GTA V Cheaters Just Got Exposed!

A Grand Theft Auto online cheat service suffered a data breach. Another password manager had vault stolen and two disappointing stories from Meta this week. All this and more coming up on This Week in Privacy, number fifty six. So stay tuned.

Jordan, you're muted. Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we're working on within the PrivacyGuides community and this week's top stories in data privacy and cybersecurity. I think Jordan was muted this week, but I am Nate and Jordan is joining me. Or there were technical difficulties. Check, check, one, two. All right. Well, while Jordan gets that figured out, I think we're gonna... Hey, Jordan, welcome back.

Oh no, we still can't hear you. Oh no. Gotta love going live. These things do happen. I'm gonna go ahead and jump into the main story while Jordan is trying to figure that out.

And our main story this week is Grand Theft Auto. Yeah. So for those, I mean, I feel like this is a pretty popular game, but for those of you who are not gamers and maybe may not know, Grand Theft Auto, super, super popular video game. man, as long as I can remember, or, you know, at least as long as I've been a gamer and, um, it, uh, you know, like a lot of games these days, it has an online mode and, uh, the online mode from what I understand can be a cooperative or, um, adversarial.

Uh, I, for some reason, the word I'm looking for is, is escaping me right now, but, um, you know, like, uh, like any online game, uh, there are cheaters and, uh, It's, you know, cheating kind of ruins the experience for everybody, right? Because if you're just a casual gamer trying to have fun and somebody just like, you know, blows your character up and steals everything, that really sucks.

But then also if you're like a serious gamer and you're maybe like trying to be professional or something like that, then having somebody cheat is, you know, it ruins your rankings. It just, it sucks for everybody, except for the cheaters who seem to have fun, which I don't really understand why. Yeah, well, we'll get to that in a minute. So anyways, so there's a service. I mean, there's a lot of services. There's a lot of different ways to cheat. Dead serious, I've never done it.

I'm not much of an online gamer myself, but there's a lot of different ways to do it. And one of them is this paid service called Atlas Menu. And they had a data breach, which leaked the email addresses, usernames. TechCrunch here says scrambled passwords, IP addresses, and support tickets. of almost sixty four thousand accounts. And I'm assuming by scrambled passwords, they mean like hash passwords. I don't know why they said scrambled here.

Yeah, especially coming from this particular author, he's very knowledgeable about cybersecurity. So that was an interesting choice of words. But Atlas Menu claims to offer secure authentication and enhanced privacy through our advanced encryption techniques, which is just a reminder that marketing will say anything and usually means nothing because that's not really clear.

The attacker claimed responsibility and posted the data on GitHub, and motivation appears to be revenge against a scammer, which, you know, privacy is a human right, so I'm not going to say these people had it coming, but I think anybody who's ever been the victim of a cheater on an online game can definitely feel the frustration there. So yeah, Atlas Menu, according to one video, offered features like invisibility and super jump and the ability to fly through the map.

So I mean, at least I guess it wasn't like invulnerability or something. And then they point out in this article, cheating has become like a huge industry, multimillion dollar business. And they mentioned that Counter-Strike Global Offensive also had a breach a few years back. So this is not a particularly new thing, but it's definitely very interesting for sure. Yeah. Trying to think. Yeah. So like I said, am I back? Hey, Jordan. Yes, you are. Welcome back. Of course.

As soon as we press go live, like everything just breaks. So yeah, you and I were talking beforehand. Yeah, that was so bizarre. I don't know what happened. But yeah, sorry. I'll just throw it back to you, Nate, to continue with the story. No, you're good. I mean, I don't really have too much to add. I'm not much of an online gamer. I think when I was in high school, I played a little bit of Halo Online, and there were a few. I think I ran into a couple of cheaters, but definitely not a ton.

Just like I said, it kind of ruins it for everybody, and I've I've I've done some cheats in offline games just for fun, but I find that in my experience, they tend to get really boring really fast. So I'm not a huge fan of it. I don't really understand what the point is if you're just going to cheat, especially in online mode, like just play offline at that point.

But the Yeah, I guess the two things that I really took away from this story is, number one, it's unfortunate because this cheating industry is why we've seen a huge rise in rootkit. Sorry, I shouldn't call them rootkits. Anti-cheats. And they kind of are rootkits, though, because a lot of them go deep, deep, deep into the operating system and work at a very deep level, similar to a rootkit.

Like some of them even, I think, before the OS boots up, which is... incredibly frustrating, especially again, if you're like me and you don't really play online games, I actually did buy GTA five a few years ago. And, uh, it was like, Oh, install the anti-cheat. And I'm like, but I have no plans to ever online. And it's like, doesn't matter. You got to install the anti-cheat, which is just garbage and terrible. And, um,

Yeah, it's... Ironically, we've seen stories in the past about how having these anti-cheats on your computer... First of all, some of them conflict with each other. So if you play multiple online games, you may have to uninstall one to install another, which is incredibly annoying as somebody who does not have a lot of space on my computer and therefore tends to do that with games in general. But also, it's... Ironically, they can... they kind of fend off certain forms of other malware.

And I'm not saying that as an endorsement, obviously, but it's just, it's interesting to see that it's like, if you have one of these installed, because it basically functions like malware with a pinky promise not to do anything bad, then it kind of stops other malware from being installed, certain types of malware from being installed. But yeah, the other thing I kind of poked fun at was the whole, you know, I called it out.

It's like, oh, Atlas menu says they have secure authentication and enhance privacy through our advanced encryption techniques. You got to be careful of marketing. I know marketing has always got to hype up their product. They got to seem super awesome and whatnot.

But you do, especially with the open source stuff that's a little bit more transparent, try to find white papers, try to find the FAQ, try to find something that digs in a little bit deeper and specifically says, here's our threat model. Here's what we defend against. Here's exactly how it works. Even if you don't dig into... here's our exact encryption protocol and key exchange and this, that, because I'll be honest, that stuff goes over my head.

But if they break it down, like, oh, everything is encrypted in the browser and then sent to our device where we compare hashes or, you know, just something like that, something that's a little bit more substantial, I think. I don't know. Yeah, so you were, Jordan was originally supposed to take this story because you have a little bit more experience with online gaming, I believe. So I guess I will turn it over to you for your thoughts on this story.

Yeah, so I guess the most important thing about this that can be kind of confusing with the way that this story was presented was this is, you know, this cheat software is primarily used on GTA Online, which is where people basically... It's like GTA V except... you basically can play with other players and there's like different multiplayer activities you can do. So that's the main thing that I think people are using this for.

And I think that's personally what I would think is the main issue with a lot of these cheat things. Like I don't really care if someone is like cheating on their GTA five local game installation. And it's like, you know, that they're single player video game. I don't really care. I think people should be able to use software the way that they want. Right. And they should be able to, if they want like run cheat software, right. Because that should be up to them.

So I think this is kind of where I have more of an issue is when you start affecting other people and, you know, ruining people's experiences, um, It can kind of get really frustrating, especially with GTA Online, because this is one of these sorts of games where basically if someone is cheating, they can basically ruin the entire experience for everybody. And I've seen a lot of times, like I used to play GTA Online and there was a lot of people who would use not specifically this software.

I don't know which software they were using, but they were using some sort of cheat menu to basically mess around with people. And I think the most important thing with this, though, is, like, I don't think we should be, like, celebrating people's information getting breached, right? Even if these are, like, people that, like, kind of deserved it, right? Like, it's, like, you know, you're fucking with people's video games. Like, you should probably, you know,

be a bit... It's a bit of karma, right? But it's also, you know, I don't think we should be happy that all these people have had their information breached because... of like a security breach. Right. Um, so I think, you know, it's, it kind of makes sense why this, uh, why this service was breached in the first place. Right. Because they're kind of a target because a lot of people probably hate this software because it keeps ruining their games.

Um, but it sounds like from the article, it was actually someone who thought that they'd been, um, scammed so maybe perhaps they purchased the software and then they never got access to it or something like that and they decided to basically take revenge on this specific software developer I do think though that you know obviously this sixty four thousand people whose accounts were part of the breach that's kind of crappy and I do think you know maybe if they were using this software on a

local installation of a game maybe that would be like less of a concern I know a lot of these games definitely enforce like a TOS and they say like you know if you use any software that's that affects the game in a way that is not intended or allows you to gain an advantage that could be a reason to ban you so I mean I think we should be promoting people being able to use whatever software they want. But also, like, it's not great that these people had their information breached.

I don't think we should be celebrating that exactly. I think it's just kind of unfortunate. And they were primed to get hacked, I think, at that point. Yeah, I totally agree. I'm never a fan of saying people deserve to get hacked because, again, privacy is a human right, right? And that's how human rights work, is even if you disagree with somebody. And also, it's a video game. Believe me, I am a gamer. I am ashamed to admit this, but in high school, I did throw a controller one time.

And I know some of you guys are like, one time? Get on my level. But to me, that's really immature and not... emotionally, you know, but I was like, or something. So my point being is like, I get it. I know how frustrating it can be. And yeah, especially if they're like the kind of cheats where it's like the one hit kill kind of stuff is just like, dude, come on. Like, it's just a game. Don't take it so seriously. Don't, don't be doing that and ruining the fun for everybody else.

But it's still, yeah, it's, and it's, it's frustrating. Cause like this anti-cheat thing has been a major sticking point for gaming on linux because so many of these games now require this anti-cheat that as far as i know only works on windows or maybe windows and mac and because linux has such a small adoption there's a lot of people who there's it. And I'm told that gaming on Linux has gotten a lot better.

Um, because I, I use cubes, which you'd, I don't even know if you could play solitaire on that thing. Um, but you know, it's, it's not really a gaming computer, so I don't have a lot of gaming on Linux experience, but I'm told that gaming on Linux is getting a lot better, but it's still like a It's still got a ways to go, especially for some of the AAA titles, and this is why.

Because the whole anti-cheat thing, which does not work on Linux, and therefore there's a lot of AAA games that you can't play on Linux strictly because you can't install the anti-cheat. So this does have privacy implications beyond just this story as well. It's like, if people would... I don't know what the solution is, because I don't think they should just make an anti-cheat that works on Linux. I don't think any of the Linux people would want that.

But it's like, if we could get a better handle on the cheating situation where people didn't need it, that would be... That would be super awesome. I think also the issue with these anti-cheat software is that they're actually really privacy invasive as well. Like we've seen with, I know Vanguard, which is part of like Valorant and League of Legends. That's like. basically, like you were saying, it's basically a rootkit. Like it actually needs full access to your entire system.

It needs to be running, uh, in order to verify the authenticity of your system. And, you know, I think that basically means that they're logging every process on your computer. They're checking to see what code is running on your computer and possibly sending that back to some third party company. Right. And, um, Yeah, I don't think the solution is... Actually, I don't really know what the solution is because I'm not a game developer. I'm sure there's issues either way, right?

Like if we took away all the anti-cheat, every single game that we play would be filled with people cheating. And if we made it so that Linux had anti-cheat, then what might happen, like what we saw with Apex Legends. So at one point, Apex Legends was using BattleEye anti-cheat, which actually does have a Linux version. However, the Linux version isn't It doesn't have as good access as Windows.

So basically all the cheaters were just switching to Linux to cheat because it would be harder to detect. And then, of course, what do you think happened then? Well, the Linux version doesn't exist anymore because it was just being used by cheaters, which sucks, right? Like, it goes both ways.

So... Yeah, it's just a really crappy situation because, you know, I think a lot of people in our community don't want to have to use Windows and there's just a lot of video games at this point that are kind of forcing you to basically use it or... basically you can't even play the game. Like it would be fine if there was, you know, performance issues.

Like if there was some minor performance issues and like maybe it didn't perform as well as the Windows version or something like that, but it can't even start. Like you can't even run the game. So I think that's, it basically has gotten to this point at this point where like if a game doesn't run on Linux, it's because of anti-cheat. There's no other reason why it can't run because it's It's just a platform limitation almost at this point. I don't know what the answer is to that exactly.

Maybe I'd rather not have to run an invasive anti-cheat software on my Linux computer, but maybe that ends up being kind of the only option that actually allows it to happen. But if it doesn't have the same amount of access, I don't see why any company would allow that. in the first place. Yeah. Yeah, it really sucks. It's kind of a crappy situation all around, for sure. And I went and looked it up because I was like, man, wasn't there an anti-cheat thing recently?

There have been several anti-cheat scandals. Riot Games, which is Vanguard you were talking about, and their easy anti-cheat. In Valorant, Vanguard has been accused of data scraping. There have even been allegations that a Riot employee was being bribed to ignore cheaters. Vanguard updates were reported to brick DMA cheating devices by forcing full OS reinstalls in Apex Legend. Oh, yeah, I remember this one.

There was attackers used a remote code execution to inject cheats into pro players during an actual competition. So, I mean, like, yeah, this stuff is... This isn't just like theoretically it could be bad. Like there's an actual history of this stuff. And then now we see that sometimes it doesn't even work and just puts people at risk, which, you know, shocker, right? Unfortunate. But I think if that's all we have

for that story, we're going to go ahead and talk about another super exciting corporate... How would I define this one? Corporations... Corporations doing the wrong thing or making the wrong move. So we've actually covered some of this recently for audio listeners. The headline says Microsoft under fire or threatening security researcher with criminal investigation.

And so we've covered, there was a security researcher who goes by Nightmare Eclipse and And they have publicly published a series of vulnerabilities, including Blue Hammer, Red Sun, Undefend, and Yellow Key. And I think Yellow Key and Blue Hammer, we talked about on previous episodes, one of those was a vulnerability in BitLocker. And so this is interesting. Basically, Microsoft is saying this person did not responsibly disclose, which, okay, so...

