License Plate Readers Are Framing Innocent People

Jun 12, 2026 · 1 hr 48 min · Ep. 57

Episode description

Automated license plate readers by Flock have tied a person who was miles away to a violent crime, effectively framing them; the state of Massachusetts in the US has passed a privacy bill to stop the sale of precise location data; and more! Join us for This Week In Privacy #57.

  • (00:00) - Intro
  • (00:49) - Start of podcast
  • (01:14) - A Flock license plate reader linked a San Diego man to a violent crime. He was five miles away.
  • (19:42) - WhatsApp says it caught new spyware attacks linked to NSO Group in violation of court order
  • (27:30) - Massachusetts votes to pass new privacy rights bill that bans sale of precise location data
  • (42:39) - Site updates
  • (51:50) - New Apple feature automatically changes your compromised passwords
  • (58:17) - Signal, DuckDuckGo among firms weighing Canada exit over lawful access bill
  • (01:09:18) - Over 400 Arch Linux packages compromised to push rootkit, infostealer
  • (01:17:29) - Forum updates
  • (01:27:42) - Q&A
  • (01:45:55) - Outro

Transcript

Intro

Flock is targeting innocent people and WhatsApp is trying to sue NSO Group. Apple is announcing new features that allow you to automatically change your compromised passwords, and more. All this coming up this week on This Week in Privacy, so stay tuned.

Start of podcast

Welcome back to This Week in Privacy, everyone. This is our weekly series where we talk about what's happening in the Privacy Guides community and this week's top stories that we've seen in the data privacy and cybersecurity space. I'm Jonah and with me today is Jordan. How are you doing, Jordan? I'm doing good. Really excited to jump into some of these stories this week. We've definitely got a great lineup of stories to cover.

A Flock license plate reader linked a San Diego man to a violent crime. He was five miles away.

I totally agree. Let's get right into the first one here. This was reported by Times of San Diego. They say a Flock license plate reader linked a San Diego man to a violent crime. He was five miles away. Basically, the story starts out, well, I'll read the beginning. It kind of explains it. When Hugo Parra was arrested last year on felony charges, his pleas of innocence fell on deaf ears.

San Diego police had a description of the Alfa Romeo car he was riding in and a witness who identified him during a curbside lineup as the man who brandished a handgun in Golden Hill. They had also checked the city's automatic license plate camera system run by the private company Flock and got a hit, substantiating the claim.

The problem, says attorney Alex Kuhlman, was that Parra was five miles away from Golden Hill at the time of the crime, and the so-called hit from the license plate reader was captured before any police pursuit began. The Flock hit was obviously the wrong car, as it could not have been in both places simultaneously, said Kuhlman, who represents Parra and the driver, 23-year-old Ariel Beltran.

So basically the story coming from San Diego is talking about this man who was accused of a crime while the Flock license plate reader system proved that he was nowhere near the scene of the crime at the time. The article says that Parra spent nearly one month behind bars, missing Thanksgiving and other family events, before the assault charges were dropped. We've talked a lot about Flock and license plate readers on the show.

So I think people who watch this regularly kind of know about all of the issues with Flock.

But I think we wanted to include this story because it kind of demonstrates how none of these tools are ever going to be used in your favor. Even when they clearly prove that you've been nowhere near the scene of the crime or anything going on that you might have been accused of, any of those results are going to be disregarded by police. But if any shred of evidence can be gleaned from them that might place you at the scene of the crime, they will be used to

basically accuse you and ruin your life, or at least that part of it. So yeah, that was the only thing I really wanted to highlight.

It's just the demonstration, I think, that all of this mass surveillance is not worth the cost, because it's so unreliable in so many ways. Whether it depends on AI or whether it's just a system that isn't reliable like this one and can't be trusted, we are placing a lot of faith in these automatic systems like license plate readers and other forms of mass surveillance in our society that don't have a very clear benefit and get things wrong a lot of the time.

Yeah, that's basically what I wanted to cover. I think we've kind of done Flock stuff to death maybe at this point, but just an update for you. Jordan, was there anything in this article that you saw that you wanted to highlight? I feel like the most surprising thing in this article for me was, like, if you read further down in the article, there's stuff about how the officers literally didn't even check any of this first. They were just like, oh, it's a hit on Flock.

And then they went and arrested this guy. And apparently they literally took him to like jail and everything. Like they literally jailed him based only on this information. Like it's... it is kind of ridiculous that maybe I feel like maybe police are relying a bit too much on this technology when, you know, like you said, it's not really that reliable in terms of like actually detecting things and correlating information. But yeah. Yeah. It's a great question.

Like, what do they consider to be a hit? Because if they're just basing it on, like, is this car in the Flock system? That's not exactly proof of anything, is it? Not really. Yeah. And especially because, like, I don't know, if that's all they're going on to actually arrest someone and put someone in jail, like, that's the only thing that they need. I feel like that's maybe a bit ridiculous that they're relying so heavily on it.

They even said like in the article, it even says like, Oh, we checked this guy's car. We like looked through all of his stuff. He had no weapons. Like there was, there was not really a whole lot of evidence that this person was like even immediately obvious evidence that this person was connected to this crime. So that's why it's kind of surprisingly ridiculous.

And I think the San Diego Police Department is going to get sued pretty bad for this, because I don't think they really had any evidence to arrest these two people. And apparently they're seeking $1.5 million in damages. So I don't know. I mean, yeah, this has life-altering implications for sure when you're convicted of a crime and you're jailed for that long. I think that's one of the most ridiculous things to me.

I think being wrongfully accused of a crime... in general is a terrible thing to happen to anyone. But in the heat of the moment, some of these things can happen with police. But to spend an entire month in jail because of a crime you didn't commit is ridiculous. Spending more than one night while they sort anything out is ridiculous because You really should be innocent until proven guilty, and that is just not what we see in a lot of cases, and especially in this one.

That is quite a significant punishment, I think, spending an entire month or more in jail, that the police just kind of did arbitrarily. This wasn't, you know, the result of any sort of conviction or anything. It's too long of a waiting period for sure, especially, again, at the hands of these very unreliable tech systems that we just cannot push all of our judgment and accountability on, because, again, they get things wrong so much of the time. So yeah, I hope his lawsuit goes through and he makes some money, because usually hitting them where the money is might make them change their minds. But at the same time, even that's a bit challenging with the police because they're taxpayer funded. So what do they care, right? But hopefully there's some accountability and some changes that are made here.

And hopefully other places learn a lesson from this as well, because I think that we're going to be seeing more stories like this throughout the country and around the world as these license plate readers and other systems of mass surveillance like this get implemented more widely. So yeah, it's just super unfortunate stuff.

And it's exactly the kind of thing that people who have been against Flock, or people who have been against mass surveillance in general for an even longer period of time, have been warning against from the very beginning. It's a very predictable outcome, I think, of these systems. And, yeah, now we're seeing the results of that, which is crazy.

Maybe for people that, like, aren't super familiar with what, like, who and what Flock actually is, like, how exactly is this, like, is it like a camera system that has, like, some AI detection, like, algorithm or something, or how exactly does that work? Yeah, so they sell these to... like cities and police departments as a camera system that you can put up pretty much all around your city to track cars basically wherever they go based on their license plates.

So it kind of maps out people's specific locations, where they traveled, et cetera, and gives that information to law enforcement or other people to basically trace people anywhere in the city based on where their car is going. The way that Flock systems work in general is somewhat different depending on the jurisdiction.

Law enforcement agencies or towns would have the option to, for example, share all of this data with a national database, so like with the FBI, for example, so that they can all be linked together and potentially trace people even outside of that one specific Flock system. You can opt out of that, but all of these Flock systems still kind of interconnect to the Flock company's servers, and that potentially gives a lot of access to third parties to all of this information.

Yeah, it's just a very popular thing. It's not the only solution. There are other automatic license plate reader systems that are being implemented. But Flock is kind of a big one, and it's the one that has been in the news the most recently. We've seen a lot of stories about either these systems being implemented in different cities or pushback from citizens of those cities getting those Flock systems removed.

We've seen a lot of examples where a lot of money has been spent on implementing these Flock systems, only for the public outrage to be so great that they have to go and undo all of those changes, which is of course not great for the taxpayers, but is important to keep in mind, I think, for any city council who is considering implementing such a system.

The pushback against this sort of thing from the general population when people are aware of what's going on here is pretty significant and universal, that it's just not a great idea for this system to be implemented and we kind of need to avoid implementing such things in the future. And I think city councils need to take a lesson there.

It's funny, I think a couple episodes ago we talked about a Flock situation like that, where one of the city council members had a very emotional reaction to their system being removed from the town. And they were like, well, we might as well just let crime be rampant in the area. And that he took it so personally is probably, I mean, to me, only kind of speculating, an indicator that he was probably getting some sort of kickbacks from Flock or something to get this stuff implemented.

