mention the face thing and I

really should add that because that's a

really good point.

I've been just watching random YouTube

videos lately about dinosaurs and space

because I will forever be five years old

at heart.

And yeah, a lot of those...

So it's not just a privacy thing.

A lot of those channels are faceless too.

And I'm actually sitting here thinking,

I'm like, man,

maybe I should do more faceless videos

because I bet they can pump those out

real quick.

But yeah, going back to the question,

the EFF left Twitter.

I...

I have personal opinions,

but all I'm going to say is go

check their blog post.

They laid it out in very plain numbers

where basically they said – you can tell

I agree with their decision.

But basically they said that they're just

– they're not reaching people,

and they only have so many resources,

and they've decided their resources are

better spent elsewhere.

So you can disagree with them.

That's fine.

Free country for now.

You're welcome to do that.

But that's their logic.

So –

I think I'm just going to share my

thoughts on this.

Obviously these, these are my thoughts,

not,

not related to privacy guides as an

organization,

but I think the platform itself has kind

of become pretty toxic.

I think a lot of people are complaining

about it kind of becoming a bit of

a,

an echo chamber for like conservative

voices and stuff.

I think that's not great.

It's definitely,

the platform's definitely changed and

it's,

in a lot of ways became worse.

I think we're seeing more and more people

leaving because, you know,

it is kind of a platform that allows

in, in a lot of countries,

I would say hate speech,

maybe not in the US because the laws

there are a little bit looser, but yeah,

I can kind of understand not wanting to

be on a platform like that.

And I think, you know,

In our case,

Privacy Guides is still on Twitter posting

stuff.

I think we are getting some traction.

So maybe our strategy is different to that

of the EFF,

but we're still getting quite a lot of

traction with that.

I think it's important to reach people no

matter what platform they're on.

So, you know, in a lot of cases,

we're going to be on all these crappy

platforms.

Doesn't mean we support the platform or we

want to...

Doesn't mean we want to make people move

to better platforms like Mastodon.

We recommend different ones that people

should move to instead.

But I think you have to meet people

where they are.

And if we just stopped posting on all

these platforms,

we wouldn't be reaching as many people and

converting them to believing different

things,

like that X is a bad platform and

invades your privacy.

Same thing Jonas said here.

It doesn't make a ton of sense to

me to leave X,

but not Facebook or TikTok,

but shrugging emoji.

I think it's definitely like a personal

choice.

If the analytics said that they weren't,

I mean,

it doesn't really make that much sense in

my opinion,

because

we have all these multi-posting tools.

Like, for instance, our team here, Nate,

I, me, and Jonah, we're basically,

a lot of our posting is through Buffer.

And all it is is just ticking another

box to send it to another platform.

Like,

we're not specifically creating anything

for a specific platform.

So, I mean, if those platforms

I mean, we can debate all day,

like how bad X is as a platform.

We can debate all day how bad Facebook

is and TikTok, but I still think,

you know,

we post on all those platforms because we

wanna be able to reach

these people because you know everyone

deserves privacy not just everyone on

mastodon um so and especially because

these people are probably less aware of

the issue that's why they're on those

platforms in the first place so i can

kind of understand from like an

ideological perspective like if you really

don't like being on a platform that kind

of amplifies conservative voices i can

kind of understand why you may not want

to be on a platform like that where

you get harassed but

I think from an organizational

perspective,

I think I'm not quite sure if I

agree with this because it is kind of

easy to cross post and I can respect

the decision,

but I'm not sure if I agree with

it particularly.

But yeah, that's kind of my thoughts.

Okay.

I don't really have much to add.

I think that was a good point about

buffer, but I don't know.

I don't, I don't have a,

what do they say?

I don't have a dog in this fight.

So it's kind of a messed up saying

now that I think about it,

don't fight dogs.

On that note,

I think we're going to move into a

story about the FBI extracting a suspect's

deleted signal messages saved in the

iPhone notification database.

So I'm not going to scroll on this

one too much because this is actually a

paid post.

But this comes from four or four media.

Highly recommend.