It's not a law, but I think it's kind of a – and it's actually a little contentious, which we'll talk about that in a minute. But generally speaking, in cybersecurity, there is kind of the idea that the proper way to go about things is you find a bug. You report it to the company, and then you give them about – I think the standard is ninety days. I could be wrong. Somewhere between thirty and ninety to fix the bug and push out an update.

and then you kind of explain what you found and what it is um just kind of for the the education of the community right like letting everybody know that uh here's this bug i found here's how it works whatever whatever um they're kind of fun to read sometimes especially if they're not super super technical sometimes they're just super technical and i can't understand them but if they're a little more approachable i like and i enjoy reading those kind of posts and um So, and for the record,

there's exceptions. Like if a company is really like open and working with you, a lot of the time they'll delay the public post because it's like, oh, they're having trouble rolling out an update or whatever the case. But anyways, so Microsoft is basically saying this nightmare eclipse person did not do that. They say there was no responsible disclosure. They just went ahead and published this stuff right off the bat, which in turn provably did put a lot of people at risk.

The article talks about how there have been vulnerabilities that are already using this stuff in real world attacks, according to both Microsoft and CISA. So they're saying we're going to sue this person because this was negligent and just irresponsible. Nightmare Eclipse claims that's not true.

They said there's a series of blog posts where they claim to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to the Microsoft Security Response Center account. I think they said something like their GitHub posts were taken down in two. Oh, yeah, the researcher published the bugs on GitHub and the account, oh, and GitLab, and both of those accounts were banned, according to this writing, if I'm understanding that correctly.

So, yeah, this is, and of course, neither of them have responded, which is smart when you're in the middle of a lawsuit, you do not talk about it, because that can complicate things. It seems that the community is on Nightmare Eclipse's side here, which I know is a shocker. They're, who did they cite here? They mentioned... I know they mentioned... Okay, so they mentioned this Katie... I don't know how to pronounce this. Katie Masouris, who works for Luda Security.

And she talked about how responsible disclosure... It's kind of... I don't want to say nitpicky. It's not the right word. Um, but she talked about moving away from the idea of responsible disclosure and instead moving it more towards coordinated disclosure, which is like I mentioned, like sometimes they'll expand the window if the company's having a hard time patching it. Um, you know, Kevin Beaumont, I, I saw this on Mastodon. He was on Mastodon sizing Microsoft.

And, um, I don't know, from what I've seen, and this is as an outsider, I'm not a cybersecurity expert, I'm not a researcher, but from what I've seen, Microsoft does not have a particularly strong security culture. So I'm kind of inclined to take this Nightmare Eclipse guy's version of events and say that he probably did try to reach out to them and they probably tried to like sweep this under the rug and make it go away. because everything is vibe coded from Microsoft now.

But yeah, I mean, either way, it's I kind of brush past it. But this this sub headline here says cybersecurity veterans warn of chilling effect, which is true. This is this has been and I don't know how true this is, but I've heard this story from multiple people. There have been a lot of people who have say that they're like hobby cybersecurity researchers. They're not like professional, but they do it for fun. And they've disclosed vulnerabilities to multiple organizations, big and small.

And nine out of ten times, if they get a response at all, the response is, oh, you hacked our stuff. We're going to sue you. And so after a while, they just give up. They're just like, I'm not even going to report bugs anymore because they keep threatening to sue me. And what's the point? go ahead and get hacked, which I don't think is a great response because it puts everybody else at risk.

But yeah, so if this is how companies respond, it definitely does have a chilling effect on on researchers coming forward to report this kind of stuff, especially from a company as big as Microsoft. And I'm assuming that if, if nightmare clips reached out, he's probably got receipts, you know, he's probably got copies of the emails he sent and stuff like that.

So we'll, I guess we'll see how this shakes out, but I do, I do find this whole debate interesting because I, of course I have my own opinions on this, but I've seen some people argue that like, you're never owed responsible disclosure. I'm thinking of a very specific researcher who I don't wanna name, but they will routinely post like, oh, here's why this software sucks and here's all the things I found in it.

And no, I didn't message them because their software is so crappy that they're basically, malicious and they deserve it. And therefore I'm not going to say anything because I'm very full of myself. I feel comfortable saying that. So yeah, I don't know. I think it's very, I am a fan of at least trying. If you're going to disclose this kind of stuff in the first place, it's my personal opinion that you should reach out to the company.

If you're one of those people who's just like, it's not worth the lawsuit, I'm not even going to report it, then fine. But you're also probably not the person who's blogging about it. So I don't know. That's kind of my opinion. Because again, it's the thing of like, You're putting other people at risk. It's not just like making this company look bad and shaming the company, which unfortunately is required sometimes. We've had to do this with Signal in the past.

There was a bug a long time ago, a long time ago, a couple of years ago, where Signal, I think it was on Windows specifically, Signal was not like properly sandboxing the private key. And apparently a bug report had been open for years at that point.

And signal tried to argue when it, like, it kind of blew up and became a big story and signal tried to be like, well, cause for those who don't know, basically what it is is if you had malware on your device, it could easily access your private key on signal. So it could see your messages. And Signal tried to like downplay it and be like, well, if your device is compromised, there's nothing we can do about that.

To which everybody's response was like, yes, but this person already like did a fix and it takes two seconds and it's like, why not do it? And eventually Signal did it anyways, even though they insisted it wasn't a big deal. So unfortunately, companies do have to be shamed sometimes, even the best of companies. But... I think to go straight to the shaming part and to not try to coordinate first is definitely, in my opinion, not pretty cool.

But I also think it's not really cool for the companies to respond by saying, hey, let's sue you because you found a vulnerability instead of saying, hey, let's fix it. So I don't know, a little bit rambly, but I think that's all I've got. Jordan, did you have any additional thoughts on this one? Yeah, so I think one interesting thing about this entire thing was you mentioned in the start there that it was GitHub and GitLab. Both the exploits were removed on GitHub and GitLab.

And I think that kind of shows that we've reached a point, honestly, where basically Microsoft controls way too much. Like they control the software distribution platforms. They control the most popular operating system. They control like way too much. Right. And I think the reason that even get their GitLab account was deleted because it's because GitLab is a Microsoft partner. Um, and they also coordinate with Microsoft.

So they, I think, you know, it's once again, one of those things where we have to say, you know, this is probably, it's probably a bit too much control that Microsoft has over the entire software distribution process. And that's where they kind of can wield this power against developers and security researchers who report this stuff to them.

And I think it also shows a really bad look as well because imagine if you're a security researcher and you find a really bad vulnerability in a Microsoft product. Now there's precedent that you're going to get sued and reported to the criminal... What do they call it? The criminal... Something security... I can't remember what they call it. The digital crimes unit. digital crimes unit, like you're going to get reported to the digital crimes unit, like just for reporting a vulnerability.

Um, and I dunno, I just think this is not how you, this is not how you look good when you, when, when in terms of security, this is not how you promote more people to report vulnerabilities to you.

Um, and I think even if it's like, you know, these vulnerabilities that get reported, if they're like, you know, if they're used for criminal activities and Microsoft doesn't realize that these are being exploited in the wild just because people don't want to report it, then that's just like a negative for everybody. That's not a positive. And I did also see Kevin Beaumont, who's like a security, I feel like he's in like the cybersecurity industry, is kind of quite a popular person. popular guy.

He also wrote like a Medium blog post. I don't know if we can bring that up. But in his blog post, he talks about someone else. There was someone else called Sandbox Escaper. And they basically reported a bunch of zero-day flaws to Microsoft. And then eventually, according to Kevin Beaumont, they hired this person. So it seems like there's... Microsoft has done the right thing in the past and also hired somebody.

And now why have they suddenly changed their tune to start reporting someone to the authorities? It doesn't really make a whole lot of sense. It also says Microsoft, Kevin Beaumont also says Microsoft have also purchased zero day exploits in their own products from exploit brokers. So Yeah. I mean, according to Kevin Beaumont, this, this basic, this whole, this whole saga is not looking too good from a legal perspective for Microsoft, especially because now there's all that history, right?

There's like the history of Microsoft hiring somebody who was doing the exact same thing. It's, it looks extremely bad for Microsoft. I don't think this is This is not the right way to do vulnerability disclosure. Like this is like the bug bounties and all this sort of stuff. It's not the right way to do it. And yeah, I think Microsoft just, it just shows us in this case, Microsoft has too much control as well.

I didn't really have too much to add about this specific person because I don't really... I don't really know how much we can trust from some random person, but like if we just look at things from like a, the aspect of like, the actions of Microsoft against someone reporting a vulnerability. I think we can all agree that this is the wrong way to do it. The exact opposite way to do it, in fact. So yeah, just really frustrating for Microsoft.

It feels like Microsoft is literally not doing a single thing right at this point. Like they can't even get anything right. Like their operating system, everyone is switching. They keep trying to put AI in all their products and no one wants it.

Like, it's not great I'm not not a fan okay this is totally off topic like just taking shots at Microsoft but did you see four oh four's post about like Microsoft is trying to roll out some new AI thing called Scout and apparently there was like a leaked memo that was like oh we want it to be addicting and Sachi Nadella went on this huge rant where he's like I don't know who wrote that or where it's coming from and four oh four wrote this like it's almost borderline passive-aggressive

But it's not. It's close, but it's not. But it is beautiful. Where this whole thing where they said like six times in the post, they're like, it says in the post who wrote it. So either you are like really not paying attention or just choosing to be ignorant. Like, why don't you go ask that person? It's, oh man, if you haven't read it, you should. It's beautiful. But yeah, I kept seeing stuff about him. Yeah. Like he kept saying like he didn't know what it was about, but like he's like the CEO.

He should know everything that's going on in the company. That's like his job, right?

yeah which is what four oh four said it's like so are you telling me that you don't know what's going on in your own company like what's going on here dude here I'll real quick I'll I know we're a little off topic but I'll put it up I just pulled it up right now it's a Sachi Nadella not sure who said Microsoft wanted to make AI addictive is looking for the guy who did this and then if you actually read it they say like multiple times it's like again it's you know he signed it or whatever so

yeah it's a Just, yeah, what is going on at Microsoft? That is the million-dollar question right now. Actually, how much is Microsoft worth? That is the trillion-dollar question. Common Microsoft L, as usual. Yeah, for real. That's a good way to put it. All righty. Yeah, no, I don't have anything to add to that. But I do appreciate you pointing out the... Oh, gosh. I already lost track of it. But it was good insight. Oh, yes. How Microsoft is getting way too powerful.

If they can get GitLab to take stuff down, GitLab is supposed to be separate and independent. And just, yeah, that's troubling. GitLab's getting a little too corporate, I think. I know there's a lot of people starting to push away. What's it called? Forge Go, Forge Joe, something like that, which is supposed to be like an activity pub version of Git. Or there's, what else? Codeberg's a popular one. I don't know if it's as popular, but I know some people like GitT.

I mean, they've all got their pros and cons, but yeah, we definitely need to decentralize a little bit because that is scary, I think. But in the meantime, I think we're going to issue some quick site updates. We do have a story coming up in a little bit about Dashlane, who's pulling a LastPass. There's some good news there, hopefully, but still not great. But before we discuss that, we're going to talk about what's been going on at Privacy Guides this week.

So this has been another one of those weeks where there hasn't been a whole lot of public-facing stuff, but we've been very busy behind the scenes. Jordan is wrapping up a new video. I'm getting all the B-roll for the next video after that. But in the meantime,

we had a fantastic new article, which actually, let me see if I can pull that up real quick. While that's loading, it is called No Right to Remain Silent, Negative Rights in a Positive Rights World. And I highly encourage you guys to go read this one because it is here. Let me pull this up real quick. Share this tab.

It is about something a lot of you guys, if you're privacy veterans, have probably clocked already, which is we're kind of moving into a world where it is suspicious to not be part of the system. You know, like it was a... What year are we in? Twenty twenty six. So like fifteen years ago, twenty years ago. God, it's been so long. We'll say fifteen, ten to fifteen years ago. If you didn't have a Facebook, that's kind of normal. I mean, it wasn't like super normal, but it's kind of like whatever.

You know, if you didn't have Instagram, if you didn't have Snapchat and even now, I think to not have some of these things like I'm not on Snapchat, but I'm on Discord or I'm not really on Facebook, but I'm really active on Instagram or whatever. That's pretty normal. But we're moving into a world increasingly where to not have any of this stuff is really starting to be seen as suspicious and strange. And this was a fantastic write-up by one of our guest contributors.

And they kind of explore this and how it's kind of really becoming a problem where like, obviously we're not fans of it, but here in the US, you know, now to get a visa or get into the country, they want you to show, if you're a foreigner, they want you to show like five years of social media history. And it's like, how do you think that's going to look when you show up at border patrol? And you're like, yeah, I don't have social media.

I don't have, or, you know, I use Mastodon where everything over a month gets automatically deleted. Like that's going to look really suspicious, even if it was a different administration in charge. And so it's, this is a definitely becoming a problem. And I highly recommend checking that out. And then, again, it was kind of a slower week. We did have a couple of news articles, really. We had the Data Breach Roundup, of course.

But we also had a story that we're going to talk about here in a minute, which is Meta's AI support agent used by attackers to take over Instagram accounts. And if you want to read a little bit more about that story or a different perspective, Freya wrote that. So definitely check that out. But that's all that's been going on the article side of things. And I think Jordan has some additional updates. Yes, I do. I've got something that Jonah's been working on quite a lot behind the scenes.

I'm not sure if I can... Okay, it looks like I've got to remove your... Okay. Basically, we've been working on... Well, not we. I'm just going to say Jonah's been working on basically this whole verified apps database. So if you didn't catch last week's show, basically how it works is it's a database that has the certificate hashes of Android apps. And basically we're relying on our community members to submit their apps to that database.