So I wouldn't be surprised if there's a lot of lobbying going on from Flock and these other ALPR companies to get these systems implemented in a lot of different cities, unfortunately. But we have seen time and time again that local city councils are very responsive to people who actually show up and care.

So if this is something that there's even a whisper about in your communities, I think it's super important to make your voice heard and voice your distrust of Flock and your dissatisfaction with any sort of ALPR system, because it's a massive invasion of your privacy being basically tracked wherever you drive, wherever you go in a city, potentially revealing a lot of personal information about yourself. So yeah, the Flock system is not great, not great at all.

I guess one thing that kind of crossed my mind talking about this, like more at the government level, is how does this even interact with, like, you know, the Fourth Amendment and all these laws to, you know, have actual privacy? Does privacy just not exist in public if they're just allowed to record every place that they see your car? Like, how does that work exactly? Yeah, I mean, I think this stuff specifically points to a larger problem that we have with the laws,

at least in the US currently. Some countries have solved this, but it's not super widespread. But I think basically when you're in sort of a public space, which would probably include any roads because that's government property, they will say you have no expectation of privacy and they can basically track you or take your picture or do whatever sort of privacy-invasive things they want to do. And that's all perfectly legal because, again, you have no expectation of privacy,

according to them, which is, I think, just a super unfortunate situation that we have with the current privacy laws. It's sort of related to this other problem that we have with the Fourth Amendment, with the government relying on third-party companies like data brokers to gain this information without having to go through official channels like getting a warrant.

But in this case, since the systems are kind of operated by these governments and law enforcement agencies themselves, that sort of like third party loophole isn't being used as far as I know. But I do think that accessing these databases should absolutely require a warrant. I mean, I think that even collecting this information in the first place should require a warrant, but that's kind of tricky with the privacy laws that I stated.

There just aren't a lot of safeguards in place right now to protect people from being surveilled in a mass way like this. And I think that that's a big problem with all of these systems. Mass surveillance systems in general are kind of giving up a lot of privacy for dubious gains.

And it's really just getting rid of, like, any sort of responsibility on law enforcement's end to perform their own investigations. They can kind of offload this to these computer systems that can trace anyone and kind of give results based on whatever algorithms are in place, which is not a very targeted approach at all, which I think is really bad.

Yeah, and I think also talking about this massive database that's, you know, available nationally as well, we can kind of move into this little... I kind of wanted to use this as backup to show that this is, like, a really bad idea, but cops keep getting arrested for using this technology without people's consent, for people that aren't actually criminals, right?

So this story here from 404 Media: Cops Keep Getting Arrested for Using Flock to Stalk People. Who would have thought that that information could be used for that as well? Yeah. So basically there were a couple of police officers who were using this Flock tool to basically track their ex-girlfriend's license plate through the Flock automated license plate reader system database. And apparently this officer used it 69 times. So, you know, I think.

This is data that is ripe for abuse as well, because all it takes is this data to get leaked or like, you know, for that to be like an API issue where someone's able to access this and they can basically find out where anyone lives, right? Because their cars are going to be driving around. I don't know. I just think it's too much data and it's centralized too much into like these massive databases.

And yeah, it's almost too much power to give people And I feel like it's almost, it's obviously not the same level as facial recognition, right? But it's like still like a similar thing, right? It's like just tracking you based on your number plate instead of your face. So, I mean, it's definitely less invasive than that, but it's like, I feel like it could kind of segue into that eventually if they're like, you know, lobby hard enough or anything.

Yeah, I think that that article is a good example of the dangers of there being no checks or accountability on these systems.

I mean, you take a look at this sort of reporting and you read about what this cop was doing, and his behavior was so egregious. The 404 Media article says it was so commonplace that his colleagues noticed him researching his ex-girlfriend's whereabouts while the officers were sitting in their police cruisers. So he was being pretty open about it, and I think that a lot of those cases which lead to arrests are going to be completely ridiculous like that. But a lot of cases,

I think almost certainly there are a lot more cases where this behavior is happening, but because they're not doing it in such a stupid way, like this guy, they're not being caught. And this kind of thing is just going to happen because there's really nothing in place to stop them besides...

Maybe being reported by a colleague or being caught up in some sort of manual audit at some point, but in the moment, all of these systems are just sitting there waiting to be used by anyone who has access to them. So, yeah, exactly. Like you said, I think just having this power in the first place represents a danger. I think that people in general just can't resist using this sort of thing if they have access to it.

At least some people, which is just another way that people are put in danger by these systems. Yeah, exactly. I guess we've kind of covered that quite thoroughly now.

WhatsApp says it caught new spyware attacks linked to NSO Group in violation of court order

I guess we can kind of dive into this next story here. This one here is about WhatsApp. So if you didn't know already, it's kind of been an ongoing thing that for the last three years, I believe, WhatsApp has been suing NSO Group because they keep using their technology to hack people's devices through WhatsApp. So basically this new story is an update to that. WhatsApp says it caught new spyware attacks linked to the NSO Group in violation of a court order.

So basically there was a court order that specifically said that NSO group could not target people on WhatsApp.

And basically it was found, WhatsApp found, that there was evidence that they were still doing that. So here, I'll just read straight from this article: Last year, as part of a years-long lawsuit launched by WhatsApp against NSO, a court ordered the spyware maker to stop targeting WhatsApp and its users. WhatsApp claimed that the new phishing campaign revealed on Monday violated this permanent injunction and, as such, filed a contempt order against NSO. Yeah, so this injunction, I guess,

stems from a 2019 mass hacking campaign by NSO that targeted more than 1,400 WhatsApp users. Following the discovery, WhatsApp notified the victims and sued the spyware maker. And a jury ordered NSO to pay $167 million in damages, which was later lowered to $4 million. Oh, my goodness. That is tragic. But, yeah, I think this story, if you're not familiar with NSO, one of their, basically, the biggest victims.

I wouldn't say the biggest, but like maybe the most prolific: Pegasus spyware. That's like one of their biggest products, I guess. And, you know, this is a company that is actually put on a block, like a block list, in the US, and they've even had sanctions and stuff. So, you know, this is a company that is not particularly good, I would say. So this is kind of not that surprising, that they would still be trying to hack WhatsApp users. But I don't know.

Do you have any thoughts on this one, Jonah? Yeah, so all of this kind of stems from some rulings that Meta got in their favor. It was back in just May of last year. They were awarded that, what was it, $167 million in damages and the injunction against NSO Group being able to hack WhatsApp, basically.

And then in October, the payment was reduced to $4 million, like you said, but that injunction against NSO Group, basically blocking them from targeting any WhatsApp users, was granted and is in effect. So the fact that they are continuing to do so anyways is just a blatant violation of that court order, which is crazy. So I guess we'll just see. I guess we'll see what comes of this. They are basically seeking to hold NSO Group in contempt of court because they are violating that ruling.

So will it make a difference? I guess I don't know. I kind of doubt it since it seems like NSO Group is going to be flagrantly violating all of this stuff anyways. And I don't know how much exposure to the U.S. jurisdiction that NSO Group even has because they... are putting a lot of pressure on them. This article, did you mention, they are going to continue with their plans to enter the American market.

The US government hasn't removed NSO Group from that block list yet, but apparently they are lobbying to get that done.

Hopefully this represents a gigantic hurdle for NSO Group to enter their operations here, because I think, depending on who they're selling this to, I wouldn't be surprised if their end goal is to get these tools in the hands of law enforcement agencies or local law enforcement, in a similar way to these Flock cameras we were just talking about, which would represent a huge danger, in the name of, like, supposed help with investigations and stuff like that. So yeah, I mean,

it's kind of all I have to say. It's a quick story, but at least Meta is not letting this go, which is something. Definitely a rare, rare Meta W, very rare. Um, but like, I think this is also like, they did mention in this article as well that, uh, this spyware maker NSO Group, which is like an Israeli company, um, did get acquired by US investors.

So like, that does raise kind of some questions if possibly, you know, that does mean maybe this technology might end up being implemented in the United States. But I mean, I think it's also too early to tell at this point, especially considering that they're still on the block list and they're still being sanctioned.

So I think it's, yeah, it would definitely be really terrible if this did start rolling out, like this technology, because I feel like NSO Group has been, I mean, I think you could argue maybe that this technology is good when it's used against bad people, but I also think it does end up being used for bad things as well, right? Like when you have this much power to hack people, it is going to be used for something bad.

I'm not really super familiar with who and what they use this technology, NSO Group's technology on, but I don't think that should be used on anyone if possible. I mean, I feel like it also could be targeting like journalists and all that sort of stuff as well. I'm not really sure though. Yeah, I think that's the main thing that we've seen. Journalists, activists, politicians especially. There's been, I mean, we've seen examples of this happening to politicians in Europe and other countries.

