Are Privacy Opt-Outs Useless?

All right. A new study finds that big tech tracks you even when you've opted out. Cal.com will no longer be open source and some big developments in US and EU privacy and surveillance. All this and more coming up on This Week in Privacy number forty nine. So stay tuned.

Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we've been working on within the Privacy Guides community and this week's top stories in data privacy and cybersecurity. I'm Jordan, and with me this week is Nate. How are you, Nate? I'm good. It's been a busy week, but I guess I can't complain. How are you? Yes, also a busy week, but now let's jump into the biggest news in privacy and security from the past week.

So this story here from four or four media, Google, Microsoft meta, all tracking you, even when you opt out, according to an independent audit. Uh, an independent privacy audit of Microsoft meta and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine web x-ray. Fifty-five percent of sites it checked set ad cookies in a user's browser even if they opted out of tracking.

Each company disputed or took issue with the research, with Google saying it was based on a fundamental misunderstanding of how its product works. So this company itself, WebXRay, they viewed web traffic on more than seven thousand popular websites in California in the month of March and found that most tech companies ignore when a user asks to opt out of cookie tracking.

And this is specifically concerning because California has privacy legislation, thanks to its California Consumer Privacy Act, which allows users to, among other things, opt out of the sale of their personal information. And there's basically a system called the Global Privacy Control, which is basically a... In some browsers, it's a switch and in some other browsers, it's an extension that you have to install.

According to the Web X-Ray audit, Google failed to let users opt out of eighty seven percent of the time. Google's failure to honor the GPC opt out signal is easy to find in network traffic.

Now, I think this is kind of always been a concerning thing right there's these opt-out signals and we're not really sure how effective they are right because a lot of these signals themselves right they are often ignored like we saw the do not track signal that used to be kind of big right um that was also ignored by a lot of websites and now we're also looking at this new thing which is GPC so a lot of companies basically argue that they're not really sure what this

means and they're just gonna track you anyway which is kind of silly right so you know it's not really that surprising to see that so many websites don't comply with this did you have any thoughts on this Nate I feel like this is unfortunately kind of like I assumed this was kind of going on so Yeah, I mean it's um... I don't know. I do have a I mean, I always have thoughts on things. I mean, first of all, it's it's I do want to point out, well, OK, to assume this is always going on.

I agree with you. But I do want to know a couple of things that GPC is supposed to be an improvement over do not track because GPC is actually legally recognized under certain privacy laws like the California Consumer Privacy Act, for example. So websites are required to honor it. So. I'm with you. When this was initially announced, GPC specifically, I was kind of also like, I don't know, why would companies listen to this? Like they already don't listen to things.

But I was also kind of hopeful because, again, it is like legally required. And we have seen in the past that typically companies will – and I'll touch on this in a second in the article. But like companies do – they kind of like to ignore things right up until they get caught. And then they're like, ah, okay, you got me. We'll play along. Or, you know, they'll at least start to play along.

Usually it's, they kind of have to get caught a few times, but they get caught and they change what they do. And, um, so I don't know. I, I guess I was hoping that maybe this would go somewhere and it still might if, if that's what happens here. But, um, I think the real issue here, and this person that they interviewed from WebXRay kind of talked about this. Oh, where did it go, actually? Okay, yeah.

So this person who used to work at Web, or excuse me, Timothy Liebert, who founded WebXRay, he used to work at Google. And He said that he told four or four media he felt his job at Google was to protect its users, but his bosses didn't agree. And he left the company in twenty twenty three to start Web X-ray. And this is a quote from him. Shortly before I left, my boss told me direct quote. My job is to protect the company.

There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines. And they didn't understand there was a difference. And I think this is something that a lot of people in the privacy space have noticed is I think the issue here is these companies, the fines are not really fines. They're just cost of doing business.

Like I remember, I wish I could remember which story it was, but Meta got in trouble for something and they got issued a fine. And the article kind of openly said – like they didn't make a point of saying it. It was kind of just like a real quick sentence that if you weren't paying attention, you wouldn't even notice it. But the article basically said like, oh yeah, Meta is going to contest the fine because basically it's bigger than they thought it would be.

Like they don't even care that they got fined. They don't even care that they're wrong. They're just like, no, no, no. We set aside a certain amount of money to pay these fines, quote-unquote fines, which are really just a cost of doing business and a tax like he said. But it's more than we budgeted for, and that's why we're going to fight it.

It would be like if you got up to the register and you're going to buy – like you go to the grocery store, the corner store, whatever, and you're going to buy a soda. And they're like, oh, it's five dollars. It's like, whoa, whoa, whoa. Hold on. I have five dollars, but this should only be three dollars or maybe it is five dollars now with inflation. But you know what I mean? It's like it's not even that I don't have the money.

That's not how much I set aside for this thing, and that's basically how these companies treat it. Yeah. I think to give a little bit of a benefit of the doubt, I think it's tricky to find these companies sometimes in the sense that like, These big tech companies like Meta, Microsoft, Google, you want to be able to levy a fine that's going to hurt them and going to make them pay attention and stop doing this crap.

But at the same time, you need to write the laws in a way where it's like privacy guides, for example. It doesn't wipe us out if we – not that we do any of this stuff, but if we make a mistake somehow and we're accidentally collecting something we didn't know, I don't know, just throwing it out there. A fine that is one percent of Meta's hourly revenue would wipe us out.

And so you want to find that ground where you're not destroying the small guys, but at the same time, you're still hurting the big guys. And I do have some sympathy for that. But at the same time, I feel like as far as I know, there's no laws being weighed right now or suggested. So, I mean, it's not like they're really trying to fix that. But that's really the problem is just that the penalties for doing this stuff are. just a cost of doing business.

And yeah, I don't know, really unfortunate, but I guess. I think, oh, sorry. No, go ahead. I think like I do think it's interesting what you said is the the the stuff about finding a company based like, you know, if you don't want to destroy all the small companies, I feel like we could kind of get around that. Maybe if we had like, you know, proportional of their earnings, like based on their profits or revenue, maybe.

But, you know, obviously I feel like our governments are too captured by these big tech companies and lobbying and all that sort of stuff um so it's probably not super likely but I think you know having a fine that is actually proportionate to how much they make because I don't know I guess that might be hard to argue from a from a um a damage perspective right like if they were if they were collecting let's say all of Americans data that wouldn't even be that much of the entire globe right

for meta because meta has like billions of users so um it'd be hard to say like just uh in California you know even less so um I feel like it might be hard to argue the fine being so large I guess um but it's still a problem uh I don't know what the answer is but I do think they need to be fined more especially for not um complying with this stuff but it's good though I didn't realize the GPC stuff actually was um related to like legal stuff like there was a legal precedent

behind it so that's good um but I guess it's like you said it's kind of the cost of doing business for these companies Yeah, it's very – like I said, that was kind of what gave me hope for it because when I first heard about it too, I'm like, we already did this. What's different this time? But it's the legal enforcement. But it's – I don't know. The street proportional thing, I have mixed opinions on because we'll take – if my project – I'll just say it.

Like the new oil, I published transparency reports. I made twenty thousand dollars last year, which was by far the most I've ever made. And so let's say a ten percent penalty. Right. That's two thousand dollars. I don't have that in the bank right now. Most of that money has been spent on various things. But, you know, ten percent, two thousand dollars for me is a lot of money that would wipe me out.

Whereas for Meta, you know, ten percent of their what, ten trillion dollars they made last year or whatever. I don't know. I could look it up. But you know what I mean? Like ten percent for them, they're already paying four percent. They don't care. Like it's just it it doesn't scale the same. You know, a person who's making one hundred thousand dollars a year and gets a ten percent speeding ticket.

To them, that's just a much smaller amount as opposed to a person who's making forty thousand dollars a year. So, I mean, I hear you like that. I just feel like that's not really. I feel like that's not really a sustainable solution. Personally, I could be wrong, but. I don't know. It's tricky. But yeah, I think that is the solution is until we like get some kind of better legal enforcement, I don't think these companies are going to stop doing what they do.

And I think the, what was his name again? This Liebert, this Timothy Liebert, he even said that too in this article. But I think, I guess a question for you, what would you recommend? Because I mean, I think the solution here is In my opinion would be that we, we kind of, you know, a lot of people argue that laws don't work and that we need to force companies to respect our wishes. And I think they kind of got a point with this kind of stuff.

Like, I don't know if I'd go so far as to say laws don't work, but I think we need to do what we can to force companies to respect our wishes regardless. Right. I mean, I think it's, I think people get too caught up in black and white thinking, right? Like you can definitely use the laws as well as doing things to protect yourself, right? Like I wouldn't like just use a browser, not harden it at all, share as much information as possible, rely on this like somewhat nebulous global privacy thing.

Like, you know, I think it'd be, a thing that you could use that along with like a fingerprint resistant browser to protect yourself a bit more, um, not share as much information, use email aliases, secondary phone numbers, stuff like that to protect yourself.

Um, because yeah, a lot of cases, I'm not really sure if this global privacy control thing is to be respected like this company said but i also think it's kind of interesting that this person um i think you read earlier that they were um part of the Google team working on like the cookie compliance stuff. I think it's like, I'm not entirely sure what they're expecting.

Like you go to work at the largest data collector in the world and you expect them to care about like respecting people's privacy. I'm not really sure. I mean, I guess maybe you could make the argument that like you are trying to change it from the inside, but like, I'm not like friends don't let friends work at like big tech corporations. Like let's, let's, you know, it's not a great idea. Yeah. I, um, first of all, I think that was a great answer with the black and white thinking.

I think you're right. Um, I'm, I'm a real big fan of using multiple approaches. Right. So like, yeah, you should use a hardened browser and, and Tor VPN, all that kind of stuff, but also. we should push for better privacy laws and stuff like that. So fantastic answer. Thank you for saying that. But yeah, I mean, as far as this guy specifically, I don't know when he started at Google.

So it could be like, you know, there was that book, Careless People, that was written by the lady, Sarah Wynn Williams, that used to work at Facebook. And to be fair, she got there back in like, what, two thousand... like eight or something like back when, when Facebook was still like had the potential to be good and she kind of watched it become the cancer that it is now. So I don't know, like if this dude had been there from the start back when Google used to say, don't be evil.

And back when you Google stood up to China and all that kind of stuff, then I could kind of see, but yeah, I feel like, um, I feel like with these big tech companies these days, you kind of have to hit a point where you're just like, they're not going to change. Like, you know what you're getting into. And I don't, I don't, I have, um, I feel this way about a lot of systems.

I want to be careful how I say this, but I feel like there's certain systems around the world that just kind of like I don't know. I'm kind of cynical on if they can be changed. It's like you either get corrupted and become part of the problem or you get forced out because you refuse to fall in line because you're trying to make things better. And unfortunately, I think big tech is one of those systems that nine out of ten times or ninety nine out of a hundred times. It just it is what it is.

And it's hard to change. It's an uphill battle. So. But yeah. Yeah, but I think like to talk a little bit more about like using those both angles on this approach, like, you know, trying to enforce these privacy laws. We do have an activism section on our website now. So You can check that out at privacyguides.org slash activism.

There's some stuff in there about like how to contact your, actually, I'm not sure, it's not live yet, but there was a section in the works for contacting your data protection authority. And there's also a lot of bunch of tips on there about, you know, all sorts of things to basically build a movement behind trying to get better laws passed and stop people from you know, stop politicians from passing these terrible laws. So I think that's also important.

But like, you can do multiple things at the same time. And I think that's kind of why people get kind of confused. They'll be like, oh, these laws are like always getting bypassed. They're so useless. It's like, well, there are some laws that have done something. Like we can all argue that the GDPR has had an impact, right? Like the right to delete has become a lot more common since the GDPR came around and that used to be such a pain to like delete your information from websites.

And it's had an effect even outside the EU as well. So I think, you know, there's definitely examples of things that have worked pretty well. So it's just a matter of advocating for better legislation. I think it's definitely possible that there's a lot of bad stuff right now, especially with the age verification stuff. I think in large part it's just because people aren't getting riled up enough about it.