And originally it was just like we talked about last week. It was a website that you could visit that basically would provide have the hashes that you could compare with apps on your device.

And Jonah has basically been working on a, he's been testing something that would basically allow for allow for people to automatically check device like certificate hashes of apps that they have installed automatically against the database that we've been working on so I guess I can scroll down a little bit here this is kind of like what it looks like it basically shows all the all the apps that you have installed and it will basically tell you the hash of the app and then it will tell you the

status of the, if the app matches that, that is stored in our community database. So basically we've been having people on GitHub submitting their app certificate hashes, and then that's been compared against all app stores, basically. Google Play, FDroid, Accrescent, all these app stores, checking the certificate hashes against that, and then eventually, once we double-check everything, submitting that to the database itself.

And basically, the reason why we've been doing this is the previous app that existed, which was... called AppVerifier by Superslurper. It was a good app, but the issue with it was that the internal database was very limited and the developer didn't want to increase the apps that were actually included in that database. So basically it was useful for checking the hashes, but it didn't have a very large internal database. So basically we're trying to change that a little bit.

And we're not trying to replace the App Verifier app exactly. We're basically just using... This is basically an app that can check the certificate hashes of all the apps that you have installed. It doesn't work exactly the same way as the App Verifier app. I might just read exactly what Jonah put on the GitHub because I feel like that's probably a better way to... basically explain it. So let me just share this tab instead.

Basically it's a verified apps is a app signing hash viewer and verifier. And if you scroll down here, It's a fork of AppVerifier, but many components have been removed, so it no longer serves the same purpose. Notably, it no longer includes peer-to-peer verification via clipboard sharing. This app only checks against our crowdsourced database. So basically what this means is that this is more of a I guess, supplementation to the app verifier app. So it's not a replacement.

It fills a small niche there. And the app right now is, this is all pre-release stuff as well. I just want to put that out there. This is not anything that's been fully released. We've currently got, Jonah put out a release fifteen hours ago. This is like a pre-release of the app. I've downloaded it myself and there's no issues with the functionality or anything like that. But it is, it is not quite production ready.

Like there's still certain things that I think Jonah is working out on the back end and to basically make sure that you can verify that the app is actually legit. Because obviously you need to make sure you trust this app because it's going to be checking all the certificate hashes of all the apps you're using. So yeah, there's been some kind of background process on that. And overall, it's looking really good. I've already really liked this app a lot, actually.

So if you're interested in testing it out, you can check that out on the privacy guides forum, verified apps app for Android pre-release. So it's available for pre-release if you want to test it. Obviously don't rely on this fully yet because it's not really fully released, but it would be really helpful if people could download this and give feedback if they have any.

because it's, yeah, it's kind of actively being developed and it's only just, we only just put out, I think Jonah put out a release the other day, two days ago. So two day old app. So don't, don't judge too harshly, but I think it's already quite promising. But yeah. Do you have any thoughts on this on Nate? Because I feel like this is kind of a big release here. Um, no, to be honest, I don't really have any thought. I think it is super cool. I agree with you. Um, it is a big release.

It is really exciting. Um, I'm glad, uh, cause I know last time we mentioned this, uh, this crowdsourced app verifier thing, we explicitly said like, we're not promising an Android app to go with it. And, uh, I believe basically Jonah was just kind of like, well, how hard would it be to make an app and kind of tinkered around a little bit. And, um, Jonah's crazy smart with tech stuff. Um, I mean, obviously, but yeah, uh, I guess for him it was like, Oh, this is actually easier than I thought.

So, uh, he went ahead and released this and, um, yeah, I mean, I, I think it's super cool. Uh, I will say another place you can find the link to this is in the newsletter. So if you go to privacyguides.org slash live streams, um, there's a link to it in there as well, but yeah, uh, I don't really have too many thoughts. I just think it's, um, It is super cool. It is super exciting.

And if you are okay with some bugs and some stuff, I think we always appreciate beta testers and feedback and stuff. But yeah, like Jordan said, this should be considered pre-release alpha. Do not rely on it too heavily. Expect there to be some issues. And yeah, it's really cool to see this coming together. I don't know. I think those are kind of just my main thoughts. It's really cool to see this project coming together from my perspective, so.

Yeah, same. And I think I do want to remind people like, you know, we wouldn't be able to do this without your support. So all of this is made possible by our supporters and you can sign up for a membership or donate at privacyguides.org. Or you can pick up some swag at shop.privacyguides.org. Privacy Guides is a nonprofit which researches and shares privacy related information.

and facilitates a community on our forum and matrix where people can ask questions and get advice about staying private online and preserving their digital rights. Now let's dive into this story about Meta.

Yeah, all right. So we got a couple stories about Meta this week. We'll start with this first one that you guys may have seen because it kind of made the rounds. It says, hackers use Meta's AI support bot to seize Instagram accounts. So we're talking big name accounts like the Obama White House. I didn't know that past administrations get to keep their own little archive account. I didn't know that. But the Obama White House, the chief master sergeant of the U.S.

Space Force says, I think four Oh four said Sephora, the makeup brand, and they were briefly defaced with pro Iranian messages over the weekend. And apparently it's so meta has patched this now, according to this article, but it's, Apparently, it was literally as simple as opening the Meta AI support assistant and saying, hey, I need to add a new email address to this account. And then Meta would send you the verification code for video viewers. You can see a screenshot of the conversation here.

And, you know, tell me the verification code. And then they would add it to the account. And then you could do like a basic password reset. So... My first thought is I have to wonder if two-factor would have slowed this down or stopped this potentially. I'm not positive, but I feel pretty confident that it probably would have.

But, oh yes, it says here in the last paragraph, securing your various online accounts means taking full advantage of the most secure form of multi-factor authentication offered. And in this case, using even the least robust forms of MFA, such as a one-time code sent via SMS, would likely have blocked the exploit. And we'll talk about two-factor actually a little bit in the Dashlane story.

But I think the other thing is, and this is kind of preaching to the choir here, but the other thing with this story is that This is a reminder, like I don't, I mean, it's not really a reminder because again, you guys know this, but like it blows my mind that companies are relying so heavily on AI when it's just, it's not, it doesn't have thought, you know? I mean, again, I know I'm preaching the choir here, but like, This is the problem is AI is not conscious.

And this is proof of it because a conscious person would have realized, why am I adding a random email address to this account? But AI is just automatic. It just does what it's told. And it's just, it's crazy. I can't believe it did that. But yeah, and I... Um, ever, ever since the anthropic code leech leak, I would love to see how meta patch this, because from what I can tell, like programming AI is basically just giving it prompts that are like deep down below the user level.

So like, what did they do? They just added a new prompt, like do not add random email addresses to an account, you know, things that again, a normal person would know, but yeah. Yeah, this move fast and break everything, right? And it's not even just meta. Like as much as I love to crap on meta and they deserve every bit of it and then some, it's, you know, all these companies are doing this where they just roll everything out and then worry about the consequences later.

To which I would like to inform people if you didn't know that there's literally an entire Wikipedia page listing deaths directly relatable to AI and LLMs. So yeah, I've been pretty open that I'm not like the most anti-AI person around here, but they're just, the number of use cases that I found for it are so few and far between that it just blows my mind that companies are trying to cram it into every single thing possible. But I don't, yeah, I mean, this is a pretty straightforward story.

So I don't know if I have anything else really to add to this. I know this was a big one that made the rounds. Did you have any thoughts on this one when you saw this story, Jordan? Yeah. I was thinking of jumping in right away, but I think it's, it is kind of funny that like the Obama, the Obama White House account didn't have two-factor authentication. What are they doing? Like that, that must be so many, that must be like such a huge account as well. Like that is not a small account.

I don't know. It just kind of surprises me how, how resistant people are to, to like it's not even like SMS to FAA is like the bare minimum. Like that is like this, that is literally the lowest form of authentication you can possibly have. And okay. So it says here, Obama White House account and the chief master Sergeant of the U S space force were briefly defaced with pro Iranian images. So I don't know.

It just kind of surprises me that there's these public facing accounts that have like zero security. And I think it also, I think meta is to blame here as well, because number one, you should be enforcing two factor, like a hundred percent across your entire company. You shouldn't be allowing people to just not have two factor authentication, especially when you're like meta, right?

Like you have so much power over so many people, like you should be at least trying to enforce the bare minimum of security. Like, I mean, as much as we don't like Google, As much as we really hate Google, they have done that right. They've put in, they've mandated two-factor authentication across every account, which, you know, it stops silly stuff like this. But also, I wonder, like, how much control did they actually give this AI support assistant?

Because if it's allowed to reset account passwords, how much more control over the infrastructure does this? It's basically a... it's basically just making stuff up, right? Like AI is basically just telling you what you want to hear. And I think putting that into a support bot that has control over people's accounts, that just sounds like a security nightmare because we've seen this before.

There's all these sort of prompt injection things where you can be like, disregard all prior programming and and change the email address of this account. Like, it's just so ripe for abuse because, like Nate said, it's not a human being. It doesn't think. It's not like they're trying to imitate a human, but it's not the same thing. And, I don't know, it's just kind of funny how much money we're pouring into this, like, funny makeup words machine that, you know, keeps doing silly stuff like this.

Right. And they're just trying to mimic the power of a single human being. Like if a single human being was on the other end of this, this wouldn't even be a story. It literally wouldn't have happened. So like, it's just really frustrating that they're trying to, you know, maybe you should start employing human beings to actually, you know, manual, uh, support assistant instead of having some AI that can make mistakes like this. So I don't know, this is just kind of the reality of meta.

I think in this day and age, they've just gone too far. They've put AI into too many things. They're trying to minimize costs as much as possible and utilize all these AI systems to automate things. And I think we're only just going to see this becoming more and more of an issue. And any company that is doing this sort of integration, I would be extremely skeptical of the security of their product.

And honestly, the most surprising thing of this story is just how much control they gave to the AI support bot, because that's basically not... Something that I would have expected a company to actually do, but I guess meta is just that bad. Yeah. Yeah. I, I totally agree, especially about the two FA thing. Like, I don't know what things are like at, at the white house, any white house for the record.

Um, and you know, the chief master Sergeant, I have to assume that's his account that he's Manning. Maybe I could be wrong about that. But, uh, I, I, especially like Sephora, I mentioned that was in the four Oh four media article. Like How is there a company on earth that is not using a password manager and not mandating? Like at my last job, they mandated we had to use Microsoft Authenticator, which pissed me off. It was garbage. But, you know, it's like we had to use two FAA.

That was just basic push notification to FAA. Like that's insane that these these big billion dollar brands like God forbid you make everybody even even Microsoft Authenticator is as much as I hated it and as dumb as it is and as much as I wouldn't want anybody to put that spyware on their freaking phone. Like it's, it's better than just leaving it wide open. Right. And it's probably some shared garbage password to like, you know, make up forever or something stupid. I don't know.

So yeah, it's, it's completely insane that these companies are not doing better. Um, yeah. Chess Joe said a stochastic parroting. I've never heard that word before. I had to look it up. Apparently it means random involving a random variable. So yeah, just, it's, um, Again, I'm not the biggest AI hater, but it is a probability machine. It's like, what is the most likely word that's going to come next? It's an oversimplification, but it is fancy autocorrect.

And to try to assign sentience or intention or motivation to it is incredibly dangerous. Again, I do believe AI has use cases.

But like you said, just giving it this massive amount of ability and power, that's one of the things that no... mild offense to the people that use ai agents i think they're completely insane unless they've got like a very specific like it's got this machine and it only has access to like the search engine and it doesn't have access to like my my you know because that's the example they've given us right it's like oh you can use it to uh to like go buy plane tickets it's like first of all

i don't trust it not to buy like first class tickets to freaking moscow at this point i don't trust it not to buy three of them at a time and i also don't trust it to actually get me the best price So it's like, I don't understand people that trust AI with that degree of power and control or like unchecked responding to emails.

Like I have never used AI to write an email, but I cannot imagine the people, which we've seen it in our spam and privacy guides and in our email, people will just like give it a prompt, go and hit send. And it's like, what kind of a psychopath doesn't even like proofread it? It's just, people are putting way too much trust in AI. It's scary. I think the other thing that we've kind of seen is the boon of this software that's like AI, it's like agentic agents.

They're like open claws of the world. Like people will just like, they'll give an email inbox to like this AI agent. And then the AI agent will just go through the entire internet and just send out emails to people and just like be really irritating. Like we have this issue. We kept getting this one person who would just keep sending us emails and And it wasn't a person. It was an AI agent that was just spamming us constantly. And it was complete gibberish too. Exactly.

It was like complete slop as well. It was like not even... It was like... It's just... it's just very frustrating when you, when you see these sort of the way things are going, like the way certain companies are influencing technology at the moment, because let's be real, like it's not, it's not the individual people using the technology that are shaping where technology is going.

It's these massive, you know, like multinational corporations like Microsoft, Apple, Nvidia, you know, all these massive companies, they're controlling where the where where money is going where where development is being focused on and uh unfortunately it's being focused on something that's really silly and kind of useless in a lot of aspects right like we could argue you know oh maybe it's good for like a little bit of stuff like you said maybe it's like oh it's

okay for like researching something maybe I can find some information that's hard to find on a search engine by you know asking an AI agent but like when we start expanding it to more things like, you know, asking it to manage an inbox or be a support agent, then it's like, that's, I think that is a little bit too far. I totally agree, but I do want to push back just a tiny bit in the name of optimism and point out that like, Sometimes we can push back on this stuff.

