¶ Introduction
Google is officially sticking with third-party cookies. Recall is back. But good news from Threema and Tor. Welcome to Surveillance Report 223, where we are dedicated to keeping you private and secure with the latest news from the past week. I am Nathan from The New Oil. And I'm Henry from Techlore.
¶ Sponsor: SimpleX
Our sponsor this week is SimpleX. SimpleX is a security and privacy first end-to-end encrypted messenger with no unique identifiers. They do not require any phone numbers or email addresses or any personal data. So they are totally anonymous.
Autonomous, they are open source, they are audited, they are decentralized. Users can host their own servers if you want, or of course you can just download the app and use it as is. It is cross-platform. It's available on iPhone, Android, there's also alternative app stores like F-Droid, and
They even have an APK. Desktop releases are not in beta. They have not been. That was a mistake on our end. Long story short, everything is in stable release and available on all platforms. There are strong community features like large groups. They allow for files and media.
We've been using it quite a bit. We have a patron chat in SimpleX. And at least from my perspective, it's been a pretty good experience. The goal is to offer features like Telegram and Signal and WhatsApp, but with even more privacy and security, and the usability is only improving
all the time. We do have a business address. If you are trying to test it out and test the waters, you can go ahead and message us. Somebody did ask us a question this week, not for the Q&A, but just like a random question. And again, we do have that private group for patrons as well.
It is important to remember that this is still a very early product. It might be a tough sell for your families and friends. You know, it's missing things like GIF support and stuff like that. But, you know, they're improving all the time, like we said, and really their focus was privacy and security first. And now that they've got a
good foundation, they are working to add those other features. So we just want to make sure that you guys go into this with eyes open and know what to expect when you go in, but definitely check it out. We've been very impressed with our time testing it out and we've been very happy to get the chance
to really use it at a mass scale with our patron group and use the business address and also thankful for their support. So thank you again to SimpleX and if you are still in the market for the right encrypted messenger for you and you haven't checked them out, be sure to do so. Our highlight story this week.
¶ Highlight Story (Third-Party Cookies in Chrome)
Google won't ditch third-party cookies in Chrome after all. And I'm sure that regular listeners are in no way shocked by this development. This came from Ars Technica, who says that after years spent tinkering with the Privacy Sandbox, which was a misleading
name, for the record, Google has essentially called it quits. According to the VP of the company's Privacy Sandbox Initiative, Google won't be rolling out a planned feature to help users disable third-party cookies. Instead, cookie support will remain in place as is,
possibly forever. So until today, Google was still planning to roll out a dialog in Chrome that would prompt users to turn off third-party cookies in favor of Google's updated solution. According to the VP, Google has been heartened to see the advertising industry taking privacy more seriously. As a result, Google won't be pushing that cookie dialog to users. You can still choose to disable third-party cookies in Chrome, though.
While the sandbox project is looking more directionless today, it is not completely ending the initiative. The team still plans to deploy promised improvements in Chrome's incognito mode, which has been re-architected to preserve user privacy after numerous complaints. Can't imagine why. Incognito mode blocks all third-party cookies, and later this year, it will gain IP protection, which masks a user's IP address to protect against cross-site tracking, which...
will still not really help with a lot of browser fingerprinting methods, but you know what? It's better than nothing, I guess. Yeah, so that's kind of the major notes. Really a quick story, but a pretty big one, which is why we made it the headline story. Again, for people watching the news, I'm sure it's really obvious. This is almost certainly a response to them losing an antitrust lawsuit this week, which I don't...
think is in here, actually. Yeah, because there hasn't actually been a judgment handed down, just a lot of speculation, so we're not going to cover that this week. Again, as soon as there's actual news on that front, we will be sure to update you guys. Right now it's all just "this might happen" and "this company's expressed interest" and "this
is expected," and we try to stay away from that kind of speculation whenever possible. But yeah, this is almost certainly them being like, oh, we are really in hot water right now and we need to do everything we can to earn some goodwill and try to pretend like we're not a monopoly and problematic on so many levels.
