¶ Intro
The CalyxOS comeback, the Canvas chaos, and Google Chrome's sneaky AI downloads. All of this and more is coming up on this episode of This Week in Privacy. So stay tuned.
¶ Start of podcast
Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we're working on within the Privacy Guides community and this week's top stories in data privacy and cybersecurity. I'm Nate, and with me this week, after several weeks of absence, is Jonah. How are you doing, Jonah? You know, I am doing great this week, and I'm always doing great to be back on the show here. It's always fun. How have you been doing, Nate? Pretty good. Pretty good.
As you know, lots going on behind the scenes here. Lots of videos coming up. We'll talk about that later. But yeah, I've just been keeping really busy working on everything we got coming up. Absolutely. Well, let's get into it then. All righty. Yeah. So let me swap the tiles here.
¶ CalyxOS progress report - our test build with Android 16 is here
Oops. Our first story this week is about CalyxOS. So full disclosure, we do not recommend CalyxOS here at Privacy Guides as one of our... as one of our recommended, uh, Android distros, but it is still popular. Nonetheless, they do have a heavy emphasis on, um, open source, I would argue. And, uh, like that's kind of their whole thing is a lot of the stock apps they swap for, uh, open source apps. And we'll, we'll talk about that a little later.
But, um, for those who may not be aware, CalyxOS actually, uh, went on hiatus in August of last year, which is crazy to think about that it's been that long. Um, but, uh, they went on hiatus. Uh, they assured everybody, they were like, hey, there's no signs of compromise or anything, but, um, they had two major staff members leave. They had Nick Merrill, the founder, and, uh, I don't know how to pronounce his name, Chirayu Desai, if I remember correctly. Um, but he was like their,
their lead developer, and both of them parted ways. From the outside, it seems very amicable. There, there was no accusations as far as I'm aware of from any of the team members towards anyone else. But either way, Calyx decided, they're like, hey, we're going to use this opportunity to completely revamp our entire infrastructure. We're going to rotate signing keys. I believe they went and bought a hardware security module.
They really ramped up a lot of the behind the scenes infrastructure, but yeah, that is unfortunately kind of the end of the facts. And I, I'm going to go ahead and say, I have a little bit of a soft spot for Calyx. I just want to admit where my bias is because they were kind of my first distro when I was getting into, to flashing custom Android ROMs. And I, I tried them out first and I liked it. You know, Graphene obviously is way more private and secure, but it was, it was pretty cool.
It was very empowering to flash an Android for the first time. And yeah. But, yeah, so that they, they originally said it'd be about four to six months, which if I did my math right, should be somewhere between December and February. And here we are in the beginning of May, early May, early mid May. And they said that this is their latest progress report. I believe it's number four. And they finally have a test build with Android... Hey, Nate, you're coming across a little robotically to me.
So I wanted to ask people in the chat if that's happening to anyone else on the stream or not really quick. So leave a comment how the quality is. I might know what's causing that, but I'd have to step over to the other computer for just a second. Let me see here. Nope, that's not it. Well, yeah, let us know. It's just on my end. Yeah. Okay. We'll wait and see. Okay. So, yeah. So Calyx said that they would go ahead and...
It should have been ready sometime, like no later than February, but here we are. In this new note, they basically say the Android 16 build is ready. So the version of Calyx that's based on Android 16, they say is ready for community testing. So it's not in public yet. This is in beta. And, you know, I mean, there's some interesting stuff here. Like they say that it's based on Android 16 QPR2, which I think is the most recent one, but don't quote me on that.
Um, it does support Pixels four through nine. So it does not, um, I don't think the ten's out yet. I'm sorry. I don't keep up with a lot of hardware very well. Uh, supports the Fairphone four and five, and it supports a handful of Motorolas. That is one reason that Calyx has historically been a little bit more popular is just because, um, they do support more devices than Graphene and they do still support locking the bootloader. So most apps should work.
Okay. Not as good as Graphene, because with Graphene, you've got the Google Play services and stuff, but, um, definitely, uh... Yeah, it just, it supports more devices. And yes, Jordan informs me that the Pixel 10 is out. So doesn't quite support the Pixel 10 yet, but all their current devices. Supports the Pixel 10 currently, but this is their device list from before they shut down, if I remember correctly, because I think they supported the nine, didn't they?
I believe so, and I'm going to guess that's probably what their direction was. It's like, let's start with our current stable of devices that we already support, and then from there, we'll expand. That's usually kind of how they do things. So yeah, they do go on to say here that they've also updated some of their bundled apps. So they moved to F-Droid Basic instead of regular F-Droid. They still have Aurora Store. They moved up to Breezy Weather.
They used to be on Geometric Weather, but that one was deprecated quite some time ago, actually. They still include Signal. They still include the Tor browser. The Tor VPN is, I believe, a new project from Tor that's designed to replace Orbot. So they're going to be including that. CoMaps will be replacing Organic Maps. And other than that, I think most of these are things that they've already supported before.
So... And then they say there's some features that have gone away, things like the panic button for now. They say it requires a lot of updates to make it work. They say they're shipping Chromium with less features, which you can read about below. So, yeah, it's definitely a very early update, beta, I mean, really. I know our staff member Jordan did attempt to test it out, but I believe couldn't get the flashing process to work. They kept running into an error.
But I have seen some people just generally around the internet who have said that it has worked pretty well for them. But yeah, so I mean, that's kind of it as far as the facts of the story. This is a, I think this is kind of a bigger story that we wanted to cover, even though, again, we don't really, we don't formally endorse CalyxOS as like a recommended distro, but it is very, very popular in the community. And this has been an ongoing saga. And I think this is like the first
big milestone in terms of like, oh, they've actually got something to show for now, you know what I mean? So, yeah, really, yeah. Really interesting stuff. Do you have any thoughts you want to start with, Jonah? Because if not, I got some questions I can throw your way. All right. Yeah, a couple of things. It was interesting, I guess not really about the OS, but some of the apps that they included.
Calyx VPN, rather, being excluded from the list is interesting because I think that's been one of the big services that the Calyx Institute has been providing for some time. I didn't even notice that. And they include Verizon VPN, which is kind of like... I mean, they probably don't consider them competitors because it's all non-profit and they're all just doing it for fun. But I mean, they're pretty much operating the same service so that they would include that one and not the other.
It's interesting. I don't know why the Calyx VPN infrastructure and capacity is... not where it was before, or if they were having issues for some time. If anyone used Calyx VPN, you could let us know what the experience is. But I just thought that was an interesting thing to highlight. I also can't remember if we talked about Tor VPN in a previous episode or somewhere. I was just talking to somebody. Not since I've been here.
Um, maybe not then. I don't know where I was talking about it, but Tor VPN is an interesting one too, because it uses, um, the new Tor implementation. So instead of the one that was written in C, the original Tor backend service, now it's written, um, in Rust. It's called Arti, and that was the main reason that it's replacing Orbot. So it's not just a rebrand. There's some modernization going on.
So if you're an Orbot user or a Tor VPN user, I think that that is going to make, I mean, that's going to be a lot nicer for sure, and hopefully more reliable and hopefully more secure. So I guess that's not really about CalyxOS either, but a couple of cool things about the apps that they're installing. What are you thinking about this release? Um, no, that's cool about the VPN. Cause I didn't, I've, um, I, I'm subscribed to the Tor blog's RSS.
So every once in a while I get notifications about Arti's development, but I don't really know much about it other than like, it's a rebuild in Rust. So when you said like, oh, this is basically a front end for Arti, I was like, oh, cool. So that's where they're going with this. Yeah. It's finally making it into, into Tor software. I don't know when it'll be in like Tor Browser or anything like that, but at least we're slowly seeing progress for sure.
Nice. Yeah, I mean, overall, like I said, I admit that I have a soft spot for Calyx. So I'm really disappointed that this has been well past schedule. And I'm really disappointed by a lack of communication, especially.
I mean, they've been relatively open in the sense that they have been publishing blog posts every... every other month, maybe, um, they've, you know, they went out of their way when they made the initial post and people started speculating like, Oh, is there some kind of compromise? They were like, no, no, no, there's no compromise, but really that's been it. There hasn't been any explanation for like, why are they so much further behind schedule than they expected?
And like, I, um, I've had in, in the past, um, I've worked at other jobs where we have clients that I have to interface with. Right. And I remember one of my, uh, one of my bosses got really mad at me one time because I told the client, I'm like, hey, we have to contact support from this company. And, you know, it's kind of like slowing things down. And my boss was like, no, no, no, never tell them how the sausage is made.
And I really disagreed with him on that because I'm like, if I was the client and you just keep telling me we're working on it, we're working on it, we're working on it, we're... That's going to shake my faith in you. That's going to be, make me think like, dude, why is this taking so long? But when you tell me like, here's exactly what we're doing. Like we had to get in touch with support. Support has to research this.
They're shipping us a new firmware, like blah, blah, blah, blah, blah, whatever the case. That's when I know like, oh, you're working on it. And also this is a really complex problem. That like this is why I'm paying you is to handle these problems. So I say that to talk about this is like I'm really disappointed that Calyx has decided to take the first approach where they're just like, oh, we'll just, we'll just issue you little updates here and there.
But we're not going to address the elephant in the room of why is this taking so long and why are we behind schedule? So that, that really does disappoint me personally. But I was curious if you could, cause I know there's some technical reasons. If you could just kind of fill in, Jonah, if you wouldn't mind filling in users on why we don't really recommend Calyx. Cause I know it gets, and it gets passed around or not passed around.
It gets touted and advertised a lot in the privacy community as like an alternative to Graphene. And again, despite my bias, I don't think that's really an accurate representation. So like what, what makes a, I don't necessarily want to turn this into talking crap about him, but why don't we recommend... Why isn't that a really fair comparison in your opinion? Yeah, for sure. Before I get into that, do you know if microG was on that list? Are they still using that?
I know they were using it before, but I just didn't see it in this post unless you... Yeah, it's not in this list, but I have to assume it's going to be there, because otherwise I don't know... okay... how it's going to work. Maybe if Jordan's listening and was able to test it out, um, they can let me know in the chat. But, um, yeah, there's, there's a couple different reasons. I mean, I think the main thing comes down to the, the changes that CalyxOS is making, uh, mainly come down to getting Google software out of the main operating system.
So they replace Google Play services with microG, for example, and they replace all of the standard apps, um, with these open source alternatives. Like, they don't have the Play Store, they bundle F-Droid Basic by default. Um, but beyond that, they don't do a lot of modifications. They've never been like super technical with like how the operating system works or additional features that can protect your security or privacy. Whereas, um, on GrapheneOS, for example, we see additional hardening features, additional like permissions that you can, you can restrict apps with, um, additional sandboxing with Google Play, and all of that stuff you don't really see with CalyxOS.
I think another big criticism with, I would say, microG in general is that, well, it replaces all of the client software on your device and in theory makes it more compatible with the open source ethos.
All of these microG services are generally still connecting to Google services at the end of the day. GrapheneOS certainly would also have this problem in a lot of cases, especially if you use Sandboxed Google Play. But if you don't do that, GrapheneOS by default removes, I believe, all connections to Google services, and they are really good about proxying any services that are required with Google, like connectivity checks, for example.
They proxy through GrapheneOS servers by default, so you're not hitting Google servers directly, and you can typically turn all of that stuff off
completely if you choose to. So those are some of the benefits in GrapheneOS that we just don't see, uh, added in CalyxOS. CalyxOS is more of a stock Android experience with some bundled apps that are nicer than the alternatives, but it's not really changing the Android paradigm in, in any way. And I don't know, in previous episodes and on other shows I've talked a lot about how Android is just not my favorite operating system in general because it's very tied to everything that Google is doing.
I think Chromium kind of has the same issue, but Android especially, and GrapheneOS just goes a lot further in making that less of the case. I think it's unfortunate that even on GrapheneOS, most people have to rely on Sandboxed Google Play to get a decent experience on Android. But what can you do? At least with the Sandboxed Google Play and GrapheneOS, you can install all of those as user-installed apps, basically.
Whereas even on CalyxOS, if you use microG, all of the microG apps have to be installed as system apps, which... will, I mean, which is a greater security risk than apps that have normal user install permissions. I think the other main thing that we would see with GrapheneOS is just a much stronger commitment to updates, security updates, but also just updates in general. We saw, as you noted, the Pixel 10 is not even supported with CalyxOS yet.
I don't know, I don't know too much else about the current, like, version of Android that this is using. I know all of this, CalyxOS is still in beta, they're just getting up and running, but historically they have been a bit behind normal Android releases and a bit behind GrapheneOS, whereas GrapheneOS very often releases updates very, very close, if not at the same time as major Android updates.
And even now, GrapheneOS has a partnership with an OEM that has access to these security updates that aren't publicly released yet. So they can issue those security releases before they're open source. Of course, if you don't want proprietary code on your device, you can, you can disable those and wait for them to be publicly released.
But that is a security option that I don't think CalyxOS would even be able to offer as far as I know, because Google restricts some of those security updates to certain approved parties, which is a shame. So, yeah, kind of a lot, but that's typically all of the reasons. CalyxOS didn't really make sense to me, probably still doesn't, but I guess we'll see how this is going, because it seems like they'll be taking a... well, at least a different approach than they were before.
Yeah. Yeah, I agree with all of that. I agree that it's... I think they do a couple small things to try and make it a little more privacy-respecting. I think the advertising ID is removed by default or something. But it's really nothing compared to Graphene. It's definitely not even in the same ballpark.