It's totally worth it, in my opinion.

They do great reporting.

But Jonah did say in the chat that

you felt like this is a little bit

of a nothing burger here.

And I...

I halfway agree.

Um, cause you know, it's the,

the headline kind of says it all,

but I think it's worth talking about

because it kind of points out,

they said further down in the article that

this, like,

this just kind of amplifies how difficult

it can be.

Actually,

let me see if I can find it

here,

but they basically said it just points out

how difficult it can be to, um,

to think about every possible angle of

your OPSEC,

especially when it really matters this

much, you know?

So like last year in June,

we found out that, which I mean,

the more technical people who know this

kind of stuff, which remember,

not everybody is super technical,

but yeah,

We found out last year that because push

notifications are usually not encrypted,

Apple and Google can see them,

which probably was not a shocker to most

people.

But also, basically,

the way that they're registered to make

sure they get to the right device and

stuff, it's... Basically...

It's another way that police can get your

data, right?

Police can go to Apple and Google and

they can subpoena you for your data.

And so we're really big fans of services

like Tudor, for example,

does not rely on Google for push

notifications on Android.

Signal, I think,

also has their own implementation.

Proton does rely on Google,

but they encrypt it.

So there's not really anything useful

there, although there is still metadata,

which is worth noting.

But...

And now we're learning it's still even

more complicated than that, right?

Because basically what happened is they

arrested somebody and they were able to,

you know,

they ran the Celebrite or whatever,

whichever device it was.

They ran the forensic tools on the

person's phone,

which was an iPhone in this case.

And this person had already deleted

Signal.

I believe they even had disappearing

messages enabled,

but don't quote me on that.

I feel like I read that in this

post somewhere.

And the police were still able to extract

some of the messages because the

notification history was stored on the

device.

And, um,

Yeah,

I did not see that coming personally.

So it is worth noting that because these

are device notifications that we only got,

or they only got, I should say,

half the,

I can't word today and I apologize.

They only got half of the conversation,

right?

They got the incoming stuff.

They did not get everything, of course.

And I personally am a little bit unclear

on exactly how this would work.

Like for example,

how long do these notifications stay

there?

It sounds like this is a like a

volatile memory kind of thing like RAM.

So would rebooting the phone get rid of

them?

I'm assuming not because I think if these

people were smart enough to use signal and

disappearing messages and to delete

signal,

then they probably rebooted their phone as

well.

Or maybe not since they were able to

forensically examine the phone.

I really can't say for sure.

But

I just, personally,

I have some technical questions like that.

But I think the big reminder here that

I thought was interesting I wanted to talk

about was just the reminder to be mindful

of your notifications.

One thing I really appreciate about

Signal,

and I know other apps do this too

to various extents.

Privacy apps tend to be a lot better

about this, of course,

as opposed to something like Discord.

But Signal lets you get pretty granular in

terms of like,

I can mute this chat.

I can mute this chat for an hour.

I can mute it for a day.

I can mute it indefinitely.

I can select notifications.

It says here that includes name, content,

name only, or no name in content.

And so this is actually what I used

to do ever since I found out about

that story from last year.

I have Signal set to send me just

a notification that says Signal.

And then from there,

I use notification profiles

to kind of manage things.

So like when I was at work in

my last job,

which was a more traditional nine to five

sort of job, I, you know,

in the sense of like,

I can't be on my phone during the

day and stuff like that.

I had a notification profile that would

start at working hours and at end of

day, which was never really end of day.

But at that point I'm like, whatever,

we're staying late.

I don't care.

And during that time,

pretty much the only notification that

would come through would be my wife in

case there was an emergency.

And so at that point,

I don't need the notification content,

right?

Because I know exactly who it is.

It's the only person that the notification

will get through.

And likewise, when I go to sleep,

my wife in case I'm traveling and my

sister in case of emergency.

And I think that's it.

Now, I have one local friend, too,

in case of emergency.

And those are the only people,

even though I try,

lately I've been doing a good job,

but usually I try not to sleep with

the phone in the bedroom.

But you know what I mean?