We've also seen, I believe we mentioned this in a recent episode, but Ron Wyden has been warning senators and other congresspeople here in the US that they are being targeted by spyware on their phones and they need to switch to more secure systems. So this stuff is pretty prevalent, and a lot of people are impacted, even at these higher levels, by intelligence agencies and other people who are using this spyware. So it is a danger, and these spyware companies

are basically developing all of this in the open and selling it, which shouldn't really be allowed at all, honestly. Yeah, it shouldn't really be happening, but unfortunately it is. I guess also kind of like a follow-up a little bit to the story where we talked about the Flock license plate readers, there's this new story here from Massachusetts, if you want to grab that one.

Massachusetts votes to pass new privacy rights bill that bans sale of precise location data

Yeah, so some good news in this case. This was reported by TechCrunch: Massachusetts votes to pass a new privacy rights bill that bans sale of precise location data. Massachusetts lawmakers have voted to pass privacy protections that grant the state's residents new rights over accessing and deleting their data held by big tech giants. The bill also bans companies from selling their users' precise location data. Later on in the article, they say the move makes Massachusetts the latest U.S.

state to push for stronger consumer privacy rights after years of documented abuses by the wider technology advertising and social media industries. While the United States does not have a nationwide privacy law, unlike many of the world's major democracies, U.S. states have filled the void of legislation by bringing their own patchwork of privacy rules that apply to their states. So I think at this point in time in Massachusetts, the lawmakers have passed this bill.

The article says that their Senate has also advanced their own bill doing the same thing, and now those bills are basically going to be combined in the Senate, and then it'll be sent to the governor's office. So there is that whole process where the governor eventually has to approve this, but the article says that it's expected that they will sign it into law.

It's just not clear when that will happen, so there is a bit longer to go. But the article says that the bill, if it is passed into law, is going to apply to companies that handle or process the personal data of more than 100,000 consumers, which will mainly affect medium-sized startups as well as Silicon Valley technology titans. I think, in addition to the big tech companies that will be impacted by this, another major impact this is going to have is on cell carriers, because they have been

found to sell sort of this location data to data brokers and other parties as well. And hopefully this puts an end to that, at least in Massachusetts. I think that this is a really important issue because The data broker thing, as I alluded to in that flock story, is kind of a loophole around the Fourth Amendment. Basically, all of these private companies are selling data to data brokers, and then those data brokers in turn are selling all of that data to the government.

And the government can say, basically, since they're getting this information, like a third-party company is voluntarily giving it to them, they don't have to, you know, have a warrant in order for them to hand over that information. They're saying that a warrant isn't required to obtain all of the sensitive information about people, when normally, if they wanted to obtain that information from the companies that process this information directly, they would have to

get a warrant and a court order to tell, like, Google, for example, to hand over the data. So the data broker thing is a gigantic loophole in privacy laws, at least in the US right now, that definitely needs to be patched, because there's really no oversight whatsoever when it comes to the government using all of this data that data brokers are collecting.

This data broker data is also used by a lot of different companies for stuff like targeted advertising, which will lead to problems like surveillance pricing, which we've talked about in previous episodes where companies will eventually adjust prices for things based on all the stuff that they know about you. And geolocation data, like where you're traveling, reveals, again, a lot about where you're going.

This is not just from where you're driving in your car, like with Flock, but this would be data from your phone and other technology sources that can reveal even more information about you than Flock would. And all of that data is very revealing and very powerful. I mean, we know how revealing it is because we've seen the privacy policies of, like, car companies these days spelling out all of this data that they can get basically by tracking the computers in your car.

And it's a ridiculous amount of information that they are able to have. And yeah, it's really just not something that should be in the hands of all of these companies kind of sharing it all around. So stopping that from happening is a huge win for people in Massachusetts. And hopefully more privacy laws are implemented, or national privacy laws implemented, that stop all of this even further.

Yeah, I think this is like one of those things where we're seeing like, it feels like almost every year we're seeing like more and more states like adopting these privacy laws. And like, you know, maybe that does mean that there'll be a push towards something national because I feel like that is kind of like the, that would be ideal, right? It would be better if it was a national thing instead of just like state by state, right? Or is it better to have things like this or... Yeah, absolutely.

It would be better to have a national law that's more uniform. That sort of thing is obviously harder to pass, I think. And in the meantime, more states adopting this is super important. So hopefully this sort of legislation in other states gets passed forward.

But yeah, having a minimum baseline across the entire country would be a huge improvement, because there's probably companies who aren't going to comply with state laws, especially if they don't have a huge exposure to that state. So making it uniformly applied to all states in the United States would be a huge improvement as well. Definitely.

I think one thing that was kind of surprising to me, though, in this specific law that the TechCrunch article talks about is the law would block the sharing or sale of sensitive information without a user's explicit consent. So you're saying, like, I don't know if I'm reading between the lines enough here, but, like, does that mean that if you consent to this, then they can technically go ahead and just sell the sensitive information? Is that kind of what I'm reading right now?

Yeah, I'd be concerned about this a bit because... There aren't a lot of protections, I think, in place about people accepting terms of service. And like, could this be snuck in there into these things that people just kind of agree with or agree to without reading them? I think that's a concern.

That hasn't, in a lot of court cases, really held up, that you can just hold people to these super lengthy terms of services that the companies know most people probably aren't reading in full, but it's certainly going to make any cases against these companies harder, so I wouldn't be surprised if that's a technique that they try to use here.

I think there's also an issue with... A lot of the times when people consent to their data being collected in this manner or being sold in this manner, it's because they don't have maybe the context or the education about data privacy, for example, to understand all of the different ways that this data can be used.

Because typically, if companies are going to ask you to opt into giving a permission on your phone or opt into participating in a program like this, they're going to highlight, like, the benefits and not highlight all of the downsides that are taking place. So then it becomes a question of like, can people provide informed consent in the first place when it comes to stuff like this? And I think in a lot of cases, that isn't really the case.

These tech companies know far more about how to exploit the data that you're giving them than you know about what data you're giving them. So it is a huge imbalance in that whole dynamic that I think is dangerous. So yeah, I guess to answer your question, these laws do leave open a lot of questions. And again, it's sort of a situation where we kind of have to see how it all plays out, basically.

Yeah, it did seem like this law in particular had people like Evan Greer from Fight for the Future and the ACLU also saying that this was a really good move. Even if there might be things that aren't super great about it, there's still a little bit of a loophole there. It's definitely still like cracking down a little bit, right? Like, I think we should try and get the wins where we can.

Like if there's something that goes through that's still offering some protection to people, that's better than something that's, you know, just wholesale allowing it. So that is still better. Right. Um, and I think this also kind of touches a little bit, if you look on this article, the author of this article mentions that data brokers have basically relied on app developers selling their users' location data.

People will just kind of allow access at all times to their location to apps and stuff like that. And that's also being used to aggregate into these data brokers as well. So I don't know. It would be interesting to see how that also plays. Because if someone... if all this means is that then those app developers just have to say like, oh, do you explicitly consent to us selling your location data? I'm sure most people might actually say no to that, but I don't know.

It definitely does raise questions about that, but at least seems like, this might have some impact at least on larger companies. Is this something as well, like I see a lot of these laws apply only to like larger like organizations, like medium organizations where it's like a hundred thousand plus consumers. Is this like a concern as well? If it's like a bunch of small players that are just doing this as well, like is that kind of also a bypass for this or? Yeah, that's a great question.

I don't really understand why, I guess I'm not really super familiar with the data broker or data exchange landscape when it comes to much smaller providers. I don't know how common that is or what kind of use cases they would be doing if you have less than a hundred thousand consumers worth of data. What are you realistically doing with that and who are you selling it to? I don't really know.

I think a hundred thousand consumers is maybe a little... that bar is a bit higher than I would like it to be. I think it should be a bit less. But I think there is some danger, especially with small businesses, that they would want to balance this against, because it's also very easy for small businesses to be kind of accused of violating all of these laws that they didn't necessarily even know about and then having to defend against that sort of thing.

Even if they're not even doing this in the first place, I think that would be... that could be killer to a lot of small businesses just being involved in unnecessary lawsuits. So I think that that is the reason why we commonly see a lot of these laws have some sort of bar where it's only going to apply to larger organizations, even the GDPR and the EU.

A lot of the provisions only are going to apply if you have, I think, more than like a certain amount of employees, if I remember, which is another way that this is commonly done.

So yeah, I'm not sure if I totally agree, but if you are not past that hundred thousand consumer threshold, you might not be doing mass surveillance in the first place, because when we're talking about mass surveillance, typically it's like this is going to impact everyone in the community or this is going to impact, you know, people nationwide, like millions of people are going to be impacted. So this does limit the impact of smaller situations. But I don't know how dangerous that is.

I do think that the most prevalent cases of this are going to be these big tech companies, like the article says, and putting a stop to that. Regardless of what anyone else is doing with this data, that's still going to have a huge impact on people's privacy. So it's a good first step. I guess what you were saying about it being a good stepping stone, I think that that's totally true.