I'm sure the politicians would probably change their mind if people were protesting outside parliament or outside your government buildings. So I think there's certain things we can do to sway people on it. But yeah, that's sort of my thoughts. Yeah. Agreed. It's, it's politicians are at the end of the day, we'll do whatever keeps them in power. So if something proves to be wildly unpopular, they're going to find a way to walk it back. I nine, not a hundred times.

So. Um, real quick, before we move on to the next story, uh, Jonah gifted five privacy guides memberships on YouTube. So if you're on YouTube and you're kind of like listening to us in the background or something, uh, check that out. You could, you could get a free membership trial and, uh, get some early access to some upcoming videos. So thank you, Jonah. But, uh, if that's all we've got on that story, um,

we're going to move and next we're going to talk about Mastodon and, um, Mastodon, I think most of our listeners probably know. I think most of you guys, or not most of you guys, but I think a lot of you are probably currently Mastodon users or have used Mastodon in the past. Let us know if you are a Mastodon user. One in the chat for yes, two for no. But in the meantime, we're going to talk about some upgrades. Mastodon got a grant from the Sovereign Tech Agency Fund.

And so the Sovereign Tech Agency is something from Germany. I pulled up the Wikipedia page here. And basically, it's a part of the German federal government. It's part of their budget that aims to promote and secure open source foundational technologies. It tries to make the open source ecosystem more resilient against external attacks, thereby enhancing cybersecurity and resilience across the German economy.

And so in the past, they funded things like, let's see here, Arch Linux with, oh my God, over half a million euros. That's crazy. FFmpeg, FreeBSD, GNU, GNOME. Oh, my gosh. All kinds of stuff. Open street maps, open SSH, PHP, so on and so forth. WireGuard. Yeah, really, really cool stuff there. So now they have donated to Mastodon.

They've awarded six hundred and fourteen thousand euros And out of that total, ninety thousand has been set aside to be shared with other Fediverse projects that choose to implement the protocols developed during the work, which we are about to talk about. So we did write an article or Freya wrote an article about this for privacy guides earlier this week and focused specifically on the on the end to end encryption, which I will get to that in a moment.

But there's a lot more in here, although that is certainly one of the more exciting features. So there's blockless synchronization. I know historically that's been A bit of a problem on Mastodon is moderation. A lot of people, I'm told... There's a struggle, right? And I don't want to get too philosophical right off the bat, but there's a struggle between... We want... freedom of speech. And we want people to have a space where they can say whatever they want, even if we don't agree with it.

But also some people maybe just don't want to do that, right? Like someday I have days where I know I need to like not check the news, because I'm just so tired and so mentally exhausted. And I'm like, dude, I'll check it tomorrow. Now's not the time. And so I understand some people may want like an account, for example, where they can go and just not see anything political or whatever.

And but the point is, it's sometimes been a challenge, especially for people who are new to like open source technology, like maybe back when Elon bought Twitter and a lot of people were checking out other alternatives. You know, some people were like, the moderation is difficult and I'm seeing a lot of stuff I don't necessarily want to see. And that's been a thing.

And so now that's one of the things they're working on is enabling Mastodon server administrators to subscribe to shared block lists, which this is totally optional. I think one of these days I floated the idea of we do want to do a Mastodon tutorial, like how to self-host Mastodon, your own instance. And I definitely got the thumbs up from Jonah. We just haven't gotten around to that one yet. That one's in the works. We have a lot of great ideas for videos, but...

Anyway, so that's one of them is a blockless synchronization. Remote media storage. This is more behind the scenes stuff, but it'll just make it easier for server administrators. They won't need to have quite so much storage on hand. Mastodon hasn't been too crazy for me, but also my instance is a lot smaller. So yeah. In regards to the spam thing again, they have automated content detection, which is specifically for like spam or illegal materials. I... I'll come back to that one actually.

End-to-end encryption, I mentioned that. So they're going to use, I believe it was messaging layer security, MLS. I believe I read that in Fria's write-up, but I apologize if I'm wrong about that.

But yeah, they're going to add end-to-end encryption to DMs, which is great because that has historically been one of the negatives of mastodon is the dms are not encrypted and a uh an administrator could still look at your messages if they really wanted to they're going to improve the documentation and i believe they said they're trying to get most of this stuff done by the end of the year and then again there's that ninety thousand that's bookmarked to help

other instances or other projects that want to take advantage of this so maybe someday we'll see end-to-end encryption between like mastodon and pixel fed for example or something like that so I think that's super cool. The last thing I wanted to add is this automated content detection. I could see the argument, and this is just me kind of thinking out loud. I could see the argument where like, we're not usually fans of this, right? Because how long does it take?

You know, maybe illegal material for now means like, Um, child abuse material or like in Iceland, I found out in Iceland, technically adult material is illegal. I don't think anybody actually enforces it, but let's say you wanted to err on the soft side or err on the side of caution and say like, I just want to block anything that's adult, right? You, you could use this for that.

I could see how it could get a little bit tricky if there starts to be some kind of pressure to scan for, um, protests or something more political, but also at the same time, that's one of the beauties of things like Mastodon, right? Is if you start to feel like this instance is getting a little bit too heavily moderated in a way I don't like, you can move to another instance or you can self-host your own instance. So I think that's definitely one of our favorite things about the Fediverse.

Jordan, was there anything in this announcement that you jumped out that caught your attention or you thought was interesting or wanted to talk about? Um, yeah, I think the block list synchronization thing is definitely going to be somewhat controversial.

Like you said, like there was, I think I've talked to people about this a decent amount, but like, you know, people kind of get frustrated that there's almost like censorship in quotations of like, you know, certain people, um, And I think that, you know, a lot of times, maybe sometimes that can be the case, but I think the biggest thing here is the. um, you know, uh, the, the, the small server operators who don't have a lot of time.

So maybe, you know, like I know you run your own master on instance, I'm sure that can sometimes be kind of frustrating to see, like, you know, CSAM and like awful stuff popping up. Um, because, you know, a lot of administrators are basically having to take care of that themselves. Um, so, you know, kind of offloading that a little bit to, allow that to be a sort of community-based effort is a decent way to go, I think.

But I think, you know, some people are still going to have a problem with this because, you know, it can kind of make things become a bit like group-thinky, I guess, where everyone is sort of blocking people based on, I know it's not very common, but there are a couple of instances that have just like de-federated with other ones because of, you know, beef that they have with each other, which is, you know, it happens on every platform. I think people are like that.

So I don't think it's really, an issue with Mastodon specifically, but I do think it's still in a better spot because even if you find that to be an issue, you can start your own instance or you can just join one that doesn't have those restrictions.

But I do think it could be better to make it more obvious what information is being blocked to users of your instance, because a lot of times it's not exactly clear what block list, I mean, I hope it's clear once this gets implemented, but also just like being able to see what is actually blocked by the server so you can make a better choice if you prefer to join a server that doesn't have as many blocked things.

But yeah, all the other stuff seems reasonably interesting i think i'm not really a big fan of like the automated content detection but i think i guess it's kind of needed once the network gets to a certain point do you have any thoughts Yeah, I think the automated detection thing, I think it's a blessing and a curse because like I said, there is the one argument of like, this is the same thing that we would criticize like Apple or Google for, right?

But at the same time, I think historically, Mastodon has had a huge problem with spam. And... a lot of that, I mean, this is, there's, there's pros and cons to decentralization. Right. And that's one of the cons is like their entire servers out there that are just like abandoned. Like, I don't know why the owners are still paying for server space, but apparently they are. And they've got open registration and, And I've seen this happen a few times.

I've been on Mastodon long enough that I've seen this happen more than once, where for some reason, a whole bunch of bots will just go and join this one instance that's like six versions out of date. The admin is clearly checked out five years ago and registrations are still open. And so everybody, they send their bots and the bots start harassing everybody and posting spam.

And usually it's in another language and it's like, links to gambling sites or another common one that goes around is like, this is Mastodon support. You need to verify your profile, which I hope most Mastodon users are too tech savvy to fall for that. But at the same time, I think there's a, not to get too in the weeds here, but I think any sort of a platform needs to have a philosophical question of what's their end goal.

Because I think if your goal is to be like, oh, all of our users are too tech savvy for that. They're not gonna fall for that. Then you don't really need to worry about weeding out the spam, right? Like at this point, it's buyer beware. You're expecting your users to have that level of tech savviness. But if you want something to be, what's the word I'm looking for?

If you want something to be accessible to everyone and to gain mainstream traction, then these are the things you have to think about. And so I would certainly appreciate some better moderation tools. I have my instance set to approval. I have to approve everyone. I usually do, unless I think it's an AI bot, which they're usually pretty easy to spot. But if you're a real user, I don't care why you're here. But I think... I can't help it when other people are spamming, right?

And, you know, I can't be on Mastodon to manage that. So it is kind of annoying. Yeah, I don't know. It's got pros and cons. Although again, like I said, with the whole, we would criticize Apple and Google for this, Mastodon's decentralized. You know, the US government could theoretically come up to me and be like, hey, you need to start blocking, I don't know, anything from anything in Arabic because we're beefing with Iran right now, right?

But alternately, if you're, if you're a German instance, like the U S government has no power over you. So it doesn't, I wouldn't go so far as to say it doesn't matter, but it's, it's a lot harder for that kind of censorship to like really take hold, which I think is, is an advantage for sure. But, Yeah. And then I've, I've also got thoughts on the free speech thing, to be honest, but I'll just, I'll leave that there.

Um, like you said, the advantages, you can always just go start your own instant, which Mastodon is one of the more user-friendly things that I've looked into hosting. It's certainly not, I wouldn't describe it as like your first project. I think there's definitely easier things, but it's easier than next cloud for sure. Um, it's, it's definitely easier than a lot of other, um, a lot of other projects in my opinion.

So Yeah, and I do think it is good with Mastodon because if you disagree with any of these things, like if you don't agree with blockless synchronization, that's fine. You can use like any other Fediverse system, right? There's loads of other ones you can use. You don't have to use Mastodon. I just think it's the most popular or one of the most popular, I guess. I think so, yeah.

So that's kind of why it has... most features it's the most feature rich i guess and this is just kind of adding to that um it is interesting here i did notice the timeline for the end-to-end encryption for private messages is twenty twenty seven and i just think you know we're gonna be on the side of don't use that so we don't really want that but like i mean i don't really think that's that important i think you know if you people already i already see people

doing this on maston but they link their signal account We would suggest that much more than going and using end-to-end encrypted private messages. Yeah, I think actually somebody here did mention, yeah, on YouTube, Seismic said finally, and chat besides Signal that I can use. I mean, we're going to have to wait and see what this looks like in the final version. I highly doubt it's going to be something that we would recommend over Signal or even alongside Signal.

But I always think it's great to have more protection wherever possible. And I think it is really good that, because, you know, there may be, times that I want to message somebody. And especially in, you know, one of the problems that a lot of these, uh, decentralized services have is there tend to be like one or two or a handful of servers that get like a massive amount of users.

And so it's a lot of people criticize, they're like, well, it's not really decentralized because everyone's using that server. Um, but regardless, you know, it's still like, if you're talking to somebody, like if I message somebody, there's a good chance they're going to be on like the mastodon dot social. Right. And so maybe I'm comfortable telling that person like my date of birth. but I don't want to tell everybody. And I don't know who the admin is.

And I don't necessarily know if I trust the admin and, and, you know, some Mastodon instances even have like an admin account where there may be more than one person that has access to it. So I think it is really good that they're adding this level of privacy, but yeah, I don't, I doubt it's going to be implemented in a way where we're like, well, shoot, this is just as good as signal. Everybody just use that, you know, but it's still nice to have that extra layer of protection for sure.

So yeah, that is a long ways off. So Definitely. I think, yeah, you're right. I think it is important, like you said, to have more than just have everything be have some level of protection rather than nothing. Right. Definitely agree. And I also saw real quick, somebody asked, why are people chatting numbers? We were running a poll. I think it got moved off when I started showing comments, but we were running a poll about if you were a Mastodon user or not.

And so you would comment in the chat, one for yes and two for no. But we'll try another poll in the future. So I think for now, that's all I've got on that story, if we want to move on to the next one, unless you have final thoughts. Awesome.