There's no way that this is like, oh, you know, advertisers doing a good job on their own. It's just they know this was an incredibly monopolistic thing and they can't do it right now. So that's still not going to change anything. Privacy Sandbox was always, I don't even want to say poorly named. It was named that way on purpose, that thing where they make it sound innocuous and good, but it's not, because all it really did...
For those who are just joining us, this is not an exaggeration. The short version is it made Google the sole gatekeeper between you and advertisers, like even more than they already are. It's hard to explain.
It was really tightening it a lot more. It was really giving them a lot more control than they already had. I don't understand how they ever got away with saying this was a good idea or this was privacy preserving. And then I guess the last thing I'll say is, of course, we don't recommend Chrome. If you want something Chrome-like, there's Brave.
There's, I mean, pretty much anything. I think Vivaldi is also, it's not open source, but it does have some pretty good privacy features. You know, and then there's Firefox and there's all those forks, Mullvad, LibreWolf, things of that nature. But in my opinion, there's really no good excuse to be using Chrome these days. It doesn't offer any
advantages over a privacy-respecting fork like Brave, for example. I mean, for whatever reason, if you're a workplace or for whatever reason you have to be on Chrome, you can still disable all this. It's in the settings. I guess that's about the only excuse, yeah. But yeah, I would love to know behind the scenes what kind of discussions took place. When it first came out, it was FLoC. And then it turned into something else. And then it turned into Privacy Sandbox.
The messaging has been super confusing. Originally, they said this will replace cookies. Then they said, oh, well, we're releasing it, but it lives alongside cookies. So now you just get double tracked. And then now they're just phasing it out altogether. But it's typical Google, right? Release something new, keep the old one anyway, keep both, and then just phase out the new one and go back to the old one as if nothing happened.
And then make everyone once again question ever migrating to a new Google product, which already sets up every future Google product to be a failure. It's just typical Google. Google has dug their own grave with the amount of projects that they've...
just dropped and now no one wants to ever try a new Google product. I think if this was popular enough, they would have still like figured out a way to do it. So I also think that popularity is a big reason why this didn't happen. Quite possibly, yeah.
¶ Data Breaches
Data breaches. SK Telecom warns customers that USIM data was exposed in a malware attack. So for those who don't know, this is a mobile network operator in South Korea, and they hold about half of the mobile phone market in the country, which is about 34 million people, apparently. So this information is stored on a Universal Subscriber Identity Module, or USIM, which includes International Mobile Subscriber Identities, or IMSIs,
as well as ISDN numbers, authentication keys, network usage data, and SMS or contacts if stored on the SIM card. This data could be used for targeted surveillance, tracking, and of course, SIM swap attacks. A quick peek behind the curtain here. The way that I try to organize stories, not just in data breaches, but in general, is generally in terms of impact. What are the companies
in these stories that people will likely have heard of, or in the case of data breaches, what are the largest breaches that people are most likely to be impacted by? Where I'm going with this is when I was organizing these stories today, I went, man. There's multiple healthcare related data breaches and they're all very similar. We have so many stories this week. We need to do the whole cutoff thing. And I didn't want to just like cover one or two of them and then cut off the rest.
So I had the idea to just combine them all. But anyways, with that long preamble out of the way. So those collected data breaches are Yale New Haven Health, which affected 5.5 million patients, Blue Shield of California, which affected 4.7 million, and I'm going to circle back to that one in a second, and Frederick Health, which is Frederick County, Maryland, of nearly 1 million patients. The Blue Shield one sticks out in particular because that was actually
via Google Analytics. It's kind of like we covered like a year or two ago, there was a lot of ongoing stories about the Meta Pixel and how it wasn't just tracking basic user data, which is already a lot for the record, but it was also detailing very specific data like things when you logged into your portal, messages you sent, diagnoses, things that
are completely insane for any analytic service to be collecting. And so it's kind of the same thing with this one. I can't remember if it was quite that detailed. I don't have the details in front of me right now. But yeah, that one was interesting because it wasn't like a ransomware attack or anything like that, but they're still treating it that way.
saying we exposed a lot more information to Google than we meant to. And then the other people that commonly are affected is schools, public schools, like Baltimore City, whose public schools were hit with a data breach affecting over 31,000 people. So during the breach, the threat actors may have stolen folders, files, or records containing social security numbers, driver's license numbers, or passport numbers belonging to current and former employees.
volunteers and contractors for the schools. It might have also just indirectly contained a combination of student data, call logs, absenteeism records, or the maternity status of currently enrolled students. If anything was shared with any of those people, then it might have included some of that data as well. Our last few stories.