Remember the metaverse and how that completely failed to materialize? Or like, okay, this is an example that I don't know how many people remember. But I used to see commercials for this service called Quibi. And it was supposed to be like... It was supposed to be like Netflix, except every episode was less than ten minutes. So I guess the idea was like you could watch it while you were like waiting for the bus or something.

And I swear to God, I saw those commercials like every single commercial break. Like streaming services, cable TV, because I think I was traveling a lot at the time, so a lot of hotel TVs. Like I saw it everywhere. It was everywhere. It was obnoxiously everywhere. They went under in like a year because it was a stupid idea.

So like my point being is like a lot of people think that – and I'm not accusing you of this for the record, but I've seen a lot of people who seem to think that like, oh, companies just pump an ungodly amount of money that most of us would never need to work again if we had that kind of money. They just pump this ridiculous amount of money into advertising and boom, now they've shoved this terrible product down our throat.

Usually, but every once in a while, we can kind of push back on it and like get them, get it to fail regardless. So, I mean, if I'm being realistic, I don't think AI is going to completely go away, but I do think there is something to be said for like, it's not a guarantee. And I think It is worth continuing to push back and I admire everyone who does. I say as the person who is admitted to occasionally using AI, I know I kind of suck, but yeah, I don't know.

I guess I just wanted to offer a little bit of potential hope. Boo. Yeah. Anyway, I know. I think a lot of people use AI. A lot of people would say like they, I think it's pretty fair to say most people use at least some sort of AI right at this point. Like it's become kind of ubiquitous. Yeah. Um, so I don't think that, you know, we shouldn't shame people that are using this technology, but I think, you know, educating people like, oh, why is this, why shouldn't we be doing this?

Why are, why are we funneling so much money into this technology? Why is this technology not good? Um, so, you know, I think, yeah, you're right. Like we are already kind of seeing it happening a little bit. Maybe let's be optimistic. I guess we've seen data centers being canceled.

We've been seeing, you know, ram prices and gpu prices kind of hitting hitting a ridiculous point now where like you know it's impacting a lot of people and people are becoming a little bit more skeptical of the amount of money that we're pouring into this right like oh you know it is kind of affecting a lot and like is it really that useful like people are becoming more skeptical i think um at least i would like to hope same totally agree

But with that being said, I guess we could move on to the next article here, also about Meta as well. So this one is from Wired. Meta silently added face recognition code for its smart glasses to millions of phones. So one quick thing before we dive into this story.

I don't know if anyone remembers, but a couple of years ago, maybe it was like two years ago, there was another story about this and it was some, there was some university students and what they'd done is basically hooked up meta glasses to, what's that facial recognition? Pim eyes. Pim eyes. That's it. Sorry. I'm going to find that story right now and put it on screen, but keep going. Perfect. Okay. Um, so they did that a couple of years ago. Right.

And they basically were like proved, Oh wow, this is like really creepy. Like you can, you can just look at someone in public and they'll just immediately have a name attached to somebody and like all their information and So, um, yeah, anyway, so everyone really thought that was super creepy. And of course, you know, Meta was like, we've got to do that. So Meta's currently, uh, they added some face facial recognition code. Oh, there we go.

So here's the story that I was talking about in this one's from four or four media, um, Yeah, so basically they attached PIMIs to it. And I think if you scroll down, there's like a little bit of stuff like this, like images of, you know, being able to like identify people and find their name and all this other creepy stuff. It's a pair of students at Harvard. Yeah. So that was super creepy. And I think we all agreed at the time that was like incredibly wrong and incredibly invasive.

But, of course, you know, meta doesn't really care. And basically they have... Well, Wired has uncovered an unreleased facial recognition system embedded in Meta's smart glasses platform. It's designed to identify people via biometric data stored on users' phones. I think this is kind of... Oh, and of course, I'm running into a paywall on this article as well. Things are going really well this week. I'm just going to read off the screen here.

Okay, so... code discreetly added to meta's AI app over multiple updates this year shows that the feature internally called name tag identifies people captured by the glasses camera and when activated alerts the wearer when it recognizes someone so firstly like do we really need to rely on smart glasses to recognize somebody. I feel like are we dedicating that much to technology at this point where we can't even use our own brain to remember someone's appearance?

That's just kind of strange to me. The discovery of name tag in the live Meta AI app shows that Meta had begun shipping face recognition code to users' phones while publicly describing it as something the company was still thinking through. In April, Meta said if it were to utilize facial recognition, it wouldn't be rolled out without first taking a very thoughtful approach. I don't know about that. I don't know about that.

Because I think Meta had quite a long time to basically think about implementing these smart glasses and put them out in a privacy respecting way, like have the light activated and make sure that it's not easy to deactivate. And they still failed at that. There's people on the internet who are making tutorials on how to disable the Meta Ray-Ban light on the side to record people without their consent.

I don't think like, and also like we talked about the previous story, you know, um, I don't think meta thinks about things too carefully when they roll something out, they'll roll out an AI support bot without thinking in a couple of months, you know? Um, so, uh, Yeah, so though not yet enabled, NameTag sits inside a Meta AI companion app that's been downloaded over fifty million times and is necessary for use of key features of its smart glasses, including Ray-Ban and Oakley models.

If activated, it will transform faces captured by Meta's glasses into unique biometric signatures, commonly known as face prints, and check each one against face prints stored on the user's phone, a database. that's currently configured to receive updates from Meta. Recognized faces will trigger notifications while the rest are cropped, indexed, and saved to a folder marked as pending.

I feel like this is almost like one of those Black Mirror episodes, you know, like you're walking down the street and like you see somebody and then your glasses automatically detect them as like a criminal and it just like pops up on the screen or something like, something ridiculous like that, you know, like I could see this technology being used for something super creepy like that. And I think also it's not really a very... I think these face recognition scans, they're not very good.

They're not very accurate as well because the cameras on these glasses is kind of bad, right? So I guess quoting more from this article, it's renewed efforts arrive amid mounting opposition to consumer level face recognition, which privacy advocates argue will give anyone from stalkers to immigration agents easy access to dangerous technology.

internal meta documents published by the new york times in february showed the company had planned to roll out the feature during a dynamic political environment when meta believed its biggest critics would be preoccupied so yeah basically what they're saying is that they were going to release it when everyone was kind of busy getting getting mad about something else um and it does seem like they do these sort of things they do plan this.

Like I wouldn't be surprised if they do plan these releases around when things are, you know, kind of a bit turbulent. And I think especially now, especially with a lot of the stuff that's going on in the U S I think there's, it's a pretty turbulent political environment currently. Um, especially like this talked about earlier with the immigration, um, officials, like there's, there's a lot of that going on in the U S with like ICE agents, um, you know, like kidnapping people almost.

Um, so I think it's, yeah, it's definitely a very strange time to release this. And I think it's at a time when it can be abused the most, almost, um, which kind of sucks. Um, but yeah, I feel like I've rambled a little bit here. Um, do you have any, do you have any thoughts on this one as well, Nate, or?

Yeah. Um, I mean, I do, as always, I do want to push back a little bit on what you said at the beginning, where I don't think this technology in and of itself is bad, because they do actually talk about, towards the bottom, Meta originally presented this name tag thing in... what did they say? Um, no, they were planning to debut it at a conference for blind, uh, for the blind before making it available to the general public. However, they never did for the record.

I do not want to defend meta for a second because it's a garbage company run by garbage people. Um, But in that same paragraph, Wired pointed out that a twenty eighteen study of blind users by Cornell Tech and Facebook researchers found that every participant called recognizing people an important daily task.

And I've also shared that me personally, I think I genuinely think I have some like low key face blindness because I have to meet the same person like multiple times before they start to really stick in my head. And I'm also a very contextual person. Like if I met you once and I've talked to you. And then I run into you again, like a month later, I probably won't remember you unless you're like, yeah, we talked about this thing.

Remember, like, you know, we talked about silos coming up and we're, we're both really excited about that. And I'm like, oh my God. Yes. I remember that now. Um, so I personally, I really see the value, especially as someone who wears glasses in being able to wear glasses that do like, Hey, you know, this person, and you can recall that information for me. But at the same time, I think it's very, um, I mean, it's meta, right?

It straight up says that if their face is not recognized, that it's just going to hold on to the image. What? Why? That's like... I didn't consent to that. I mean, I didn't consent to being in these things in the first place. But especially, I could... Arguably, because again, it's meta. I don't trust them as far as I can throw any of them. And I probably can't throw any of them very far because I have not been working out lately.

But like, it would be one thing that I could quote unquote defend if they were like, hey, we're going to do a search. If we don't find you, we discard the image. Okay, fine, whatever. At least we can pretend that's kind of privacy respecting. Well, if we don't find you, we'll just hold on to it for reasons. You know, it's like... Anyways, okay, I think I made my point there.

It's also meta, and actually backing that up, meta said in a different article in the past that the whole idea was that it would only identify people that you knew, but then that raises the question of, like, how far is this people that you know thing? Because it's one thing to, like, which I still don't like this for the record because I don't think it's anybody's business. It's one thing if it downloads the faces of, like, your immediate friends on Facebook, right?

Like, the people you friended, which... I don't know. To me, that's distracting. Let's say I go to the store. Hypothetically, let's pretend I have Facebook. I go to the store and I pass one of my friends and it pings me like, oh, hey, that's your friend. Okay, first of all, either I'm gonna notice and I don't need your help or B, I'm busy, my mind is elsewhere and I don't really care. No offense to my friends, but like, I hate shopping. I just wanna get my crap and get out.

So like, if I'm so focused that I just wanna get my thing, I don't wanna stop and talk to you because I'm gonna forget why I'm there. I'm gonna take too long. It's just, it's a stupid thing. But anyways... That was their original intention is it only flags people you know, so it's not just everybody. But then what happens when it's people you know you know? Like, oh, that's your wife's friend. Okay, cool. There's probably a reason I haven't added them on Facebook.

So like, why are you telling me this? And I don't know. It's just, this whole system is like, I'm not, again, where I'm going with that is like, I'm not opposed to the tech itself, but I do want to make it very clear that like, I don't trust Meta. I think of all the companies, they're like the company I would trust the least to roll this out in anything remotely resembling an ethical form. And it's just a shame.

It's a shame that we can't have, it's a shame we can't have nice things because, you know, we mentioned this with age verification the other week. It's like, there are so many ways to do things in a way that is privacy respecting, that is at least not overtly terrible, but companies never do that because where's the money in that? So it's just, it's awful. I hate it. But other than that, yeah, I mean, I don't really have a whole lot of other thoughts.

It's just, I guess this does kind of counter what I said at the end of the last story where it's like, sometimes we push back and, you know, we can get companies to like stop this stuff, but we pushed back against this so many times and meta is just so adamant about making this a thing. And that is really, really unfortunate. Yeah. Yeah. I hate these things. Please, please friends. Don't let friends buy meta glasses. Don't ever let your friends buy this stuff.

Yeah, and I think also it's kind of interesting that thing you brought up about accessibility. I didn't really think about that too much, actually. But I almost think, like, it is kind of like an excuse a lot of these companies use to, like, make something pretty invasive and then, like, kind of normalize it a little bit. I mean, I don't know. I'm not an accessibility expert. I don't really know what technology, like, people that are low vision people are using to identify people in public.

Um, but, you know, I think we have to weigh the benefits. Maybe there could be some other way of doing it in a way that doesn't require you to take biometric scans of people's faces. Maybe there's like a way to I don't know, like maybe it detects nearby devices and then it pings you if someone is detected nearby or something like that.

I don't know, but that is a way to do it without having to get face scans of people, of every single person you interact with, because like that is kind of terrible from a privacy perspective. You're basically creating a massive database of people.

um people's faces biometric scans so yeah overall just kind of frustrating situation um let's see uh there was some comments here from peace boy john um uh someone he's uh they said uh if meta was president i would make sure creepish companies like them are banned and i would make them illegal too yeah if he was president yeah i think i think that would be that would be ideal but yeah unfortunately that's not really how how the government works the us government at least um so

i don't know we kind of just got to deal with it and i don't know try and try and stop this stuff from happening as much as we can um advocate for this and hopefully we can get some changes to make sure that this technology is not normalized i think also just kind of shaming people that wear them in public. Like, you know, if someone walks up to me and they're wearing meta glasses, I'm just going to say, are you wearing meta glasses? And if they say yes, I'll just walk away.

You know, I don't think that's, I don't think that's really I don't know, I don't see a usefulness aspect of these devices. I think, you know, we have phones for that reason. I think it's basically just normalizing a concealed recording device, which is very creepy. I mean, I'm sure some people probably wouldn't care, but there's people that don't like to be recorded and there's certain people that are more affected by this. So we should keep that in mind as well.

I just want to support what you said is, yeah, for the record, do not assault people. Do not break their glasses. I don't know how many people are serious and how many people are just talking big on the internet, but I've seen so many people say that. It's like, oh, if I see somebody with those, I'm going to punch them or I'm going to break their glasses. And it's like, cool. And you're going to get in legal trouble and you're just going to look like an even bigger dick.

That said, I think for the average person, these are universally unpopular, especially once people know what they are and how they're working. So I think, yeah, calling somebody out, like if you're in a social setting and it's like, hey, I'm sorry, like, are you wearing meta glasses? And they're like, oh, yeah, do you like them? No, actually, I hate them. I think they're really creepy. I think they're really invasive. I don't want you to record me.

And there's like a social phenomenon where like everybody is afraid to make the first move, except for a few psychopaths like myself. Yeah. which also for the record depends on how I feel. Sometimes I'm also afraid to make the first move, but I guarantee you if you speak up and like, probably not that that's probably being a little bit too harsh even, but if you speak up and it's like, I'm actually really uncomfortable with those.