Yeah, no, I think we kind of talked about that quite thoroughly here. So let's move on to the next story here. And this one has been kind of a hot story this week. Cal.com is going closed source. Here's why. So I guess first, you know, I think a lot of people in our audience may not be familiar with this if they're not really into like uh, meeting scheduling, self-hosting meeting scheduling sort of stuff. So basically cal.com was, uh, well, it is still a thing, right?

Um, there's basically a way to organize meeting times with people. So you could send someone a link and it would have your availabilities. And then the other person could select the time that works best for them, which, you know, Personally, I've had to do that because we communicate across time zones now. This is like a global economy. So people have to sort of find the best time. And that is oftentimes across different time zones.

So, um, the, the thing here with cow.com is they have decided to move to going closed source. So originally there was a, they had a self hosted version. And I think the whole thing with that was that it was a full, uh, it was a full open source version of their, uh, service that you could self host yourself. And basically they've announced that they are diverging from that project. And they have been for some time now they've actually been working on a closed source version.

Um, and that's the version that runs on cal.com and they have introduced a new service, which is cal.diy, which is, self-hosted version and i do want to talk a little bit about that but first let's kind of talk about the reasoning behind going to this closed source model so they posted a video here um saying that ai is killing open source stating that you know open source vulnerability scanners are basically making it really hard to keep up with patching vulnerabilities because, you know,

they're able to scan the software and find vulnerabilities much easier than spending hours and hours as a, you know, professional hacker or whatever, you know, like a threat actor, a proper threat actor. They can kind of find these vulnerabilities without Being that technical is what I'm trying to say. So basically that's kind of their reasoning behind this. Their reasoning for moving to closed source is security.

And I think that's kind of where we kind of fundamentally disagree with this because I think the source model of your software doesn't actually have an impact on security, right? There's still ways to, you know, analyze software that is closed source. There's still ways to, you know, test software, crash software, find vulnerabilities. So that's an interesting take.

I think One thing that Jonah brought up, you know, we have like a staff group chat, he brought up that the cal.diy project looks kind of sus. If you go to the website cal.diy, there is actually a lot of warnings all over the page, which kind of makes it seem like they may not be following, they may not really be updating this. This seems like, you know, something that is sort of risk, they're kind of making it seem like it's extremely risky to use. Um, so this is kind of strange.

I think, uh, I don't really know why they're have such a large warning on like every single page or like at the top of the introduction page, um, saying use it. Your own risk is open source community edition and is tended for users who want to self host their own CalDIY instance. It's strictly recommended for personal.

non-production use please review all installation blah blah blah like it's it's quite um strange uh and it says um below that there's like an ad for their um for their commercial service which is closed source now um so you know we we've always kind of been are saying that, you know, there's the source model I don't think has an impact on the privacy or security. And yeah, like Jonah said in the chat here, literally fearmongering about open source actually.

Like this is like the silly arguments that we hear from like people who don't really know what they're talking about and who say like, open source that's like so much worse because like then everyone can see the code and like hack you it's just like not really it just it just means there's more scrutiny um and i think you know it doesn't really make that much sense um to do this it's we kind of talked about this a little bit in our group chat but the the the this company itself

cal.com is venture capital backed and basically what that means is there's people who invest money in the company to, you know, gain a stake in the company, I guess. And they want to be able to earn a return on that money that they've invested. And in a lot of cases, you know, open source software opens the company up to having their ideas and direction possibly copied by a competitor or to allow insights into their company from a competitor. And I think, This is kind of a little bit silly.

I think, you know, if you're making a really good product, which I think cal.com is making a really good product, then you shouldn't be concerned about someone stealing your ideas. Like I'm, I'm kind of not very familiar of that ever being the case. Um, I think it keeps the, it keeps your company kind of, uh, You don't even like you can have an open source license that doesn't allow people to use it for commercial use. You can still have the software be open source.

You can have the source available source code. So that's why I'm kind of confused by this. this move here but I did want to

hand it over here to Nate because there was actually a bit of a clap back here from discourse which is basically the forum software that we use for our forum but I'll just hand it over to Nate here to kind of tackle that Sure. Um, yeah. So quick shout out to our forum, discuss stop privacy guides.net. Uh, we are powered by discourse, which, um, I, it seems like a nice piece of software as far as I can tell. I haven't had to deal with it behind the scenes.

Jonah does all our, our hosting, but it seems to work pretty great. And, um, I mean, I'm not going to mince words. This was absolutely, like a clapback was a good way to put it. This was a response. But I want to give a shout out to Discourse because to me, this felt like a very, it was very direct. It was not watered down. but it was also not overly aggressive or unprofessional. And I feel like I don't see that a lot of days, a lot of the time these days, and I just really appreciate that.

So thank you, Discourse. This did not pull any punches, but was also... I don't know, just very professional, in my opinion, as professional as calling somebody out can be. But yeah, so discourse literally said discourse is not going closed source, which I think the cal.com was cal.com is going closed source. Yeah, that was a direct quote.

And basically, they kind of said everything that Jordan said, actually, which is, you know, they said here that like, their reasoning is that AI has made open source too dangerous for software as a service companies, codes get scanned and exploited at buy AI at near zero cost. Actually real quick before I dive into that, the cal.com one did have one statement that I did want to kind of sympathize with them a little bit.

So they talked about in recent months, we've seen a wave of AI security startups productizing this capability, which they're talking about scanning the source code. Each platform surfaces different vulnerabilities, making it difficult to establish a single reliable source of truth for what is actually secure.

So the way I compared this, I don't remember where I said this, but the way I explained this to somebody, or I kind of summarized it is like, if you're at home, like let's say you just moved to a brand new country, right? Like not even a state, you're in a totally unfamiliar place. And all of a sudden, a bunch of like salespeople come knocking on your door, insurance salespeople. And this one guy is like, hey, you need flood insurance.

And the next guy is like, no, no, no, no, no. There's a lot of wildfires. You need wildfire insurance. And the next guy is like, no, you need tornado insurance. And the next guy is like, no, you need earthquake insurance. And you're like, I don't know what insurance I need. And so Cal.com was basically like, I'm just not going to get any insurance. I'm just going to stop answering the door is basically what they did.

Yeah. So I want to give them a little bit of credit because I understand how that could be frustrating when you've got so many different companies and they're all giving you conflicting results. And it's like, well, now I've only got so many people. I've only got so many hours in the day. We can only fix so many things. However, you know, discourse here, they said, I understand where they're coming from. The industry is changing fast. New AIs with capabilities are being released every few weeks.

It's a scary world. And I completely agree that open source companies need to adapt. I do not agree with the decision that closing source is the solution.

and um you know they they basically had two main points one of them was exactly what jordan said like going closed source is uh for anybody who's new here it's what we like to call security through obscurity and that basically means like it's the code equivalent of hiding under the bed right like if i hide under the the sheets the monsters can't see me and that's basically what it is and they point out here in this this blog post they say that um Closed source has always been a weaker

defense than people want to admit. A web application is not something you shimp wants to keep hidden. Large parts of it are delivered straight into the user's browser on every request. Things like JavaScript, API contracts, client-side flows, validation logic, and feature behavior. Attackers can inspect all of that. And then there was another spot. Did I already pass it? Oh, those same AI systems don't actually need your source code to find vulnerabilities.

They work against compiled binaries and black box APIs. I will admit that I do not know... a lot about technical stuff and code but i do know that i see a lot of um I see a lot of people reverse engineering apps, right? Proprietary apps. And they decompile it and they find ways to get in there and go, oh, look at what this app is doing. Look at all the calls home it's making. Look at the fact that the traffic is not encrypted. What's this server it's contacting?

So clearly this is not, like the blog post says, it doesn't need to be open source. People can find ways into this stuff and they've been doing it for years. And so that doesn't actually stop anything. It's just security through obscurity. And it's... I think security through obscurity can be part of a larger defense. I don't know about in this case, but in general, I think there's times when it can be like a data removal, right?

If you pay for a data removal service, like Easy Opt-outs is one that we recommend on the website. That's a good start. But also like... using a PO box whenever you're able to, like not putting your address in every single form online. Like, you know, it's part of a larger defense. I wouldn't rely on that by itself. And so the other point they made, this is a very, very long post. They said that, yeah, Basically, they think that this is a...

The security argument is a convenient frame for decisions that are actually about something else. So one is, you know, Jordan mentioned that competitors can read your architecture and your product thinking. And then there's governance. They said open source communities push back. They file issues about decisions they don't like. They fork. It's exhausting to manage. I mean, fair. I will be the first to admit that every once in a while, I do get burned out on the community and I need a break.

But I don't know if that's a good enough reason to close source your code. So yeah, it's... And just to go back to the it's competitors thing, Jordan pointed this out too. There are a lot of companies that are open source and they're thriving. Look at Bitwarden, for example. I mean, granted, they do have investors, but they're still open source. You can self-host Bitwarden. They have instructions on how to self-host Bitwarden. There clearly is a way to do both.

And I do wonder if... cal.com explored any of those options uh it does sound kind of like there was just a lot of investor pressure and this was just the easy button right like if we go closed source that's going to make it harder for people to self-host they're going to have to pay for us we'll slap a bunch of scary warnings on our diy page which yeah that's that's not cool and actually to make that even worse if i can go back to their blog they did say that um where did it go here um

God dang it. Okay, yes. While our production code base has significantly diverged, including major rewrites of core systems like authentication of data handling, we want to ensure that there is still a truly open version. So basically, the cal.diy version is completely different from the cal.com version Which raises a lot of questions for me. And they also make it sound like, I don't know if they're actually doing this, but they kind of almost made it sound like, here's Cal.DIY.

We'll update it if we feel like it every once in a blue moon. But otherwise, like, we don't care.

This is just kind of shut up the purists, which, again, is a really crappy take from a community you claim to have... valued and whatever but yeah so um this is a really long blog from discourse but it is worth a read and again i i really applaud that like they pulled no punches but it also wasn't uh you know just like a like oh it's a pr opportunity like here's our facts here's our our experience our reasoning um so i really give them a lot of credit for that one but yeah that was a

It's such a wild story, and it's so... I hate to assume malice in a company, but yeah, it's so... What turned me off, I think, was just the fact that, again, that's all it was, was we're just going to go closed source, and that's going to fix all our problems. And almost immediately, I saw everybody was just kind of like, is it though? Is that really what this is about?

And it just kind of... I think that's going to do a lot more damage than if they had just admitted like, hey, this business model isn't working for us and we're going to try something else. I think they might end up losing a lot more customers because of the way they handle this. I don't know. Do you have any additional thoughts to the discourse response or anything?

Yeah, I just think trying to pass this off as selling for security reasons, I think is to people that actually follow and understand security is just laughable. And I think unfortunately those people are in a lot of cases, they're going to be the people that self host this software. So they're going to be the ones that realize you're being kind of crappy about it. Right.

Um, I think they should have been a bit more clear about the reasoning because, you know, we don't know if there's another reason why, like we were talking about with the VC investors.

But I think, you know, especially when we have like, you know, so many ways to analyze software um that's closed source even um so you know people can do like fuzzing they can feed programs a bunch of random data to get it to fail they can um do binary analysis so you can inspect memory dumps of like applications when they they run uh like reverse engineering stuff so you know i think it's kind of a little bit, uh, it's, it's, it's feels a bit disingenuous. That's the word I was looking for.

Thank you. Um, but yeah, like we see this a lot, like even the opposite way around, like there's, there's malware that we see and, you know, we're able to analyze that malware, stuff like that, um, to see what it's doing and to understand what what the code might be.

So anyway, I don't think them switching to closed source is going to make it any, I mean, surely maybe a little bit possibly to these, to these basic AI vulnerability things, but I don't think it's a good enough reason to switch this because yeah, I think it's, yeah, it just feels really not great when they're trying to make up a reason that doesn't really exist.

Yeah, and I mean, something that just popped into my head is, you know, one of, there's a lot of reasons you might make something open source or even source available, like you mentioned. But one of the reasons I think is that it increases the chance that somebody could find a vulnerability, right? I want to make it clear real quick that open source does not automatically mean that something is more secure or more private. It just means that the opportunity is there.