I think really the only selling point, in my opinion, is that it would be... I would argue it's an easier setup because then with Graphene, you need to go in and you need to install the Play services. I mean, if you want to use those, which like you said, some people could definitely get away without those, but for the average person, you're going to need those for notifications and stuff. So with Graphene, you additionally have to go in and install that kind of stuff and get everything set up.
But yeah, at the end of the day, it's... That is another downside of GrapheneOS. You are stuck with the official Play services clients. If you are the kind of person who... prefers the microG approach, at least you have that option with Calyx, whereas despite them being sandboxed on GrapheneOS, which is great, especially because you can restrict them to certain profiles, you're still running that proprietary Google code directly on your device, and some people just aren't going to like that.
So that is something to consider for sure. Yeah, I agree. I think I had... One other. Yeah. So in your opinion on that note, do you think there's any like redeeming qualities about this update? Like me personally, I'm glad to see them finally move to Breezy Weather because again, Geometric has been abandoned for God, I think years at this point, like a good couple of years. So it's nice to see them finally move. I like to see them get rid of Scrambled Exif.
If like that is also abandoned where I think, or at very least like not updated very often. I wish they would just roll that into the camera app like Graphene does, but yeah... Yeah, I don't know. Do you think there's any redeeming qualities about this or anything that you think is a step forward maybe? You know... To be honest, I'm not the biggest expert on Android apps, so it's kind of hard to say. Some of these apps certainly make sense to pre-install.
I'm glad they're pre-installing Signal, for example. Some of them, like the ones that you mentioned, don't make a lot of sense. I can't remember. I saw DAVx5. I think that's the newer. I think I'm thinking of a different app that was discontinued. That's probably the newer one, so never mind. But yeah, certainly having privacy respecting defaults is good. Like CoMaps or Organic Maps they had before. It looks like they're switching to CoMaps now. I mean, it's greater visibility.
And I would say that this... list of apps is probably useful to people. I mean, even if you end up using GrapheneOS, this would be a good list of apps to maybe look at. And maybe you want to use some of these. You can install F-Droid on GrapheneOS too, certainly. And we have a lot of Android app recommendations on our site as well. But yeah, any visibility to all of these third-party apps that are providing good services is a good thing, I would say.
Yeah, a user here says, nice to have you, Jonah. They said, Breezy Weather is goated. And that's an example. I agree. I use Breezy Weather. It's pretty rad. I like it a lot. Before we move on to the next story, assuming there's nothing to add to that, sawed this all here, said, you love the PG polos. So I just wanted to, I would be remiss if I didn't take a moment to point out that we do have a merch store, shop.privacyguides.org.
We have this awesome, I know you probably can't read it from there, but this coffee cup, because I'm insane and I'm drinking coffee at five PM, has article twelve of the UN's Declaration of Human Rights, which is about privacy. I actually have some stickers here because I was going to ask Jonah a question about those later. Poster in the back, all kinds of cool stuff. So yeah, and certainly not all of our merch is like these polos with just the, with Privacy Guides logo.
A lot of that is for the team members who want stuff for this video. But we also have a lot of merch like with that poster design in the background of Nate's video right there. And a lot of other cool stuff. So if you are interested in those privacy designs, I would check it out. And we hope to add more stuff there soon. Another thing before we start talking about this canvas story, I wanted to answer TG in nineteen ninety seven's question really quickly here.
We always have around five to twenty viewers. A couple of reasons: we're very generously supported by many of our members. We also get a lot of views on this show after the fact, especially various podcast apps, we get a lot of downloads there. But it's mainly the support of our members and people who want extra perks across our site and our forum, which certainly has an active membership.
The other reason for this discrepancy in views is that we... uh, stream on a lot of different platforms. So like right now on StreamYard, I can see a hundred forty nine people are watching, and on YouTube, that's quite a bit less. Um, so yeah, as somebody else just pointed, we, we live stream on YouTube, we live stream on X, we also live stream on Twitter, and we live stream on streamyard.com, which is the, which is the streaming service that we are using to stream in the first place,
so it's kind of a native approach. We share the StreamYard stuff on our forum, so a lot of different options for people to choose from, not just YouTube. But yeah, we would love to get more viewership. So definitely subscribe if you like these shows and share the show with a friend or two if you think it's interesting. Because we would love for more people to hear about all of this stuff. Of course, that's why we're doing it.
Not to dig into it too much, but nice to have Jonah says why you only see six people. Because we're in the studio, we can see the full list. It says here that we've got over a hundred and twenty people on Twitter. What's that? It just combines them all into one number. That's what I was looking at. But if we hover over it, it gives us a breakdown. So, yeah, there's six people on StreamYard right now, twenty two on YouTube. We got one on Twitch. I didn't even know Bluesky did live streaming.
We can look into that, but it's really about what StreamYard. Yeah, Bluesky doesn't do live streaming.
If you want to share, um, whoever said Bluesky, um, what you're referring to. I know you can, um, post a link to the live stream manually on Bluesky and it will show up like around your profile picture. Um, we have to do that basically every time we stream manually, and we can't even link to YouTube streams, I think, or StreamYard. We have to link to like Twitch or something. So it's just annoying to do on, on Bluesky, but maybe we'll use that feature in the future. I don't know what Bluesky features really have for live streams.
Yeah, we could look into it. Oh, here we go. Somebody said the, the new CalyxOS builds run great on the Pixel six, six a, and six Pro. So there we go. We have some, uh, boots on the ground from somebody who's tried it. Awesome. Good to know.
¶ Canvas login portals hacked in mass Shiny Hunters extortion campaign
All right. Well, let's take a look at our next story here. This was reported by Bleeping Computer. Headline is, Canvas login portals hacked in mass Shiny Hunters extortion campaign. The Shiny Hunters extortion gang has breached education technology giant Instructure again, this time exploiting a vulnerability to deface Canvas login portals for hundreds of colleges and universities.
The defacements, which were visible for roughly thirty minutes before being taken offline, displayed a message from Shiny Hunters claiming responsibility for the earlier Instructure breach and threatening to leak stolen data if a ransom is not paid. The message warns that Instructure and schools have until May twelfth to contact them to negotiate a ransom or students' data will be leaked. Moving down in this story here.
I'm not seeing it in here, but I read in a different article that this vulnerability was related to a service that Instructure has with Canvas that allows teachers from any school to sign up and create courses, even if your school doesn't have a partnership with them. So I know that they've disabled that feature, basically. But what the vulnerability is exactly, or I think what data has been leaked, as far as I know, is not necessarily clear yet.
But the hackers in question have claimed to have stolen two hundred eighty million student and staff records tied to eight thousand eight hundred nine schools, universities and education platforms using the Canvas learning management system, according to this source... article. So it is quite a cyber attack and it seems to be very widespread.
I know, I think it says it in this article too somewhere, but I just know Canvas is one of the, if not the largest learning management systems used by schools. So this is pretty extensive for sure. And I think what we're going to see out of this is I mean, especially if this data is leaked, but also, I mean, even if it's not leaked, these people could just keep the data anyways, or it could be leaked in the future, or they could just leak it anyways.
I think there's really no way to guarantee for sure whether this data is going to make it out there or not, regardless of whether that ransom is paid. So I think this I mean, this will certainly be a big problem for students, also staff, and maybe not even immediately. All of this data could be used in the future for various attacks.
I can imagine phishing attacks and other and other sorts of attacks against all of these students and and teachers to be very I think they'll be very prevalent if all of this data gets out. So yeah, that's pretty much the story. It's not great. As Jordan W. says, shaking my head with the centralization of everything on a single platform for learning. Yeah, I mean, this is definitely the big problem with decentralization.
It's certainly a double-edged sword, and it's the kind of thing that we see in the school systems. With this, with a lot of different tech services, I know all of them have switched to Google Workspace, for example, and none of these centralized services are immune.
Um, I know before the days of decentralized services, schools would typically use various platforms or open source platforms like Moodle. Um, and there are downsides to that as well, because then you're relying on the school or the district's IT team to secure all of that, which can have varying levels of quality and knowledge depending on what kind of people they can hire. So that's certainly a problem as well, but certainly all of the centralization of data into a single database is also a
huge concern. So yeah, you kind of lose either way you go, really. But obviously, this sort of attack has a much larger impact because this is going to affect schools all around the US and maybe around the world. I don't know where Canvas is used. I know it's huge in the US here, but I would imagine they sell to other countries as well. Yeah, I agree. And, uh, yeah, like you said, this, this, um, this is a big story, which is kind of why we're talking about it.
Um, so there's a lot of coverage out there. So, uh, there may be additional details in other articles. We tried our best to, um, pick... Bleeping Computer's usually a pretty good source and some of their articles are actually like really super technical. So I like going to them. They're, they're one of the more reliable sources in my opinion, but yeah. Jordan says it's massive in Australia too. I would, yeah, I would imagine it's in a lot of different countries. I mean, that's a huge company.
Yeah. This article didn't really specify where they're, which is unusual because usually they do say like, oh, it's popular in like the US and parts of Europe or something. But yeah. Um, yeah, I mean this is the question, right? It's nice to have Jonah said, what do you think should happen? Make it illegal to pay ransoms? Fine companies for bad security? I mean I think – I fully admit that I'm not an expert on this kind of stuff in terms of like what should we do.
But I do think that's a good start is like I think we need mandatory disclosure laws because I remember there was a few years ago they raided – God, which ransomware gang was it? It was one of the big ones. Interpol shut them down and raided their servers, and we learned so much. They had hit so many more companies than we knew about because most of them just paid the ransom and made it go away. Made it go away. We learned that they, like you were saying, they never delete the data.
That was something we learned is when we pulled their servers, it's like, oh, look, here's everybody, including the people who paid the ransoms. They never deleted the data like they promised they would. They just hold on to it. So... I don't think – and when they do pay the ransom, that just encourages them to keep doing it, right? If we make it not economical, they're going to stop doing it. At some point, eventually, they'll stop doing it. So it's really – I think that's a good start.
And yeah, I do. I mean, personal opinion. I think the problem with bad security is that it's really hard to define in a legal sense. Like, I think there's certain things that like 2FA, right? I mean, it's twenty twenty six, dude. No offense to any newbies watching this. I'm not trying to make you feel bad, but it's twenty twenty six. If you're not using 2FA, you're... you need to reconsider. I'll just say it that way.
You know, and I mean, ideally, yes, it would be nice if they had good passwords, but that's kind of an ongoing debate right now is like what defines a good password. There's a lot of nuance to that, but it's, I mean, that's like little things. Like if you have something that was patched or like if you have a vulnerability from six months ago that the patch was already released and you still haven't updated it and it's a critical vulnerability, I think we can all agree that's negligent.
Like when you get closer to like a week lead time, like, I don't know, it's just my point being like, there's some nuance there, but I think there is a certain baseline we can establish. And it's like, yeah, you guys were just basically being negligent at this point. And unfortunately it's a, I've said this before.
It's like a lot of these, a lot of these smaller, or not smaller, a lot of departments don't get the funding they deserve because the bean counters just look at them and all they see is red. So like cybersecurity, for example, they're always like, oh, we're always spending money on technicians and software and this and that. And it's just spending money and spending money. They never make us money. We're just losing money on that.
And it's like, yeah, because that's what's keeping you from losing more money when something like this happens. So it's- Yeah. IT in general, it's always seen as like a cost center by businesses until you need them. The problem with IT in general is that I think the entire industry suffers from its own success because when everything is working properly, of course, you never notice it at all. Like it all just runs in the background. Exactly.
Yeah, and then the last thing is, like you said, a centralization issue, which that one's harder, right? Because that's kind of one of the hallmarks of the free market is people should be able to go to whatever company has the features they need and makes the best sales pitch and whoever they want to go with. So the centralization thing I feel like is tricky, but I don't know. Maybe there's some levers we can pull there too to try to encourage a little bit more competition. I don't really know.
That one's definitely above my pay grade, but it's all just kind of a big – know what the word I'm looking for is. It's all just kind of a big soup of, like, a bunch of problems, but even fixing a few of them, I feel like, would probably go a long way, in my opinion. Yeah. Neville Matthew, uh, on YouTube points out same thing with Epic, uh, electronic health record systems. All hospitals use them. Uh, that's a huge problem as well. I mean, the centralization, uh, that we're talking about, this is happening among
pretty much all industries at this point. So we're definitely putting all of our data in single gigantic baskets. And I really don't think that's a good thing, which is why I always suggest decentralization as much as possible.
But not all organizations are going to do that, and I think the unfortunate reality is that all of these organizations are going to choose the cheapest option. Um, yeah, I don't know if we pulled up this comment, but nice step jonah said, uh, I'd rather use Google Workspace, honestly. Google's locked into their security and their workspace privacy might not be terrible. I mean, with Google Workspace, especially with the schools, you never know what they're doing with this data.
But according to their privacy policies, it's all above board for students. But no company is perfect at security, and it's very possible that Google could have a breach someday. I think there's problems with all centralized services, kind of inherently. So I wouldn't just rule out the possibility that Google will suffer some sort of security issue in the future.
I think a much bigger issue with all of these schools adopting Google Workspace for Education is just that it really normalizes, I mean, the entire Google suite, a whole generation of students who are then going to demand that in the workspace and in their personal lives. People are just using alternatives like Microsoft Word or Apple Pages or whatever software was typically used in schools.
And now they just... are used to Google Drive and used to Google Docs, and then they will grow up and they'll continue using that or they'll use it in college or they'll say to their employers, like, you should switch to all these Google services. That's really the big Google play here. And there used to be more companies in the education space.