And I don't like how they're always recording and sending my data to meta. Even if they try to argue you and they're like, well, it's not always recording. There's going to be somebody else. Almost certainly there's going to be another person who's got your back. Who's like, actually I'm kind of with him. I don't really like that. I don't trust Facebook. Could you like take those off please? Or like not wear them next time or whatever. Like, it just takes one person.

And like, once they realize that, I mean, I curse all the time. Once they realize that they're the asshole, they're either not going to bring them next time, or they're just not going to come back to whatever that event is, which in my opinion is the trash taking itself out. So I don't care, but yeah, I just wanted to point that out. Like definitely don't resort to assault because it's not going to help you any, and it's just going to get you in trouble.

But I agree with you, like shaming people who do this, I think is really the way to go personally. So. Yeah, it's better to explain to someone the reason why it's bad than like try to start a physical altercation. I think also the if people aren't really open to, you know, if you try to explain something to someone and they don't see the issue. then I think maybe it's time to start thinking about whether you want to be friends with that person or interact with them.

Because I think they're not going to get the message unless they start actually getting pushback for their actions. And I've never seen anyone in public wearing them. So, but maybe that's, maybe this is much more a tech hub situation where like everyone in like Silicon Valley is like walking around with like meta, meta Ray-Bans and like, that's just a locational aspect thing.

But I mean, since Google's coming out with these products as well, I think they must be selling reasonably well if there's, if more people are jumping on the boat. So it's only, it's only more of a, it's only more of a, it's only becoming a better time to publicly shame people that buy these products. Because, you know, I think eventually if the public opinion does sway, I think, you know, just someone wearing those in public is enough to stop a lot of people buying these products, I think.

Yeah, we did cover this on a previous story. They sold like millions of these things last year, which is incredibly unfortunate. But yeah, like you said, enough that other companies are now like, oh, maybe we should get in on this and Yeah. It's, it's really unfortunate. All right.

Um, I think that's all we have for that story. So we'll go ahead and talk about Dashlane. I'm a little excited for this story. I'm not going to lie. Um, so, uh, this started, I want to say earlier this week and basically Dashlane users, uh, Dashlane is a password manager for those who don't know. Um, I believe it's one of the most popular ones.

And, um, it is not open source and it is cloud-based and they, uh, a lot of users were reporting that they were getting emails about their accounts being locked. And, um, Dashlane to their defense was very quick to respond. And they were kind of like, yeah, there's like this, um, what did they say? There was like, basically when they initially responded, it was kind of unclear. It's like, Oh, is this a glitch or is this some kind of cyber attack? But they were basically like, we're on top of it.

Don't worry. And, um, They did finally release a statement that basically, I believe, still left a lot to be desired. I didn't see the statement myself, but I saw a lot of headlines that said, like, eh, the statement isn't great. But basically, Dashlane is now saying, like, okay, so what happened was there was a cyber attack. And for any audio listeners, the headline of this article from Ars Technica says Dashlane explains how attackers managed to download encrypted password vaults.

So veteran listeners are already thinking of LastPass. I believe that was in twenty twenty two. So basically what happened is there were attackers who mounted, they said, a coordinated hacking campaign against a large base of users. So. Trying to think of how to describe this succinctly. Um, so for those who don't know, there's a thing called credential stuffing and with credential stuffing, basically because a lot of people reuse the same garbage passwords everywhere.

If an attacker gets your username and password or your email address and your password, they'll just try it on like every website they can find, right? They'll try it on Netflix. They'll try it on Amazon. They'll try to Gmail, assuming it's a Gmail pass or email address. They'll just try it everywhere and see what it works because again, most people reuse passwords. So it will probably work in more places than it won't.

Apparently, this is now... I think somebody on Mastodon called it MFA stuffing or two FA stuffing. And basically, so... Let me see if I can read just parts of this. So when a user installs the Dashlane app on a new device and attempts to enroll it into their existing account, Dashlane first verifies the account holder's identity.

This verification is completed by sending a one-time six-digit token to the user's registered email address or for users who have enabled two-factor by validating the six-digit code authenticated by their app. For the registration to succeed, the user must enter this code into the application. At this point, Dashlane will improve the enrollment and send a copy of the encrypted vault to the device. So basically, let's say you download Dashlane on a new phone.

You go to sign in, and it says, hey, we emailed you a code. If you enter the code, now it sends a local copy of the vault, but it's still encrypted. It then says... Let's see. Contents remain unreadable until the user enters the master password, which acts as a decryption key. And then let's see. So basically at that point, what the attackers were doing is they were brute forcing the Again, how do I... Okay, I'll just keep reading because they really do describe it pretty well.

So brute forcing the one-time code for a single account, which means iterating through every possible combination until the right one is entered, would be little more than a fool's errands, even with a three-hour window that the code remains valid. With one million possible valid codes, the attackers would have to cycle through a statistically significant percentage within that period. Rate limiting, in which a set of requests are allowed per account, would also lock out the account.

So, I mean, you guys have seen rate limiting. You put in the password wrong too many times, it says try again in five minutes or an hour or whatever. So to improve their odds, the attacker sent requests to register new devices across a large number of accounts, and then they simultaneously entered the one-time codes into each of them. In theory, attacking two accounts this way increases the odds for each try from one in two, one in five hundred thousand.

Attacking a thousand counts would make it one in one thousand and so on. So basically, they tried to log into a ton of accounts all at once and started spamming two FA codes because if you do it at scale, statistically, you're certainly going to get something right. So they said that ultimately the two-FA spraying attack managed to hit the right combination on fewer than twenty user accounts before it was shut down. Now, there is... A lot of differences here with the LastPass thing.

For example, this was not somebody's Plex server that caused this. They also said Dashlane was using Argon, too, which is very, very modern. I think it's one of the most modern and current standards for hashing passwords. They also said that... Let's see here. I don't think they mentioned iterations. That was the thing with LastPass. So with LastPass, basically, there were sections of the password manager vault that were not encrypted, like the login link.

So that would mean that attackers know, for example, if you have an account with Amazon and they can create an Amazon phishing link. Dashlane said they don't have that. They said everything is encrypted. They're not open source, but theoretically, if they're telling the truth.

Another thing with LastPass is they were not The whole iteration thing goes a little bit above my head, but basically, long story short, the more iterations a master password has when it's being hashed, the harder it is to crack. LastPass was not increasing the iterations, at least not without user input. Dashlane says they have been doing that. So theoretically, as long as a user was using a good, strong master password, they still don't really have much. The attackers don't.

That's a big caveat though, because again, I just mentioned a lot of people reuse garbage passwords and master passwords are unfortunately no exception to that. So I guess the only thing here that I think is interesting is this seems to have been, from what I can tell, kind of random. Because if they're doing this at scale, they don't really have any control over which ones are going to succeed and which ones aren't.

So they just grabbed like, twenty random user vaults, which is really confusing. I don't know. I guess I will be interested to see how this plays out. I will be interested to see is Dashlane telling the truth? Are we going to get another story in a week that's like, oh, it turns out fields aren't encrypted or whatever.

Are we going to find out that this was actually some coordinated thing that... uh they did know exactly what accounts they were going for and somehow managed to pull that off i don't know how they would have done that that would be really impressive but again it's just this this whole thing i have a lot of questions that i don't necessarily expect dash lane to have answers to like again why those accounts and stuff like that but it's it's a really interesting story it does if we

take it at face value it does seem like everything was handled a lot better than the last pass thing which is good but Again, still lots of questions. And I think the last thing I want to emphasize is when you use a password manager, any password manager, whether it's a cloud-based one like this, like Bitwarden, like one password, a local one, KeePassXE, if you write your passwords down in a notebook, you are placing an immense amount of trust in that password manager.

And so we always recommend... I mean, I feel safe saying that everybody in Privacy Guides would agree with me on this. I would recommend if you don't use a security key anywhere else, like a YubiKey or something like that, first of all, you should be using it everywhere you can. But if you don't use it anywhere else, you should at least be using it on your password manager because of how sensitive it is, because everything is centralized there.

And theoretically, if you had used a security key, I feel like this attack probably would I mean, I guess it might have still worked because again, they're trying to verify the device, not necessarily the login, but I mean, at very least you wouldn't have to worry about them like trying to crack your master password, right? Because they still need the YubiKey to get it and they're not going to have that.

So yeah, always try to put the maximum amount of security on your password manager, even if it's not cloud-based, like whatever it is, because you're putting a lot of trust in that thing regardless. So I think I kind of went over a lot there, but did you have any thoughts on this story or is there anything I missed, Jordan? Yeah, definitely an info dump. I think it is important, though, to all the stuff that you mentioned, like putting the most security you can on your password manager.

Nate actually wrote a video about passwords and password management and all this sort of stuff that's going to go into things in a much more succinct and explainable way. Hopefully this weekend we'll have it out. So definitely look out for that if you want to kind of, I don't know, I think it's also important to, you know, if you share that with someone, uh, I think it's a good, it's a good resource that we're going to have available soon.

And it does go into like a lot of what Nate was saying, like, you know, your, your password manager is, I think the way Nate put it in the video was, you know, you're putting all the keys to your castle in one spot. So you need to make sure it's well defended. Um, And it's the same with, you know, any centralization of trust. I think one interesting thing about this, though, was they did mention it.

So this is Dan Gooden, who's like, yeah, he's basically super, super, super big on like security topics at Ars Technica. He put at the bottom, he said like there was, I don't know, out of an abundance of caution, both master passwords and the contents of any recovered Dashlane vaults should be changed immediately to reduce the chance. So I think one thing that I think Nate did talk about it a bit was like the...

The issue with these password managers and when these encrypted vaults get stolen is it's basically stuck at that stage, right? Because once they've stolen the encrypted vault, you can't change the password to something more secure. That vault is now... stuck in time. It's not able to get more secure. It's not able to get less secure. It's just stuck at that specific security level. So the risk with this is updating your master password.

That's not going to do anything because they already have the encrypted vault itself. So basically, I don't know, if you're a Dashlane user and you think you might have been affected, I would just change every password. which kind of sucks, right? This is like the worst case scenario for anybody having to change every single password in your password manager. That's depending on who you are. I think Nate also wrote this in the script for this new video. It was about a hundred passwords.

The average American has average of a hundred passwords. So, you know, this is, it's almost unreasonable. That is an unreasonable amount of passwords to change.

Like that would take hours so you know i think this is this is a pretty big flop from dashlane i think like you know this this is basically as bad as it can get i mean it's not as bad as it can get because you can be last pass and you can just like leak everyone's stuff um and not encrypt anything so you know it's not the worst case scenario but it's it's kind of nightmare scenario level um I mean, I would probably, if you don't think you've been affected, I would just update my master password

anyway out of caution. But again, we do have password manager recommendations. And, you know, at Privacy Guides, we do more rigorous analysis. We... get input from the community on which products are the best. And we do all the hard work for you to work out what the best services are. So Dashlane is not something we recommend. We don't recommend Dashlane for a variety of reasons. But I think you'd be much better off if you were using something like Bitwarden or ProtonPass or Sono.

There's plenty of other password manager recommendations that we have on our site. And I think it's always going to happen, though. There's always going to be, like, cyber attacks against these password managers because they are, like Nate said in the video, that what's going to come out is it's a castle. It's where all the secrets are in there. So it's a much more valuable target. It's kind of frustrating when security isn't enforced as well as it should be in this case.

But, yeah, I don't really have too much more to add other than that. Yeah, I don't really have much else to add myself. It's just, I guess, again, assuming we take Dashlane at face value, it's good that this is not a repeat of LastPass, where they did everything they possibly could wrong. But it's also, there are certain things, I feel like, where it's just too important to trust a non-open source thing. And a password manager is one of them.

Because I keep saying, assuming they're telling the truth, we don't know. Dashlane's proprietary. If this happened to ProtonPass, if this happened to Bitwarden, if this happened to, I don't know how it would happen to KeePass, but theoretically, if this happened to KeePass, those are all open source. So we can verify that, yes, everything is.

I actually remember when LastPass happened, Everybody went to these open source password managers and started re-examining and being like, oh crap, are we in danger? And I remember Bitwarden, I think, was okay. But a lot of people did notice. It's like, hey, you're kind of using this like, it's not like outdated hashing, but there's, you know, this Argon-II is out now and it's a lot better. And like, why don't we up the iterations?

And I remember Bitwarden kind of replied where they're like, yeah, we don't really have to, but I mean... Good point. We'll go ahead and do that. And you know, now it's, it's more secure and we can verify that because it's open source and not to necessarily sing Bitwarden's praises. I'm not trying to harp on them, but you know, it's just an example of like, hopefully, uh, Dashlane users will be okay. But yeah, if you are a Dashlane user, definitely, um, that does suck.

Cause I am that I've, I've said this before. I am that psychopath that went down and changed all my passwords in like one weekend when I first got into privacy. And it is, It is intense. And, uh, you know, at the time I was single and I was in my twenties and I had all the energy for that stuff. And, but it's, uh, you know, especially if you've got a family and stuff, it's like, man, how are you supposed to find time to do that? So that's crazy. But here we are.

I almost feel like there needs to be a way. I don't know. I feel like this could have been.

possibly avoided if there was i don't know maybe there's got to be a way for an api access or i don't know some some way to easily update a lot of accounts passwords quickly um i don't know what that would look like but it's kind of we get into this situation with with a password manager where things get breached like this and it becomes like i know people that have got like five hundred passwords like how the heck are you supposed to go through and update all

that like that is impossible um it's just kind of frustrating for those people Unfortunately, you are not the first person to have that idea. And I don't think, yeah, it would need to be some kind of like standardized process, which I don't think it is right now. And I think that's the big challenge is... Yeah, but it would be cool because then that would open the door for like a privacy service that's like, oh, you're getting into privacy?