And I think there is a certain critical mass where when we're talking about these bigger projects like Bitwarden or maybe Proton or some of these, because I know Proton, some parts of them are open source, some parts aren't. But you know what I mean? When we're talking about big projects like that, then... I think odds are it probably is more secure just because they're a big project and they've got a lot of eyes on them.

But especially for some of these smaller, like mid-level projects, I don't know how true that necessarily is. It's probably not true, but the opportunity exists. And where I'm going with that is I think, especially in this community, um, There's such a dislike for AI. I think they're almost going to reverse. They're almost shooting themselves in the foot. If this really were about security, they're kind of shooting themselves in the foot because the bad guys are still going to use AI.

They don't care. They're going to use any advantage they can to get ahead. They don't play by any rules. The good guys, not all of them will be using AI. Right? And they're playing by a different set of rules. So you almost need to like... Like we've been said a million times now, the bad guys are going to find the vulnerabilities no matter what, whether it's open source or not. By making it closed source, the only people you're stopping are the good guys who are not using AI.

So yeah, that's... I don't know. That just kind of popped into my head. Yeah, I think... I'm not sure if I a hundred percent agree on the privacy and security aspect.

I think it's more like a transparency thing, which I mean... is good uh for like trust and like stuff like that but like uh i mean i i think there's definitely there could be closed source software that's just as private as some open source software or they could be closed source software that's just as private as open source software. So, you know, it's, I don't know.

Uh, it just seems like a really silly reason to me, but I think we, obviously we're going to, we're going to push for transparency. Like transparency is important, um, rather than kind of a black box, which we have to work out things ourselves. Um, so yeah. Agreed.

Um, Alrighty. Well, before we dive into, we have a story coming up about, uh, Well, some updates to age verification or identity verification, let's put it that way. But first, we're going to pause and talk about some updates with what we've been working on at Privacy Guides this week. So in the video department, we're really excited. Bit of a soft announcement here. On Sunday, we're going to release an interview with Carissa Veiles.

And if you guys don't know who that is, you definitely should look her up. You're missing out. She wrote this awesome book called Privacy is Power. I'll grab it in a minute, but I actually have it on my bookshelf back there. And it's honestly, like I could gush about this book because it is so accessible.

You know, it's so like, I don't want to take drive-bys at other authors, but some other authors have written some very seminal works in the space that were very academic and kind of hard to read and pretty dense. And Carissa Vales is, I mean, she's a professor of ethics at Oxford university. So she is very academic as a person, but her writing is so like plain English and down to earth.

Like I could give this book to anybody and maybe they wouldn't read it because it's not their cup of tea, but they absolutely could read it because it is written so plain English and it's Um, but in still like full of useful information. So yeah, I, as you can tell, I'm a huge fan, but, uh, we got to interview her and we talked about her focuses on AI and ethics and, you know, what is AI going to do for the future of, of our society? Uh, we did talk about privacy a little bit.

Um, I mean, it was a, it was a great conversation. I, uh, again, not to like fanboy too much, but I was telling people like, I felt like I was smarter just for having been in the same figurative room as her. Um, unfortunately this was a remote interview, not an in-person one, but, um, yeah, so that's going to be out on Sunday. She's absolutely awesome. Go read privacy is power. If you haven't, uh, I've already pre-ordered her new book and you will get a taste of that on Sunday.

So definitely subscribe on YouTube or peer tube. And we'll be posting that when we come out or when it comes out, I can't talk tonight. Yeah, no, I'm really excited for the interview to get released. I've been working on like the editing side of things. Oh, there it is. There's the book. It's kind of a very recognizable cover as well. But yeah, I definitely am a fan as well. I think, yeah.

And Nate asked some, some really good questions in the interview about a lot of things that she hasn't talked about publicly, I would say as much. And a lot of stuff that was in the book itself. So it's like a teaser, like she's going to talk about some of the stuff in the book and, you know, I think it's interesting, yeah. So she's got a new book coming out called Prophecy, which is about AI prediction stuff. So, yeah, that's also pretty interesting.

So that could be interesting to check out as well. I think it's on pre-order until April XIX or XXI, XXI, April XXI. So it is looking quite interesting for that. But this week we also had some privacy guides news posts. So we had, looks like we had a couple from Freya and also a couple from Nate as well. So Nate did one on HackerOne pausing its internet bug bounty. So they also kind of were saying that they were having an issue with AI bug reports, which that's another problem, I think.

There was a data breach roundup from Nate as well. which I think is important to keep on top of, just scan the list. Just check it out and scan the list because you never know what you might be caught up in. And I think companies are getting to a point where they are being a bit more accountable where they're, you know, sending out notices to people, but it's also good to keep on top of that.

And there was also some articles here from Fria, like Nate talked about earlier, there's Mastodon getting end-to-end encryption, private messages. So Fria had an article about that. Fiverr exposing information of its users publicly on Google search results. Oh my goodness. It's horrible. India dropping proposals to require biometric ID app after strong opposition. So yeah, there's a lot of interesting things going on in India regarding that.

And there was also some stuff about Google Chrome adding protection against cookie stealing malware. But yeah, kind of interesting, interesting week. So definitely check out the privacyguides.org slash news section. I guess with that being said, all this is made possible by our supporters. And you can sign up for a membership or donate to privacyguides.org. or you can pick up some swag at shop.privacyguides.org.

Privacy Guides is a nonprofit which researches and shares privacy-related information and facilitates a community on our forum and matrix where people can ask questions and get advice about staying private online and preserving their digital rights. And yep, if you want to do that, you can visit privacyguides.org and press the red heart icon in the top right-hand corner. of the website. You'll also be able to sign up for a membership and get sweet perks as well.

But now let's talk about the future of warrantless surveillance in the U S Nate.

Yeah. All right. As the, uh, as the American, I guess I get to talk about this fun little topic and, uh, that is section seven Oh two, which, um, many of you may not be super familiar with. I, for the record, um, I follow many different news sources. The other news source that came up in my feed was TechCrunch that covered this story. I know I just want to throw it out there. I know this headline is obviously has a certain political leaning to it, but it had a lot more detail in it as well.

So that's why I went with this one. Definitely a lot more detailed than TechCrunch is like five paragraphs. But anyways, so for those of you who don't know, here in the US, we have the infamous NSA, the National Security Agency. I think for some reason, my brain just blanked. I know they used to jokingly call it the no such agency because up until the nineties, they didn't even acknowledge it existed, but it does exist. And they have so many different things.

One of them is called the foreign intelligence surveillance act, which basically authorizes them to spy on, um, communications that go in and out of the country. And they play really fast and loose with that specifically at section seven Oh two, which if I remember correctly, um, John Oliver did a piece way back in twenty thirteen where he talked about this and he went to Russia and interviewed Edward Snowden. Super funny. I highly recommend it still holds up.

Um, But the way he described or the way he read Section seven oh two is it allows for the collection of, quote, any tangible thing, unquote, related to like national security and like communications, which he points out is like so incredibly broad, like telling your teenager you can only use the car for like car related activities. So it's like, OK, hit and run, drinking and driving like these are all car like street racing. These are all car related activities, my dude. So yeah.

pretty broad stuff and the government has done so accordingly. And so section seven Oh two has been very controversial on both sides of the aisle.

Uh, there have been politicians from both political parties who have said like, Hey, we need to reign this in at least publicly have said we need to reign this in because for well over a decade now we have failed to do that, but that might be changing might be because, um, Section seven Oh two is one of those things that has to be renewed periodically.

And around midnight, I don't know why he did that, but for whatever reason, the speaker of the house, which is basically the guy running the house of representatives, the head representative, he convened a vote on, I guess this was last Friday. So this would have been after we recorded the podcast last week and called in lawmakers to vote on extending section seven Oh two. And it failed. by, I believe, where did it go? They said about a dozen votes.

And for those of you who are not keeping up with the US right now, first of all, I very much envy you. But our government is incredibly divided, potentially the most divided it's ever been. I don't know if that's actually true, but everything is very partisan right now. That is not me being snarky. That is just true. Everything is very partisan right now. And on top of it, the... what's the word I'm looking for?

The margin of control, like the ratio of, because we have a two-party system in the US, which is probably our first mistake. Our ratio of like one party to the other is like razor thin. So everything is very contentious. Right now, the Republicans, which is our conservative party, they have a slight majority, but it would not take a lot of votes to flip things. And that matters because about a dozen Republicans voted against renewing this thing. And that was enough to not pass it.

And they tried again anyways. They were like, hey, let's do another vote. Like the same night, they were like, let's do another vote. And then the number went up to like twenty. And I think that's when the Speaker of the House was like, oh, we should probably stop because I'm losing support. So they stopped. They did manage to pass. Sorry, I did a control F here. They did manage to pass a ten day extension. So Previously, it would have run out on Tuesday.

Now it's going to go basically until the end of the month. But even then, it's still – the US is so weird. It says later on here that – yeah, right here. The Foreign Intelligence Surveillance Court quietly recertified the program in a classified ruling on March I don't know how that works. Jonah commented on Mastodon. He doesn't know how that works either, and we're both natural-born American citizens as far as I know. We're a very confusing country.

But I think this is exciting news because it already failed to pass twice, and I have to assume that if it just full-on does not pass, like if they cannot get this thing passed through by the end of the month – then it's got a deadline. And I don't know what's going to happen when March, twenty twenty seven rolls around since apparently Pfizer can just decide to keep doing it. But I don't know. I think to me, I'm hopeful because this represents the first time in like.

over twenty years i think that we might actually have a shot of getting this thing defeated um but that's where we're at right now those are kind of the facts is uh it failed to vote twice it's got an extension until the end of the month um it really needs to i mean no matter where you are on the spectrum i know i'm probably mostly talking to people who are like good this thing should die but i i also recognize there's some people who are like well you know there does need to be some stuff for

national security, right? But this thing has been repeatedly abused for warrantless surveillance. Like again, the government is not supposed to collect data on American citizens and it finds all kinds of loopholes to do it anyways. This is actually the thing that like, they use this to buy location data from third parties. And I think that's one of the, it's funny is like the Democrats didn't even want to completely kill this thing. They just wanted to reform it.

They're like, require a warrant, stop buying data. And the Republicans were like no. So I'm glad to see at least some Republicans agreed with this. So I think the one thing I wanted to add is where did it go? There was – basically they did – the Republicans did try to introduce some quote-unquote reforms, which were already existing things. Like where did it go here? Yeah. So the amendment contained a provision that was in essence a fake warrant requirement.

It would have prohibited government officers from intentionally targeting Americans' communication without a warrant, which is already in the statute. It also offered the government a warrant path if agents had probable cause to suspect the subject is an agent of a foreign power, an authority that already exists. So basically they just wanted to reiterate things that were already in there without actually doing anything meaningful to rein it in. And just to drive home the point, ready to go.

The FBI has used Section seven oh two to run warrantless queries on a U.S. senator, nineteen thousand donors to a congressional campaign, Black Lives Matter protesters and both sides of the January six capital attack. So. I don't know what to tell you. To me, this is pretty obviously unconstitutional and needs to be reigned at very least needs to be reined in regardless of where your political leaning is. But it might just die altogether. And I don't know.

I guess we'll see what happens if it doesn't pass in March of next year rolls around. But yeah, I think that's all of that story. Did I did I miss anything, Jordan? I guess I just have questions that maybe people in the audience might also have. Yeah, go for it. I'm not a lawyer, but I'll do my best. Yeah. So like, I guess my question would be like, I thought that you did need a warrant to surveil people. Is this like a specific special case that people have to use like specifically or.

Yeah. So section seven Oh two authorizes warrantless surveillance on non-Americans. And I know we've talked about this briefly in the past in relation to other stories. The loophole is that like the, When I text you, for example, I mean, we use Signal, so they can't see it anyways.

But when I text you, since you're Australian... our communication crosses international borders and that's the justification the NSA uses to scoop up that surveillance or to scoop up that communication and say, we get to collect this.

And in theory, they're probably supposed to throw away like my side of the conversation or something, but it, you know, it doesn't stop them from basically spying on me without a warrant to be just because I'm talking to you, even though they might not have a reason to suspect anything. They just, it crosses international borders. So yeah. Yeah. So wait, okay. So I, but they wouldn't be doing that to everybody automatically, right?