I mean, for a very long time, Apple was huge in the education space, and then they basically randomly gave up on supporting education customers, which is really dumb, in my opinion. You could certainly argue Apple isn't much better. And I would love to see... We talked maybe a couple episodes ago about these governments who are adopting Linux systems among... their own agencies.
I would love to see something like that in schools too, where more of these education providers adopt open source software like Linux. But we're not really seeing that right now. And even when Apple was in the game, there was at least some competition here, which is always a good thing. You always want to see competition. And right now, Google kind of has a stranglehold on the entire education industry, which is not great.
Maybe Apple will make a comeback with the MacBook Neo, but their software game has a very long way to go before they get back into a serious IT world, unfortunately. Yeah, I was going to say, I agree with the idea of like... Like I've complained about that. Not my last job, but the job before that. We were a very small company, like less than ten people total. And we used Google. We used Gmail. We used Google Drive. We used Google Sheets, Google everything.
And then I moved to the bigger company that was like super, super corporate. And all of a sudden everything was Microsoft. And I remember just being like, God, I would give anything to go back to Google because Microsoft's UI is just – everything about Microsoft is terrible. Full stop. I don't care. It's bad. So, but I really appreciate what you're saying about like, yeah, but then you train people into that way of thinking and that's what they're going to want. And, um, but, uh, yeah.
And another thing you said is just real quick. I'm, I've been saying for a long time and I know I'm not the only one that like, it blows my mind that public money can be spent on private things. So like, I usually say that in the context of policing and surveillance systems, but yeah, like Microsoft licenses for public offices. And it's like, dude, just switch to Linux. Like, and that's a new contract there too, right?
Like somebody has to write this software for Linux so they can manage the lakes or whatever. Like, great, that's a new contract. We just made new jobs. So I don't know. Yeah, it's crazy. Yeah, the whole tech ecosystem in general, once you get into like proprietary stuff is not great because we've really transitioned to like full subscription services. I used to work at a school district and towards the end of that, Google changed their education pricing.
I think it was around like when the pandemic was happening and there was a huge push for remote learning, but they were basically like, okay, all of these features that all these schools want now we're going to be charging something a month and it was still a lot cheaper than like Google workspace for businesses, but it just goes to show that like, all of this free stuff can't and really never does last forever, even for schools and nonprofits.
Google's whole plan is not just to lock students into this Google ecosystem, but also to lock schools and districts into having to do whatever Google says, basically, because now they're kind of stuck with all of the software and all their Chromebooks and Google can kind of charge whatever they want if they want to. And it's very unlikely that any of them will switch at this point, which is a shame. Yeah, very good point.
¶ Site updates
I think that's all we have on that story. In a minute, we're going to talk about Microsoft Edge and passwords. And boy, that's a wild one. But first, we're going to talk about what we've been working on this week at Privacy Guides. So like I mentioned at the beginning, it's been... You know, we kind of go through ups and downs, right? Like we kind of go through periods where we're releasing a bunch of stuff and then we go through periods where it seems like we're a little bit more quiet.
But that's because it's just we're always working behind the scenes. I mean, we're always working, but sometimes there's just a lot happens at once. And I think the last few weeks have been like that. So, for example. I'm going to share this little tab here. We have just released today a new video about how to run a Signal proxy. And we talk about this in the video for the record, but there are alternatives to Signal, but censorship is on the rise and Signal is around the world for the record.
And Signal is an extremely popular messenger. So you could try to get your friends and family to switch to something like SimpleX or Briar, or you could look into Signal proxies as a way to help around with that. So yeah, if you're a member, that's already available on YouTube. If you are a Privacy Guides member, like you went to privacyguides.org slash donate and you're a member, it's also, I believe, available on PeerTube.
And we share that link directly in the member section of the forum, or I believe you also get it in your inbox. So yeah. Those are options there. And then that'll be coming out to the public next week. We usually release those about a week early for members. And then we have an awesome interview coming soon. Hopefully next week. Depends how much editing we have to do. But I don't want to say too much. It's just really exciting. It was a great interview. I had a lot of fun.
And it will include a bonus section, again, for paying members. Yeah, excited to share that. And actually on the topic of memberships, I just I keep forgetting to tell you guys that we're actually now posting the show notes for the show in the members only section. So throughout the week, you guys can see what stories we're considering discussing and stuff like that. So definitely check that out if you're interested. And I'll turn it over to Jonah to talk about what else we've been doing.
We definitely got a lot of requests for that because people wanted to ask questions about the stories we would talk about on the show, but I know this show time isn't ideal for everyone. It's pretty late in the year right now, so I know a lot of people skip it and watch it later. So hopefully that helps out some people with getting your questions answered during the Q&A that we have at the end of the show.
In other Privacy Guides news, the biggest thing that we launched this week is a new DPA directory. This is a tool that we have in our Activism section, which you can find at privacyguides.org slash activism, or you can click the Activism tab at the top of our website.
And the DPA directory is basically a tool that will help you find the main consumer privacy law in your area or region or country that describes what privacy rights you have as a consumer and the authority that's mandated to enforce the law, which is very important, because you should know where to report these privacy violations and what privacy violations may even be occurring. I think for a lot of countries, there are more protections than you might think.
Of course, in a lot of countries, I would definitely say the protections could go quite a bit further, but anything helps. And reporting privacy violations by... companies that you interact with not only has a benefit for you personally, but it has a huge benefit for your entire community because it causes these companies to make changes that will ultimately improve the privacy for anyone who is using these products or services. So definitely check it out. Find your region on there.
We have at the top of the directory, we have buttons where you can click by continent, basically, and then you can find whatever country. If your country isn't listed, either we couldn't find anything. We were able to do it for a lot of countries, but certainly not all of them. We hope to continue updating this with more information as we can and as we get it.
If your country isn't listed or if some of the information you want to update or what have you, definitely submit a PR or even open a topic on the forum sharing what information you want us to add or change and we can get that updated. Or just let us know what country you want us to update and we can look into it as well.
Whatever works for all of you, we definitely want to keep this updated and get as much information out as possible, so you can share, uh, what information you would find most helpful here, and hopefully we can continue to build more legal resources and other resources like this in our activism section going forward. So we'll continue to keep you updated with that. Um, thank you, Carey from Fireworks... Firewalls Don't Stop Dragons, uh, for the compliment. I totally agree, it is another fantastic resource. Um, it's one of the final resources that our former staff member M, uh, worked on with us, and it, it came out really great. So I hope people find it very valuable. Um, that was the main update that came out with our, uh, May release of all the changes on our website. I believe all of the other changes were pretty minor. Um, we just updated some information that was outdated and changed some logos. So not a lot of huge changes besides that.
But, you know, we're always changing the site, making sure everything stays up to date. So hopefully we'll see more changes in the future. I know we have twenty six pull requests open right now. So a lot of updates that we're hoping to get made as soon as we can review them.
This is episode fifty two of the show, which means that we've been doing this every week for a full year, which is fantastic. It's, it's been a lot of work to get this... Oh, great, Nate's celebrating. If it works. I think it's busted now. I have a whole bag of them. I'll find another one. I had to buy these for a video one time. It was like five bucks, so now I don't know what to do with them. I had another one.
But yeah, hiring Nate to get these done has been a real game changer for this entire show because we can really do this more reliably. And yeah, we plan to continue doing this every week for the foreseeable future. News briefs are another big thing that we do almost every day, pretty much. Freya works very hard on those, but we have other people on the team publishing those as well. I know Nate writes some of them on occasion.
And this week we had updates on Copy Fail, ChatGPT advanced account security, Fedora releasing sealed bootable container images, which is super cool. Definitely look into that if you're using Fedora, it's good for security. RCS end-to-end encryption in iOS, which I actually downloaded on my phone, but I haven't been able to use it too much yet. So hopefully it improves a bit soon.
Disneyland, California, facial recognition, the FCC banning a data broker from selling location data, ProtonMail launching post-quantum encryption, which I believe we are going to talk about later on in this stream, if that's of interest to you, certainly of interest to me, Chrome for Android, including approximate location, which is a new web standard that'll hopefully make sharing a location with websites a bit more private, and two more major Linux vulnerabilities in the same class as
Copy Fail. So a lot of news briefs, we can't talk about all of the news on this show specifically, but we try and keep all of the news briefs updated with the biggest stuff that we can't discuss. So if any of those things sound interesting to you, you can find that under the news tab at privacyguides.org, and we'll continue updating that and updating our forum with all of the news stories we can find.
All of the stuff that we do at Privacy Guides here, again, like I said earlier, it's all supported by our generous members and other one-time donors. You can sign up for a membership or donate at privacyguides.org slash donate. Or if you want to support us by picking up some swag at shop.privacyguides.org, that is great as well. Privacy Guides here is a nonprofit organization.
And we research and share privacy-related information and we facilitate a community on our forum and other platforms to share advice, ask questions, get updated on the news with other people who are in this privacy activist space. So it's a great place, especially our forum, to get advice about staying private online and preserving your digital rights.
¶ Google Chrome has been silently pushing a 4GB AI model to your device without asking
I think that's my spiel. We can move on to talking about how Chrome has been downloading some AI stuff to your device without telling you. Well, maybe not you specifically. You're probably not using Google Chrome, but Google Chrome users. Yeah, hopefully if you're watching the show, you know that Chrome is basically spyware, and that's not much of an exaggeration, unfortunately. Warn a friend about it. What's that? Be sure to warn a friend about it. Yeah, no kidding. Pass that on.
Friends don't let friends use Chrome, but seriously. So yeah, the latest tomfoolery from Google Chrome is that they have been quietly pushing a four gigabyte AI model to your device without asking. Correct me if I'm wrong. But I actually did some digging into this and I was trying to put the four gigabytes number into context. And if I did my research right, that is about, what is that? About eight hundred to a thousand songs, depending on how big the file is, how long the songs are and stuff.
What is it? It's like a similar amount of photos. But the one that got me is that's about four to six hours of high quality, not like 4K, I think, but like high quality video footage. Which is longer than the extended edition of Return of the King. And that just... That was my favorite thing I learned from researching this. So anyways, yeah, so Chrome has been pushing this AI model onto your device.
It's Gemini Nano. The article I don't think explicitly says it's on desktop, but it seems to imply that it's on desktop because it says that right here it says deleting the folder doesn't offer lasting relief. Chrome will simply redownload it. On Windows, the folder is here. It has also been confirmed on Apple Silicon and Ubuntu machines. So I think it's specifically on desktop. The weird thing is, from what I can tell, this does not seem to be...
Because a lot of Apple and Google are trying to do more, especially on mobile phones, they're trying to do a lot of AI processing on device. And I think for most of them, that has more to do with performance than privacy. But of course, never miss a good PR opportunity. So they're like, oh, it's also really private. And it's like, meh. So I think they try to do things on device. But from what I can tell, if I remember this correctly... Um, yeah, it says here, the downloads carry a notable irony.
Chrome's most visible AI feature, the AI mode integrated into the address bar and Google search runs on Google servers rather than the locally stored weights. The four gig folder is only used for writing assistance and a handful of other accessible or a handful of other features accessible, several menus deep. So it's not even like the, the most commonly used things that they would put on there. It's just such a weird, weird choice. Um, I don't know.
Yeah. So going back here, again, if you uninstall it, it just reinstalls itself. I do appreciate this article. Uninstalling Chrome entirely is the most effective way to remove it. However, for those who wish to continue using it, you can disable it by going into the Chrome flags and finding an item called Enables Optimization Guide on Device on Android and selecting Disabled. So apparently, that basically just tells it that your device can't handle it, whether that's true or not. So, yeah.
And then it looks like somebody is already accusing Google of violating European privacy regulations. And I unironically wish them the best because I want to see these companies sued every single... You know, we've mocked many, many times how when these companies get sued, it's always like, oh, they got sued for four million dollars. And it's like, bro... who's, who's in charge of Google? Sergey Brin. Did he move on? I don't know.
Whoever the guy in charge of Google, it's like his shoes probably cost four million dollars. Like that's nothing. They don't care. But my hope is that if we keep doing this, maybe it'll be like death by a thousand cuts. Like if we just do them every single time it happens, maybe eventually it'll start to add up. I don't know, man. I'm trying to be an optimist. I realize I'm probably delusional, but, uh, yeah.
So I mean, I, I think we kind of, to, uh, hit our, our main points going into it, but, um, Well, let me start by saying, I don't know. I guess I'll really just jump to it and say we don't recommend Chrome. I mean, in addition to just doing crap like this all the time that's incredibly hostile to users, that's incredibly unfair to users, that's really, really sneaky, I think it's so funny how they always try to roll these things out that they're like, oh, but this is good for users.
And it's like, well, then why'd you hide it? Why didn't you tell us how awesome this new feature is? But in addition to all this stuff, you know, Chrome is like over the years, it's really become a resource hog. Like everyone I know says that it takes up tons of space. It eats up your RAM. I don't know how true that stuff is. Cause I haven't used Chrome in several years, but that's what I hear. So I think I'll have to bounce over to the Privacy Guides website. I know that Brave is a big one we recommend.
Firefox is, is pretty good, but it does require some, some tweaking to really get the most out of it for sure. And browsers are one of those things that I know everybody kind of has their favorite browser, right? Like some people prefer... Yeah, I mean, here, I'll put you on screen while I'm looking this up. But some people prefer their LibreWolf or Mullvad, which Mullvad's a really good one. Actually, here, I've got the page here. I'll bounce this up real quick.
Mullvad's a really good one that we do recommend. I think for a lot of the power users in the crowd, Mullvad will be fine. But there are, like, I remember when Mullvad came out, I asked some of my friends and family, like, hey, can you test this out for me for like a week? Because I want to know if this is a good browser I can recommend to the average non-technical person.