It's like,

I'm able to craft these very specific

notification profiles.

And even now here at Privacy Guides,

I do have working hours where I'm like

at work and I try to focus.

So I've got everything that isn't, again,

like my wife and my sister and then

all the Privacy Guides people,

they're the only ones that the

notifications go through so that I don't

get distracted by other people.

And yeah.

I think trying to figure out how to

make a device work for you in that

sense, you know, somebody, I think I saw,

I think it was in the privacy guides

forum when people were talking about this

story,

or it may have been in the comments

of this actual article,

but somebody mentioned like changing the

ringtones, you know,

before I started using these notification

profiles,

that was something I did is my wife

had a different ringtone than everyone

else.

So that if I got a, you know,

a notification, I would know, is it her,

do I need to check this or can

I just ignore it?

And so, yeah,

it's definitely something to be mindful

of.

And something else that kind of came up

here,

I'm looking at the comments now on this,

is on iPhones,

if the calls show in recent,

that will show up in the actual phone

app log.

On both iPhone and Android,

there's always relay calls,

so your IP address isn't exposed.

Slight quality trade-off,

but if you're a high-risk person or if

you live in an area where you've always

got a good signal,

it's probably not a big deal.

So just things like that to keep in

mind.

But one last thing I do want to

circle back to when Jonah said, he's like,

this is kind of a nothing burger because

Signal doesn't encrypt their own local

database in the first place.

And I think that's a valid point.

I mean, I love Signal.

I recommend Signal.

It's very user-friendly.

It's very easy.

It's cross-platform.

It's got all kinds of shiny little

features that people enjoy and makes them

more likely to use it.

But I think it is important to note

that there is no perfect tool,

whether that's Signal,

whether that's SimpleX,

whether that's

Um, you know, whatever messenger,

whether that's email,

email itself is incredibly imperfect,

which we did explicitly mentioned that in

our latest video about email.

So, you know, it's,

it's looking at your threat model.

It's looking at what you need from a

tool and it's understanding what the

limitations are and how to either

eliminate them, mitigate them,

work around them.

Cause then I'm not gonna lie.

My, my, um,

One of my thoughts I had today when

I was thinking about this story is like,

I can't control other people's phones.

You know,

I have my notifications set not to do

things.

But now when I text people,

my notifications are on that device.

And that's just something to be mindful

of.

So yeah, kind of a shorter story,

I think today, but you know,

it's a pretty quick takeaway.

So I don't know if you had any

thoughts on that one that you wanted to

share, Jordan.

Yeah, I mean,

I think you brought up some great points

there.

Like, you know,

there's ways to at least somewhat protect

this on your end.

Like you said,

the settings in Signal itself.

I almost wonder though,

you could almost disable notifications

just in general, you know,

no notifications.

And then, you know,

there wouldn't be a database where

anything would be stored in this case.

But, you know,

maybe that's kind of problematic for

people to do.

But there's also the case where

know there's at least on android there is

the ability to enable notification history

so it can save notifications that's off by

default but it's another thing to check um

to see if you have that enabled definitely

disable that i don't think that's

necessary to to enable like it's it's the

whole point of notifications is they're

kind of ephemeral they're there on the

screen i kind of assumed though

that's when you dismiss the notification,

it's gone, right?

I didn't think that there would be saved

on your device in a database.

So this might be something for Apple to

actually fix because I feel like that is

a bit of a concern.

and anonymous three, four, four,

just put in the chat, threat model,

threat model, threat model.

Exactly.

Like if,

if your concern is your device being

seized and you want to protect the data

on it, um, you know, use Molly,

have an encrypted database in signal.

Um,

don't use notifications cause they can be

accessed.

Right.

Um, I think it's kind of hard though,

especially because, uh,

in this story in particular,

I think it was,

They said the case was the first time

authorities charged people for alleged

Antifa activities after President Trump

designated the umbrella term a terrorist

organization.

So I don't know,

this is kind of a very nebulous thing

going on in the US.

Like what is Antifa?

Like it's not really an organization.

It's kind of a bit silly that they're

calling it that.