Like it'd have to be like, if I was on a watch list, maybe they would consider doing that, right? Like, no. As far as I know, it's a like carte blanche across the board. They do not need a warrant to spy on any non-American citizen. Wow, okay. Yeah, which is kind of, it is very horrifying.

And it's also kind of crazy to me that, you know, when I think about like the US landscape, like conservatives are so like, and I don't even mean this as a ding, like conservatives are so like pro-American, like Americans rights, like I'm a US citizen. I get all these wonderful freedoms and rights. Then why can't we agree on the basics of like, stop spying on your own citizens without a warrant? But for some reason, apparently we can't even get that far. So I don't know.

I mean, I feel like spying on people that aren't American citizens is also kind of problematic too. I mean, I agree, but I'm trying to think of like the bare minimum base floor that we could all get to agree on. But apparently, you know, I guess the bar is in hell. It's so low. So I don't know. I'm very cynical about this stuff. So I guess another question that I have is, like, it seems like in this case it was, like, a lot of Republicans who were voting against this to block this.

Is that normal? Is this, like, sort of somewhat of a bipartisan thing, like, wanting the NSA to surveil everyone or...? Yeah, so our – again, for foreign listeners, I know the US doesn't truly have like a left-wing party, but our Republicans are our conservative party and the Democrats are our more liberal party. I'll put it that way. And everybody – again, I hate to say it, but it is true. Here in America, things are so partisan that people typically vote along party lines.

And so the Republicans, because they are more conservative, they tend to be a lot more like – you know, we, we need to give the, you know, the, I feel bad saying this, but this is their logic. And I swear to God, I'm not like trying to ding anybody. Um, they're very pro troops. They're very pro police. They're very pro, like our intelligence community is protecting us. And so we need to give them all the tools they can to protect us.

And I've literally seen, I am still mad about this to this day. I literally saw there was a, uh, An opportunity, I don't remember how it got there, but basically there was a moment where somebody actually got a law all the way up to, or a bill all the way up to our Congress that basically said like, require, yeah, require police to get a warrant instead of buying data. It was literally that.

And one of the Republicans who voted against it literally said, he's like, well, our enemies like China, for example, they can start up a shell company or they don't even just start up shell company. They can buy this data from any data broker, right? Just like we can. So if we require our people to get a warrant, that puts us on unequal footing.

And I have never wanted to scream at my screen so hard because I remember thinking, I'm like, then the solution here is to pass an actual data privacy law so that nobody can buy the freaking data. But apparently that's just, I don't know, that requires too many IQ points, I guess. But anyways, personal opinion aside, like, yeah, that's, it's...

Republicans generally tend to be a lot more lenient on military and intelligence and law enforcement and argue that we need to give them as much help as they can to do their jobs, which includes putting as few restrictions on them as possible. So, yeah. I see. Okay. Yeah, I did mention in here was like the House Freedom Caucus Republicans. So I don't know if that sounds like they might be like a libertarian type people. I'm not really sure. Yeah, I'm not super familiar with them either.

I saw that too. It looks like I'd have to look more into them. Well, it's good that they voted against it anyway. I think, you know, if we can put aside all the other partisan stuff and be like, you know, privacy is an issue that's important. Let's not surveil everybody and collect all their information unnecessarily.

I think we should try and against that which is uh unfortunate i'm sorry this i'm sorry it's so partisan yeah um because i think that definitely does make things more difficult you know if there's one party that's trying to get something passed it's like we don't want to do that because it's by those people it's like uh that's not really the point but it should be based on the merit of what they're trying to pass not like you know the party yeah it's It's extremely frustrating because that's

exactly what's happening is like somebody will put like this and, you know, like, hey, spying on people without a warrant is bad. Well, I don't like you, so I don't like your bill. And it's like, dude, come on. But I do want to point out on that note, there are some pretty big names in here that I think are really telling. Yeah. Not to get too deep into politics, but like Thomas Massey of Kentucky, I'm going to assume he's a Republican because Kentucky is a very deeply red state.

Chip Roy of Texas is a Republican. Lauren Bober, who used to be like one of Trump's biggest supporters. I don't know if she still is. He's kind of losing some of his key supporters. But I just point that out as like, man, these are big people that I would not normally expect to like. vote against the party line. So that's probably more indicative of like larger us politics, but it's good to see that.

Like you said, like there are some people who are just like, no, this, this is not a partisan issue. We need to fix this. So hopefully it won't pass and then we'll see what happens. Yeah, I think it is kind of frustrating. But you know, I hope it doesn't. I guess we're looking at that on Tuesday. Oh, no, sorry, not Tuesday. Sorry, at the end of the month. So hopefully we get an update for that in a next This Week in Privacy episode.

um but yeah i think we're trying to stay tuned for updates definitely make sure to subscribe and uh add this to your podcast app um but i mean yeah i think it's uh it's important we're trying to stay um when we talk about this sort of stuff you know we're just talking about this from the privacy angle um so you know we're not trying to Because I know I personally don't talk about US politics because I just feel like I'm going to offend someone.

I'm going to always offend someone if I say something. So thanks for kind of explaining that because... I definitely have less experience. I mean, I know a bit about US politics because it's kind of unavoidable. So yeah, but I think it's good to explain things. But I guess moving on to this next

story here, unless you have anything more to add. Nope, that's all I got. All right. So this next story here is about the EU age checking app. So basically... Yeah, we talk about this a lot, you know, age verification stuff. And now there's basically a movement in the EU to keep kids safe online with this new EU age checking app. Quoting from the article here from Politico, the European Union's age verification app is ready to be rolled out to protect kids online.

The Bloc chief Ursula von der Leyen said Wednesday, sorry if I messed up your name, our European age verification app is technically ready and will soon be available for citizens to use, the European Commission president said at a press conference. And basically, according to this article, the app is a critical part of the EU's plans to keep children safe online. The technology would allow people to prove their age through the government approved verified systems.

The EU said it has ensured it would also protect citizens' privacy rights and personal data. Now, I think that last sentence right there, that remains to be seen because basically every single age verification system we've seen so far has been not great from a privacy perspective. And quoting the article again, we're holding online platforms accountable that do not protect enough of our kids, maybe. Might have been a misquote there.

The new age verification solution and the enforcement of our rules go hand in hand.

so basically uh this app is ready to be downloaded um and just kind of highlighting a post here um someone on our forum posted a link of their blog basically going through sort of the uh the new eu age verification app um so if you haven't heard of them before privacy dad they do sort of like parenting related privacy stuff um and they've been you know, posting, uh, an update here about, uh, the EU age verification app. So you can kind of see what the flow will look like.

Um, and apparently according to them, they were able to download the APK and, you know, test out the app. A lot of the features aren't a hundred percent ready and it was, you know, has a testing mode, which you can basically see how it would work. Um, It does seem like you need to scan your ID into this app. So I mean, that's fine, I guess, if you're sending it directly to the EU government and there's no third party company involved here.

But I guess that would be like a separate governmental body that's been established for this. I'm not entirely sure about the whole process behind this. but you can kind of see the age verification credential stuff. Um, so basically how it's meant to work is you visit a website or an app and you can use this, uh, use this app to basically prove that you're over eighteen. It doesn't share your age, it just shares the proof basically.

Um, But it does look like you need to take a photo of your identity document and record a video of yourself. So that's not great from a biometric standpoint. So yeah, that kind of sucks. There's a lot of different things here. So basically it's just a move to basically change the... Oh, there's someone in the chat who asked a question here. Probably outside the stream subjects, but I noticed that hosts are using Apple products.

Is there a privacy related reason or just personal preference of hardware? Personally, I'm not going to talk about personally, but I'm just going to say for work, this is, you know, I need to use DaVinci Resolve. I need to use... applications that aren't available on Linux, which I would love to use Linux. I think it'd be great if I could use Linux. But as far as I'm aware, there's still a lot to go on DaVinci Resolve. It's quite annoying to use on Linux. It's missing some stuff.

It is less stable. It's less supported. I use Affinity for all the graphic design stuff we do here at Privacy Guides. And As far as I'm aware, that is also quite finicky. Generally, I want to be focusing less on the technical issues, like having a bug happen in DaVinci Resolve where like I can't render a video or like something like that, less if possible. So, you know, I think you kind of have to use what you have to. I mean, I don't have any personal information on this computer.

It's like a work computer. So I'm not really that bothered by using an Apple product to do this. Um, So I think you just have to compartmentalize things. But sorry, I kind of got off track. I just wanted to quickly answer that question because I guess Nate has got a MacBook and I'm using an Apple avatar. So I guess that was kind of a question that needed to be answered. But yeah, do you have any thoughts on that or on the EU age verification stuff?

Um, well, I guess let me start with the question. Um, so I am fortunate enough to have one of each computer and this is also a work computer. This was, this was given to me by privacy guides because my windows computer is from, I think. So in tech years, it's starting to get up there. I've had a couple of close calls with it already. And so this was kind of like, Hey, We should get me a MacBook just in case the day comes when my Windows computer doesn't boot and I'm not completely up a creek.

So this is kind of my backup, my computer. But then also like my Windows computer is like I've got all the cables dressed in and it's really nice. So it's like, cool, the Windows computer can stay there. And then I'll use this one when I travel or for the podcast or something. Um, cause I probably should do more work at a standing desk, but I don't cause my, my actual desk has like three screens and well, two plus the laptop and I have studio monitors and stuff. So yeah.

Um, I try to use Linux more for the actual, um, like basically anything that doesn't involve editing or gaming. I, um, honestly, I prefer windows just out of habit just because I'm so used to it. And also, again, I do some gaming and windows generally handles gaming better than Mac. Um, I've heard gaming's come a really long way on Linux.

I know Nick from the Linux experiment, uh, edits on DaVinci, but I also, I was an audio guy for like, I was a professional audio guy for years before I, I took this job. So, um, I, uh, I have amassed a collection of plugins and workflow that are very specific to Windows. So even if I moved over to Linux for DaVinci, there's a really good chance that a lot of the plugins I rely on would not move with me. Yeah, I don't know. But I... Yeah. I mean, that's kind of my workflow.

I, I use it largely for, um, production. I use windows for production and gaming. I use the plugins, which is why I'm still on windows. And also I use cubes, which is that's never going to do production or gaming to begin with. Um, not unless somebody wants to donate like a, a thousand dollar computer. That's just super souped up and I can make GPU pass through work reliably. which I've heard doesn't always, so yeah.

And also I hate to say it, but like, so when I got this computer, I used it as my main computer for like a week or two just to, and I edited like three or four videos just to make sure like this will do what we need it to. This is an acceptable backup. And I, it's weird. Cause in college I had a Mac and it was fine. You know, like I remember when I switched back to windows, I was like, which I did mostly because it was cheaper.

Right. Like when my Mac died, I was like, yeah, I'll just go back to windows. And I remember thinking like, I don't understand why people are so mad. Like you can switch between them. They're fine. They're easy. But for some reason, when I was using this recently, I was just like, these keys are driving me crazy and I hate it.

And like, even now I'd like, occasionally I put things in the wrong place or I like, apparently there's this thing where if you tap too hard, it like, does something different and i don't know if i'm making sense but i i tap things really hard and it does not work well so yeah it's just the workflow is i i could get used to it if i had to but it's definitely i was just kind of like you know what it works i'm going back to windows to be honest so i don't know um macs are

definitely much more private and secure i would argue and certainly a lot less annoying with the ai um this thing did not come with apple intelligence enabled and uh you know apple intelligence is also probably more useful than copilot i would imagine haven't used either but i would imagine so i don't know um yeah this it's not okay well either way um yeah i mean it's it's uh it's it's not my daily driver um and i don't even mind using linux it's just it's it's a

work computer mostly and it just happens to fit my workflow so anyways um yeah going back to the the eu story so Um, yeah, I mean, I think we just wanted to share this because it's a bit of an update to all this age verification stuff. The way I understand it is that, um, this is an app that can be used as is, but it's also designed to function as a framework for other companies to build on top of.