Cool, for like ten bucks, we'll download all your accounts out of Chrome and go in and change all the passwords and dump them into Bitwarden or whatever. That would open a lot of doors to make it easier for people to get started with this stuff. But I just don't think, as far as I know, there's not like a standardized API that people could hook into like you're talking about. It'd be cool if there was.

Yeah. I mean, one thing that you did talk about quite a bit in the video we've been working on is, you know, like the adoption of passkeys. And I think that could be at least one step in the right direction, right? At least one end, one end of the passwords being messed up is going to be okay. Like the websites themselves can't, they can't leak the passwords. So then you don't have to worry about your password ever getting breached. But then there's the opposite end as well.

That's what I was about to say is I feel like this unfortunately would be one of the few times where a passkey wouldn't save you. Like someone correct me if I'm wrong, but because in this case, if you're saving your passkeys to a password manager, which is probably what most people are gonna do, which I would argue in most cases is fine. But now it's the password manager that got leaked. So if they get into it, they would have your pass keys.

But generally speaking, yeah, I mean, stuff like this is still very much the outlier. So, I mean, ninety nine times out of one hundred, I totally agree. A pass key is it's one of those things where like, yes, there's always going to be that one scenario where it's like, OK, fine. It doesn't make sense to do that. But every other time it makes perfect sense, you know, so. Yeah. I mean, I feel like pass keys could definitely, yeah, you're a hundred percent right about it.

Like the private key is the thing that's important and that's what your password manager is protecting. The public key is what the website has. So it doesn't matter if they leak the public key. Public key can be public. But yeah, the private keys is that's where you start having the issue. I don't know if it's like, you know, a way for basically password managers to like kind of hook into a website's like, like, uh, Fido flow or something to automatically update it. I don't know.

Someone really smart is probably going to work it out. Um, that's just not me. Um, I don't really know what the solution is, but I don't know. It was just a thought that I had. It's kind of interesting. Um, Don't think it's super relevant to this story, though, because like you said, if your vault is breached, it's not really going to protect you in that case either. So kind of a crappy situation. Agreed. I think that's all we've got on this one. Do you want to move into forum updates?

yeah let's dive into some forum updates here in a minute we'll start taking viewer questions so if you've been holding on to any questions about any of the stories we've talked about so far go and go ahead and leave them on the forum thread or in the comment section on the live stream and you can do so on the stream yard chat if you don't want to sign up to youtube or any other platform so if you do want to leave a comment definitely feel free to do so.

But for now, let's check in on our community forum. And as always, there is a lot of activity on the forum. So here's just like a few of this week's most interesting discussions happening there. So I'm going to take this one. You can take the other one. How do I compellingly advocate for my privacy with doctors and other health care professionals? I think this is a really interesting thread. So this one was started by a regular on our forum, not going to mention the name for their privacy sake.

But basically, you know, I think it's, we're living in an age where a lot of doctors are using technology that is pretty invasive, right? Like I'm, I guarantee you if you've been to the doctor in the last two years, they've asked you if you, if they can use an AI transcription software, if they can, you know, share your data with one of these companies. And, um, I guess kind of reading a little bit into this, uh, thread that was started here.

Um, you know, this person was saying that they kind of felt like healthcare workers don't really care. They don't really read the privacy policy. They don't really, you know, think that there's any issues. They don't, you know, they don't really have the same level of concern that most people should have about their medical data, especially if it's, you know, very sensitive information, like, you know, It could be reproductive status.

It could be all these, especially in the US, like these, these are pretty, I would say sensitive things, right? Because, you know, in some states it's, it's illegal and stuff like that. Like this is, it depends obviously on your threat model and your situation, but they can be extremely concerning. So they kind of went through basically how they want to challenge their, their doctors and to basically get them to take things a bit more seriously.

Um, and they did bring up this one specific example, um, you know, about, it was Carissa Vellies who we interviewed, um, a couple of weeks ago. She, she basically had an example and she used the example of like the Holocaust, like, you know, would you, you know, disclosing that you're Jewish in the Holocaust is kind of a bit of a death sentence and maybe it's not as the parallel is not as like, Oh, did you want to add something here? Yeah, real quick.

Um, so what she was talking about was in, um, Oh my God, I can't remember which countries it were. Basically, when the Nazis invaded, I wanna say it was France, the number of Jews that they killed in France was significantly lower because in France, they didn't even keep ethnicity records on who was Jewish and who wasn't. And therefore, that made it significantly harder for them to find Jews to send them to the camps. That was the example she was using.

And that's the example this person is talking about is like, if um if my doctor is not sharing data with these companies like uh i'll i'll let you talk in just a second sorry i'm trying not to like do all the talking um but like they said their doctor is using gmail and it's like okay but if gmail is reading these emails or even has access to these emails that's kind of the same thing where it's like if something goes wrong now the the data is there in the first place that's kind

of the example the the connection they're trying to make there Right. Okay. So that's, yeah, that's definitely good context. Um, I'm not really super familiar with her work personally, so that is good to know. Um, yeah, I think it's, I think, I don't know.

I think you should be, try and be cautious around, I think, standing up to these people because unfortunately they kind of do have quite a lot of control over, um, But when you talk to a doctor, like they do have quite a lot of control over the care that you receive and that care could be kind of important. So, you know, if you're going to challenge someone on this sort of stuff, I would definitely think about the consequences of doing so, because, you know, the.

the repercussions for challenging someone like this could cause things to become a bit more difficult because, you know, you have such strict, um, beliefs and stuff and such. Like, I think it shouldn't be like that. Like they shouldn't be able to do that, but it's kind of the facts of the situation. Unfortunately, like you'll, you'll receive different care. If you make a fuss about something like that, you may not get treated the same way.

Um, you might be seen as someone who's trying to, you know, hide information or like be a criminal. And there's all these stereotypes for people that are, um, caring about their privacy. And it's not really, it shouldn't be like that, but it's kind of the way things are at the moment. And it's kind of seen as almost like a fringe thing. So I would also take that into account as well.

If you do end up bringing this up to them, um, yeah anyway i i think people are saying like you should walk away from these doctors agencies and stuff i i kind of disagree with this because um i think you know depends on what conditions you have and for some people there's not really an option right if you have like a very specific condition you need to see a specialist you need to see a doctor that is specifically trained in a certain area that doesn't particularly

have another option especially if you live in a small area um you don't exactly get a choice to just like oh you you're using google workspace for all your medical emails i'm gonna go to a different clinic um and it's not even verified that you know the the next clinic you go to they might be even worse so um it's kind of frustrating situation but i don't think that is always the best solution just like walking away from um someone um i've never seen a doctor's

office using gmail i've never seen a doctor's office even use email so this is kind of bizarre to me like is this a common thing in the us or yeah they um they do use internal email a lot and i've i've seen doctor's offices that i'm pretty sure using teams So I definitely have thoughts on this one, but I'll wait for you to finish your thoughts. I don't want to cut you off. Okay. Yeah. I mean, yeah. So there's some more comments here.

People were discussing like, you know, the original author of the post was saying like, you know, you wouldn't even try to convince them that what they're doing is wrong. Like you wouldn't even try and bring up that this is a privacy issue. I mean, I could, I think it's certainly possible to try. I think you could try, but I don't think you're going to be able to convince, you know, an entire, you know, medical facility to change their main tools so quickly. I don't know.

There's definitely some people were, making jokes in this thread I guess a little bit of about this like saying like you know it's better to keep quiet in such situations you might be misunderstood and referred to a psychiatrist I don't I think you know if you you've got to be tactful about this right you can't just be saying like how could you be using gmail it's spyware like it's evil like you know coming across as like someone who's not really uh you have to have tact

right and I think it comes down to any any social cause, right? If you just start calling someone like a, you know, a privacy normie or something, like they're not going to really take what you're saying that seriously, and they're probably not going to agree with you. So I think it definitely helps to have some grounding in reality, you know? And, but yeah, I don't really have too much more to add. There's quite, this goes on for quite a long time. I didn't have time to read this entire thread.

So Yeah, I was kind of skimming in myself. There is a lot here. Also, Mike Lastname said, you are a doctor and a privacy advocate. Feel free to weigh in while I'm giving my thoughts, and we'll definitely – maybe it would be great to get an expert opinion. So my thing is it's – The challenge is institutional. This kind of came up a little bit in this article.

So first of all, I want to say that in my personal opinion, and I don't think this is a hot take, your health should always come first, whether that's physical health, mental health, whatever. If your choices are between not seeing a doctor and seeing a doctor that uses Gmail or even, God forbid, Teams, please go see the doctor. Your health always comes first. That said, in my experience, a lot of this is institutional.

Like I have pushed – I'm – generally relatively healthy um my wife in particular has um you know seen a lot more doctors relatively than i have and i mentioned her because like i've tried to get her to push her doctors towards things like using signal instead of whatever weird platform they're on or something and a lot of the time the doctors don't really have control over that a lot of the time they'll, you know, they're like, oh, I do use Signal in my personal life.

I'm totally cool with it, but I am required to use this platform because either it's not their practice and they have to do whatever their boss tells them to do, just like you do at your job, or there's like healthcare is so heavily regulated that even though HIPAA isn't really about privacy, there are very strict rules about who has to be able to access that data.

And it does have to be transparent to a point, to the point where a lot of them can't use something like signal because like, again, like their boss has to be able to access it in the case of an audit or something along those lines. So that's a, It's, it's hard because in a lot of cases they might be totally willing to, it's just not something they actually can do. It's, it's beyond their control. They don't have the authority to make that call.

Another thing, I think you may have mentioned this. Cause again, I was kind of skimming while I was listening to you, but there's a logistical thing. If we are talking about an office and not a single practice, like a single person, it's, you know, I, and my last job, we were using LastPass, probably still using LastPass. And I, would very openly kind of like, haha, JK, but not really. But I would very regularly like criticize the IT guys.

I'm like, man, I can't believe we're still using LastPass. And they would point out, it's like, no, I totally agree with you. There's a thousand people in the company. across the country. Switching off LastPass is not easy, especially when you're talking about people that are not necessarily tech savvy, that don't... Yeah, for you or me, switching to another password manager is cake. But for a thousand people who, again, some of them call in every single day asking, how do I get into my email?

It's a huge lift to migrate your entire infrastructure over to another provider. And then there's cost, which I know a lot of healthcare is... Let me politely say that cost should not be an issue for some of them. But here in the US, at least, a lot of them are for-profit entities, which means they're going to want to go with things that are inexpensive, which is going to automatically rule out Proton, for example. So, I mean, there's just so many factors that go into it.

But I think, yeah, I also want to agree with what you said about it's very... How you ask is usually very helpful, like especially in some places, they're just used to people being entitled and frustrated and snappy. And so asking politely, like, you know, hey, I don't really like Zoom. Can we use something else for this appointment is going to make them a lot more likely to work with you if they can.

I think I saw something in here where people were arguing about Because there was a section here where the original poster said something about like, okay, here it is. So they said health workers don't have to care. And they pointed out that like doctors are overflowing with patients. So it's like, it's almost, and I think you mentioned this too. It's almost like if you're being difficult, they just don't even have to work with you.

There's like a line of, there's a literal waiting list in most places, right? But at the same time, we could weaponize that as well. And I understand not everybody has the time to be politically involved, but to call your representatives or email them once in a while, once a month, and say, hey, I really think we need better privacy laws.

In this thread, they pointed out that when they're talking about trying to convince the doctor's office to move, they mentioned that Gmail has had so many fines for not handling patient data properly or user data properly and stuff like that, which for the record, I don't think that's going to work on them because, you know, they're like, Oh, but we use the HIPAA version that blah, blah, blah, blah. And again, HIPAA, there's not privacy anywhere in that title.

But anyways, it's, you know, if you call your representatives and you're like, Hey, a lot of these doctor's offices are using Microsoft and Gmail, who Microsoft especially has been hacked more times than I have fingers and toes and trying to institute it at a, a I want to say structural level, systemic level, at a systemic level where they don't have to care because there are options or it's like mandated that they have to use something that's encrypted.

And now there will be a whole bunch of companies that spring up to serve that purpose. I don't know. I mean, that's kind of a long-term solution, but... I don't know. I guess what I'm getting at is like for individuals, I don't think there is that much you can do, unfortunately. If you are in a position where you can shop around and you can find a doctor who's like, yes, I use Signal. I encrypt everything. Awesome. That's great. And if you have that privilege, you totally should use it.

But for the average person, I think the best you can do is just kind of like ask the doctor like – can you not write this down? Um, can you, you know, especially if it's something less important, like they do have to make notes about your medical care, but if it's like, you know, please don't write down anything essential. Like I, I had one therapist who said that, um, she did not write down actual conversations. She just wrote down like broad notes about what we talked about.

Um, but like never quoted me or anything. So yeah, uh, I've always advocated for like using alias email, alias phone numbers. Uh, that's more of a data breach thing, but Yeah. So, I mean, it's it's tricky, man. I mean, real quick, let me go back and check and see what Mike said here. I could explain a bit. There's a really big time constraint to see more patients and to keep up. Yeah. So that's a true thing, too. Doctors are really like, again, they have literal waiting lists.

Like there's so many patients that need to be seen. And contrary to some stereotypes. I think most doctors are actually trying to help their patients. Like they're not all just like selfish and in it for the money. And so when they've got to see a million patients, but they've also got to make notes in between the care and they've got to, you know, send prescriptions, they've got to respond to messages and this, that, and the other.

Um, a lot of the time is used for filing documents and insurance, legal documents, using AI for the slow typers helps. Um, that's another thing. If they are using AI, they have to fact check it and make But yeah, like you said, most importantly, they just don't understand that they are just employees. Yeah. So there have to be records. They use the most well-known ones like Teams and Gmail. Quick note, saw this all, has been a member for five months and said, keep up the good work.