We talked about that a bit when we talked about the Surveillance Accountability Act that Naomi Brockwell drafted. And I even asked Naomi Brockwell about this, like, do you think it's likely to get passed? And she said, no, probably not at all. And the reason is that this stuff is still super important because it gets the conversation going or it gives us... a base to build off of with more comprehensive privacy laws in the future.

I think governments are just slow, whether that's because of bureaucracy or whether that's because it's by design or whatever. They are just slow to take action and prevent this sort of thing. But establishing some precedent helps with speeding things up in the future. And just making people more aware of this with laws I think helps with speeding things up in the future.

A big reason that the Surveillance Accountability Act was so important was because it just gets things out in the news that like, oh, the government is doing this. There's some efforts to stop it. Even if those efforts aren't passed, it's a conversation that we need to have and that lawmakers need to have. And that sort of, just from an educational perspective, is super important to have.

Yeah, any sort of privacy law being passed is a huge improvement, but there's certainly still better paths that this could go, and this could be improved pretty greatly, but hopefully this leads to that happening. Yeah, definitely.

I think it's also important, like we've kind of been pushing for this, for people to, you know, contact your local representatives, make sure you're doing that grassroots action and trying to get people to actually take this stuff seriously. Um, because yeah, it definitely does seem like it is a bit of an uphill battle, I guess. Um, because there is so much, like we've talked about it previously, like with Flock and all this mass surveillance stuff that's being rolled out.

Um, so yeah, definitely is important to do that. Um, do you have anything more you want to add here or do you want to dive straight into some site updates? I think that's kind of it.

Site updates

Yeah, why don't you give us some updates on what you've been working on on the video side of things so far? Yeah, so I guess I'll also give an update on what Nate's been working on too, because we've kind of been also working together on it. But yeah, Nate put together a Jellyfin tutorial, because I don't know if everyone's seen, but Plex is now upgrading the cost of their lifetime Plex Pass, which basically gives you unlimited access to all the features of the Plex Media Server.

They're upgrading the cost to seven hundred and fifty US dollars, by the way. And that is kind of expensive. It was, like, I think it's now two fifty. And before that, it was even less. It was like, I swear it would drop down to like fifty before. So it is kind of wild that they've increased it so much. In fact, a little bit greedy.

So we kind of wanted to, you know, cash in a little bit on that and put something out for people that are very frustrated with Plex doing all these silly things. I think Plex has also kind of done some strange stuff that's kind of diverged a little bit from the people that use their product, like including a bunch of streaming stuff, um, not really focusing as much on the media service stuff. I think people are kind of looking for alternatives.

So that's what we're trying to do is provide like a way for people to switch away to something that doesn't even cost any money. You should donate, but it doesn't cost any money. Jellyfin is like an open source project. There's no strings attached. It's definitely less expensive. of a good experience, but if that is okay for you, like if you can put up with that, then I think it's definitely a good alternative to Plex.

Um, so yeah, Nate has recorded that this week and he shot that over to me the other day. So I've already started like doing some basic edits on it. Um, that should be an interesting video to look out for. And we've also been working on a video about passwords. So that is currently out to members on YouTube. And I think we're just waiting on, we've had like a lot of stuff going on behind the scenes this week.

So we haven't had time to put that on PeerTube yet, but that will be also up on PeerTube at some point. Um, that's a video kind of going through, I feel like there's a lot of misconceptions about passwords and what is a secure password. So that video was written up by Nate with some help from Jonah as well. And we kind of went through a lot of the, I guess, misconceptions that people have and, you know, tried to give people good actionable advice on how to create good passwords.

So that's definitely going to be an interesting video that will go public. I believe that will be going public on Saturday at ten a.m. Central Time. So definitely look out for that going public. But right now it's available to members. Yeah, that's sort of everything that I've been working on. What about you, Jonah? Yeah, I just want to say about the Plex stuff quick. I hope that that does convince a lot of people to switch to Jellyfin.

I think that all the Plex stuff, especially the weird stuff that you mentioned about them adding streaming stuff and stuff like that is really indicative of the VC funding issues that we've seen. Obviously, Plex has taken on a lot of money and now investors are hoping to cash in on that.

And Plex doesn't really have a clear path to doing so, probably because, you know, what is it, it just serves files on your local server in theory, but now they've spent all this time and money on building features that nobody was really asking for. So I honestly think if Jellyfin is a bit too rough around the edges for people, it's probably also worth looking into Emby, which an older version of that, which used to be open source, is what Jellyfin forked from.

I've been using both Jellyfin and Emby recently.

just because I don't agree with the direction Plex is going in at all. And I will say that the experience right now on Emby is significantly better. They charge some amount of money for either a subscription or a lifetime pass, obviously significantly way less than Plex, but I think that it's a project that Plex users who are willing to use these, I guess, proprietary alternatives (because they're already using Plex, which is proprietary), it's worth looking into, because I think Emby is doing what

Plex should be doing, which is just being focused on serving your own media and not also adding in all of these other things or taking on a bunch of VC funding to add pointless features that nobody asked for. So in the meantime, if Jellyfin isn't going to work for you, I do think it's worth looking into. But in the long term, I hope an open source solution like Jellyfin really takes off and gets a lot of attention.

And hopefully these changes will make it so that more people are contributing to Jellyfin, because now you kind of need to if you don't want to spend that absolutely insane sum of money that Plex is now demanding. Anyways, yeah, I'll share some other things that we've been working on.

A lot of the time I've spent this week has been redoing our server setup, which is not super exciting, but I'm converting it all into scripts and code that we will publish on our GitHub so there's more visibility into what we're running and more people can make changes to all of that stuff if there's any sort of emergency, because right now we just kind of have a lot of systems that we need to get unified. So I don't know how many people are interested in that sort of thing, but if you are for

some reason, probably hopefully by next week we'll have a repo on GitHub that will be public that kind of has all of that stuff in it. So at least on my end, for me personally, that'll be cool because it simplifies a lot of the stuff that I have to do. The other thing I've been working on is more stuff for the verified apps database. And the app that we have on Android, I've been improving that, working on getting it submitted to app stores, and also just going through submissions.

So there's a few more apps in there. We have a lot of submissions open right now. People have been really contributing. I would definitely say if you would like to help improve our services, it would be really appreciated to submit the apps that you have on your phone as well so we can kind of expand this database.

We are expanding it right now with apps that we can basically verify from different app stores, but eventually we'll move on to verifying stuff like APK files that you download from websites directly or from GitHub or what have you.

Yeah, I'm just excited about that project because I think it's a pretty useful feature for people on Android, especially if you're downloading apps from the internet or maybe untrusted sources because, for example, you don't have access to Google Play yourself, either because it's not available in your country or because you just don't want to use Google Play services in a Google account. And you have to get your apps elsewhere.

This is a good way to check whether those apps are legitimate, in my opinion, and hopefully other people agree and find it useful. So yeah, basically working on building that.

In other site news, mostly Fria, but also the team in general, have been publishing more news stories to privacyguides.org/news. So a lot of the stuff that we've seen that we don't have time to talk about here on this show typically gets published at privacyguides.org/news, so that is a good place to really keep up with a lot more news stories in this space that we're aware of, in addition to what we post on the forum and stuff, of course, from the

community. So yeah, definitely check out the articles there if that is something that's interesting to you. I would definitely recommend it. All of the stuff that we work on at Privacy Guides, it's made possible by our supporters. So if you like all the stuff that we're doing and want to support the project, you can sign up for a membership or you can donate at privacyguides.org/donate. You can also pick up some swag at shop.privacyguides.org if you want something there.

Privacy Guides, of course, is a nonprofit project where we research and share privacy-related information. And we facilitate that community on our forum and Matrix, where people can ask questions, get advice, learn about staying private online and preserving your digital rights. So yeah, I think with all those updates out of the way, let's talk about our next story about a new Apple feature, which is automatically going to change your compromised passwords.

New Apple feature automatically changes your compromised passwords

If I could pull it up here. This was reported by Bleeping Computer. The headline is, just as I said, there's a new Apple feature here. They say, at WWDC, Apple announced an Apple Intelligence-powered feature that can automatically fix weak and compromised passwords. Right now, Safari and the built-in Apple Passwords app can automatically flag weak, duplicate, or compromised passwords. Now, this is an AI-powered feature.

Apple says that the built-in password app and Safari can now use AI to agentically take action based on your behavior and secure your passwords automatically. This feature will launch with iOS for the passwords app in Safari, which can automatically update eligible accounts to strong passwords. I think that this is a cool development. There's a lot of concerns about AI and how this will be used.

For example, I would certainly hope that this feature in particular is going to be done entirely locally. Apple says in a blog post that the latest models that they have run on device and on servers using Private Cloud Compute. But I would imagine something like this is going to work on device. It doesn't specify very concretely in this article, from what I've seen, how this feature is going to work. But so yeah, that's something to look into. But hopefully it works well and is reliable.