Employee monitoring app leaks 21 million screenshots in real time. Mobile provider MTN says cyber attack compromised customer data. And that was in Africa. And on that note, Hellenic Open University, which is in Greece, I believe, was hit by a cyber attack.
and 813 gigs of personal data leaked on the dark web. This one's a little bit older, actually, a couple weeks older. It was from a reader. Sorry for the delay. Those are our data breaches this week. And then we're going to go into companies and Microsoft. Gosh.
¶ Companies
Just like Google flip-flopping on different things, we got Microsoft flip-flopping on Recall. And... They are rolling it out to the public nearly a year after announcing it. We already announced this previously, but just wanted to give you a heads up that this is now finally rolling out. Recall is their very controversial feature, and it's only available on Copilot Plus PCs, which is a...
subset of Windows 11 systems sold within the last year. And what it does is it takes continuous screenshots of everything you do on your computer, saves them, scrapes text from them, and saves it in a searchable database so you can kind of always go back and find something. This had some...
serious privacy and security implications. Some of them were dealt with, some of them were not. What they said was that testing of the new version of Recall, both by Ars and other security researchers, found that the company had addressed many of the complaints about Recall security and added better automated
content filtering to help keep the feature from storing some kinds of sensitive information like passwords and social security numbers and other things that previously it kind of failed to pick up on. But most significantly, it's a feature that you must opt into using rather than it being opt out. And it's possible to remove it completely, which was not originally how they designed this. There are some processors that you need to use if you want to use this feature, which we don't recommend
using, but the source does talk about which processors and PCs specifically support this. Our last company story, WhatsApp's new advanced chat privacy protects sensitive messages. This is a quote from WhatsApp. When the setting is on, you can block others from exporting chats, auto downloading media to their phone and using messages for AI features. That way everyone in the chat has greater confidence that no one can take what is being said outside the chat.
And that is the end of the quote from the company. The article says the company added that this is the first version of this feature and it's rolling out to all users who have updated WhatsApp to the latest version. WhatsApp is also working on adding more protections that make it even more effective. However, it's important to note that even after enabling a...
there are still ways to extract sensitive media and information, such as taking a picture of the conversation if screenshots are blocked. No research this week. There's actually not that many stories and we're getting close to the end. So we're going to go into politics where there was only one story.
¶ Politics
Shopify must face a data privacy lawsuit in the U.S. And this is in a 10-1 decision, where the 9th U.S. Circuit Court of Appeals in San Francisco said the Canadian e-commerce company can be sued in California for collecting personal identifying data from people who make purchases on websites of retailers from that state. So that
at least, like, allows them to pursue this case. Brandon Briskin, a California resident, said that Shopify installed tracking software known as cookies on his iPhone without his consent when he bought athletic wear from the retailer I Am Becoming. And it used his data to create a profile it could sell to other merchants. Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct towards that state.
The Ottawa-based company said that Briskin could sue in Delaware, New York, or Canada. A spokesman for Shopify said the decision attacks the basics of how the internet works and drags entrepreneurs who run online businesses into distant courtrooms, regardless of where they operate. Shopify's next legal steps are unclear. That'll take us into the FOSS news and it's all good news this week.
¶ FOSS
First up, Threema now has a new desktop app that can link to Android. So quoting the article, the beta version of Threema's new desktop app, which was already available to iOS users, can now also be linked to Android devices. The next generation of the desktop app was redesigned from the ground up, and it
doesn't just sport a completely refreshed and modern user interface with a significantly faster response time, but it also offers multi-device support. Even when your smartphone is turned off or not connected to the internet, you're able to chat from the computer.