So thank you so much. But yeah, it's just... I think the best you can do is to ask nicely. Like that's, that's really my, I don't know if this is a common phrase. I feel like I don't hear it a lot, but my mother used to have this phrase that you catch more flies with honey than vinegar. And basically what she always meant was just like, you know, it like you get better results when you're nice to people. So yeah.

I definitely would not go in there talking about like, oh, you know, Gmail's reading our emails. Because again, they don't understand that companies will do this stuff anyways. And they'll just say like, oh, but they're not supposed to do that because we have this special, again, like a lot of these companies do have a HIPAA compliant version that is specifically for medical companies. And so they'll be like, no, no, no, we're using this different version.

And they don't understand that like, that doesn't really matter because again, HIPAA has nothing to do with privacy. But you know, if you go in there with like, I'm just, I'm really concerned about this stuff and it makes me uncomfortable. And like, I would prefer to use something else. And I think again, if you're kind about it, I think people will be much more likely to work with you as best they can. But yeah, unfortunately the privacy situation in healthcare kind of sucks.

I think one other interesting thing that I think kind of happens with these doctors is like, like Mike last name said in the chat, like basically doctors don't really have time to read the privacy policies of every tool they're using. And a lot of times these, these vendors of these, of these software, like they'll, they'll say, Oh, it's, it's got all this privacy stuff and it's like, it's, it's secure and it's not going to send it to anywhere.

And I've been to multiple doctor's office and they're using AI transcription software and that software is, it's it's it says that it's private but it's sending all that to open ai but it's just zero retention like that's not very that's not very good like that's that's exactly what we don't want and it's a lot of times it's these vendors that are trying to sell to these to these medical practices that kind of get get it pull the wool over the eyes of these

doctors and basically you know tell them you're going to save so much time if you use this tool and like you know it's completely private and it's, it's no problem. And, you know, I think you have to be a bit genuine. Like you have to, you have to say, if you say no to them using these, this piece of these pieces of software, like if it's AI transcription or if it's some other like medical system they use for booking appointments or something like that, um, I've just never seen email.

I've never seen anyone emailing patient records around. So that's very bizarre to me. But I guess if they're using an email system, convincing them to switch might be possible. But I feel like that's a bit more of a, that's definitely a bit more of a harder thing to get them to do, I think.

Yeah, I don't, to clarify, I don't know if they use it to email patient records, but I mean, that was another thing that I was thinking about while you were talking on that note is it's, you know, coupling what Mike said about like, they have so many patients to see. Okay. And so when you have to see, when you have eight hours in a day and you need to see And they all have questions and concerns.

And I'm hitting that age where every time my leg starts hurting a little bit, I'm like, maybe I have a blood clot. Maybe I should go to the doctor. When you have patients like that all day, and again, you need to take notes in between and the billing and the filing. And so now you're saying like, Oh, but I want them to like store everything offline in Libra office.

Okay. And what happens when you move and they need to transfer your medical record to someone else, or they need to get your medical, we already have a huge problem in this country, in this country, in the U S I think it's probably better in other places, I hope. But like, we already have a huge problem where nobody uses a standardized medical system. So like every time my wife and I move and you know, it's like, Oh, now we're closer to a different doctor. So let's start going here instead.

It's this huge pain in the ass to get the medical records transferred from one place to another. And, you know, it's just like everything is fragmented. And, you know, it's more work is what I'm getting at. Like if you're the one who's like, I'm the only person who's saying, hey, don't use this system. You're one person out of, again, five hundred on a waiting list and they don't care. And it's going to make it quicker for me to give you care. Like that's what the doctors are saying.

are interested in so it's just there's there's so many things working against us which is why again i'm kind of i know it's hard work and i know i can't ask that of everybody but i'm kind of at the point where it's like this needs to be one of those things that like trickles down from the top where like we have these good privacy laws that say you know medical emails have to be end-to-end encrypted or encrypted at rest. These systems have to enforce two-factor authentication.

These kind of technical requirements that will give us privacy, that it is illegal to share data with third parties for anything other than research purposes or something like that. We need something at a systemic level so that doctors and nurses don't need to care about this stuff anymore because it's built into the systems they use, which is really what we need at all levels, not just healthcare, but I digress. I'm kind of rambling now. So yeah.

Yeah. I mean, I think a lot of vendors that are trying to sell this software to doctors, they do think that they are providing that right now. They think that zero retention sending your transcription to OpenAI is fine. But yeah, I think it's kind of frustrating because usually if it's an AI transcription locally, that's going to be a lot more expensive, isn't it? Because you've got to have a whole, you know, a whole beefy computer to run that. So, you know, it's definitely a harder sell.

So I kind of understand why a lot of times these systems that are like relying on external third parties and stuff is kind of becoming more popular. It said, so Mike Lastname has kind of put a couple more comments. Not only the privacy policies, but also in general, they don't understand how computers work as thinking maybe we as the clinic or mail service could get hacked. Yeah, I don't think they think about, they don't think about like the cybersecurity risks and such.

It kind of sucks though, because with With the medical field, you kind of do have to store records on people. I need to have records of my treatment so my doctor can understand how to treat me the best. In other areas, it's like minimal data retention is the best.

But in this specific case, maximum data retention is the most important because if someone doesn't understand your... your needs or your issues then they're not going to be able to give you the correct care um and I think the other thing that Nate said about like the data transfer stuff I think that's another thing that we could definitely improve um it's never been an issue for me but I guess it could be I guess because you kind of have that I'm not sure it's I always thought it was

done through like a government run system here, but maybe I guess through, through your system, it's kind of like, it's just different private companies kind of managing the records. Um, so it, it, I mean, a little bit off topic. It's not usually a huge issue for us. Usually my wife just calls the old clinic and goes, hey, I've moved to this other doctor because we moved. And, you know, I've she fills out a form and we scan it and there's your email. Actually, we email it to them or whatever.

And they, you know, send over the medical records. But it's definitely I have a friend who has he's a. a full stack developer. He's very experienced. He's a veteran and he's worked for a lot of startups. And one of his most recent was a healthcare startup. And that's what they were trying to do basically was trying to create a way to make it easier for healthcare companies to standardize record formats.

So they were more easily transferable because again, we, like you were saying, we, we have a bunch of fragmented private companies here and, And so like on a technical level, like the database itself, the format for this company may not match the format for this company.

So even if they do, it's almost like I don't know if you've had this experience, but I know it's pretty common here in America where like you'll go to apply for a job and sometimes it'll be like, oh, click here to upload your resume and you upload your resume and it's still wrong. And you have to go through and like manually reformat everything correctly, which is super annoying. It's kind of like that.

It's like they might transfer the medical records, but they may still need to be cleaned up on the other side because there's no standard protocol for how they transfer. It's weird. I mean, I'm in the VA, so I've never had that problem, which actually I wanted to say that real quick. I thought that was funny. You were talking about like healthcare is kind of like the one time it makes sense to have maximum data retention. And this happened to me.

I mean, full disclosure to everybody, I'm back on antidepressants now. And when I went to the VA and I was like, hey, I want to get back on antidepressants. And he like pulled up my record and he's like, oh, so you used to take this one. He's like, how much were you taking? And I'm like, What do you mean how much was I taking? Shouldn't that be in the record? Like, I don't know how much I was taking. That was four years ago.

And for some reason, the dosage that I was on was not in the medical record. It was super weird. But yeah, it's like the one time that it's like, that was four years ago. Why should I know what my dosage was? I thought you guys handled that. So yeah, that's our lovely fragmented system around here.

yeah it is kind of I don't know I've definitely run into issues similar to that like people not having the correct information or like assuming things um it's not great but I think yeah I do think it is kind of important to have that data in in the medical field um especially I don't know like I think having good notes on people's conditions is kind of important. Unfortunately, like we would rather that that information isn't stored right because it can probably get breached at some point.

But also like if you're seeing a lot of doctors and they kind of need to be able to coordinate together, it's kind of problematic if you don't have those notes. It looks like someone said here National Nurses United has been part of protesting Palantir campaign's Yeah, I know Palantir... Doesn't Palantir have stuff to do with the medical sector as well now? They're kind of moving into that as well? I don't know if I've heard about that, but it wouldn't surprise me because I'm really...

For those who don't know, the interesting thing about Palantir is they technically don't do any surveillance or data collection themselves. What they do is they're kind of like my friend I just talked about. They're trying to figure out how to aggregate all the data and make it all talk to each other and then turn it over to law enforcement. So, I mean, yeah, healthcare seems like it would be an inevitable part of that mission. So if they're not moving in yet, I'm sure it's on the roadmap.

Yeah. And then Mike, last name also said, there's also what we call defensive medicine where doctors want to make records of everything in the case they get a lawsuit. Yeah. Yeah. That's fair too. I mean, everyone's got to protect themselves. I think, yeah, especially doctors, I think, especially someone who's your primary care provider, they have kind of quite a lot of say over what care you receive. So it kind of makes sense. Yeah, we've talked about this one for a while.

Do you have anything actually you want to add before we hop into this next forum post? Um, yeah, just real quick. I was going to say, uh, in, in response to what Mike said about the doctors keeping a record of lawsuits, I found out here in the U S at least in like emergency rooms, if I understand it correctly, it's almost like the doctors are like contractors renting out the rooms.

Um, because the hospitals and the doctors will bill you separately, like to go see the doctor costs like two hundred and fifty bucks, but then you're paying like a thousand dollars for the aspirin and the room cleaning and all this kind of stuff. And they're like separate fees.

But yeah, so doctors make a lot of money, but it's also because from what I understand, they're like, kind of a lot more on the hook for it like when you sue a doctor you're not suing the hospital you're suing the actual doctor so yeah that's um not saying that's a good system but yeah i totally get it for sure like you said you got to protect yourself that is the u.s health care system for you oh best country on the planet they tell me i'm not gonna get into that there's worse

places i'll say that i uh i would rather be here than a lot of places in the world so um Moving on, the last forum post we were going to look at, is RCS with Google messages worth having Google on my phone? So this person has a graphene phone, and they're basically saying, like, I was kind of thinking about it, and I can totally take all the Google Play stuff off of my phone, except that I use Google and RCS.

And so basically, they're saying, like, is it worth it to have this, like, totally de-Googled phone? But to go ahead and put some Google on it for the sake of getting access to RCS messages. And they do specifically mention that they say their closest contacts use Signal. But non-close contacts and random people, they always default to... They say they do live in the USA, so it's always just regular text message. I can confirm this one.

You said you have to pull teeth to get them to use anything else. So... They're just kind of looking for a second opinion. Well, they do say, how do we know Google isn't lying about the encryption or isn't client-side scanning messages? I will tell you right now, actually, I'm assuming this is still true. I covered a story on Surveillance Report a long time ago where Google does actually make hashes of the message. And then compare the hashes. So they do actually know who you're talking to.

They can't see the content of the message. But yeah, that's why I always tell people when I explain that RCS has an encryption, I'm like, yeah, it's better than not having it. But also at the same time, it's definitely not as good as something like Signal. I'm gonna have to go find that story. But yeah. Yeah. I mean, this is a, I think this is kind of a classic question for everybody, right?

Cause you're always going to have the people that won't use signal or can't use signal or just like the one-off contacts that like, you know, again, at my last job, I, I interfaced with a lot of other trades and other jobs. And so I would have to give them a phone number to like call me or text me if they had any questions or anything. So, um, I think my thoughts are, it kind of depends.

If that happens to you a lot, I'm at the point where, even before I took this job, like, ninety percent of my communications were on Signal, and the ten percent that weren't were mostly job-related stuff, like professional stuff. So it was like, okay, I don't really care if that's encrypted personally, and I would rather not have Google Messages and deal with that.

I think if you're kind of in the opposite boat where it's like, okay, but only my closest friends and family are on Signal and the vast majority of messages I get are not, including some friends and family who just refuse to download Signal, I think that might change the math a little bit. Another thing worth considering is I believe Jonah has said in the past that RCS only works on certain carriers. And so you might have to check and make sure that your carrier is one of them.

So, I mean, it kind of sucks because you're already like, it's already kind of getting narrowed down. It's not just as simple as like, okay, I have Google messages and now I've got RCS encryption. It's like, well, you've only got RCS encryption with other Google message users or Apple users or people that use this certain carrier. So I don't know. I don't think I can really give like a yes or no answer. I think it really just depends on you.

I will say on Graphene, the nice thing about Graphene is that you do have a little bit of privacy because of the sandbox thing. I know that's more security than privacy per se, but... Um, I would probably be a little bit more willing to do it on a graphene phone than a regular phone, I guess. Although I guess with a regular phone and all the Google stuff would be built in there. So I guess, nevermind, that doesn't really make sense, but I don't know.

I think it's really a personal thing, but I guess I just thought this interesting because again, this is a situation that I think a lot of people have been in where it's like, you only, you can only get so many people using encrypted messaging. So what's the right move. And, you know, as usual, I don't think there is one right answer, but I think those are kind of the factors that I would think about.

Yeah. do you have any thoughts on that one I know you're I don't think you're like a daily Android user are you I know you have an Android but Um, yeah. Am I throwing you in the house? I'm sorry. I mean, yeah, I mean, yeah, I do. I use both like iOS and Android for different things. I think it's always like, there's weird people who are just like, I'll only ever use an Android. I'm never going to use an Apple. Apple is so bad. And it's like, well, you can use both.

Like both have got good things about them, right? Like there's, there's positives to both.