Because I do think this is a big problem that people have when they switch to password managers: they import all of their passwords, and they're usually all the same passwords, and then they have to go through and update them all. And that is difficult. So a one-button way to fix all of your passwords, or to fix passwords that are compromised in a data breach, would be actually helpful for a lot of people and hopefully would improve their security.

I guess the main thing is I hope this doesn't stop websites from adopting even more secure alternatives like passkeys. I think that that's the ultimate fix probably is to get much more passkey support implemented across websites. We've seen a lot of passkey adoption so far, which has been super great because it kind of guarantees all of the security by design.

So I'm glad to see a lot more sites adopting that than had adopted like security keys, for example, even mainstream consumer sites are adding passkeys now because it's just an easier and more secure way to secure your accounts. So yeah, overall, I don't think this is a terrible idea. I think for people who are using the Apple Passwords app, it's pretty cool, which I would imagine it's a lot of people because it's by default. It's not a password manager that we would probably recommend at all.

We have password manager recommendations on our website, mainly open source ones like Bitwarden and KeePass are the big ones. And I don't know how likely it is that they'll be able to add a feature like this anytime soon. But for a lot of people who are just using the built in password manager, I think that this will improve kind of the baseline security for all of those people. Jordan, did you have anything to say about that change?

Yeah, I think this is kind of indicative of Apple's, like, control over this, like, whole ecosystem, right? Like, it feels like not many other companies would really be able to do this. And, like, maybe if there's... I don't know. It's just that they have such, like, ultimate control.

I think one thing I have seen is a lot of people will have, like, a bunch of passwords in Apple Passwords because it literally will ask you to save your passwords in there automatically and people just do that, right? And... I imagine a lot of times, at least the people that I've seen in my life, they'll have the passwords app and it will just be a list of compromised, compromised, compromised.

So I think if this just updates those passwords automatically in the background, it's not super clear how this works yet. And I think a lot of things when it comes to AI and Apple, I think we need to definitely hold our breath a little bit because They don't seem to be super good at rolling out this sort of stuff. They'll promise something and then it won't really happen. I don't know.

I don't think this, it was kind of frustrating looking at WWDC last week or this week, I guess, because there was such a focus on AI stuff, and we didn't really see that many security improvements or anything like that. So this was one of the few things that was able to be positive, I guess. I'm not really sure. I feel like as soon as you start assigning tasks to an AI agent, it starts to become a little bit sus. They were saying on here that it was... an agentic password manager.

Like, I don't really like that idea. I don't like the sound of that. Like, I feel like that could possibly end up being, oh, we changed your password to something that's really bad. Or we submitted your information somewhere. I don't know. I'm not really super convinced by this, but if it does just do what they're saying and it's kind of, they just, you know, plugged on a bunch of AI buzzwords, maybe it's a good thing for those people that are using Apple Passwords.

But yeah, Apple's definitely been making quite a big fuss about, like... oh, Apple Intelligence is going to be very private and secure and not sending your data anywhere. So that still remains to be seen. I think most people on our team are definitely more against this technology than for it. But if this technology has to get implemented on people's devices because of the trends in the industry, I'd rather it gets implemented in a way that isn't sharing it with massive AI corporations.

So yeah, I don't know. Yeah, definitely a lot of questions that need to be answered here, I think. Yeah, definitely.

Signal, DuckDuckGo among firms weighing Canada exit over lawful access bill

I think that's kind of all I have to say, though, if you want to take our next story here. Yeah, sounds good. So this is a story... from Canada. So, Signal, DuckDuckGo among firms weighing Canada exit over lawful access bill.

So I don't know if people have been following, but basically there's been a bill called Bill C-22, which basically would force companies inside Canada to retain metadata for up to a year and allow basically for police to access that information. And obviously when we talk about stuff like Signal and DuckDuckGo, that technology is not particularly compatible with this, right? These are technologies that work on the least metadata collection possible, right? And as soon as you start

forcing these companies to retain this metadata and to do this sort of stuff, it sort of breaks the entire privacy aspect of these tools. So quoting from the article: in its current form, Bill C-22 would convert the everyday tools Canadians rely on into sprawling, insecure surveillance apparatuses.

Signal's vice president of strategy and global affairs told the House of Commons public safety committee on Tuesday: if we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave. Which I think is really good, that these companies are actually making a stand on this. Um, I think we've seen this before, especially in the UK. We've seen people saying they're going to leave, um, similar things in other countries that are

trying to pass these like metadata retention stuff, which is good. And basically the argument for this is adding these metadata retention things and adding backdoors for the good guys can always be exploited by cyber criminals and expose a bunch of this metadata to people that shouldn't have access to this. And the solution here is don't. No metadata. Don't collect it. It doesn't need to be collected, right?

That's why it's so frustrating when there's these politicians that are trying to get this stuff pushed through. So yeah, another quote here: effectively, the government through this legislation seeks to insert itself into the networks and devices of various providers. So yeah, it's kind of a bit of a problematic bill. I've seen this definitely popping up a lot as being basically, pretty much, it's basically a mass surveillance bill.

As far as mass surveillance goes, this is basically a mass surveillance bill. Even companies like NordVPN said they would basically remove service from the country this past. This is going to affect the VPN services too. Windscribe, which is a Canadian-based company, that would be interesting to see how that would affect them because they are based in Canada as well. So like, would they have to move countries? Like, would they have to change jurisdiction if this passed?

That is not entirely clear. Well, I did see, I like this quote. It's later on in the article, but Windscribe did have a quote here. Apparently they wrote on X: we pay an ungodly amount of taxes to this corrupt government and in return, they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We'll move HQ and take our taxes elsewhere. So it seems like they are definitely on board

the get out of Canada train if such an invasive bill like C-22... I think that is one of, that's always been one of those sticking points for people in our community, is like, oh, you're based in Canada. Like, Canada doesn't have the best track record when it comes to this sort of stuff.

And now I guess we're kind of seeing, this hasn't passed yet, but you know, there's definitely a possibility that it will. And it's good to see that companies, especially even ones that are based in Canada, are literally saying, we're going to just get up and leave. That should be the response to this sort of law passing. Um, yeah, there was some more people just saying like, there was also, uh, there's also Tailscale, which is also based in Canada.

Um, they were also saying that they would have to think about, you know, maybe moving jurisdictions as well. Um, I think when you start having all these companies coming out saying that they would rather move jurisdictions than stay in your country, that is kind of a clear sign that what you're trying to propose is very much not a good thing.

Yeah, I mean, all of these backdoor proposals are just fundamentally flawed, because there's no way to implement these securely. And I think you quoted this earlier, but, um, exactly like it says in the article, these companies, not only should they not do this for security reasons, but they have an obligation to all of their consumers that they're going to protect this data from a cybersecurity perspective.

All of these companies have an obligation to protect people from data breaches, and this basically prevents them from doing that. It's not very clear to me why governments don't really understand this when it comes to certain tech companies, but it seems obvious that this is going to impact companies far beyond just tech companies or VPN companies or whatever.

If there has to be a backdoor into encryption like HTTPS, for example, that's going to impact the security of your bank account transactions. Yeah, not just from the government, but from hackers. We have said this before and I'll say it again. All of these backdoors are going to be exploited, because there's no way to implement them in a way that only one person like the government can access and nobody else can.

So people will eventually, maybe not immediately, but there will always be some sort of exploit or way that people can use these back doors outside the government to get access to all this data.

Even if in like a perfect fantasy world that these governments seem to believe in for some reason, if we imagine that there's a backdoor that only they can access, I think the flock story that we talked about earlier also demonstrates that the government can't be trusted with this data because we'll see government agents, law enforcement officers, et cetera, use their access to these systems to track people unlawfully and completely abuse the type of backdoor that a law like

this would implement. So it's just an incredibly dangerous situation that Bill C-22 is creating for Canadians right now. And it's something that anybody in Canada needs to really take steps to prevent from happening. You need to make your voice heard once again,

because this sort of thing, again, public outreach and kind of these grassroots efforts to block bills and other stuff from happening, it can be effective, but people really do need to get out there and make their voices heard. And this is a particularly dangerous form of this kind of backdoor that should not be put in the law. So yeah, Canada, watch out. One really important thing, like you were talking about with the grassroots organizing of people, this

has already been, uh, knocked back, I believe. Like there was already a previous bill that they tried to pass that was similar to this. I believe it was Bill C-2, I believe, um, the Strong Borders Act, which also included a bunch of mass surveillance stuff, and that was also knocked back because of public outcry. So like, it does actually work. In this case, it a hundred percent does work.

So this article itself is saying, you know, at the end of it, it's saying like, they're going to make amendments to the bill to make it so that it's not going to break encryption, which I think is a little bit ridiculous. So what does that exactly mean? You know, they're saying that they wouldn't shorten the retaining of metadata. They would still keep it for a year.