I could be wrong, but this is how I understand it is basically it's like, it's almost like, um, a lot of you guys might remember during COVID, um, Apple and Google released like a built-in contact tracing thing. And that way other states could build on top of that. And it was kind of like, look, here's a relatively private and secure, certainly more so than whatever crap your underpaid IT guys are going to cook up in the ten minutes you give them.

like, it's kind of like, here's a framework to start with. So you can at least start off on a good foot and build from there. And I feel like that's kind of what this is, is the same thing is where it's like, you could use this as is, but you could also like roll your own local version. Um, if I understand it correctly, I could be wrong, but I feel like I saw some people saying that.

Um, the last thing I do want to know real quick, I want to pull this up is, uh, For the record, I don't know who this person is. I don't know their credentials, and I haven't seen a whole lot of people verifying this, but I also haven't seen a whole lot of people contesting this. But this claims to be a security consultant who said that they found potential vulnerabilities in the EU's age verification app in under two minutes. So one of them is that I guess you can delete the PIN.

Like, there's a way, yeah, the attacker can simply remove the pin values from the file and restart the app. After choosing a different pin, the app presents the credentials created under the old profile and lets the attacker present them as valid. And I think they said there were some others. But I guess all that to say is, like, if you don't have to use it, I mean, obviously, we don't think you should use this kind of stuff in the first place, right?

Like, we are very anti-age verification people. Jordan made an excellent point earlier when they said that, like, this may have been before we were live, but I think we were live. But Jordan pointed out that, like, you know, parental controls exist. They're already there. They're already fine. So, but...

Yeah, if you're – I mean we're not telling you to break the law, but if you're in an area where this is not required yet, definitely I would not advocate for downloading it because it seems like there might potentially be vulnerabilities. So I would wait for more people to do some research and kind of look into this and – Hopefully they'll fix these vulnerabilities. Cause I mean, it's, it's like the very least they can do, right? If they're going to be like, everybody has to give us our ID.

Like the very least they could do is actually secure it in a way where you can't just like delete the pin and restart the app. Like that's completely insane if true. So I don't know.

I think actually we're, yeah, we're, we're going to talk a little bit more about age verification here, here in the U S so I want to point out, this is a brand new hot off the presses story. And as a result, it's probably sitting in my RSS feed as I say this, but I have not seen any of our usual, more reputable outlets cover the story. So unfortunately I had to go with a press release from a Congressman from New Jersey, Josh Gothamire, Gotham here.

I don't know, but yeah, no offense to him, but I'm just saying like, this is a press release. It's going to be a little bit, what's what I'm looking for polished in overly optimistic and maybe not the most balanced piece out there. So take this with a grain of salt, but apparently the U S has introduced a bipartisan parents decide act to protect kids online. And, uh, this is basically the, uh, the operating system level age verification, which again, I keep calling it age verification.

I should be calling it identity verification because it will require everyone to do it. Not just kids.

Um, But yeah, it will require operating system developers such as Apple and Google to verify users' ages when setting up a new device rather than relying on self-reported ages, allows parents to set appropriate content controls from the start, ensure that age and parental settings securely flow to apps and AI platforms, and prevent children from accessing harmful or explicit content by creating consistent, trusted standards across platforms.

I... I feel especially cynical about age verification in the US. I will admit I got this from another video. This is not an original thought, but it's a good thought. First of all, we don't even have a national privacy law. Nothing. Nothing at all. So do whatever you want with this data. I think just last week we covered a story. It was either last week or the week before.

We covered how the governor of... wisconsin i think it was vetoed a state level identity verification law because he's like we don't have um he's like this this thing doesn't have any protections against like selling the data or securing the data like there's none of that and and that's true at a national level so first of all there's that um I will forever remain cynical that schools have data breaches left and right, and nobody seems to care, but somehow encryption and you know,

all this is what's putting the kids at risk. Not the fact that the LAP or not LAPD, but the LA school district just leaked the date of birth, email address and home address of every child in the city. No, it's, this is the problem here. I'm being very sarcastic in case you can't tell. And, um, There's also the lawsuit just the other week where Meta and Google got legally found to have addictive algorithms.

And I think- again, not an original thought, but I like this thought that I've been attached to lately is the idea of like, it's so ridiculous that we're saying that this is only bad for kids. But once, once you're an adult, it's fine. Like you, you can go ahead and let these companies abuse you and just mistreat you and use your data, but you have to be a certain age. It's just, I don't know. It's, I think we're regulating the wrong thing.

And I think, um, Jordan and I had this discussion recently too, where in a lot of other countries and maybe here in the US, sometimes here in the US, when you set up a new device, it prompts you like, is this for a child? And if you click yes, it will tell you about all of the potential parental controls that exist. And I really think that's a much better way to go. Like, I like parts of this, right? Like, allow parents to set age-appropriate content controls.

I don't know who's not allowing parents to do that, but let's pretend. Ensure the age and parental control settings securely flow to the apps and AI platforms. You know, like, I think those are good things, of course. But I don't understand why we can't start there. Like, why don't we start by empowering the parents to know that these controls exist? Because, again, you know, like...

I'm so tired of talking about age verification, but you know, this whole like prevent children from accessing harmful or explicit content. Okay. What about classical artwork? Right? Like that's a class, a common example, like ninety percent of these classical era Da Vinci's and whatever, like they're both men and women are partially or fully naked. So like it, does that count as explicit content or is that like valid because the artwork, you know, I just watched them.

Obviously this is not a one-to-one, but I just watched the sci-fi movie the other week called any aura that is like soul crushingly depressing, but it had artistic value. Like, yeah, it was a really sad, depressing movie, but it had an artistic merit to it. It wasn't just like, I'm going to go watch something depressing for the sake of it. So it's, it's very like I use that as an example. It's just very like, I don't know. I don't know what I'm trying to say. It's getting late.

But it's so depressing that we have no protection for data in the first place. And now we want to pass this national law that says turn over your ID when states can't even agree what counts as harmful content. And, um, yeah, you know, Swiss, Swiss kill said here, like whose responsibility is it to raise their child? To be honest, it's not even responsibilities for me. It's like, right.

Like to me, it feels so taking away the agency from the parents to say like, okay, the government's going to tell you what your kids can look at now. Like, that's really what we need to start, how we need to start wording this because I guarantee you parents on both sides of the aisle are not going to be cool with that. And it's just, it's, uh, yeah, it's so frustrating to me.

I don't like I don't – nobody is saying the internet is perfect, but I think most of us can agree that this is not the way to solve it. So I don't know. I feel like I'm just going to keep going in circles if I keep talking, but yeah.

Yeah. Yeah, I think they should rename it to Corporations Decide Act because a lot of times, you know, like a lot of these things that this Gottheimer, Josh Gottheimer guy is announcing in this press release are like, you know, require operating system developers like Apple and Google to verify users' ages when setting up a new device rather than relying on self-reported ages. Um, that's fine, I guess.

I mean, but that's also all that information is going to be throughout flowing through Google and Apple. Is that really what we want? All of this personal information, like flowing through big tech corporations who, you know, we know Apple and Google are not, they don't, they don't have a respect for our information.

So, um, you know, I don't think that's a great idea, but it's also just, you know, These app stores, like it says in here, allow parents to set age-appropriate content controls from the start, including limiting access to social media apps and AI platforms. So a lot of times that's going to be done through an app store. And like we saw with the app store, I believe it's called the App Store Accountability Act. Am I correct in that? Okay. I think so. If we're thinking of the same one, yeah.

Right. Yeah. And that one was also trying to be passed in the U S and I think it's, this is like almost a similar thing.

Like it's, it's kind of pushing this onto the app store, which we've talked about before, but like, and Nate mentioned a little bit there, um, like, you know, how do we know what they consider is mature or like, how do we know what they're choosing to take down and not allow people to access is, um, age appropriate like who decides that um so that's another another slope of things um I think you know there's definitely easier ways to do this than having to

do such aggressive measures um but I think it kind of does take the agency away from parents a little bit because like I think you know it's definitely a thing where parents have very different ways of raising their children, right? Like some people will do something a certain way and some people will be the complete opposite of that. So I think, you know, forcing people to do things a specific way and to have access to certain stuff is interesting.

I think there's different ways of doing that from a parenting perspective. Um, so I dunno, I think a lot of times though, you know, maybe we shouldn't be giving, I mean, this is completely a personal opinion, but maybe we shouldn't be giving children, you know, devices that can just access the entire internet. Because I know when I was like younger, uh, having access to the, to the internet, unrestricted access to the internet was probably not the greatest thing for my development.

Right. And I'm sure many people who are like, you know, iPad kids or like Gen Z type people might also like share the same thing. Like basically having answers to any question and, you know, access to anything at any point is not a great thing in some cases.

So, you know, I think that's, that might be something that needs to be tackled from a different angle from like parents or, parental controls um but I don't think it's I don't know I don't think this should be up to the government to decide um so and it doesn't really seem like it respects people's privacy anyway so yeah I don't really have any more to add here Yeah. I don't, I don't think I do either.

It's just, um, I think the thing I'll end with is if you're in the U S uh, definitely contact your representatives. I certainly will be, um, this coming week and, uh, you know, try to outline, I would argue, try to outline why you're against this. Um, I don't know if that will increase your odds, but I feel like it would be a lot more effective instead of just be like, Hey, I'm against this thing. Be like, I'm against this thing because it takes away agency from the parents.

It, there's no meaningful protection of the data, uh, you know, all these kinds of like, maybe we'll get lucky. And maybe some of these politicians will read, I mean, obviously they won't, their aides will read this, but maybe some of their, their assistants will read some of these responses and just be like, Oh, you know what? These are like legitimate concerns. And, and I think also spreading awareness around us.

Like, I know I'm always the first one to be like, Hey, contact your politicians, but, um, I really think telling the parents around you, this takes away your agency as a parent. What happens when there's a data breach and your ID gets leaked? I think those are things that will get their attention and get them to sit up and realize, oh, yeah, maybe this isn't the best way to go about this. Because a lot of people really don't see what the issue is, right?

There's all these false equivalencies, like, oh, you have to show ID to go into a bar. But it's just... Yeah. So and also real quick, Swiss Kill said here is, you know, it's more effective than stop that. I also want to point out, like. Be nice to people, because if you just send them an angry message about like you're an idiot and this is the dumbest law ever, like they're just going to put you on the block list.

Well, I don't think legally they can block you, but they're just going to ignore you. So, yeah, my mom used to say you catch more flies with honey than vinegar. So, yeah, I don't know. Could you maybe offer some... How exactly can you get in contact with this person in particular? That's a good question. Hold on. Let me look it up here because I did... I'm not going to show my own blog, but I did write this really long opinion piece on my own blog. And I did include...

Um, so congress.gov, house.gov, senate.gov are all websites you can use to find your state level politicians in the U S which you probably want those people right now because, um, this is a national law.

There's also common cause.org and usa.gov are some additional websites to help you figure out who are your representatives, which honestly, if you just web search, like who are my political representatives, usually several websites will pop up and you will, um, In case anyone is not aware, you will have to put in your address because that's what determines what districts you fall in and stuff. But yeah, I don't know. To me, it's worth it.

Yeah. And, and real quick, Canada said, I was under the impression that Google and Apple oppose age verification. They all do, which I think should be extremely telling that like meta doesn't want to do this. Open AI is one of the companies that's been lobbying these groups behind the scenes. I forget where that came from recently, but yeah, like Google and Apple have openly pushed back against the app store accountability act. Like nobody wants to be responsible for this data.

which to me is extremely telling. Like the one time that all these companies that are just built on violating your privacy, monetizing your data, collecting every... Like meta... built an app that purposely opened up ports that it doesn't normally open up to get around the sandboxing built into the phone. I think this was on Android, but it may have been iPhone. It may have been both. I can't remember.

But either way, like I forget the exact details of the story, but they purposely found ways to get out of the sandbox and bypass the protections built into the device to spy on the other apps on your phone. This is the same company who said, we don't want to be responsible for this. And I think that should be extremely, extremely telling. Thank you for coming to my TED Talk. Tip your servers. Yeah, that's all I got. Nice. Yeah. So I guess with that being said...

I guess in a minute we can start taking fewer questions. We've already kind of had a couple here. So if you've been holding on to any questions about any of the stories we've been talking about so far, go ahead and start leaving them. You can either leave them in the chat or you can also leave them in the respective forum thread for this live stream. And for now, let's check in on our community forum. So there's always a lot of activity over there.