One person couldn't download it because their antivirus kept flagging it, which I still need to talk to them about why you shouldn't pay for third party antivirus. And then the other person was able to download it just fine, but they were like, Hey, um, and they weren't mad at me for the record, but they just told me they're like, Hey, FYI, literally none of my streaming services work like Netflix, Hulu, Disney, like none of them work with Mullvad. So it's a great option.
It's just, you know, the average person may struggle, um, to do some like day-to-day things. Um, Firefox, like I said, is pretty great. There's just some settings you need to change. Add uBlock Origin. Brave. I think for people coming from Chrome, Brave is probably going to be the best replacement since it's based on Chrome. So yeah. And then people are obviously leaving things here in the comments like Helium and Zen. Those are fine, I guess, if you want to use those.
They're not our official recommendations, but they're probably way better than Chrome, I think. So yeah, I think I've been talking plenty. I'll turn it over to you for a minute. Any thoughts on this? It was funny that you mentioned how many songs there are because I think four gigabytes was the amount of storage that the original iPod had in two thousand one. And that classic tagline, a thousand songs in your pocket.
Now we're just kind of wasting that storage space on random AI models that it sounds like are going to be barely used in Google Chrome since most of this is still going through their servers.
So it just kind of goes to show how much tech has changed in the last twenty five years, and how not, not really for the better. I think all of this software just becoming very bloated for very little gain. Um, and I think at the end of this article, um, someone pointed out that pushing four gigabytes of data to the millions or billions of devices that have Google Chrome installed on them, um, results in like just a huge amount of data being transferred over the internet, like all of these software updates do. Um, which is, you know, I mean, that's kind of normal. We get software updates all the time, so it's not that crazy, but that's still a huge amount of data. There's, there's always a cost to that sort of thing, not just financially, but in terms of CO2 environmentally. All of this AI is just speeding up all of those issues in many different ways. So yeah, technology is just... crazy. Yeah, four gigabytes times the amount of Chrome users.
Absolutely. It's exactly like Carey just said in the chat as well. When these stories pop up, you just got to stop using Google Chrome. And I think all of these browser solutions are going to be better. We obviously, the general consensus among Privacy Guides team members and also people in the community on the forum is that Brave and Firefox tend to be the best choices for a lot of people.
But as other people have mentioned, and like Nate just said, there are other options that are coming up and becoming very popular. I've been using Zen Browser for some time personally, and I like it a lot. I know a lot of people are starting to use Helium Browser lately, which definitely has some good things going for it.
I would also throw in Brave Origin as a great Google Chrome alternative in addition to Brave, just because it has a bit less of the bloatware like the VPN stuff that Brave does or the cryptocurrency related stuff. That obviously costs money for some people, but what I would say to that is if you don't want to pay the sixty dollars, you should be on Linux anyways, where Brave Origin is free. So you always have that option.
Linux is a great operating system to switch to, and you can start using that. A big benefit of Brave Origin versus these other platforms is mainly just having the backing of a much larger company behind it, and Brave has been very timely with security updates and other Chrome updates for a very long time, whereas a lot of these other alternatives are somewhat hit or miss with those updates.
And just like with GrapheneOS, like we were talking about before, staying up to date with those updates is super important from a security perspective. I would typically probably recommend Brave Origin to most people who are looking for the cleanest Chromium experience these days. But yeah, there are certainly a lot of options with their own pros and cons. And if you want to know any of the specifics of that, I would always recommend checking out our forum or asking your questions there.
I mean, with a lot of these browsers, I know there's already discussion threads about them where you can find out the pros and cons and why they're not necessarily recommended on the site yet, but can still be good in certain use cases. So the first generation iPod had a minimum of five gigabytes. And I don't know if this is going to make you feel old, but it made me feel old. The connection was FireWire. Yeah, that was an interesting time.
I will say, for everything I just said about technology going in a bad direction in some ways, I will say switching everything to USB-C is one of the biggest improvements that has ever been made, honestly. Having one universal connector is just so nice, so much nicer, if anyone remembers how it was before. Totally agree. Yeah, I do want to point out, I just want to drive home something you said, which is that I think there's something to be said.
Privacy Guides kind of operates under the idea, or under the philosophy, I should say, of recommending the best product. I think, kind of going back to our headline story, I would argue that... and maybe this is open for debate because of what you mentioned about like microG running at an elevated privilege level.
But I would argue that something like, um, Calyx is going to be a little bit better for your privacy, assuming it's fully updated and everything, but it would be a little bit better for your privacy than like stock Chrome or stock Android. Right. Yeah. But obviously we don't recommend that because Graphene is even better and it's really not that much harder. So we recommend Graphene instead.
Um, so where I'm going with that is I think, uh, a lot of the time I think, uh, this is something I've harped on before, is a lot of the time I think we in the privacy community kind of undersell how much we've learned and how tech savvy we are. I consider myself not very tech savvy compared to a lot of other people that are like developers and programmers and hackers, but even I like, I know how to self host Nextcloud. I know how to self host Jellyfin.
Like I know how to mess with the settings on my router. I flashed my router, like all these kinds of things that the average person I think doesn't really know how to do it. And so I think, um, sometimes it can be really empowering to take those baby steps. And I think sometimes those baby steps are going to be, um, I think some of them are going to be like, even if you never go further than this, it's still better.
And so I'm kind of talking to the audience here where, you know, some people get mad that you say things like you in general, that we say things like, you know, like switch to Brave. And some people are like, oh, but Brave has all these problems, which is fair. But also like if somebody switches to Brave and they're just like, oh, this isn't so bad. This is just like Chrome. Well, I hear that Firefox is better. What if I check that out? What about the Mullvad Browser?
What about that might be the gate that opens them up to check out the gateway, the gateway drug that opens them up to check out other browsers. And maybe eventually they will end up at something way better and way more secure. But even if they never go further than that, like it's still better than using Chrome in my opinion.
So yeah, um, yeah, I just, I guess I just kind of want to defend that. Uh, not, not that you were not doing that, but just to the audience, I want to point out that, like, I think these, these can still be useful baby steps along the journey to get people... because something like Brave is going to be, again, I think I said this already, it's going to be like the most familiar for people who are coming from Chrome. And then once they realize, like, oh, that was really easy, that was simple, maybe I'll check out Firefox, maybe I'll check out these other ones. So, you know, it could potentially become a journey for some people. So... Absolutely. I think our general philosophy, at least mine, but I think the general philosophy among the team is that our recommendations on the site are geared towards being the best option with the least amount of downsides for literally pretty much any use case or threat model as much as we can.
Obviously, there's still going to be upsides and downsides to each of these. But like compared to Calyx or even LineageOS, it's our opinion that GrapheneOS offers the most benefits with the least amount of downside to the most people. If we're talking about CalyxOS or LineageOS, those both have some merits. Certainly, like Jordan just mentioned in the chat here, there's wider device support with both CalyxOS, but especially LineageOS, and that helps people get into this de-Googled ecosystem, which is always, I think, great from a privacy perspective. But at the same time, the downsides of using CalyxOS or LineageOS are potentially very high, especially from a security perspective. And people can really shoot themselves in the foot, I think, if they don't know what they're doing. Whereas with something like Brave, not my favorite browser, but the downsides are pretty minimal and it's very easy to recommend to most people.
And I think... I think it probably goes without saying, we don't explicitly have it on our site yet, but we should probably just update it because Brave Origin is the same. But I think Brave Origin is even better because it's just the exact same thing as Brave, but less, which is typically good from a security perspective. You want to keep things as minimal as possible and also just from a user experience perspective.
But if we talk about other browsers like Helium or like Zen Browser or even LibreWolf, like there are a lot of upsides for a lot of people, but there are also a lot of downsides, which make it very hard to recommend to a general audience who might not look into all of this stuff further than what we put on the site. I think that's a common thing... misconception that people have with the privacyguides.org resources is that people think that if it's not listed there, that means there's some problem with it. But typically if something is omitted, it's not like an anti-recommendation in a lot of cases. And this is a reason why I think our forum has become even more popular than our main website at this point. It's because we can have these more in-depth discussions if people are interested in that.
So that's kind of the case with everything we don't recommend on the site. There are in-depth forum discussions where you can learn about these tools, but also learn about the potential downsides, which I think people should at least know before they use them. So yeah, I think that's kind of where we're at with the recommendations in general. Yeah, for sure. That is one nice thing about the forum.
Cause there's so much information and so much to consider that, you know, for some people may not be relevant and for others may be relevant. Like I know, um, and we'll, we'll get to the forum in a minute, but I know on the forum, there's been an ongoing discussion about OnlyOffice and how OnlyOffice like allegedly has some ties to Russia. And like the licensing is kind of weird. And, you know, some people are like, maybe we shouldn't list OnlyOffice.
And me personally, I'm over here going, I don't care. Like none of that is part of my threat model. Um, Not interested, but I completely respect that there are people who are like, no, that's very alarming, and I don't want to be using OnlyOffice at my politically motivated nonprofit, right? So I think it's really cool that you can go to the forum and get that kind of in-depth because if you make a website too wordy, people aren't going to read it. Ask me how I know. Right.
So it's really cool that people have that supplementary resource they can go to. Not to shill the forum too much, but I like that about it. There's no way to shill the forum too much. I can shill it all day, any day. And it'll never be enough. You should check out the forum. Fair enough.
Uh, nice to have Jonah just said in the chat, is there no privacy respecting streaming option? Yeah, unfortunately, uh, StreamYard is not super great, um, either. We mainly offer it as a solution because, I mean, it's a service that we're using, so you're kind of getting it directly, but, and it's also better than literally all the other options. But streaming is a pretty difficult system to get up and running because you have to imagine, I mean, even if we're self hosting it,
every single viewer is going to use like a certain amount of bandwidth. So you just have to multiply that by every single user who's watching it simultaneously. The problem that we have is more to do with, I mean, we just can't have a great experience. We've got a lot of chats this week and we wouldn't be able to integrate chats with StreamYard if we were hosting a stream ourselves. And yeah, like you just pointed out, unlike YouTube, there's really no filtering going on with StreamYard.
So that's the main reason we offer this StreamYard option for most people. I would say like if people... I mean, I can see why you'd want to watch it live, but if you're not going to interact with the chat or anything, the most private option is probably just downloading the podcast to your app because then it's just a download and you can watch it anytime without being tracked after that.
So usually that ends up being the most private solution, but all of this chat being integrated into one place is super nice and that's why we are streaming on these platforms and not anything better, unfortunately. It's just more challenging, I think, than you would imagine. Yeah, for sure. And I also want to mention that the nice thing about StreamYard is like we were talking about at the beginning, we can broadcast to multiple channels at once.
So that's kind of, I think, one of the main reasons we use it. I'm sure there's probably other reasons behind the scenes that I'm not aware of. But that unfortunately also kind of limits us to... what they're able to support. Cause I mean, there might be some kind of like third party script that can mirror to PeerTube, for example. But then like Jonah was saying, we can't see the comments there.
And it's just, it's, you know, it's like you were saying a minute ago, or we were saying a minute ago about switching to services and recommending services. It's like, we kind of have to balance like what's technically possible with what's going to give us the most. I don't want to say return, but you know, like we only have so much time and technical energy that we can spend in places and we need to make sure we're maximizing it. So. Yeah, absolutely. It will be on PeerTube.
It will be on whatchamacallit, on podcasts like you were saying. So we do our best to try and offer people private alternatives, but it can be rough. I think there was something else I saw that I wanted to mention. Oh, yeah. Somebody stopped by and just said, thanks for everything you're doing. So thank you. Just wanted to shout that out. Yeah, thanks for all your support.
I mean, even like just from an algorithmic perspective, one of the main goals, both with this stream and with our YouTube channel in general is to reach new audiences who wouldn't be interested in the type of content that we would publish on privacycast.org, for example. So any sort of engagement on YouTube, especially is helpful for us, even though we're asking you to use Google, which is not great.
But in terms of reaching people who have never seen any of this before, it's super helpful. And anything that we can do to improve that and maybe help other people get this information that they otherwise wouldn't is super good.
Because it's exactly what Nate was saying earlier, not just about software being a good entry point, but I'm hoping that a lot of the videos that we're publishing is a good entry point where people will then feel inspired to check out the privacyguides.org site or check out our forum when they otherwise wouldn't have any awareness of it at all. So that's a big goal for everything that we're doing on YouTube and our videos in general.
I think the last thing on that note, what Carrie said about our conversation a minute ago is I was pointing out that for some people, when they start software, it could be their entry point to move on to other things. If something's too complicated or onerous, especially as a first foray into privacy, it can derail people. So yeah, kind of similar to this whole streaming thing.
If we tell people like, oh, you can only find us on PeerTube, and by the way, there's like a hundred million instances and just trying to be user-friendly to everybody in that sense. Lots to think about.
¶ Microsoft Edge keeps all saved passwords unencrypted
Anywho. Yeah, let's move on to our next story here. This was reported by the Proton blog. Looks like in their business section, but they wrote about Microsoft Edge keeping all saved passwords on your device unencrypted. So if you save passwords in Microsoft Edge, this article says there's a security risk you should know about.
According to a new disclosure, whenever you open Edge, the browser immediately loads all saved passwords into memory in readable form, not just the password for the website you're logging into. That means credentials for every account saved in Edge could be exposed if malware, a compromised admin account, or another attacker gains access to your device or user session.