So, you know, I think this is a little bit ridiculous. It shouldn't be passed. Definitely get in contact with your representatives if you're in Canada and try and make sure that you let them know that this is a really bad idea. And, you know, the government has not really... it sounds like they might be talking a lot to law enforcement, which, you know, of course they want more data to be able to, you know, do police work, but it kind of flies in the face of, you

know, individual freedom for people in the country and access to these tools. So, um, yeah, it's just kind of an unfortunate situation, but if you're in Canada, definitely try and get in contact with your representatives. There's a good, uh, article from Citizen Lab in Canada that kind of analyzes this law in more detail and explains why this stuff is fundamentally flawed. That's a quote from them, and it's true.

If you open up this Global News article from our newsletter where we have all the sources, this analysis is linked at the bottom of the article. So I would definitely check that out as well, especially if you're in Canada and you need to find more reasons to tell lawmakers about why this sort of... bill is absolutely unacceptable and can't work and will really endanger everyone in Canada, their privacy, their security, their... Yeah, I mean, their security online in general.

So give that a look if you're in Canada. And again, you got to take action because this kind of stuff is super, super dangerous if it gets passed. Anything else to add, Jordan? I think I kind of... Yeah, I think that's everything I've got to add. We can dive into the next story here, I guess.

Over 400 Arch Linux packages compromised to push rootkit, infostealer

All right. This one is reported by Bleeping Computer again. Headline is, over four hundred Arch Linux packages compromised to push a rootkit and infostealer. More than four hundred packages in the Arch User Repository are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens.

A report from the open source intelligence community Independent Federated Intelligence Network notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages. Later on in the article, they say that the Linux binary that's being distributed through all of these package build files has infostealer functionality, which targets the following types of sensitive information:

GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, Slack data, Discord data, Microsoft Teams data, Telegram data. They say AUR maintainers are working to identify and remove all malicious commits, but obviously this has a pretty widespread impact on the entire Arch ecosystem. In a message to the community, an Arch Linux package maintainer urged users to report any malicious package they find.

As a general rule, it's recommended to only trust projects with frequent updates and an active community around them. I think overall, in my opinion, this is kind of indicative of the danger that the Arch user repository has if you're using it. There are quite a few warnings on the site and throughout their wiki that you shouldn't just kind of blindly trust the AUR with packages and what's being installed because they are user-contributed and really anything could be in them.

And if there isn't any oversight because it's a... not a super popular package, for example, this kind of stuff can break through. But at the same time, I think the Arch community and many Arch users do kind of blindly install a lot of these packages. And there's even a lot of programs that you can install that kind of treat the AUR as just a normal package manager. And you can install things without really taking a look at them.

And I think a lot of people... I think it's easy for a lot of people to kind of fall in this trap of just treating the AUR as a package manager instead of really looking through the scripts that they're installing, because it's just a matter of time. I think it's the reason that a lot of people will agree to using apps without reading the terms of service or reading the privacy policy. It's just an overly complicated setup for a lot of people that they're just not going to do

in favor of an easy solution, but in the case of Arch it will cause problems like this that I think will impact a lot of people. So one of the reasons I'm not really a fan of Arch is kind of what I'm trying to say. A lot of other distros have real package managers and maintainers. Any Linux distro is kind of going to be susceptible to this sort of problem, but we definitely see it to a lesser extent on distros that have a more trustworthy and more locked down

system like the Debian package manager, for example, which has maintainers who are more trusted than just like anybody being able to upload a package to Debian, for example. So yeah, I think that's kind of my thoughts on this. Was there anything you wanted to highlight, Jordan? Yeah, I think I just agree in general with like your analysis there. Like this is like the Arch User Repository is literally just packages that people uploaded.

Like anyone, like literally anyone, when we say like actually anyone, it's anyone can do that, right? So like it definitely increases the chances of something like this happening. And then, you know, having all these packages that people have installed that have got like maybe thousands of downloads and, you know, some maintainer, in quotation marks, comes and takes over this package build, they can insert malware. You are putting a lot of trust in that.

And I think if you are using the Arch user repository because you need to for some reason, I would definitely check every single time you update packages through the Arch user repository, make sure you actually check to make sure that the package build file is not compromised, which is not always super easy, but I think at least having some vigilance is better.

And like Jonah said, it's better to use platforms like different distros that have more restriction on who can actually apply for package maintainers and do this sort of stuff. You don't actually need to use the Arch user repository on Arch Linux either.

So you could just not. But I mean, I can kind of understand there are sometimes packages that you really need. Yeah, I think that because it does have an official package manager, but I think that just the scope of it on Arch is much smaller than on like Debian or Fedora, for example, and so a lot of people do end up relying on the user repository as well, for even like some larger applications that you would expect to just be included in an official package manager.

It's also worth noting that this is hardly the first time this has happened with the Arch user repository. We talked about this on the show back in July of last year, I believe, where malicious packages that were impersonating different web browsers on the Arch user repository were infected with a different sort of malware. Yeah, it's the I mean, these kind of, I guess you could call them supply chain attacks in general.

Or just this sort of malware distribution thing on these user contributed repositories of packages is a it's a it's a big concern. And it's probably one of the bigger issues that's facing Linux on desktop users at the moment. So definitely something to be aware of. And Yeah, hopefully that gets cleaned up and hopefully not too many people are impacted.

I didn't see an analysis of like... which packages were included. I believe there's a list somewhere, but I don't know how popular the packages were or how many people this could potentially impact. So yeah, if you're an Arch user, I would definitely look at the list of affected packages. They've also provided a report, linked to in this article, which has some indicators of compromise. So you could use that to look at your system as well and see if you were impacted.

But definitely something to worry about if you've used the Arch user repository lately. So yeah, Arch users, I would say, should look into this for sure. Definitely. I mean, if that's everything we have to add on that story, I guess we can dive into some forum updates. In a minute, we'll start taking viewer questions.

So if you've been holding on to any questions about any of the stories we've talked about so far, you can go ahead and start leaving them on our forum thread or in the comment section on the live stream. It's been kind of quiet this week, so maybe we may not have any. But if you do have something, do leave it soon so we can see it. For now, though, let's check in on our community forum as always.

Forum updates

There's a lot of activity there, but there was one interesting thread I saw this week, which was basically a discussion on using Tor instead of Mullvad Browser with Mullvad VPN. So basically the discussion on that specific thread was like, if you're just browsing clear net sites, does Tor really add that much more protection, especially if the VPN is paid for anonymously? Do you want to kind of dive into this one a little bit, Jonah?

Yeah, so I believe we cover a lot of this on like the page about Mullvad Browser, for example, and also just our VPN overview and how it differs from Tor. I think for a lot of people, you know, using Mullvad Browser with Mullvad VPN is probably a perfectly safe setup to use. Whenever you're using a VPN, you do have to trust that VPN provider, of course, which can be a problem or cannot be a problem depending on your specific situation and threat model.

I think a lot of people do use VPNs and trust them, and using Mullvad Browser in conjunction with that VPN is going to provide good fingerprinting protection, if that's the sort of thing you're concerned about with the websites you visit. Especially, I think, as Mullvad Browser continues to become more and more popular and you're using Mullvad VPN, you do have a decent crowd to fit in with where at least you have some protections in place, which is good.

Tor, on the other hand, there's pros and cons to it, but the biggest advantage is that you don't have that trust model there, because there's clear separation with the three hops: you have your guard node at the beginning, which is going to know your identity but not what you're accessing, and then you have the exit node, which will see what you're accessing but not who you are, and the middle node, which separates those two and keeps the data separate so they don't know who the other

node in the chain is. So from that perspective, it does provide a lot more protection of your anonymity, for example, than a VPN would provide. On the other hand, Tor notably is much slower than using a VPN. I think that's a big problem that Tor has.

Another problem that Tor has, which is maybe a bit less talked about, is, unlike generally VPN providers, since anybody can contribute an exit node and that exit node is kind of responsible for your connections to websites and your DNS lookups and things like that, there have been cases where Tor exit nodes either hijack your connections or redirect you to malicious sources. This is especially the case if you're pretty much downloading anything over HTTP instead of

HTTPS. There's kind of general, I guess, malware running on these exit nodes which will hijack that, just because they can be contributed by any users. So we've seen attacks, for example, against people who are downloading cryptocurrency related applications where these exit nodes will serve malicious copies of those downloads for you to download and get hacked as a result. That's probably less likely on a VPN, especially a trustworthy VPN, in our opinion, like Mullvad.

HTTPS, of course, prevents that, so that's something you should always look at when you're using Tor Browser. If you are using HTTPS everywhere and you're blocking HTTP connections, then that is much less of a concern. You don't have to really be worried about it because in that case, your connection really is end-to-end encrypted.

There is still the case where like exit nodes can get some metadata about your connections, which may or may not be an issue. Typically that impact is very small, but it is something to keep in mind if you're accessing clear net sites. So, yeah, I think that kind of covers what I have to say. Does that make sense? Yeah, that makes sense. No, I think you covered that great. I think, yeah, there's definitely benefits, right?