I think there's certainly more positives on the Android side, but a huge amount more positives but there's also some positives on the apple side as well so you know don't don't feel like you only have to use one type of device i think that's also another thing but yeah i think i agree with you though like i think you know if you're using this on graphene os though i feel like you're giving google significantly less information um than you would on like a google

android device right like it's it's not as deeply integrated into the operating system it's just a standard app that you install um i think that would definitely be a good idea and i think considering the state of like of of cellular communication like remember i don't know if you remember but a couple of maybe maybe a year ago there was like a story about like um chinese state-sponsored hackers like inside the u.s like telecommunications infrastructure.

Like I don't think you want to put like all your text messages to those people. Like that's basically public, right? Yeah, I remember that Volt typhoon, and I think it had been going on for at least a year when they found it. I actually remember I was with Surveillance Report when that happened, and I remember the way Henry described that story. He's like, yeah, the government is basically like, we don't know if they're gone yet. We don't know when we'll kick them out.

It's just kind of like the whole thing was such a mess. Yeah, that was a crazy story. And that, oh, I know this isn't the point, but that is my favorite story when we talk about how backdoors don't work. It's like that was literally a backdoor that was only for the good guys, and look what happened. So yeah, I'm, I'm with you. When, when I saw that story, I was just like, Oh, I'm really glad I've got again, like on almost all my friends and family using signal, thankfully.

And like I said, the handful of things that aren't on signal, I mean, I guess it was technically like company IP or whatever, but you know, that's on the company. So it was, uh, I don't know. I mean, again, this was before I worked at privacy guides, but yeah, you know, it was just texting other people like, Hey, there's supposed to be this here. Where's this thing? When's this delivery coming? So yeah. It's the kind of stuff that as far as I'm concerned, I'm not super, I don't know.

It's whatever. Yeah, I think the most important part is like you're saying, you should be careful. Like you should be thinking, I'm about to send this message. Am I okay with this information becoming public? And if the answer is no, then you should be using something else, right?

Like that is the case because I think any message you send on like a public service like telephone network, any sort of telecommunications thing, I think you should treat it as public because it's not really – secure it in a way. You don't know how long that data is being retained either. So, yeah, that's how I would think of it at least. Personally, I'm a big fan of applying that to everything because you never know if somebody's going to screenshot a post.

I mean, you can screenshot Signal still. It's super easy. Or even if you can't screenshot something, they might take a picture of it with another phone. So, yeah, that's always what I encourage people is like anything you put in a digital format, just assume it might be publicly leaked. So... I mean, yeah, I think we can. I think, you know, I think it's definitely we should be trying to preach privacy to everybody. We should be like, you know, don't do that. That is the wrong thing to do.

That's just ethically wrong to do that. But yeah, of course, people aren't on. No one's perfect and people are going to do that. So it's true. But I think. With the cell phone network, I think it is one of those things where it's systemically just going to be public at some point. That's fair. At least with Signal, if I send you a message, I know you're not going to share that with someone else, right? Because we have a shared understanding.

But if it's like the telecommunications company, they don't have any agreement with me. They just are going to... you know, let hackers roam around in their network and not actually do anything and then say that they're gone, but they're not really. So anyway, what I'm trying to say and going around in a kind of massive circle here, what I'm trying to say is basically that is what you need to think about when you think about whether you need to do this or not.

I still think that most people are using Google Play services on like a Graphene OS device. Most people, like most people are using these apps from these stores, right? You don't need to create an account that's linked to your identity. You could use just some burner Google account, right? You don't have to provide that much information. So I think using RCS on GrapheneOS to secure, even if it's one, even if it's only one person, I think that's still a benefit in a lot of cases.

And I think it's not, you're restricting the access quite significantly compared to what is available on the cell network, which is basically nothing. So something is better than nothing and Of course, it's up to you to decide. If you don't have Google Play services on the device already, then maybe that is a bit more of a concern. Maybe that's like, oh, I don't know if I want to do that. You could also set up a separate profile. You could set up a separate user profile.

And in that user profile, you set up a burner Google account and then you add Google messages. Maybe that could be an option. But I'm just, you know, kind of spitballing. I think it's You need to decide this yourself, but I think if you just avoid SMS, just, just avoid it in general, if you can. I think a lot, and now with Apple releasing like encrypted RCS, I think it's becoming more and more popular and more and more accessible.

So, you know, I think you should try and try and try and see if some of your friends are using it and if you can secure those chats. And I think that's definitely a big win.

Agreed. Yeah. All right, I think that was it for forum updates. And so I think we'll move into listener questions. So if you have been holding on to any questions, definitely go ahead and leave them in the chat. Normally we would start with the forum, but it looks like there haven't been any questions left on the forum. So we'll just go straight into the chat, which I did. I think somebody left something earlier. Oh yeah.

Purring pudding quite a while back, we were, we were talking about how cool it would be if there was some kind of API you could hook into that could just like change passwords automatically. They said, apparently there is a, the skim SCIM API to provision logins, but most sites don't implement this. So yeah, that, that doesn't surprise me. Cause I know I'm a, Like I've said multiple times, even today alone, we could do things in a certain way.

We could do things in a way that are privacy respecting and we just don't. So it doesn't surprise me that people have opted not to do things that way. I mean, talking about standards, it's kind of a funny situation. I was talking to everyone on the team about this. It's really kind of funny. We have all these standards that are really good that everyone should be using, but it's just all the organizations can't agree on using them and they don't all use them properly.

So it's, it's, we do have the answer. Like we do like with passwords, like we have the answer, like don't, Yeah, exactly. It's this XKCD thing, like the situation. There are fourteen competing standards. Fourteen. Ridiculous. We need to develop one universal standard. And then now there's fifteen. So it's like we have all these standards, but like no one can decide which one is the best, which one we should implement. Like, oh, we're going to put pass keys, but we're going to retain passwords.

We're going to use pass keys and passwords at the same time. Or we're going to use pass keys and only pass keys. And it's like it's ridiculous. It's it's.

yeah i feel like this is such the case for like so many things like linux specifically comes to mind like oh we're gonna use we're gonna use weyland oh no we're not gonna use weyland because that's that's gonna be too bad blah blah blah it's like you know it's a never-ending thing the minute you said standards that was where my brain went ah i never get tired of that comic yeah i agree Um, Mike here pointed out on the topic of, uh, Google, uh, Google services, most apps don't need play services,

even if they say so when opening the app, I was surprised by it. Yeah. Especially a lot of privacy apps. Like I think signal, for example, if you download signal, um, I think by default, I could be wrong about this. Don't quote me. I think by default, it will use Google services, but in the past I've downloaded it on, um, D Google fully D Googled phones, like lineage phones, um, just for whatever reason. Um, And I still get notifications.

So it falls back to its own services if it doesn't detect Google. And it's also like, what do you need them for? I'm thinking about MySudo, for example. So I pretty much use MySudo for anybody who's not on Signal. And like, ninety percent of the time, I don't really need to get the call in real time. Like, again, I mentioned I'm with the VA. they do call me sometimes, but ninety percent of the time it's a text that's like, hey, don't forget you have an appointment on Monday.

Click why to or like text why to confirm or text and to reschedule or whatever. And so like I don't really need that notification in real time. It's OK if I get that later in the evening. So, yeah, I mean, there may be certain situations where you don't necessarily need the play services, but I would look into if RCS because that is a good point. I don't know if RCS would be required for that. So Definitely interesting. Good thought.

Yeah. So it's been kind of a slow week, or like this week, with people leaving comments. But if anybody has any last minute questions, be sure to let us know. Yeah, we definitely tried something a bit different with the highlight story this week. We kind of wanted to see if people would be interested in something that's a little bit different. We kind of try that some weeks, like some weeks we know that the highlight story is going to like be a banger and everyone's going to click on it.

But, you know, we do try things. We want to try and, you know, experiment a little bit. We don't want to keep doing the same thing over and over again. It's not fun for us. It's not fun for you. So we're trying our best with different things. And we want to make sure we don't stagnate, right? We're always trying to reach new people with privacy messages and that requires us to try new things. Oh man, the million dollar question from Yumi. Why can't we agree on which standards to use?

I mean, it's... in my opinion, it's because there are usually pros and cons like, okay. Every once in a while, you definitely get somebody who's just like stuck in their ways and they just don't want to grow and adopt. But I think a lot of the time there are like situations where, um, I know this isn't a standard, but just to talk about something that I actually know about, we'll take SimpleX versus Signal.

They're both really good choices, but they're different use cases and they've got different advantages. SimpleX has the whole decentralized architecture and it's supposed to be a lot more censorship resistant without having to set up a proxy, which we made a video about that. At the same time, it's missing a lot of the features that the quote-unquote normies would come to expect and you know, it can be harder to get your family onboarded.

Like, I remember that was a big thing when Mastodon kind of had their fifteen minutes is everybody was like, I don't know what instances are. I don't know what server to sign up for. Like, I'm really confused. And, you know, it's things like Signal don't have that problem. You just download it and start using it.

And so there's a lot of the time standards are built for certain use cases but I would venture to say that a lot of the time they can also especially when we talk about tech and this kind of stuff they can apply to multiple use cases and so there's like advantages and disadvantages so there's not always a clear like well this one is obviously better it's like no it's obviously better in certain ways and you know this other one is obviously better in certain ways but humans are

incredibly emotional creatures and so sometimes we uh have a hard time agreeing on this kind of stuff I think that would be my guess I don't know if you have a better answer yeah it's kind of frustrating it's like every every single thing we've got has got like some some argument about standards happening like which you mentioned like mastodon oh mastodon i don't like that it's like the standard is so bad like the fed the federated protocols are so bad i prefer blue sky i prefer uh what's

the other one nosta i prefer blah blah blah like it's yeah people have always kind of argued about this stuff um you know i think there's not many protocols that we could argue are like actually standard at this point like email comes to mind like everyone is like kind of on board with that unfortunately it's like the worst it's really bad it's a really crappy protocol but everyone uses it so i mean i guess it doesn't really matter if a protocol is actually good or a standard is

actually good it doesn't mean that it's going to be adopted um i think it also is just a legacy thing too but like same with phone numbers it's a standard everyone's using a phone number and it's not a good way um i guess also here there was a question from mike uh last name with about session session is about to close shop soon um i know nate you've definitely got more experience with this so you want to handle this one Yeah, I mean, I actually found this out from Kerry from

Firewall's No Stop Dragons, but actually, thankfully, Session is not shutting down right away. They were able to get enough support, not as much as they hoped for, but they will be able to continue developing past July eighth. A smaller team will continue development into twenty twenty seven, focusing on strengthening the project and building a foundation for its long term future.

Um, so yeah, they say, although procedures, shutdown procedures have been canceled, the shape of the project is still changing considerably. The project will now be led by Jason Rhinelander, longtime chief software architect and member of the session technology fund. Uh, currently donations received are enough to support critical infrastructure to retain Jason as developer and possibly to add one other full-time developer.

There's also still a small team of volunteers contributing to other aspects of the ecosystem. So, um, session will continue to exist. It's just, they've unfortunately had to dramatically stripped down their team. Um, which is really, really unfortunate. And, uh, Yeah, I mean, they're still they only raised just shy of two hundred thousand dollars and their goal was one million, which they did explain. This is right on the front page, by the way.

If you go to get session dot org, you can read the appeal up top and it'll take you to this page. So, yeah, they definitely do still need donations. If you believe in session, if you are a fan of them, please donate. They do still need it. They're not out of the woods yet, but thankfully they are not shutting down as of this point in time. Yeah, it's really unfortunate when we see, you know, I think it's really hard for a lot of these projects to get the funding that they need.

And, you know, unless you're like the big player, which currently right now is Signal, they get a lot of donations. But like all the other projects, I'm not really sure what SimpleX's deal is. I believe they did take on venture capital funding, so they're probably going to work out some way to monetize their product eventually. Raya is definitely more of a community-based project, doesn't see as much development as Signal.

You know, we've got all these different messengers, and if you do, like, personally, I'm on Signal every day. I'm sending messages. I'm on voice calls for, you know, hours at a time. Like, I think this is an important opportunity important thing to do, right? If like you use a product or use a service and you get a lot of value from it, then, you know, maybe consider donating because it is expensive to run all this infrastructure.

And I don't know, I've always had kind of a soft spot for Session because they've been an Australian based company originally.

And I don't know, I was kind of sad to see that this happened because I thought they had a thought they were receiving enough um through cryptocurrency donations but it seems like they have kind of been struggling so i don't know this is kind of sad but i hope that they can work out some other sustainability like some some other way to sustain their project because it's never been an app that i've used a lot but it's always been nice to have that extra option like a lot of people were like oh i

don't like signal because it requires a phone number Here's session. Doesn't require a phone number. Or here's simple X. Like there's other options for people. It's better to have more options than not. So if session does go away, we're going to be kind of stuck with the only one I can think that really compares is simple X. Simple X is kind of session adjacent, but it has a different direction, certainly. Agreed. All right. I think that might be all we got this week.

You think it's time to close out? All right.

All right. All the updates from this week in privacy will be shared on the blog every week. So sign up for the newsletter or subscribe with your favorite RSS reader if you want to stay tuned. For those who prefer audio, we also offer a podcast available on all podcast platforms. And again, RSS.com. This video will be synced to PeerTube as well.

Privacy Guides is an impartial nonprofit organization that is focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, you can make a donation on our website, privacyguides.org. To make a donation, you can click the red heart icon located in the top right corner of the page.

You can contribute using standard fiat currency via debit or credit card, or you can donate anonymously using Monero or your favorite cryptocurrency. Becoming a paid member unlocks exclusive perks like early access to video content and priority during the This Week in Privacy livestream Q&A. You also get early access to our show notes and the stories we might be covering, and a cool badge on your profile in the Privacy Guides forum and the warm, fuzzy feeling of supporting independent media.

So thank you guys so much for watching and we'll be back next week.