But I think people should be

guess more vigilant than usual because you

know you never know if your your

activities are going to be considered

antifa and then your devices might be

seized so it could be worth thinking if

you know you might be a target of

this sort of thing a little bit more

thoroughly because it does seem like the

government is cracking down on political

behavior um i can't really read the full

article here so i'm not really sure it

says here that it was uh people present

It said the case involved a group of

people setting off fireworks and

vandalizing property at a ICE detention

facility.

Yeah, in Texas,

and one person shooting a police officer

in the neck.

So I'm not going to comment on whether

they were guilty or not,

but that's what the FBI is finding.

Yeah,

I think that's up to the courts to

decide.

But I think the thing is, right,

you know,

if you're doing any sort of

political action.

I'm not saying, you know,

you should go out and vandalize an ICE

facility, but, you know,

I'm saying like any sort of political

action,

whether that's peaceful protest or,

you know, marching through the streets,

you know,

I think it's important to think about ways

that your data could be extracted and used

against you.

I think in this case, you know,

it's definitely,

everyone deserves privacy,

even if these people were

vandalizing something um so it's kind of

unfortunate that uh the the iphone was

kind of a bit uh vulnerable to this

extraction method i also do wonder if

lockdown mode could have prevented this um

because i think lockdown mode does prevent

a lot of these uh

like tools that these FBI uses to like

forensic extraction tools.

Um,

I think it probably could have been

interesting to hear, um,

if that was the case or not,

I'm going to assume no, but you know,

I feel like anyone who's going to any,

uh, political action,

like just enable lockdown mode.

It's like the least you can do.

It's, it's, it's a basic thing.

It's just a switch you turn on.

Um,

but I do think it is, uh,

calling out Antifa is big,

the hacker known as Fortan energy.

Yeah.

It's just like, it's, it's just,

it just shows that the government doesn't

really know about like any sort of,

any sort of political organizations.

I think it's a lot easier to, uh,

it's a lot easier to lump a whole

bunch of people together and sort of say

this nebulous thing is bad.

Um, then, you know,

having any sort of specifics like, yeah,

these,

these protesters at this specific ice

facility, um, who that's why, I mean,

we don't really know if they're part of

a group or anything, but, um,

they could have just been acting

independently.

Um, I think it's just,

it's kind of ridiculous that we're,

grouping it all together like that.

But yeah,

I don't really have more to add than

that.

Yeah.

The only thing I wanted to comment on

is you said that it would be best

to turn off notifications altogether,

which yeah, I mean, if it's really,

really, it's all about threat model,

right?

Like that wouldn't be feasible for me in

my day to day for sure.

But yeah, if you're,

especially if you're doing something

sensitive,

whether that's simply protesting or

whether you're taking it further,

which I'm not advocating for violence or

breaking any laws, but I'm just saying,

you know, threat model.

Yeah.

You maybe should bring a separate device.

You maybe should turn off notifications.

It's, it's tricky, but it's also just,

yeah, I don't know.

I wonder how

I personally just wonder how well-known

this kind of vulnerability is.

Is this the kind of thing that technical

people would look at and be like, yeah,

obviously, iPhones are keeping a...

Because it sounded like Jonah...

Full disclosure,

Jonah's the person I usually go to with

deep technical questions because he's

really smart about this kind of stuff.

And when I was asking him questions about

this earlier this week, I was like...

And I asked him those questions about

would the phone restart?

Would this, that, and the other...

Or excuse me,

would a restart clear out the...

the cache or the database.

And he didn't really know either.

And he said the same thing that you

said, where he's like,

I always thought that when you swiped a

notification, it was gone.

Is this like, does you,

do you have to handle it differently

somehow?

And so I,

where I'm going with that is like, he's,

he's really smart in my opinion,

not to like, you know, but, uh,

and if he doesn't even know this stuff,

it's like, how many people do know this?

Like, this is not common knowledge.

And, um, I think we did find a,

uh,

some some court cases i mean this was

like a real real quick web search we're

not lawyers obviously but we did find some

some cases where the judge kind of threw