But I think this brought up a really interesting discussion, which you didn't touch on yet, which is multi-party relays. Because like you were saying, there is the risk of a Tor exit node being compromised and you know, being able to maliciously redirect connections, right?

When we talk about like a multi-party relay, like I think the one that most people think of is like iCloud Private Relay, where there's two trusted parties, but both of those trusted parties don't like... share the information, right? Like there's an ingress proxy, an egress proxy, and then it goes to the website. So instead you're not trusting like a random operator of a server, right? Which is definitely an interesting... I don't think it offers the same privacy

protection like as Tor, right, but it's definitely like a little bit of an interesting middle ground which offers decent performance and also offers some additional privacy compared to a traditional VPN. Yeah, the only two that I'm aware of is iCloud Private Relay that you mentioned and also Obscura VPN, and Obscura staff members and their CEO are on our forum, so there's some threads if people have questions about it. You can ask there. But that one works with Mullvad, and Obscura

VPN might be a very good option to use in conjunction with Mullvad Browser, because your exit node is going to be Mullvad, and so you're going to be blending in with even regular Mullvad users as well as Obscura users on Mullvad Browser. So it is an improvement in the trust model for sure.

It lacks the middle relay that Tor has, which kind of separates your identity from the ingress node and the exit node, which basically comes down to you deciding whether you trust that the ingress node and the exit node aren't collaborating with each other. In the case of iCloud, you have to trust that Apple and either Cloudflare or Fastly or whatever, they have multiple providers on the other side. You have to trust that they're not going to be sharing data and kind of linking your traffic together.

In Obscura's case, you have to trust that Obscura and their servers aren't going to collaborate with Mullvad and share data with each other to kind of correlate that. I think these are reasonable assumptions to make, even if Obscura, which is a much smaller, newer company, for example, wanted to get this data, which I really don't think that they do.

But the other side of that would also have to agree to collaborate, so that would also assume that Mullvad also wants to conspire to get your data, and I think that's very unlikely. I think it's definitely a good option. But again, compared to Tor, it's still a trust-based model, even if it's relatively safe to put your trust in it, whereas Tor's model is kind of trustless by design, and you have that technical separation that makes it harder to tie all of that together.

So Yeah, I think the multi-party relay stuff is interesting. I believe Free has written an article about multi-party relays, and it's something that we are, I think, generally still looking into, but there's a lot of threads on the forum about that sort of thing that I would definitely recommend people take a look at if they are concerned about any of this stuff.

Because, yeah, I think at the end of the day, I do consider... Mullvad Browser and a VPN to be a very good option for a lot of people. And there are inconveniences of Tor Browser that I think are resolved by Mullvad Browser for a lot of people, which is good. Yeah, and also, I don't feel like... you can use both. You don't have to use only Tor or only Mullvad. You can actually use both of them.

And I think we also, you've talked about this quite a bit, Jonah, but having a VPN going while you're connecting to Tor is actually, there are some benefits of doing that as well. So that's not a concern either, as long as it's set up correctly, right? Yeah, yeah, that should be the case. OK, yeah. So I don't know. This thread was kind of interesting to me. There was a lot of discussion about the differences here between these two software projects.

But yeah, I think definitely check it out if you're kind of also a bit confused, because Nick kind of jumped in a couple of times and clarified some things there and made sure people were kind of understanding the benefits of Tor.

Yeah, it was an interesting thread there. That's kind of everything that I saw on the forum. I didn't really see any other big threads, unless there's something you want to highlight. Yeah, that's a good question. I don't think I've seen too much on the forum this week. I've been kind of checking it, what's the word, sporadically, because I've been spending too much time trying to redo all of our server stuff this week, which is fine.

But yeah, taking a look here, I don't know if there are any that really stick out to me.

Q&A

I think this is a good time to remind people we definitely can take questions if anyone has any, do kind of a Q&A. If not, then we won't do that. But if you have any questions or want to know about anything either we talked about or privacy related, this is the time to share it in the chat. Yeah, I'm not seeing any comments on our forum thread this week. It was a bit later this week just because we've had, yeah, there was some hectic stuff going on. But, yeah, hopefully that worked out okay.

And I didn't see any comments in the chat. We had a couple of people saying, like, hi. So, hi. If you're still watching. Not any questions here, really, that I'm seeing. Another story. I think this came out in the last week. You'll have to remind me. I didn't catch all of the show last week. But Brave just launched Origin Browser. I think that was only... like on Saturday, if I remember correctly.

So that's something that happened in the last week, which is something to check out because we talked about Origin Browser, Brave Origin before on the show, and it's a pretty cool development from them, I think. Yeah, it's definitely, yeah, it'll be interesting to see if maybe that's something that gets recommended on privacy guides. But I think it's definitely something we're still looking into. I know some team members have already said that they've like bought it and they're trying it out.

So if we get more like comments, I guess, from the community, maybe that's something that could get added in the future. But it is definitely an interesting thing, right? Like having a paid browser, right? in the recommendations. I don't know if that would ever... I guess there's technically no restriction on that, I guess. I guess to their credit, it is free on Linux, which we do... I mean, we would recommend people switch to Linux anyways. So there is that option for you.

I think we'll probably add it as just a note in the Brave section.

I don't really know if it has a lot of advantages over normal Brave for most people, at least from a privacy perspective, but if you like a more minimal browser, or if you're the kind of person who likes ungoogled-chromium, for example, this might be worth checking out, because it's a much more minimal version of Brave, and unlike a lot of those Chromium forks and other browsers, it's being maintained and kept up to date in a very reliable way, whereas a lot of like

ungoogled-chromium builds don't even have like automatic updates, for example, which is super important to have in something with an attack surface as large as a web browser. So yeah, if you want a really minimal browser, I think it's worth checking out. Definitely. And it does seem like they have taken the time to do the payment system in a way that's not like connecting it back to your identity or anything as well.

So like they definitely have thought it out pretty well. I think that's basically always been the concern in the community that I've noticed is like people complaining about Brave having so much bloatware attached and all these features that are like unnecessary and like it's increasing the attack surface. I think that is not particularly... That's not really a huge issue, I don't think, but maybe there's people that really, really despise it popping up every so often when they add new stuff.

So that is a solution for you, I guess. And yeah, I don't know. It's definitely going to be interesting to see if they end up adding any Brave Origin specific features, but it's probably not. Looking like that will be the case. We did get a question here from Canabida. Hello, Canabida, a regular on the stream. And a lot of people talk about Zen browser. Are you familiar with that? Any opinion from privacy perspective? I'm going to throw this to you, Jonah, because I feel like you know.

Yeah, I've said it a few times before on the stream, but I have been using Zen browser for a while and I quite like it because it provides a lot of features that other browsers aren't providing.

I will say, speaking of Brave, I've talked to some people at Brave recently and they say that they're working on bringing a lot of these Zen browser, Arc browser sort of features over to Brave, which I'm pretty excited about because I do run into issues In Zen browser, sometimes of websites being less performant or not working exactly the same as they do in chromium, which is a bit annoying. So I have ended up using both brave and Zen browser a lot of the time, but some changes are coming.

Some of them are already available in like brave nightly builds, for example, with like better sidebars and workspaces and Website containers, which I'm really excited about. That's the main feature I really like in Firefox, and bringing that over to Brave is just a good option for people to have. But yeah, overall, personally, I do like Zen Browser a lot, and I think that they... have been keeping up pretty well with updates and they have a good privacy policy.

It's something that I think not a lot of other people either on the team or in the Privacy Guides community in general have taken too much of a look at.

So it's not something that I've that I've really gone in depth on or that other people have to my knowledge so I can't really say for sure like just from a privacy security perspective where Zen browser lands so I would hesitate to like say you know everyone should switch to Zen browser or anything but yeah personally I use it and I have used it for a while and I like it and I just think it's worth supporting because I like all of these Firefox forks that are doing things correctly and

professionally and implementing regular features, but are also being developed by people other than Mozilla, which I've spoken quite a bit about in the past. I think that they are just kind of mismanaging the organization and the whole Firefox project, and I think it's really unfortunate. And so supporting these other projects, I think, is very cool. So, yeah, that's what I have to say about it.

yeah it's definitely i think zen browser is like definitely taking a lot of inspiration from arc browser which was really popular at one point and then they kind of dumped that project and said oh we're moving on to making this ai browser now um which i've been testing out like the last week and it is it doesn't really live up to the same like uh it doesn't live up to like the same standards and like it doesn't have the same features as arc does it's kind of like a stripped down version

I don't know. It's quite unclear what is going on with the browser company as well. I think they got purchased by Atlassian as well, and it's like the whole project is kind of a little bit up in the air, whether this will be something that even the new browser that they're working on will even stick around. They keep making quite large changes to that as well. But yeah, I've definitely really enjoyed Zen Browser. I used it quite a bit as well.