And this week was no, You know what I'm trying to say? No exception. No exception. Yeah, this was a very, very busy week. So I guess this first one here is there was a Visa card vulnerability.

So if you haven't seen this already, there was a video from Veritasium, which was just a quickly... recap what the video was about basically they did a collab with uh mkbhd where they basically had his uh phone and they were able to extract ten thousand dollars from his credit card um without any input from him like they just had his phone and they were able to extract ten thousand dollars Um, so that was kind of concerning, uh, definitely a very interesting video.

I haven't had a time to watch the entire thing yet. Um, cause this week has been incredibly busy, but, um, Definitely worth checking that out. And I'll just highlight Jonah's comment here because he did watch the video. I just finished watching this video a minute ago. I knew this would be express transit related, but this interplay between that and Deezer is interesting.

So basically the way that this kind of exploited it is it uses this thing called express transit mode, which I mean, I can't comment on if this is in the US quite a lot, but in Australia, like it's kind of very common. So basically when you tap onto public transport, you can basically use your phone to tap on, but you'll have to also authenticate yourself. Usually that's how it normally works.

But if you enable express transit mode, it actually just allows you to tap your phone without authenticating at all. So that's why this becomes a bit of a problem, right? Because it would be fine if you had to authenticate and then it goes through. But basically this exploit was able to basically extract ten thousand dollars from MKBHD's phone and without him verifying anything. And apparently this was due to a vulnerability in Visa.

They didn't have any, they didn't like cryptographically check the transaction or something. I'm not entirely sure of what the specifics are behind that, but there was some more people saying, there was another post here from Jonah asking whether express transit mode was enabled by default with a credit card on their device. I mean, I can comment on that, that it is a specific thing you need to enable. And sometimes it does. We don't have public transit in the US. I thought you did.

I thought you did. Oh, is it private? We do, but it's pretty garbage. So for all intents and purposes, we don't. Years ago when we were still dating and we first started living together, my wife had a job that was maybe about a twenty minute drive by car. And long story short, I had had... The particular place we lived at, it was really easy for me to get downtown to go to work. And so I was like, you should try the bus one of these days. Just try it. You don't have to drive.

You don't have to park. It's really handy. It took her three hours by bus. And she never did that again. So our public transit in the US is absolute garbage. But continue. Oh, I see. OK. I definitely have seen some public transit stuff. I mean, I think there's definitely some places where it's a little bit better, from what I've heard. Yeah, like New York is okay. I had good experiences in San Francisco, although I know everybody who's from those places are just like, really?

But yeah, it's definitely not great in most places. Okay, right. I don't know. We've basically had this massive blitz from Apple in Sydney where they were basically saying, like, use Apple Wallet to use transit. Use Express Transit mode to speed up your commute, like all these ads from Apple, which is kind of funny because...

Now we're learning that there's a vulnerability with visa cards and express transit mode, um, which, yeah, um, I personally enabled it once and I accidentally tapped onto some transport twice and then I disabled it because, yeah, you probably don't want it to automatically activate like that. But it is something you have to opt into and it is part of the flow when you set up a credit card in Apple Wallet. I do wonder if this... could also be exploited on Google.

Um, it does say in this video, there's a picture of a Google pixel in the thumbnail and, um, it says safe, but I believe express transit mode is also available on Google wallet as well. Um, but maybe there's more checks going on there that secures that better. Um, But yeah, there were some comments responding to Jonah's thread there saying that their credit card wasn't enabled by default with this feature.

So unless you accidentally enabled it or did something in the setup process, then it's probably not enabled. I think this was kind of unfortunate for MKBHD because he just got ten thousand dollars removed from his credit card. Obviously, they gave it back. But, you know, it's like imagine if he wasn't in a. Imagine if that was an attacker, that would be ten thousand dollars stolen and all you'd have to do is steal someone's phone. So, you know, I think.

trying to reduce the things that thieves can do with a mobile device is good because it makes it less likely to be stolen. Um, I don't think stealing an, an, an iPhone or a Google pixel or any of these other devices is a very good idea. You're basically stealing a tracking device at that point. so yeah. Um, Definitely an interesting thread there with some discussion. Do you have any thoughts on this one, Nate? Yeah, I think it was really the video that everybody found interesting.

But it seems that this is primarily limited to Visa cards. Like, again, that comment you were looking at from Jonah, he said... Again, I didn't watch the video either because it's been a busy week. But he said, I'd have to agree with Apple that this is primarily a Visa issue. But Visa's point that it is not worth fixing is probably accurate too. So I definitely want to try to watch the video this weekend.

But yeah, I was kind of asking Jonah a little bit more about this before we started streaming. And there's not really any defenses at this time other than just to disable the – the automatic transit or whatever it's called, the express transit.

And so it's just kind of a reminder, I guess that like privacy and well, yeah, privacy and security and convenience are almost always i i want to push back on always because i think there's actually been a few times that privacy and security have actually made my life more convenient but definitely ninety plus percent of the time they are on opposite ends of the spectrum with each other and that's kind of part of a threat model right is you have to ask like what am i

trying to protect who am i trying to protect it from how much trouble am i willing to go through to protect this thing and i think I don't really use a lot of tap-to-pay stuff myself, mostly just because my phone doesn't support it. So I can't say for certain, but I would have to imagine that for most people, it's pretty like... It's probably not the end of the world to disable this express transit. Sure, it'll slow you down a little bit.

And I mean, I also have to ask, again, I didn't watch this video, but genuinely asking, how easy would this be to pull off? Because just because it can be done, I mean, we can put people on the moon. Kind of hard. We haven't done it a whole lot. So, you know, it's the same thing here. Like, just because this can be done doesn't necessarily mean that it's something that you have to worry about every random person on the street doing this.

So, if it's something that's very unlikely and you're in a really, really busy area where it's like, no, dude, that extra, like, two seconds it would take me to do this would actually kind of add up over time and get really annoying. Like, okay, maybe it's worth leaving it on. But if it... if it's not really going to impact your life, it's probably better to err on the side of caution.

And somebody also said here that MasterCard has resolved this issue and Visa stands on that this is possibility of this to happen is so small. I agree with you. If it's one of those things where it's like, we know there's a solution and there's really no reason not to do it. I mean, that's what I'm basically saying, right? Like if you have no reason not to turn the setting off, then just turn it off. And I agree with you a hundred percent.

Like if Visa could easily fix this, then they really should. But yeah, It doesn't sound like they're going to do that anytime soon. So unfortunately, it's on us. As usual, it's on us to care about our own privacy because these companies do not, or our own security in this case, because these companies do not. So I think that's kind of my takeaway from that one. Yeah, I just want to highlight Pineapple Express's comment here. Transit... That's a good comment. Yeah. Thanks for commenting. Transit.

Thanks for adding to the discussion. But I think, yeah. Wasn't pineapple express a type of weed in a movie? Sorry. Possibly. It's an old movie. Yeah, it's definitely, I feel like it's definitely some references in the chat usually. But yeah, I think, yeah, I mean, I think it's like, so the process between like, I feel like it's the... the process between authenticating and tapping is like so little that it's like, really, like, are we really doing, is this really necessary?

Um, so I feel like it's not really that much of a concern. Just disable it. Just don't use this feature. Like it's, I don't know. You kind of know when you're going to get off transit, you know, when you're going to get off a train, you know, when you're going to get off a bus, a ferry, whatever. Um, so, you know, just time it with how you're doing it, just authenticate and then tap. I think that's the easiest way to get out of falling into this issue.

But I guess there was also another thread here from someone talking about airplane mode on Graphene OS. I'm just going to read their comment. I'm not going to mention their name for privacy reasons. I think people should be aware that airplane mode on Graphene OS doesn't completely turn off the SIM as you can still receive and make calls over Wi-Fi, a technology known as VO Wi-Fi. I am not certain about it, but I think this means your ISP can know your location, at least when you stay home.

VO Wi-Fi might only work on router from the same ISP as your mobile. You can disable it in the SIM settings. This is interesting. Do you have any thoughts on this? I don't even know if this is a thing in Australia. So you guys don't have airplane mode in Australia? I mean, the VR, VR, wifi. Oh, voiceover wifi. Yeah. I don't know if we have that here.

Like I know there is, um, in a lot of phones, there's a setting to enable wifi calling, uh, which maybe that's the same thing, but, uh, maybe voiceover wifi is like the protocol that enables that. And that's just what the settings called is enable wifi calling. But yeah. Um, no, I think I, I wanted to highlight this because, uh, we do recommend on privacy guides to use airplane mode whenever possible.

And, um, I think I just really wanted to point out that this is one of those things where it's like it's kind of a very niche, like a more advanced thing, but it's still something that's good. Like it's always good to have things on your radar, right? It's always good to have that information and make decisions accordingly. So here's actually one of the comments that we wanted to highlight to kind of explain this. Disabling your SIM does not... Where does it go?

Airplane mode is intended to disable cellular radios, not your SIM, and is well documented on how it works on every mobile OS. I think they said that Graphene documented that. Graphene has really good documentation. They said, likewise, disabling your SIM does not disable your cellular radios, and your device will still ping cell towers unless you enable airplane mode.

It's in the name really airplane mode exists solely to comply with regulations requiring cellular radios to be completely turned off. The privacy factors are a side effect. So basically I think what, what they're saying is that if you enable airplane mode, you are turning off the radios, but not necessarily the SIM card itself.

So if you do have other things turned on like voiceover wifi, then that is a, potentially, if you're not using a VPN, for example, I'm assuming a VPN would beat that because it's voice over Wi-Fi. I mean, it's a really good thread because a lot of people talked about, apparently on some phones, the voice over Wi-Fi still goes outside the VPN, but Graphene tries to send everything through the VPN as much as possible.

So it's one of those things where, again, I think this is probably... more extreme privacy thing. I think it's probably not going to make or break most people, but it's still definitely something that you should know of and you should be aware of. And if that is part of your threat model, you should factor that in. It's good information to have because I was also kind of under the impression that I don't know.

I think I was kind of under the impression that turning on airplane mode would kind of turn off the sim, or at least, I don't know what I was under the impression, to be honest. But it's definitely something interesting to keep in mind, for sure. And yeah, I see you highlighted, Jonah said that voice over Wi-Fi and enable Wi-Fi calling are the same thing. So good to know. OK. Yeah, I've never heard it called VO Wi-Fi before. I thought it might be a different thing.

But yeah, Wi-Fi calling, we do have that. Yeah, same here. I think one thing as well is airplane mode. As far as I'm aware, like if you make a call to emergency services, it still connects to the tower as well. So yeah, I think I'm not entirely sure if it's, I'm pretty sure the whole point of airplane mode was to stop signals coming out of the device when you're in an airplane. So yeah, I guess that's fine, except if you launch an emergency call, I guess.

I guess there's maybe laws that have to, that say it has to be bypassed for emergency situations. I'm not sure. Yeah, and to be honest, I didn't, I don't know how it works in terms of bypass. Like, I don't know if, I'm assuming not, just based on the true crime stories I've heard.

I don't know if cops can like, still continue to track you like okay obviously what i'm saying is if i have airplane mode on and i call nine one one yes it's gonna go through um what i don't know is can they reverse that could the cops just surreptitiously decide to figure out where i am when i have airplane mode on my money says no but i could be wrong on that one um yeah i don't know it's interesting stuff i think one thing nah that's not not really relevant i was going to talk

about uh the the different triangulation with a cell versus wifi, but I don't think that's really relevant to this. So it's, it's interesting stuff though. Like I said, I think it's one of those things that if you guys have some time, definitely go check out that thread and just kind of give it a quick browse. Cause it's, it's, it's not a very long thread. I think there were only what, like not even ten replies or something. And so it's just one of those, like the more, you know, kind of things.

On that note, we're going to take viewer questions and we're going to start with the questions on our forum from our paying members. You can become a member by going to privacyguides.org and clicking the red heart icon in the top right corner of the page. Or I keep forgetting, we also have privacyguides.org slash donate, which will take you right there.