This is a really interesting story to me because, as I believe it's pointed out in this article, this isn't typical for Chromium-based browsers in general. If you look at Google Chrome, they will only release the password in the memory when you're using autofill, and then they delete it after. And your passwords could be at risk if you just leave Microsoft Edge open, like it's showing on the screen there.
Which is probably happening most of the time for people because you always use your browser. But I mean, even if you open it for a second, malware can potentially get all of that information at any time, which is not great. Microsoft kind of defends this with a similar excuse to what Signal has said in the past about their desktop client, which is basically...
If this is something that's going to compromise your data, you probably already have malware on your device that can get access to all of this data. And that's certainly true. I mean, you probably have, in such a case, you might have bigger problems to worry about than just this alone. There are a lot of ways that malware can exfiltrate your data without your knowledge. Yeah, you just don't want to have malware on your computer, obviously.
But at the same time, and again, when Signal Desktop had some issue with information being available to other programs on your device, we also said this, like, there are technologies that Edge could be using that would improve the situation beyond this. And for them to do this means that they've explicitly changed some aspect of Chrome because, again, stock Chromium doesn't have this behavior. So it's just an Edge-specific problem if you're using Edge in Windows, which is... not great.
I actually don't know if this article says whether this occurs if you're using Edge on another operating system like macOS or... I think there's a Linux version of Edge, isn't there? I don't remember. Somebody tell me. But there is. Yeah, but I don't know why you would be using Edge on any of those platforms. So it's probably not a huge issue, even if this is the case in other ones. But, you know, on Windows especially... Windows is still super popular, and Edge,
Microsoft really tries to force it to be your default as much as possible. So I mean, I would imagine this would affect a lot of users. But at the same time, only making this available to like local users or local software like malware, it's not the worst thing in the world. It just seems completely unnecessary. So I don't... Yeah, that's what I would have to say about the Edge stuff. Did you have any other takeaways from this article, Nate?
Um, I think just the, uh, um, yeah, I mean, it's, it's, unfortunately it's, uh, it is unique to edge, which kind of weakens the argument of like move away from that stuff. Cause I don't know a lot of people that do use edge, but, um, I think my big thing is it reminded me of, you know, and of course Proton's going to take this opportunity to show their products and they say use a password manager, but I, I kind of agree with them on this one.
Um, I think there's a lot of reasons to use a third party password manager. Um, one of them is, um, they're browser agnostic, right? We were just talking a minute ago about maybe somebody starts off using Brave and then eventually uses other browsers. If they have a third-party password manager, that makes it a lot easier for them to switch browsers because that's one less thing they have to worry about switching.
There are also, I believe, correct me if I'm wrong, but I know there is malware that is capable of stealing data that's stored in the browser, like passwords, history, credit card numbers. And I think that it does not work anywhere near as well, if at all, on third-party password managers because of the way that they're segmented away. But I think a lot of other browsers are also segmenting it away in a similar manner.
I mean, obviously, in most browsers except Google, it's optional in Firefox, I believe you can do this, but you typically don't need a master password to unlock your passwords or anything, so there are certainly ways to get into that locally.
As this article points out, on the disk they're using standard encryption, but what's happening is all of the passwords are always being loaded into readable memory or RAM as soon as you launch the browser, so since the browser is open most of the time, the fact that it's encrypted on the disk is probably not super relevant. But yeah, another... Oh, can't talk today. Another thing I wanted to point out that I just remembered was, I mean, Microsoft, this has happened before.
There was a similar issue with Microsoft Recall, where they... just let anybody access all of that recall data, all of your screenshots. Any malware on your device could access all of that without any protections in place. And that just seems to be Microsoft's MO when it comes to developing software these days. They don't seem to take into account any sort of local attacks, unfortunately.
Carrie just pointed out, even though Signal originally said that plain text messages while the app was running wasn't a problem, didn't they eventually fix that? And yes, they did. And this is a case where I wouldn't be surprised if Microsoft fixes it as well, just because, again, this is non-standard behavior. I have no idea why... Microsoft would choose to do this. I don't know what feature that they thought this would enable.
I don't know how they... I have no idea how they use this or why it would be necessary for them to change it. But now that it's getting attention, they might do it. Of course, on the other hand, Microsoft isn't a company super well known for security. So unlike Signal, so I also wouldn't be surprised if they don't fix it. I guess we'll just see what happens there. Microsoft, not well known for security. That's blasphemy. Yeah. Yeah. Signal kind of dragged their feet with fixing that.
They like kicked and screamed about it, but they did eventually. So, yeah.
Um, yeah, I mean, I guess that's all I got. That was my big takeaway, is to use a password manager, and that kind of eliminates the problem. And also we don't recommend Edge anyways. So, um, but yeah, definitely, uh, hopefully they will fix it, because I know I mentioned before, at my last job, um, I used Edge on the work computers, because first of all they issued us those computers, and we were so deep in the Microsoft system that everything just integrated better with Edge, and like if I used any other
browser it added so much more friction, which, I didn't have a desk job anyway, so it's like the less time I spent on my computer the better. If I was spending a lot of time on my computer, something was wrong, because we were like searching for manuals or trying to get a hold of somebody or like tech support or like... So yeah, I just used Edge because, again, work computer, I didn't have anything personal on there. That's their problem if it gets breached. But, um, it was, you know...
What I mean by that is it's their problem because they're the ones deciding that we want to use all this insecure crap. But anyways, so yeah, I mean it's very popular in corporate environments, and they should probably fix that.
¶ Forum updates
I think, I guess that's kind of all we got now on those stories. So we're gonna start taking viewer questions here in just a moment. So the chat's been really active, which has been super, super awesome. But if for some reason you've been holding onto questions and you haven't dropped them in the chat, go ahead and do so. But for now, we're going to check in on the community forum. And I mentioned that there's a pretty active week. I mean, it's always really active.
But there were a lot of good discussions this week. Ironically, we're actually going to talk about Proton again for a minute here because Proton now supports post-quantum encryption. And I think it was last week that Jordan and I talked about this a little bit because somebody asked about it in the chat, but I thought this could be a good opportunity to talk about post-quantum encryption specifically and what it is and all this kind of stuff.
So definitely correct me if I'm wrong here, but I think... without turning this into a deeply, deeply technical video that hurts my brain. Basically, quantum computers are like the next generation of computers. You guys probably know this stuff, but just in case. And basically, they're exponentially more powerful than current computers, aka classical computers. And it matters. I mean, it's a good thing in a lot of ways because they're way more powerful. They're way faster.
They can do a lot more computational work. But it also has a lot of implications for cybersecurity and concerns about being able to crack certain forms of encryption, even without a zero day or a vulnerability. Like they're just so powerful that they can do. Cause here's where I'm starting to get a little out of my element.
Cause modern cryptography basically relies on the idea that like, the numbers and mathematical equations we're using to create this encryption are so astronomically high that no computer could realistically do these kind of computations at scale without knowing the password and the key. And quantum computers kind of laugh at that and say, hold my beer. So yeah, we're seeing a lot of companies both in and out of privacy are really kind of starting to roll out post-quantum encryption.
Signal is one in privacy. Tuta's one. Proton's one now. And outside of privacy, we've seen Apple. I mean, arguable privacy on that one. We've seen Apple. We've seen Cloudflare. I'm sure there's a lot of others that I'm forgetting. I think Google is messing with it a little bit too. So yeah, I think, was that a pretty good summary so far? Yeah, I believe so. I mean, the quantum computers, I guess it is sort of the next generation of computing.
Not in the sense that it's going to replace any of our current computers right now, though, because quantum computers are never going to be good at certain things. It's very niche. But certainly breaking encryption, some encryption schemes, is one of the things that they can do. Not currently because they're extremely not powerful, but maybe in the next ten, fifteen years, it's a very real possibility.
And post-quantum encryption today is super important, in my opinion, because there are definitely a lot of scenarios where all of this data could be stored and decrypted later by any number of parties.
I would imagine governments are probably, uh, working on collecting as much internet traffic as they possibly can, um, without really knowing what to do with that traffic yet. But we know, like, for many years now the NSA, for example, has built that huge data center in Utah basically just to store a huge amount of data. Um, so for some people and for some threat models, I think this is a real concern when quantum computers would get into the hands of normal attackers.
It's hard to say if that'll happen, if ever, but certainly within the realms of governments and probably within the realms of huge companies that you might be concerned about to get quantum computers in ten, fifteen, twenty years or whatever. We do have a full video on post-quantum encryption on our YouTube channel that I would definitely recommend checking out because there's a bit more nuance to all of this, but I think it's a good explainer.
Yeah, I was just logging into Proton right now to see if I had access to this. And this is a big problem that I have with Proton that annoys me a lot, that even though I have a visionary subscription that they say will get you access to all the features when they come out. They never give me access to features first. It's always like randomly after a lot of other people get them. So the blog post does say they're rolling out gradually.
You probably won't see it in your account yet, but maybe some of you will. Unfortunately, I don't see it yet. But what can you do? I can complain about Proton all the time, and they probably won't change this or improve it for me. But maybe they will. If anyone from Proton is listening, you should do things better for visionary subscribers. I know it's a very niche problem. This is like first world problems to have, because most people are not going to be on a visionary subscription.
But yeah, if you do have access to this, let me know how it goes. I believe it's optional. You have to upgrade to it, but that does make a bit of sense because, I mean, Proton can't do it for you because they can't decrypt your data in order to re-encrypt it. I would imagine at some point, maybe Proton could... do it automatically when you sign in, but they're obviously not doing that now.
And it's probably a good thing that they're not doing it now because it would be very hard to do that automatically in a way that perfectly protects your data, I would imagine. So yeah, it's an optional feature. Definitely upgrade to it when the feature becomes available to you because I think it's important to get going now. And again, in our video about it, we explain more of the reasons why it's important to get started with it sooner rather than later. Yeah, there's the video.
Yeah, sorry, I just found it and pulled it up. Yeah, so for any audio listeners, it says The Threat That Makes Encryption Useless. That's the title of the video from October of twenty twenty five. So definitely check that out. And yeah, real quick on the topic of Proton and not having that switch. I think they paused it because I think a lot of users were reporting issues that it was like breaking Proton Drive or something like that. So I think that's why you don't have it.
I think they paused it while they're trying to figure that issue out. Interesting. Okay. But yeah, one thing I wanted to address here is Jordan said it feels a little bit like AI hype. Yes and no, because I agree with you. I've heard a lot of experts talk on this topic on like various podcasts and stuff. And I've heard a lot of them say that like, it's probably not coming anytime soon. Like there's always certain technologies that are like in the next five years, right?
Like the running joke is cold fusion. Um, for decades, scientists have been like, no, no, no. Like, like we're right on the edge of cracking it. Like in five years, we're all going to be using cold fusion. And they've been saying that since like the eighties, probably even earlier than that. So it's kind of become like a running gag. Like, Oh yeah, it's always like five years away.
And, uh, a lot of people are saying that about like, uh, AGI, uh, artificial general intelligence, which is like the actual, the stuff you see in sci-fi movies. And it's like, you know, of course Altman and, and everybody's out here trying to hype up their stock prices. Like, yeah, man, we were just going to roll out next year. It's like, uh, yeah, that and cold fusion too. Sure thing, buddy. Um, this one I've heard people be a little bit less pessimistic.
In the sense that they're like, well, it's probably not five years away, maybe ten years away. I mean, it's probably possible. It's just like they're definitely overhyping how close it is. But I think you may have said this is like I do still think it's a good thing that we're getting ahead of it because you mentioned the harvest now decrypt later where like. The NSA, which a quick little piece of trivia for anybody who looks at my online presences, it's a selfie of me outside of a building.
That is the NSA's data center in Utah. I've done that twice now. I am absolutely on a list. There's not a doubt in my mind. So yeah, I think the whole point of the NSA's data center is just to collect as much information as possible so they have it later when they... quote unquote want slash need it. So, um, yeah, I think it's really cool that they are getting ahead of this, but I'm with you. I think I'll probably turn this on whenever they roll the feature back out.
And, um, whenever I stopped seeing people say that it borked their Proton Drive, not that I use Proton Drive a whole lot, but still it's, uh, it's good stuff to have, I think, personally. Um, I think somebody else said something too. Yeah, I'll look at this question from, uh, terracotta pie on YouTube, um, and I'll actually, um, share a thread that I saw on X about this from Matthew Green, if I can get this pulled up. I'll sum it up so you don't have to read the whole thing.
Matthew Green, if you don't know, he teaches cryptography at Johns Hopkins, and he's a big expert in the cryptography space. And basically what he says about the whole quantum computing thing and why it's probably not a huge issue now is that there isn't really a lot of reason to invest in quantum computing for businesses. Unlike normal computers back in the day, traditional computers had very clear business impact.
This is going to improve businesses in so many ways as soon as they were developed. No matter how slow they were, there were huge practical applications for regular computers to get those developed and make them even better as fast as possible that don't really exist for quantum computers right now. There's not a, there's just not a lot of reason that businesses would need them in the first place. So that slows down investments into it and that slows down development overall.
Um, the other point that he made, and I think this ties more into, um, well, I guess, yeah, I guess your question, whether there's a concern about whether these could already be in use, I think it's fairly unlikely. Just because these companies really don't have access to super powerful quantum computers, and if they did, I mean, there would probably be big announcements.
The other point that Matthew Green points out in this thread, though, is that we don't really know exactly what the government's capabilities are. There's different trains of thought on this. Some people would think that the government and their technical capabilities has really fallen behind the academic and tech community, and that big tech is really pushing all of these improvements. And what's available to big tech now might just be the best in the world.