That was honestly like 90% of the article right there, but there's also specific instructions about how to use it. And then I'll go ahead and take the last FOSS story real quick because it's super quick. Tor user support is now available in Farsi. Farsi speaking users can now contact us directly for help with accessing the Tor network.
Whether you're trying to download the Tor browser, bypass online censorship, or need assistance navigating connectivity issues, our support team is available to help. Tor user support is available via Telegram, WhatsApp, Signal, and email Monday through Friday from 19.30 to 0.30 Iran time.
Same day to next day support. Support is provided via text only. Voice and video are not supported.
¶ Misfits
And we didn't have any formal stories for Misfits. So I went ahead and added my own for any who are invested in my story with Purism and the Librem 5 that I ordered years ago. I actually bought it with a credit card that I shut down. And I don't remember that. And when I asked for a refund, it's been what, like 36 months, I think, since I requested a refund. And it's been two years, a little over two years, it's been 26 months since they said they'd give me a refund and they opened a ticket for it. But I started getting emails from this closed credit card company. And they were like, oh, there's a new statement balance on your account.
I had no idea what this was. I'm like, this is a closed credit card. How the hell do I have a statement balance from something that I closed five plus years ago? So I called them and they said, oh, there's a new transaction from Purism. And for a second, I thought they charged me and I go, oh my God. But no.
They actually credited me. They apparently gave a refund. They didn't email me to tell me, but it looks like it worked. And that's really appreciated. It took years and I'm happy to get a refund. But just a little update to my story. And that's all we have for this week. So Google is officially, unofficially, officially sticking with third-party cookies for the foreseeable future. Recall
is finally officially rolling out. We don't recommend that either. But we had some good news from Threema and Tor and also Henry. So, you know, it was a short but interesting week. And with that, I will let Henry do our ad read.
¶ Sponsor: SimpleX
Yes! The sponsor this week is SimpleX. I'm fairly new to it myself, and I very much have been getting familiar with it. So it definitely has a learning curve if you're used to Signal. But it definitely has a super strong privacy and security focus. And the way you invite people is with a link. You can even do it.
Onion links. You can invite people with an anonymous profile. And it's really cool for managing communities. So I've been really impressed by that so far. But yeah, security and privacy first, end-to-end encrypted. No unique identifiers, not even a phone number. So there's nothing even to hide, whereas on Signal, you need to register with one, which I wish there was a way to do without it. It's open source, audited, decentralized, it's cross-platform, and the desktop releases
are not in beta, which is something we got wrong. It's pretty good for community stuff. So I've been really impressed by that. Nate and I have set up a little group over for Surveillance Report. It's like a sister community for Signal. Some of you on Signal have been wondering, oh, well, which
one do I join? Well, join whichever one works best for you. I don't really expect people to be in both of them and keep up with both of them. If you want to, go for it, but otherwise just join the one that you prefer the most. We also have a business address there, so you can directly contact us on the platform.
And again, just some drawbacks: missing some mainstream features, the UI still needs some work, I have had some crashes on the desktop client personally. And make sure that when you set up your desktop client, you ideally set it up on your phone first, because, like, I don't think I can move my account over to my phone now, so it's desktop only for me
with my current account. So little things like that are still kind of part of the learning process, but I'm trying to learn and, like, use these tools that have better privacy and security than what I'm used to, and that's what SimpleX is. So check them out in the description. It's totally open source, it's free to try, and their support is awesome, and the least we can do is kind of put them in the spotlight.
Thank you for listening to Surveillance Report. Links to all the stories can be found in the show notes as usual. And if you have a story that you think we should cover, please send it to news at surveillance report dot tech. I will try to be much quicker about including them. The final thing we want to ask of you, of course, is to share the podcast around. We don't do any advertising, any traditional marketing. So we're 100% dependent on you guys, word of mouth and whatever
things you guys are willing to do that might help the algorithm favor us. So things like subscribing, giving us a rating if you're on a platform where that's an option. Thank you again for listening and we will see you guys next week.