Um, so we only had one question this week and somebody said that privacy guides currently does not recommend to enable the tell websites not to sell or share my data feature in Firefox. Should we enable this? If so, is it still worth enabling? Even if you don't reside in a jurisdiction that makes GPC opt out functional, but more of a statement of preference. So, um, I have a lot of beef with Mozilla, but one thing I will give them, it's both a pro and a con is yes.

If you click the button that says tell websites not to sell or share my data, I, on Firefox, that does not enable do not track. That enables GPC. And on the one hand, I wish they would make that a little bit more obvious. I did have to dig into the documentation to learn that. But on the other hand, the average person probably doesn't know the difference anyways. So what does it matter? Crap, I'm out of water.

So as I understand it, and someone please correct me if I'm wrong, I don't think there's a drawback to enabling GPC. In the past, Do Not Track had this thing where when you enable Do Not Track, it basically did something in the headers that ironically made you stand out more. It created a header that wasn't there, and that was one more data point they could use to track you.

And since there was no legal enforcement behind it, a lot of websites straight up say in their privacy policy, they're like, we do not respect Do Not Track requests. which is crappy, but at least they say it. So... I don't know. What I was told is that the way that GPC works is somehow more privacy respecting. And I don't, the technical stuff goes over my head. I don't understand how, but it's one of those things where they're not supposed to be able to track you.

Like that was a lesson learned from Do Not Track is now we've implemented this in a way where it cannot be used as another fingerprint data point. So even if you're not in an area where GPC is required, as far as I know, it still doesn't hurt to turn it on And, you know, if they don't, it's one of those things where, you know, a lot of people say like, there's no point. Sorry, let me back up.

So I was told by a lawyer one time that if you do not interact with a cookie banner, companies are supposed to treat that as the same as saying, don't track me. And they're not supposed to track you. They're not supposed to put the cookie there. a lot of people will argue that like the cookie banner doesn't really matter. And they're just going to track you anyways. It's one of those things where like, in my opinion, it doesn't hurt to say no, because it just, I don't know.

I'm having a hard time with words tonight. It just doesn't hurt is what I'm getting at. As far as I know, if, if it doesn't, If the company's not going to respect it, they're not going to respect it regardless. But if they do respect it, it's not going to make you any more fingerprintable. I know I remember, I wish I could remember what it was, but there was a period where I was like going to websites and I would keep seeing a little pop-up just for a second, a very non-intrusive pop-up.

Imagine that, crazy. That just said like, hey, we saw your browser has GPC. We respect that and we're not tracking you. And I was like, holy crap, that's awesome. I haven't seen it a lot lately, but yeah. So as far as I know, in my opinion, I think it's totally worth enabling. Um, Jonah said we'll have to make a video or something explaining it more. So, uh, he didn't say I was wrong, so that's good news. I think, I think I was right about that. Yeah. I mean, I agree with all points. Well said.

Um, I didn't really have anything to add to that. Um, yeah. Cool. That was our only question in the forum. The only other one person said that Chrome is planning to add the GPC toggle this year. We still don't recommend Chrome. Someone else said that it is enabled by default in LibreWolf, which makes sense. And we do have one question in the comments so far. Swisskill is asking about any router recommendations in the EU after the US banned foreign manufactured devices.

I don't have any reason to believe that there's any backdoors. I don't... Okay, I'm going to be a little political here. A lot of what the administration is doing does not make sense, even to a lot of us Americans. Some of it does, I will say. That doesn't mean I agree with it, but some of it does have a logic. Some of it very much looks like somebody just woke up and decided something one day.

And this is one of them where there's no... as far as we know, at least there's absolutely no evidence to suggest that any of these routers, cause they're all like, if you go back and watch, we, we made this our headline story when this happened on the podcast. Um, so go out, go back and check that one out. I don't know what episode that is, we don't know of any existing backdoors. All routers are currently foreign manufactured anyways.

So this whole idea of like the U S is banning foreign manufactured routers. The U S is banning all routers, basically a quick update, actually net year finally got their first exemption. That was almost one of the stories we covered, but a pretty crowded week. So we decided that one was the weakest one, but I don't know, personally, I wouldn't worry about it. What I would focus on instead is looking for a router that's, um, compatible with open source firmwares like open WRT.

Um, I've had good experiences so far on fresh tomato is still working great for me. DDW RT used to work really great up until about a month or two ago. Um, so yeah, I would, I would focus more on like looking for an open WRT router or something similar personally. That'd be my recommendation. Yeah, I feel like the big one that I see a lot of people using is the GLInet routers, which I believe they all come with.

Well, not all of them, but the majority of their more reasonably priced ones support OpenWRT, and they also have their own spin of OpenWRT, which is what it comes with, which is a bit more user-friendly because OpenWRT is... It allows you to do a lot, but its interface is not the greatest, let's just say.

I'm not like any networking expert, but I have had issues with configuring stuff properly because I'm not really... super network savvy where like, you know, it's so easy on like GLI net or like DDWRT or like fresh tomato to basically, um, you know, set up separate networks, set up VPN connections, all that stuff is a lot easier on those. Um, so GLI net is one that I see recommended a lot. Um, I don't know if this, this probably a pretty regional thing, but we have Dray tech.

Uh, I think they're a Taiwanese company, but a lot of their routers also support open WRT. Um, yeah, I can't really think of too many, uh, other companies that I would, I mean, I guess there's, Yeah, I mean, I can't really think of any European companies that make routers, really. Can you? I think there's one. Oh, my God. Jonah and I talked about it because I remember the subtitles got it right, and I was like, I've never heard of this company.

And so I had to ask him if that's Microtech or something. I think they're like a Finnish company. Everybody's going to be so offended that I can't keep my European country straight. Microtech is Taiwanese company. No, no, no. There's another one. There is. God, what a... Yeah, Microtik. Yeah, Pineapple Express got it. It's not like that. Latvian. They're Latvian. That's who they are. Okay. I knew they were European. Apologies to Latvians.

But yeah, so they're a Latvian network equipment manufacturing company. I don't know much about them, but I remember Jonah mentioned them when we were talking about this story in the first place. Yeah. And I also just wanted to say, I checked, because I know we have a page about routers. OpenWrt and OpenSense are currently our two top recommendations. So if you can find something that's compatible with those, that would probably be your best bet.

Yeah. I mean, you can also buy the... I got the OpenWrt one, which is like... It supports the OpenWrt project. But again, that's... as far as I'm aware that was coming from China. So, you know, Oh no, I guess, but I feel like everything's made in China. So I feel like that's, I haven't heard of a EU made router or anything. So, Yeah, I was going to say, that was kind of the point that Jonah and I kept harping on when we talked about this story, is that there are no American-made routers.

They're all made in China, except for apparently there's one from Starlink, which I'm sure is a total coincidence. But anyways, so I mean, this whole idea of like, yeah, I don't know. And I don't know if Europe's any different, but here in America, for sure, there are no made in American routers. Like there's some of them are designed here from American companies like Netgear and Cisco, but they're all manufactured and assembled in China or overseas. So, yeah.

I am seeing some interesting stuff about MikroTik. Um, apparently a lot of their stuff isn't made in China now. It's made in other countries. So that is interesting. Um, so I guess we're seeing a lot of companies kind of divesting from, or at least trying to, uh, I guess, uh, what do you call that word? Like have multiple bases of manufacturing diversifying. Thank you. I don't know what it is today. I can't find any words that I'm going to say. Me either. Words are hard tonight.

But yeah, so yeah, I mean, it's good to see that there's more stuff. I mean, I think it's still like the national security concern is probably still the same, right? Like Vietnam or like Malaysia. I mean, there's still the possibility of them being. doing something sus, but I think it's probably not that likely. I mean, I haven't seen any evidence that there's been any routers that have been tampered like that from, like, any of these big American companies.

So I'm not sure how much of a risk that is. And just to point that out, yeah, it's like we – first of all, we don't have any evidence that there's been any issues. This is all stuff we went over in the show. And I think the bigger concern would be like the cheap off-brand stuff or like the knockoff stuff because we have seen – I don't know about routers specifically, but we have seen like Android TVs.

Like if you buy the really cheap Android TVs on Amazon, we've seen articles that talk about how like, yeah, a lot of them come preloaded with malware and they run botnets and stuff like that.

So I think if you're getting a good reputable name brand router from a reputable source, i don't think there's really that much to worry about and then i think if you want to go the extra mile and be extra safe which of course we always recommend then you should put something like open sense on there um i i definitely want to get the open sense one next time i buy a router i have been very excited about that project i think it's really cool um i just my current router still has a lot of life

left in it so i'm not ready to do that yet but um yeah i don't think it's a huge i I really disagree with the government on this whole like it's a risk thing because it literally is just trust me, bro, I said so. And not to get too far off topic, but that's an issue I've always had. Like I've literally met people that when I talk about privacy, they're like, well, I have a buddy who works in national security and he says like they've stopped so many bad things.

And I'm like, then your buddy needs to come forward and tell us about that. Because right now, every study we have says that mass surveillance has literally never done anything and always makes things worse than better. And so if it is actually making the world a better place, we need to have that information so that we can have this debate in good, honest faith. Because right now it doesn't seem like that's the case. And so that's how I feel about this whole like router ban.

It's like, oh, these things are national security risk. Where's your evidence? Because right now there is no evidence and you sound like an idiot. So yeah, I don't know. That's my opinion. Yeah, I think, yeah, I don't know. I don't know what it's like in the US really that much. But in Australia, there's a lot of, yeah, fear mongering about that sort of stuff. How we need to have more laws to see criminal stuff. I mean, we have the assistance and access laws.

which basically means that police get access to stuff without a warrant and stuff um you know i think there's plenty of countries that are doing a similar thing um i just want to quickly uh circle back to glinet uh apparently i mean i don't i don't really research this because i don't own a glinet one i just see it that's what a lot of people use um it does look like they are based in at least according to their websites uh one of their offices is in hong kong and the other one is in

shenzhen um so i guess just be aware of that if that's a concern i mean i think basically all these router companies are even the open wrt one is manufactured and like done in china so i'm not really sure what the risk is there um against another company I think GLINET is very reputable so uh what's someone saying uh Sino Sinobu Sinobu it's actually worse in China and North Korea they're constantly tracked yeah yeah so like in a lot of these countries there is I'm not

sure about North Korea but I know I've definitely seen stuff in China with like you know the mass surveillance they have they have like more cameras than people right like well not more but like they have a lot of cameras um if you've ever been there's like cameras literally everywhere um it'll be kind of striking thing to see um so I think yeah we obviously we don't want to have cameras literally everywhere tracking everybody or at least recording what everyone's doing um So yeah, I don't know.

It's kind of been a thing where I feel like a couple of years ago, people were kind of making things about how China had a digital ID system, and it was super dystopian. But now we're like, oh, no, let's introduce a digital ID bill. It's like, guys, what about what you were saying a few years ago? What's happening?

I've literally seen some politicians here in the US point out, or maybe not the politicians, but I've seen people point out, they're like, this is literally the stuff we criticize Russia and China for. Why are we doing this? So yeah, it's not cool. Yeah, it's kind of frustrating. But yeah, I mean, is there any other comments you can see here that we haven't already got to? No, I haven't seen anything.

Looks like everybody's been a little bit quiet this week, but we still appreciate you guys tuning in and watching, even if you're lurking. Thank you for listening.

All the updates from This Week in Privacy will be shared on the blog every week, so sign up for the newsletter or subscribe with your favorite RSS reader if you want to stay tuned. I want to remind you guys, we send the newsletter at the same time that we go live, so it also works as a really good reminder that we're going live. Little notification there. If you prefer to listen on audio, we also offer a podcast available on all platforms and again on RSS.

And this video will be synced to PeerTo. Privacy Guides is an impartial nonprofit organization that is focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, then you can make a donation on our website, privacyguides.org. To make a donation, click the red heart icon located in the top right corner of the page.

You can contribute using standard fiat currency via debit or credit card, or you can donate anonymously using Monero or your favorite cryptocurrency. Becoming a paid member unlocks exclusive perks like early access to video content and priority during our Q&A. You'll also get a cool badge on your profile in the forum and the warm, fuzzy feeling of supporting independent media. So thank you again for watching and we'll be back next week.

okay um all right so oh do you have to go okay oh god my phone is almost dead no