But some people think the government could be like, thirty years or fifty years ahead of what's publicly known right now, and they could have access to all of these quantum computer resources and could be using them to break encryption at the moment. So it depends on what you think about the government, but we likely wouldn't know because, as he points out, if the government has access to this capability, they would try and keep this as secret as they possibly can.
Um, which has always been the case when governments have new encryption schemes or whatever. You can think about like the Enigma machine back in, what, World War Two. Um, the British, once they cracked it, they went to extraordinary lengths to hide the fact that they could now break this encryption scheme that the Germans were using, because having that power and keeping it to yourself and not sharing it is super important.
And if they had quantum computing resources, that would be like a huge massive advantage to every government and they would be definitely trying to keep that as secret as they possibly can. So this whole thread was basically in response to a lot of crypto people and Bitcoin people are like, well, we're going to know when quantum computers are powerful because somebody will use it to hack Bitcoin, basically. And the point of this thread is that it's not really the case that that would happen.
I mean, in the grand scheme of things, there's a lot of money in Bitcoin, but it's not like to the government or to somebody else who would want these quantum computing resources.
The whole Bitcoin market, uh, value is probably a drop in the bucket for them, and they would be much more incentivized to not do something like that and to keep it secret instead. So yeah, that's basically the whole thing. I would say we don't know for sure, um, but I would say it's fairly universally accepted that's probably going to be a problem, you know, within the next... I mean, even conservatively, probably thirty to fifty years, because there is progress being made on all of that.
Neville Matthew on YouTube asked, I'm assuming there's a considerable amount of compute power to crack these encryptions by quantum computers. I don't, okay, I don't understand what you mean exactly. I assume you're asking whether a considerable amount of compute power is required.
And the answer is yes, you need like a massive amount. Like, quantum computers are nowhere even close to being near to what you would need to have any sort of practical application and to crack encryption. So we're very long ways off, um, in the quantum computing power. As far as we know, like I just said, doesn't exist yet. Um, so I think that answers it either way. Right now there is not a considerable amount of quantum computing power, um, at least among these tech companies and
the academics who are publishing this stuff. And yes, you would need far, far more than what we have now to do anything practical with it. But, you know, progress is always being made. My only thought is what you said about governments aren't interested in the market cap of Bitcoin. Asterisk does not apply to North Korea. Yeah, that's certainly true. I don't think North Korea is on the bleeding edge of quantum computing, but you never know what's going on over there. Yeah, no kidding.
I never miss a good chance to take a pot shot at that guy. We did have one other forum thread here that was interesting. It's about IVPN has revamped. I'm actually going to share their blog post here. Not the forum thread, but the blog post from IVPN. Let me swap it around here a little bit. IVPN has revamped their plans. So for those of you who don't know, I want to say about two years ago, I want to say it was the end of twenty twenty four.
IVPN purchased Safing, which is the company that makes Portmaster and SPN, which is a pretty awesome. I think Kerry Parker once described it as a reverse firewall. It's kind of like a like on Mac. We have things like Lulu and Little Snitch. And Portmaster is probably the best Windows version of that. I know there's also things like Simple Wall, for example. But Portmaster was really slick. It's really good. It comes with good defaults out of the box.
I think I mentioned in previous episodes that whenever my wife gets a new computer, she asks me to set it up and do all the privacy stuff. And that's one of the things I do is put Portmaster on there. Admittedly, it does not work very well with other VPNs. It's designed to be used either by itself or with SPN, which is their version of a VPN. It's not really a VPN per se. It's like a multi-hop VPN. It's interesting. They do some interesting stuff with SPN. I like it a lot.
Um, yeah, so IVPN acquired Safing and, uh, they basically said that they were going to roll Portmaster into IVPN and there was going to be not a required functionality. Like you could still use them separately if you want to, but there was going to be interoperability. And, uh, they also announced that they were working on some other stuff like, uh, an email aliasing feature and a DNS feature. And that all appears to be coming to fruition now. So there are three plans for IVPN.
There's standard, plus and pro, which are sixty, eighty and one hundred dollars a year, respectively. And basically the changes are the standard VPN is now including multi hop and a five device limit, which I kind of wish they did. Oops, wrong way. Still getting used to Macs. I kind of wish they would have a. Oh, OK, here we go. So for the standard plan, it was two devices and did not include multi-hop. The plus plan will also include the new email aliasing and DNS that I mentioned.
And the pro plan will offer a ten device limit and access to all additional services, including Portmaster Pro, which for the moment is only available on Windows and Linux, unfortunately. And they said that there are no price changes on existing pro and standard plans. Pro is now the pro suite. So, yeah, I think if I'm reading this correctly, basically prices haven't changed. You're just getting more bang for your buck regardless of which plan you're on because,
again, like even the lowest plan. Now you've got more devices. Now you've got multi hop, which is super cool. Multi hop is, I would argue, not necessary in every situation, because there is a considerable hit to speed. But there are times when it absolutely makes sense. Yeah, it says pro went from seven to ten, and you have access to all these different Portmaster Pro, Mailx and modDNS. So yeah, I like IVPN. I think they're really cool. I know I cannot find it to save my life.
I should probably try again because it's been a while. But I swear back when I was on surveillance report, there was a period of time, like a six month window, I think, where we were covering VPN vulnerabilities. And I swear to God, every single one of them was like, oh, it affects this VPN, this VPN, like Nord, Surfshark, Proton, but does not affect IVPN. And they were like, I swear to God, there were like four or five of those in a row where they would find vulnerabilities.
And there was something about the way IVPN was running their architecture that it didn't impact them. And I always thought that was... I always thought that really spoke to their security. So they are one of the VPNs we recommend. We also recommend Mulvad. We also recommend Proton. They're all really great choices. They all have pros and cons. IVPN has a few cool features that I really like, but yeah, I think that's kind of these new exciting changes.
Jonah, did you have any thoughts about IVPN's new direction? I was just taking a look at the forum thread here.
I don't want to, like, volunteer him to answer a ton of questions necessarily, but I will say Victor from IVPN is on our forum and he's pretty active, at least in IVPN-related threads, um, and I saw he was answering some questions about the changes in this forum thread. So if you want to check that out, if you have any questions, he might have already, uh, shared some stuff. I totally agree that, um, the device limit changes are very welcome.
Two is very limiting for sure, especially as Jordan just said in the chat. To me, it never made a lot of sense because I think a lot of services were offering more than that for quite some time. Also, there are workarounds for it. Like on your home devices, you could use IVPN on your router to kind of connect as many devices as you want. But then you can only do that at home. You can't do it for a lot of remote devices. Obviously, you have to distinguish your pricing plans somehow.
But yeah, I think it still makes sense for them to increase it at least a little bit. Otherwise, yeah, it seems to be a good value. As far as I know, they had they had all three plans before, right? There's not a new one. I don't remember what the difference was between them, though. I'm gonna go dig it up on the web archive. Yeah, cuz I'll just I'll just go back like a week or something. Because I don't remember how you got access to MailX and ModDNS before. No, no, no. Those are new.
I think those didn't exist before, but that's being added to the plan. They existed before today, though, I thought like MailX was announced a while ago, I believe. It was, it was announced a while ago, but I think it was in like closed beta because I remember they actually, I feel bad about this. Um, they actually sent me an invite to test it out and I got it. Like I made an account, I got into it and then I like, I was like, okay, now I need to find something I can sign up with.
And I just kind of forgot to go back. Oops. Oh no. It looks like a week ago. It looks like there were only two plans. That's what I was. Okay. So what were the two plans? So there was IVPN Standard that says all protocols, two devices and anti-tracker, and that was. A year. And then there's Pro that's all protocols, seven devices, anti-tracker and multi-hop and that's the a hundred dollars a year. So it looks like, so they added the Plus plan. Yeah. And, and then ups the device limit.
Okay. Okay, that's what I thought happened because I did not remember three before. But the changes are welcome. I definitely think if IVPN is going to add more services like MailX and ModDNS, it is great that they added an intermediate Plus plan instead of... just increasing the price of the standard plan. You always want to see a bit more delineation, especially with features that probably not everyone needs. Some people are going to IVPN just because they only want a VPN and nothing else.
And it's nice that you can still get the standard plan that they had before with the increased device limit for the same price. And it's also nice that you can get these additional features In the meantime, as an intermediate plan, I haven't used Portmaster in quite some time, so I'm not sure whether I would say it's worth the extra money, but maybe it is. A lot of people on our forum seem to use Portmaster and like it, so... Definitely worth checking out, at least.
I should check it out again, although I see they still don't support macOS, which is what I told them I kind of wanted from the beginning when Safing launched Portmaster. And it seems like that has never changed. So I couldn't use it on all of my devices, then only my Linux devices, which is kind of unfortunate for me. But I guess if you use Linux, you wouldn't have that problem.
Uh, and they also, I was just going to say on their old pricing plans, they advertised like the two and three year plans with an additional discount. It looks like they, they do still have those. They just don't show it on the pricing plan anymore. So if I try to buy a plan, you can see those additional tiers. Um, and that seems like a good option if you want even more of a discount, um, than, than they already provide. Nate, you're muted. Okay. Yeah, I'm gonna have to test out MailX for sure.
Because I think I'm, I'm always I'm very happy with SimpleLogin and Addy. But I think it's one. It's kind of like email, right? Like Tuta and Proton and Mailbox are all good. But it would be nice to have a little bit more competition. Instead of encrypted messenger number five hundred and fifty seven million. Um, and I, I feel that way about, uh, uh, like aliasing services too. It would be nice to have a little bit more.
Cause I mean, there are things like Firefox Relay, for example, but they're very limited in what they can do compared to something like SimpleLogin or Addy. So, um, I'm really curious to check that out, but I was just going to say, yeah, I, um, up until last year, cause, uh, when, when we moved, we really scaled down a lot of our, our stuff to kind of save money. And, uh, um, I used to have SPN and it, it's definitely come a long way.
When I first started using it, it had a lot of like, um, disconnects, I guess you could say, like there were a lot of times that things wouldn't load and I would have to like on like disconnect and connect again to get it to like reestablish the connection. Um, they really fixed that stability. I, I liked it. I never really noticed any issues with it other than again, everyone, it would still do that every once in a while, but nowhere near as bad as it used to.
I think the, um, the big issue that I have with it is, again, the fact that it does not work well with third party VPNs, which I don't know if that's maybe something about the architecture and the way that it's worked, the way that it works. Because like, like, again, I put it on my wife's computer because she doesn't usually use a VPN. She doesn't really care for them. But on my computer, it's either basically you have to use SPN,
you have to use the router level VPN, which I don't like to do because there's certain things that I trust and I want to send outside the tunnel, like Tor or Signal, or I just can't use Portmaster. And unfortunately, that's where I'm at right now. So, yeah. I don't know. I like it though. It's got a really clean UI. The SPN is a nice benefit. I was just looking at the Portmaster pricing because there's another point I want to make after this.
But I will say, Portmaster Pro is a bit more than I thought it was. It's already eight euros a month to pay for independently. So IVPN's pricing, if you want Portmaster Pro... which includes access to SPN, which is like, I mean, it's a VPN service that Safing offers. Safing being owned by IVPN now, obviously, with some additional benefits beyond a VPN.
So if that is something you want access to, and then you also want any of these other IVPN features, the plan change actually seems like a great deal because I don't think any of them, I mean, none of the plans came with Portmaster before for sure. So it is kind of a step towards something like Proton Unlimited, for example, that gives you access to all of these things. Um, but on the other hand, what I dislike about some of these services is that, uh, ModDNS, MailX, you can't pay for separately,
which I think is kind of unfortunate because like even with SimpleLogin right now, if you don't want a Proton subscription or you use Proton but you don't need all the additional features of Unlimited and you just want SimpleLogin, you can still buy those products independently.
And typically, if you use all of them, bundling ends up being a lot cheaper, but I would love to see some tier of MailX that you could use independently of all the IVPN stuff, especially because you don't get it on the IVPN base plan, so that does make it fairly expensive for people as opposed to SimpleLogin, which is thirty six dollars a year, um, just for access to SimpleLogin, but that probably continues to make more sense than paying eighty dollars to IVPN if
that's the only service you need. Um, so it'd be nice if that was independent, but beyond that, the bundles do seem like a good value for people who are using it. And especially, I mean, if you're using IVPN Standard already and you're using something like SimpleLogin for thirty six dollars, you basically get a new aliasing service for only a twenty dollar difference for a year plan instead of the thirty six. So, yeah, bundling it could make sense.
I see a lot of different opinions about bundling stuff in general, like on the forum. I don't know if my camera just disconnected. That's weird. Yeah. Did your camera overheat? We still hear you though. I don't know. I'll figure this out. You can go back to talking more stuff. Yeah, no, I was gonna say I know what you mean. Like bundling is it I mean, you really hit the nail on the head.
Like on the one hand, it's it's cool to have a whole bundle like Proton Unlimited or like this IVPN Plus or Pro suite. And it's really cool. But only if you're actually going to use all those things. If you're just like, No, I just want MailX for whatever reason, or I want ModDNS for whatever reason, it, it probably doesn't make sense to pay at dollars a year. Um, but yeah, it's, uh, it would be nice to see them offer that more modular thing.
I think my concern is, um, uh, I, my only reservation is I worry about companies trying to do everything at once. Like one thing I really admire about Mullvad is they're basically, I mean, they do have Mullvad Browser, but for the most part, they only do a VPN and that's all they do. And they don't really seem interested in doing anything else. And that's great.
I mean, they do have like some public DNS servers you can use, but it's not like this, you know, this... ModDNS standalone DNS service with block list combinations and configurable rules. Like Mullvad is just like, here's our DNS. You can use it if you want, or you can not, we don't care, but there it is. And I, I really respect that kind of like specialization.