But I think more browsers should just have this feature built in by default. Like it should just have vertical tabs implemented in the same way that Arc does it. Because I don't know, it's just a no brainer. It just works so much better. Like I feel like no one's implementing it quite the same. And apart from Zen, basically. Zen and Arc are basically your two only options if you need the same setup, right?

I know Firefox and Brave both have vertical tabs, but it's like a gimped version of what you can find in Zen browser and in Arc browser. But it would be interesting to see Brave if they actually do commit to this and they add those extra features that Zen browser has. I think the main thing that I miss from Arc browser is the ability to have profiles on the bottom and you could just easily switch between browser profiles and it segments your data and extensions and stuff. I don't know.

As far as I know, there's no browser that does that. So I guess, yeah, it is kind of a tricky situation if you care about those. Zen Browser almost does that, I will say. But they don't segment extensions. Yeah, it uses the container tabs, which is, I'm OK with that. That's OK. But I don't know. I do feel like having separate profiles, it did enable a bit more customization, which I don't know. It's kind of unfortunate they stopped working on that project, because I do like Zen Browser.

It is basically the replacement for Arc at the moment. I believe Brave is doing their version of containers with a multi-profile approach similar to Arc. Don't quote me on that. I haven't looked into Brave's implementation and what they're testing right now too much. But if that's true, and I hope that's the direction they go in, that will be pretty exciting.

I didn't actually know Arc was acquired by Atlassian. That's funny. I haven't looked into Arc in quite a while, but yeah, I don't really understand the direction that that whole company is going. But any Arc users who really liked Arc, I would definitely say, I mean, if you were going to trust Arc, which is like a proprietary service by like a big company, Zen is going to be better than Arc from a privacy and security perspective, even if there is some reason

that Zen isn't as great as like the browsers we recommend, it's still, you know, worth checking out for Arc users at the very least, because I think it'll generally be an improvement outside of a couple features like the ones that you mentioned. Yeah, definitely. I definitely would recommend at least giving it a shot. Another news story on the forum that I remembered seeing this week: I just saw Proton release their Proton Drive command line interface for Linux.

So finally, some support for Proton Drive on Linux, officially. Still, the command line version doesn't do as much as their typical desktop clients, but it's a huge step forward. I hope some people on Linux find it helpful. I hope that this also is able to be used by Rclone, for example, or other Linux projects that have sort of implemented a Proton Drive interface already, but built around unstable APIs that Proton hasn't really published.

They're just kind of doing it on their own, but Proton could maybe break it at any time. Maybe this will provide a more stable approach to connecting to Proton Drive from a Linux machine that other projects can make use of as well. Linux support is always, I think, lagging behind with anything Proton does, unfortunately, but at least they finally got around to doing something for Proton Drive.

I think it'll make ProtonDrive a bit more usable for people who otherwise have a lot of Proton storage they can't really make use of right now. Yeah, it definitely sucks for people that are on Linux that have been like kind of, I feel like it's definitely been somewhat neglected. I think it's definitely gotten better. Like if you've tried the ProtonVPN Linux client, it's actually really good now. It used to be like a web wrapper thing, but they made it better. So I don't know.

It's good to see them actually at least pull through on some of their promises. I know they've been kind of saying this was the first step towards getting a ProtonDrive client on Linux. But I think what's going to happen is the open source community is just going to be like, fine, I'll do it myself. And then they'll just like, you know, make, make these projects, make like a, an open source implementation of like ProtonDrive or something like that before Proton actually releases something.

So yeah, I would like, you know, have it work with rsync or rclone, sorry. And yeah, I don't know. It's definitely, it's definitely positive. Hopefully that's, a thing that we get to see, you know, in the next year, I hope a Linux client for proton drive. It's good to see that at least trying to support it. Cause it did feel like for a long time, they were kind of radio silent on it. And then, you know, people were like, oh, you're working on it. Right.

And then proton was like, oh, we're not, we haven't started. So that was definitely a bit of a shock for some people.

Another thing I want to highlight, kind of from inside updates but posted on the forum: one of our team members just wrote a guide for people in the Netherlands to set up something called address secrecy, which is a privacy protection you can get there. I'm not personally super well versed in things in the Netherlands, so I'm not the right person to ask details about this.

But if you are in the Netherlands and you want to check out this post on our forum in the community Wiki section that comes from one of our team members, I would definitely say check it out. Again, if you're in the Netherlands and if you have questions about it, you can ask them about it and they will know far more than either of us will.

But I just want to highlight that that was posted because it is a pretty comprehensive guide to all of that stuff in the Netherlands with links to how you can set that up and who it's for. So just another cool thing that got posted. Excellent. Yeah, I did see that you did post the... It does look like the Passwords video is on PeerTube now. So, sorry. Yeah, for members. For members, yeah. So, that is out now. If you go on the forum, you can find the link to watch that.

Yeah. So, definitely check that out. It'll be going live publicly at ten a.m. Central Time in the U.S. So... Yeah, should be a good one. Got another question from Turnip Fanatic. Does Zen Browser have the same fingerprint as Firefox? No, it's definitely different from Firefox. So that is something to keep in mind.

I don't know personally how... good the... or if they do any sort of fingerprinting protection, like to distinguish you from other Zen Browser users, or if you will look kind of similar to other Zen Browser users. But generally in Firefox, without like hardening protections, you're not going to get much fingerprinting protection in the first place. You can block some tracker scripts with just an ad blocker, of course, but no kind of technical means unless you're going to be switching to something

like Mullvad Browser. So yeah, I definitely wouldn't use Zen Browser if you need fingerprinting protections, but I also wouldn't use really any browser besides Mullvad Browser or Firefox if fingerprinting is of large concern to you, because even like regular Firefox, for example, is not going to provide very strong protections. Brave provides some protections, but they're done in a different way that I would consider a bit less robust than what Mullvad and Tor are doing,

but some people disagree with that, so it's kind of up to you what you think. But yeah, Firefox browser, Zen browser, I wouldn't trust either of those with super strong fingerprinting protection, so that's something to keep in mind. I do think Firefox did at some point, they did actually, they do have, I think it looks like November last year, they did add.

So if you use a strict mode, it actually does have like an enhanced tracking protection thing, which does have some anti-fingerprinting protection. So, I mean, if you're going to use Zen Browser, I'd just say crank all the settings, like put everything on maximum possible thing.

Because, yeah, Zen Browser is going to inherit all of those settings that Firefox has, of course, so you can enable like Enhanced Tracking Protection and stuff like that, which will improve things to some extent for sure. Yeah, but I think you're right. It's definitely nowhere near the same level of protection as like Mullvad Browser or Tor, right? It's like fewer protections that are going to have less of an impact on the browsing experience, but also offer some additional privacy stuff.

And as far as I'm aware, like Jonah said, like Brave is kind of ahead on that as well. So at least, you know, if you decide to use Zen browser, you'll get some of those benefits from some of those settings in Firefox itself. So yeah. definitely enable those if you do decide to use it. That would definitely help somewhat. Yeah. I think in the absence of any other questions, we can probably start to wrap things up. I don't see anything on the forum or in chat.

We also do have a members-only Signal community. We're happy to take questions there as well.

We haven't gotten any questions there today, of course, but I need to be better about... notifying that group that these streams have started. So maybe next week I'll let them know ahead of time that they can join the forum and ask questions there. But that is an option for sending in stuff, because we'll check like Signal during the show, and in that group, and see if anything is coming in, in addition to the chats and forum posts here. So you have a lot of ways to

interact with us on the stream if you want to say anything. Otherwise, are you fine to wrap things up, Jordan, or is there anything else you want to talk about here? Yeah, I think we can wrap things up now. Yeah, we've kind of covered everything that's on the agenda this week.

Outro

Sweet. Well, thanks, Jordan. Yeah, I'll end this here then. If I can find my notes. All of the updates on this week in privacy, we share them on the blog every week. We email them out on the newsletter. So you can sign up for that newsletter or you can subscribe to the blog with your favorite RSS reader. If you want to stay tuned and read all of the sources. of the stuff that we talked about in this episode.

For people who prefer the audio version of this, we also offer a podcast which is available on pretty much all podcast platforms and through RSS if we haven't submitted it to your podcast app of choice for some reason. These videos are also synced to PeerTube after the fact, so if you want to catch this away from YouTube, you can always follow our channel there as well.

Again, Privacy Guides is an impartial nonprofit organization that's focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, you can make a donation on our website at privacyguides.org slash donate. To make a donation, you can click the red heart icon located in the top right corner of the page.

You can contribute using standard currency via debit or credit card, or you can opt to donate anonymously using Monero or with your favorite cryptocurrency. Becoming a paid member of Privacy Guides will unlock exclusive perks like early access to video content and priority during our Q&A if we get a lot of questions. You'll also get a cool badge on your forum profile on our forum and the warm, fuzzy feeling of supporting independent media.

So with that out of the way, thank you all for watching and we will see you next week. Bye, everybody.