Whereas you look at things like Proton that rightfully so get a lot of, um, a lot of criticism for the fact that it's like, yeah, that's cool. You have five hundred tools, but like they don't work for crap on Linux. Ninety percent of the time, you know, the the feature parity across operating systems is just trash. Like, you know, there's there's features that people have been asking for since I got into privacy ten years ago that you still haven't rolled out. And so I just I worry.
I hope that they they aren't going to bite off more than they can chew is what I'm getting at. So it is really cool to see them add more and especially like as much as I love IVPN, I gotta be honest, like I think between Mullvad and Proton, I have kind of been struggling to figure out like what their, their niche is and what their selling point. Like, again, I think they have really good security and I don't think they're bad. Like, I don't think we shouldn't list them or anything.
And there's, there's a couple of neat features they have. Like they have this feature on, I think it's Android only where you can set up a trusted network. So like, let's say your home network, you have a VPN on the router, right? You can tell your, your IVPN app that like, Hey, when you connect to this wifi turn off, Because there's no point in having two VPNs. I mean, I know some people want that, but for the average person, it's like, I don't need that kind of speed slowdown.
But then when you disconnect from that network, turn back on. And so it automatically, like you never have to manage your VPN. And I think that's a really, really cool feature. But, um, but yeah, other than like little things like that, I'm like, yeah, what are they really? Because like Mullvad's thing is like hardcore privacy, hardcore anonymity and Proton's obviously got the suite and they promised they work with streaming services and stuff like that.
So I guess what I'm getting at is it is nice to kind of see them starting to like carve out a niche again and start to have like these competitive features again. And I think that's really cool. And yeah, I saw that comment too. Damn, almost two hours stream. Yeah, this is normal, man. Where you been? No, what was crazy was the other week we went for like three and a half or four hours. That was wild. We got a lot of stuff to talk about every week. Exactly. Got a lot to say, man.
And then, yeah, somebody else said ProtonDrive for Linux. Yeah. Yeah, exactly. I wish. Is ProtonDrive supported by Rclone yet? I feel like I saw something about that. Oh, I don't know. That's above my skill level. Oh, yeah, it is. Yeah. So technically, there is a way to use it. But yeah, Proton Drive sadly doesn't have an official API, so they kind of just did the best they can. But Proton can kind of change it any time. I vaguely remember that now. Which is interesting.
Their website says that they believe it works. I don't know what has... Maybe something has changed. Like I said, Proton can kind of change all of that at any time, so... Not a great solution. I would definitely rather Proton Drive just release a Linux client, but Linux support doesn't seem to be a huge priority for Proton in general across any other stuff. I think that's one of the many problems I have with Proton. But what can you do? I agree. Just about IVPN really quick.
I was trying to look through their site and find out more about these plans. And if anyone from IVPN watches this, I literally signed up and then tried to change my plan one time and it says too many requests. Try again later. So I don't know what's going on with your site, but the rate limiting might need a bit of work. Rate limiting plans. I've never heard of that. That's interesting. Yeah, I don't know what's going on there. But yeah, overall, I think it's cool. Definitely some concerns.
But yeah.
¶ Q&A
I think that's all I got for forums. You ready to move on to the Q&A? Yeah, we'll have to look through the chat here, see if we miss anything. I saw on the forum thread, we basically just got one question in advance this week. Expert-FortyEightSeventy asked, if we could add XMR chat as an option for stream donations? And the answer is yes, I would love to do that, but I keep forgetting to do that.
But also, I'm not sure if we can show Super Chats on the screen with an XMR chat in the way that you've seen it on other streams. Just because we're not using OBS, unfortunately, so I don't think we can show those banners in StreamYard here. But we could definitely do it, and... I don't know, manually type it. We currently type the banners like the one you see on the screen right now. So yeah, if I remember to set that up, we can definitely test it out. Hold on.
So it, uh, I don't know if it will relay chats, but if you go to their front page, it says how to use XMR chat. It does have instructions for StreamYard. It looks like it has to go through Twitch though. Interesting. Oh, cause it'll cause it'll send the message in the Twitch chat and then we could do it like all the other comments we've been doing. So I guess, I guess we could potentially. Yeah. I mean, we'd have to look into that more.
I don't know if that's exactly what they mean, but yeah, that could potentially be an option. Yeah. All right, let's see if I got any other questions here. Cool. Yeah, that's all we had in the forum this week. And I think we've been trying to answer questions as we go, so hopefully there's not too many. So I'm looking through some of the names here on some of the other creators on XMR chat. Not a FBI honeypot. That's a good one. Thanks for letting us know. Cool. Let's see here.
I could get lost in that. I do that sometimes. I just scroll through pages and pages of usernames and stuff. I like seeing what other people come up with. It's very fun. I feel like I have heard of an FBI honeypot. I think they subscribe to our channel. I think I've seen a lot of comments from them on our videos, actually. So that's interesting that you put that out. Oh, then hi if you're watching. I like your username. It was funny. Here, we just got a question from Cannabidder.
Any thoughts on Session shutting down? Um, I mean, I have thoughts on that one. I'm, I'm really sad about it. I've, uh, I think he was actually one of the first people I interviewed, um, back when Surveillance Report used to do more interviews on the channel. And, um, I don't know. I, uh, maybe he was first. I can't remember if he was first or John Todd was first, but I don't know. He's always been a really accessible and a really cool guy, and I'm disappointed.
I'm disappointed for a lot of reasons. I'm disappointed because I think even though Session was never an official recommendation from Privacy Guides, or at least hasn't been for a long time, but I think it still served a useful space for people who didn't want a phone number, for people who wanted the decentralization. And you have to remember, this was before SimpleX. So now SimpleX kind of fills that niche, from a security standpoint, a little bit better.
But, you know, I think that at the time they served a really valuable niche. I'm also just really disappointed because I know they like just moved their entire community to Switzerland as a response to some like pressure from Australian law enforcement.
And I don't know, I like and they just announced they were trying to roll out a perfect forward secrecy, which I think would have I mean, I don't want to speak for anybody here, like speculate too much, but I think could have potentially put them back on Privacy Guides. Like we talked about that as a headline story. That was actually one of the first podcasts I did with you guys. So I don't know.
I think it, I know every day that goes by, it's less and less likely, but I really hope something good will come out of it because I do think they're really showing a lot of potential. And I do think they potentially serve a useful niche. And I don't know. I hope they don't shut down, but I know it's getting increasingly likely as the days go on. Those are my thoughts.
Yeah, I think to me it seems definitely pretty unlikely that they would reach their goal funding, unfortunately. It just goes to show, I think, how expensive running a proper messaging service is. Um, you know, people always say something like Signal, for example, is massively overfunded and, like, what could they possibly be using all of this money for, but, um, in most cases, like, I mean, this kind of thing barely breaks even at best in the best case scenarios, usually.
A couple problems with it is just how expensive it is to run reliable stuff, but also having, like, Mozilla also has this problem where they say, you know, you have to pay a lot of money to get, like, really good developers behind this stuff because the opportunity cost to work at a place that pays you much less is just so high because very good software developers can command huge salaries like one hundred fifty two hundred thousand or more and you have to you basically have to pay that
to be competitive even if you don't have enough money I think yeah you have the FAQ up I don't know I don't know what my camera is doing. This computer is not my favorite so far. It continues to have problems. Anyways, yeah, looking at that FAQ, like I said, I don't think it's likely that they will get it, unfortunately. And they even say, compared to their competitors, they operate extremely efficiently, but I mean... That's just more proof that it's just really hard to do something like this.
And I think that a lot of their excuses or a lot of their reasoning for why these are problems are more more believable than than Mozilla's.
I know Mozilla used that justification to, like, pay their CEO, like, millions of dollars wastefully, because they also were running Mozilla into the ground with insane decisions, so it definitely wasn't worth it in that case. But, um, yeah, in this case, like, the people who were developing Session, um, just need more money than they were taking in, and there's not too much you can do about that. I think it was hard, um, because I think a lot of people I didn't like Session as much when they
switched away from the Signal protocol. I think that made it more difficult for people to trust them, especially because Session was relatively new and rolling your own protocol is usually not a great idea, especially if you can't trust them necessarily to do it properly because you don't know what their experience is. So I think that was an issue with Session. And then the lack of certain security features, like perfect forward secrecy, I think was a challenge for people as well.
Kerry said he's bummed because it's fundamentally different than Signal. I agree. Session was a weird app because it is decentralized, but it's not as decentralized as something like SimpleX, which is a decentralization model that makes... a lot more sense to me in my head if I think about like how it should work. Sessions was strange and I don't know if it still is.
I haven't looked into session in the last year or so, but I know for a very long time and this may still be the case, you needed to be in their cryptocurrency ecosystem and you needed to have like a significant holding of of their token in order to run a node at all.
So it wasn't decentralized in the same way that SimpleX or the same way that the Tor network are, where it can be totally volunteer-run, there would be really no way for someone like me, for example, to contribute to the network in any meaningful way, which I think hinders the decentralization aspect a bit.
I've always said and I would continue to say the obvious replacement for Session for most people is probably SimpleX, but I know that gets in hot water lately because they've taken on VC funding, which is not a great trend that we've seen SimpleX and Bitwarden and other open source companies begin to go in lately. So a lot of problems with all of these apps, a lot of upsides and downsides. Sick Scorpio just asked, speaking of Mozilla, are we interested in covering Thundermail Pro?
I believe at least some of our team members did get access to the beta and we are hoping to do something on it. Absolutely. Seems like an interesting service, but don't know too much about it yet. Yeah, I think that conversation just came up today. So it's a conversation we need to have. I would love to. It's not me, by the way.
But yeah, I would love to cover it for sure and see if, I don't know, maybe that person can answer my questions sufficiently to the point where, or maybe they want to host the video. I don't know. But we'll have that conversation for sure. I'd be down to do it. Carrie just said that's the staking unit. And yeah, I'm looking at the website now. There is still a staking requirement. You need twenty five thousand of whatever this sesh coin is.
I don't know how much that is worth, but I think it's not. I think it's somewhat significant, unfortunately. They have a thousand nodes, which is a pretty substantial network, actually. I'm not sure who runs those, but the whole cryptocurrency aspect of it still doesn't make a lot of sense to me. Yeah, a lot of people really criticized that. People had a lot of criticisms. Some of them, I think, were more valid than others.
I think you mentioned their whole, the reason it costs so much to stake is because they were trying to avoid what's called a Sybil attack, which is where, for listeners, it's basically like, that's an argument people make about Tor, right? It's like, well, what if the US government just rents a bunch of VPSs and runs like a million Tor nodes, and now they own so much of the network that they can easily correlate traffic? Right.
And so that's what session was trying to avoid is every time somebody spun up a node, the price increased so that it would become financially unfeasible for a government to do that. And I think you could argue that like they, that was the wrong approach. I think that's totally fine, but I think their logic made sense. So yeah, I mean, then there's other things that people would criticize that I'm like, that's just a dumb thing to care about. So I don't know.
The obvious counterpoint I think is that if you're worried about somebody with the resources of the government running a ton of nodes on the Tor network, that has a significant cost. And they can also just spend that on Session tokens. So I think it actually makes it... in my opinion, probably more likely that very well-funded adversaries could perform a Sybil attack on the Session network. Whereas with Tor, there's always going to be like, that's very possible.
And we've seen very large families of Tor nodes operated before, but also we know that a ton of volunteers are running this, and there are always going to be a lot of people who are just contributing to it for the sake of doing so, whereas that isn't really possible here. I'm really curious how much a session token actually is or where you can buy it. Right now, it looks like it's worth zero. They've probably pulled the plug on it in light of their impending shutdown, but it looks like...
In the last year, it looks like it peaked at about twenty five cents or twenty one cents. So it was never a particularly expensive token. So, yeah, I guess I mean, even at like. Their lowest point before the announcement, um. was around four cents. But if you need twenty five thousand, you're still talking about a thousand dollar minimum investment. That would be hard for people. I think most independent server operators to justify unless you really liked session. Yeah, that's true.
And for most of the time, if I'm looking at this graph, it was a lot more than four cents. So it would have been it peaked at like twenty one cents, which is I don't know, how much would that be? That'd be like over five thousand dollars that you would have to just stake forever. And it obviously wouldn't have turned out to be good financially either because now it seems like you're just gonna lose that. Nate, you're muted again.
God dang it. I just said very unfortunate. So yeah, uh, Cannabidder just asked how big is the Privacy Guides team, uh, staff wise. Um, uh, it's, it's me and Nate and Jordan right now, so it's three. Um, the whole team varies. What are we at, eleven people? But you can always go to the forum. I'll just show this really quick. If you go to the forum and on the on the left hand sidebar, if you hit the more menu, there's a team members option and then you can see how many people are listed on there.
So. Depending on how you count it, some people are more active than others is the only reason I say that. But certainly a good number of people volunteering. Cool. I think that's probably it for questions as far as I see for now. Anything else, anyone? Last call. Last call. Oh yeah. Look at that. If you go to the website and you click on team members under the about section, it lists everybody. Yes, there are ways to find out. But currently in terms of staff, just us three.
And honestly, mainly video stuff. We do pay for other things, like on a contract basis. So like, Freya gets paid on a per article basis for the news stuff. If other people contribute news briefs, they would get paid as well. And we do one off projects. So we're working on some stuff with individual contributors, if we think it's a valuable use of our resources, but we can only really do so much. Just in case anyone's wondering, I don't get paid per article.
So you'll see when I put out like a whole bunch of articles, it's not because I'm trying to make more money. It's because I'm just like, Oh, cool. I have, I have some thoughts on this. Cause I know I kind of go up and down. Like sometimes I don't post anything. And other times I put out like three or four articles a week. And usually it's, it depends on the workload. So I try not to, um, I try to be very mindful of not to give you guys a little peek behind the scene.
Jordan does most of the editing. So if I'm just constantly writing and filming, I will overwhelm Jordan really fast. So sometimes I hit a point where I'm like, okay, I think Jordan has a couple of videos to edit. I'm going to, I'm going to write some articles. Terracotta Pie asked, is there a big need currently to have more people run Tor nodes to strengthen the anonymity of the Tor network? And the answer is always yes, there is.
And that's the biggest benefit of running additional Tor nodes. I believe, I just wanted to pull up on their website to see if they still have this graph easy to find. In terms of like bandwidth. The Tor network typically has well more than enough collective bandwidth than they're actually using, but additional nodes will still speed it up by spreading out that load a bit, and the biggest reason is definitely to increase anonymity.
To prevent those Sybil attacks we were talking about, the more operators, the better in pretty much all cases. If you can't... There's a huge need for exit nodes more than anything, but those have... considerable risks involved. So I can't really recommend most people do that because your ISP can see any of your traffic and they'll be seeing a lot of random Tor traffic that probably some of it is not going to be desirable for your ISP to see. So it could cause a problem, certainly.
But other types of Tor nodes are helpful, or I think a big help is running more bridges, especially if you want to do this from a residential IP. Unless you're in a country where Tor is completely illegal, then you probably shouldn't be running a bridge, obviously. But in most countries, you can definitely run a relay that's a non-exit relay with no issues at all.
And if you run a bridge, that's very helpful, not just for anonymity, but for strengthening the anti-censorship properties of the Tor network. Because if you run a bridge, your IP address is not published in the Tor directory, it's harder for countries that are adversarial to Tor to block, and that allows a lot more people to access the Tor network than would otherwise be able to.
And there are various ways that that traffic is obfuscated as well, which makes it more difficult to determine whether you're running a Tor relay in the first place. I think general purpose relays are usually more helpful, but if you can't do that, running a bridge or running a Snowflake bridge is probably the easiest way to do it. But there are other types of bridges as well.
You can run a dedicated Snowflake bridge on a server or your computer, but you can also do it as easily as installing an extension in your web browser without having to install any server related stuff. And then it just runs whenever your web browser is open. If you don't want to do literally any server stuff at all, you can download the Snowflake extension and still contribute to the Tor network that way. So there's a lot of ways to contribute.
And I think the Tor network would always appreciate more people doing that. I just wanted to offer my experience because I ran a Tor node a while ago. It's been a minute since I've done it. Number one, yes, I'm with you.
I think it would be awesome if we could get more US exit nodes strictly because... It's not so much of an issue nowadays, but I know for a long time, Tor was practically unusable to me because every website I went to would default to usually German because my exit node was in Germany, and I could never get an exit node in an English-speaking country, and it was so frustrating. I realize, as I say, that I haven't had that issue in a while, so maybe they fixed that, but...
Yeah, exit nodes, there are certain ISPs. I don't think the Tor project keeps a list anymore, but there are certain like VPS providers who are friendly to exit nodes. You can reach out to them and ask. And I would say that to your ISP too, because I was very surprised. For a while, my wife and I had Google Fiber and I reached out to them and I was like, hey, I want to run a Tor node, like not an exit node. I just want to run like a middle relay.
And to my surprise, they were like, yeah, go for it. And I was like, really, Google, are you sure? And like, but I ran an exit node or not an exit node. I ran a middle node out of my apartment for, God, probably close to a year and never had any issues at all. But check with your ISP because some of them do not allow that, even if it's a middle node.
I think by default, your middle node, once you've been online for a while and they consider you trustworthy, you will be upgraded to a guard node, which is basically like an entry node. I think there's a way to opt out of that if you don't want to do it. But I think by default, those are the ones that tend to be less risky because everything's encrypted. So as long as your ISP is cool with it, that's fine.
But yeah, exit nodes, what I've been told is it's kind of a double-edged sword because on the one hand, if it's coming out of a data center, like if you host a VPS, then there's a lot of websites that'll probably block it just by default. But on the other hand, like Jonah was saying, it can potentially be risky to run it out of your own home. I have a friend in law enforcement. He's told me it's usually not an issue... I'm not a lawyer, for the record. Let me finish.
He's told me that in his experience, it's not usually an issue. What will happen is the cops will like get a flag that, you know, from the ISP. They'll go to investigate and the person's like, oh, I run an exit node. Here's my server sitting in the corner. I can show you. I'll pull whatever logs I have, but I probably don't have anything. And the cops just roll their eyes and go, well, that's frustrating.
Um, but again, we're not lawyers. We don't know what will happen. So yeah, I would talk to a real lawyer. I would try to get some expert opinion on that before gambling. That's why I've never done it myself. So, um, yeah. I will say real quick, one last thought on that. What I tried to do in my last town that nobody ever got back to me, this was also right when lockdown started, which is probably why nobody got back to me. I should probably try again in this new town.
Try if you can to get in touch with schools or libraries, public institutions, because in a perfect world, that would be the best place to run it. If you can get your local university and be like, hey, this is a really great project for your students because it will teach them how to be sysadmins. It'll give them hands-on experience with Linux and all that kind of stuff. It'll help strengthen the system. And they could run an exit node out of the university's IT department.
And they have the legal team. They're equipped to deal with it. Public libraries, I think. It's hard to get a hold of somebody because these are really busy, usually underpaid people. But I forget where I got that piece of advice from. But if you can get a hold of somebody at a public institution like that, that would probably be the best. Because then... It's less likely to be blocked compared to a data center, but it's also less liability on you. But yeah, it's tricky.
There's no easy solutions for an exit node. No. Talking with law enforcement or the feds, another thing that I've heard is that traffic from Tor, for one reason or another, is not super big on their radar anymore. They're seeing a lot more traffic through. I talked about this a long time ago. I don't know. It was probably like... half a year ago on one of these episodes, but they're seeing a lot more suspicious traffic coming out of residential proxies.
So it's probably far more dangerous than running a Tor node to just buy some random Android box on Amazon and install that on your network. That's how most of that stuff happens, and they end up knocking down some grandma's door because they bought some cheap Android box on Amazon that's relaying some random traffic through there.
There's a lot of... If you search up pretty much any of these residential proxy companies, there's a few of them, and they all claim that their IPs are above board, but pretty much every single company that is offering access to residential IPs or ways to get around VPN blocks are all getting those IPs and connections through very unethical means, whether that's dedicated Android boxes or malware browser extensions that get installed on people's computers or what have you.
And that tends to be a bigger concern nowadays. So just something to think about. I think we did talk about that a few months ago. I forget what the context was, but I remember you talking about that. I guess maybe last question. Do you have any experience with I2P? You know, I just wanted to look. We used to list it on our site, and then we removed it. I don't remember if we added it back, so I wanted to look at Privacy Guides and see if it's still on there.
While he's checking that, I personally, I think I tried to tinker around with it one time, and... I found it very difficult to understand and use. And it's also like, it's the same problem with like Tor, right? Is a lot of people download the Tor browser and their first thing is like, okay, now what? Like, you know, there's no Google for Onion sites, right? So a lot of people have a hard time finding Onion services. So it was kind of the same thing for me.
It's like, okay, now that I've downloaded it, now what? I guess the only difference is, and maybe this is a point in I2P's favor. I didn't really know if I even set it up right. Because, you know, with the Tor browser, you download it, you open it, it says you're connected and you start surfing. And even if you never go to an Onion site, you know that you're using the Tor network. With I2P, I never really had that indicator. So I was like, I don't even know if I'm using it or not.
And I think maybe it was user error for the record, because this was way back in my early days when I was first starting my privacy journey. Yeah. I was screwing up a lot of things cause I was kind of just throwing everything at the wall and seeing what would stick for me. Um, but yeah, I, I personally found it at the time to be a little bit user unfriendly and I don't know.
I've just, I've always, I've never really bought into the, um, the claims that Tor is like super compromised and can't be trusted. So like, is I2P better? Maybe, I don't know. That's above my head. I'm not really qualified to say, but personally I don't have any issue with Tor that stops me from using it. So that's my experience.
Yeah, I think what holds I2P back, um, significantly is the lack of a user, like a general purpose accessible option. Um, Tor is very useful for non-technical people. I mean, a lot of people probably imagine that like Tor isn't used that much except like in the privacy community, but that is not true. Like in a lot of countries where there is extensive censorship, Tor sees a lot of use by a wide variety of people, whether that's... I mean, not even necessarily through the Tor
browser on your computer a lot of the time, like the people who are more concerned about privacy and anonymity are, but like using it on your phone or using Tor VPN on your phone or whatever. Those are very valuable tools to journalists and to activists and other just people in these censored countries.
And that really increases the... usability of Tor a lot, which first of all means that there's more hidden services on Tor in the first place, but also Tor has the option to have exit nodes, whereas I2P doesn't have that built in by default. It's possible to run an I2P service that acts as an exit node, and some companies will do that, but it's very rare for that to happen.
There's only a handful of public exit nodes on I2P that I know of, and so using it for that purpose, for just browsing the web, is pretty limited. And I think that's a big reason that I2P isn't very commonly used. We do have it on our site again. I do remember the discussion about this, and then I can talk a bit about my experience. But we... When we looked into this, there are some benefits just from a technical perspective compared to Tor.
I2P does a lot of interesting stuff that theoretically does improve the privacy, security, anonymity beyond what Tor is doing. So for accessing I2P sites, it's certainly better than accessing clearnet sites like through an exit node, but it's probably better than accessing Tor hidden services as well, but not to a super significant degree. And since the use case just isn't there as much, it's... I don't know, not a lot of benefits to using it over Tor, I would agree.
I tried setting up some stuff with it like a year ago now, but we just never really saw any significant traffic, and it is, like Dave was saying, a lot harder to use. When you set it up manually in a browser, like with a SOCKS5 proxy, you lose out on a lot of the benefits that the Tor project provides in Tor browser as well, because Tor is not only a network, but it's also a huge anti-fingerprinting project.
All of the modifications that they're making to Firefox improve your anonymity a lot, and you're not really getting that on I2P. I suppose you could probably use Mullvad Browser with a proxy, but I don't know how many people do that on I2P at the moment, and... You kind of need a crowd of people to blend in with, like Tor Browser has. So unless a lot of people are doing that on I2P, Mullvad Browser is not going to be a huge advantage. But I'm curious about that now.
I should test out Mullvad Browser on I2P sometime. But yeah, hopefully some of that made sense. It's an interesting project, but it's just not a lot of use cases for it that I can think of. I think looking at the website here, Privacy Guides, unlike Tor, all I2P traffic is internal, which means regular internet websites are not directly accessible. So that's probably what held me back, because I connected to it. And I'm like, OK, cool. Now what? I have nowhere to go.
I don't know any of these websites. So yeah, I don't know. I agree with you. If it's only accessible for other stuff, I feel like that dramatically reduces. Because I try to use Tor where I can. Um, and that's the nice thing about Tor is, you know, I can still go to, to the Proton, um, most news websites, some are hit or miss, um, depending on the exit node that I'm on.
But like, I can still mostly use the internet in a normal fashion compared to this, where it's like, imagine if you could only go to hidden services and it's just like, oh, cool. That's not really going to be useful for my day-to-day browsing personally. Another thing I will say about I2P, though, is that, well, we just talked about a lot of reasons that it's not super helpful for web browsing traffic.
A huge advantage that I2P does have over Tor is that you can really send any sort of traffic over it, and so it's far more flexible in that regard. You will see it used for file sharing, for example, whereas running BitTorrent on Tor is highly recommended against and also isn't as usable, whereas on I2P, the network can support that type of operation much better.
So if you have to share documents or other files through means like that, I2P could certainly have benefits that Tor doesn't have there. Yeah, I2P is definitely something you could use if you know the other people using it and you want to connect to each other through that and you want to build your own network that goes through this anonymizing thing. But just for accessing public services, there aren't a lot of public things on there that would make it useful.
So I just want to give them that. There are some benefits to it over Tor for sure. All right. Is that it for the week? I think that pretty much just about wraps it up, doesn't it? I think so. Nice and chatty in the comments this week. I love it. I love it. It really motivates us when you guys are interactive. And we're trying to be more interactive with you guys as well throughout the episode. So thank you so much for everybody who left a comment.
¶ Outro
Yeah, absolutely. All the updates from This Week in Privacy will be shared on the blog every week. So if you are not signed up for the newsletter, you can do that. Again, I would like to remind people we send out the newsletter when we start streaming. So it also acts as a good reminder. You can also use your favorite RSS reader if you want. For people who prefer audio, we offer a podcast available on all podcast platforms and again on RSS.
And I mentioned earlier, this video will be synced to PeerTube. Privacy Guides is an impartial nonprofit organization that is focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, then you can make a donation on our website, privacyguides.org slash donate. You could also click the red heart icon located in the top right corner of any page on the website.
You can contribute using standard fiat currency via debit or credit card, or you can donate anonymously using Monero or your favorite cryptocurrency. Becoming a paid member unlocks exclusive perks like early access to video content and priority during the This Week in Privacy livestream Q&A.
You'll also get a cool badge on your profile in the Privacy Guides forum and occasionally some early access content or special content with our next video coming up and the warm, fuzzy feeling of supporting independent media. So thank you all so much for watching and we will see you next week.
