¶ Intro
The U.S. government has banned all foreign-made consumer routers, SystemD's new age verification feature, and the Meta and Google social media addiction lawsuit. All this and more coming up on This Week in Privacy, number forty-six, so stay tuned.
¶ Start of podcast
Welcome back to This Week in Privacy, our weekly series where we discuss the latest updates with what we're working on within the Privacy Guides community, and this week's top stories in data privacy and cybersecurity. I'm Jonah, and with me this week is Nate. How are you doing, Nate? I'm doing very well. Busy week behind the scenes here, but very excited. Good stuff. How have you been? I'm doing fantastic. I'm excited to be back on the show.
Now we'll start off with the biggest news that we've seen in privacy and security over the past week.
¶ The US government just banned consumer routers made outside the US
Our first story today is reported by The Verge. The US government just banned consumer routers made outside the US. The US claims foreign-made routers pose national security risks. So this gives some context. In December, the Federal Communications Commission banned all future drones made in foreign countries from being imported into the United States unless or until their maker gets an exception.
Now the FCC has done the exact same for consumer networking gear, citing, quote, an unacceptable risk to the national security of the United States and to the safety and security of U.S. persons. So as this article says, we did see this happening with DJI, who opted to just not sell new drones in the United States rather than try to comply with this. And now a similar thing is happening here.
As The Verge points out, the vast majority, if not all, consumer routers are currently manufactured outside the United States, and the vast majority of future consumer routers are now banned. By adding all foreign-made consumer routers to its covered list, the FCC is saying it will no longer authorize their radios, which de facto bans new devices from import into the country. So this is an interesting ban, to say the least.
It doesn't seem to be like a lot of other things that are banned, because as this article points out, domestic router manufacturing is pretty much not a thing. I have a couple of questions about this and actually posted this on Mastodon. But my biggest question is kind of like how this relates to they're differentiating between consumer routers and other routers.
I've seen the FCC, their definition of residential routers, which basically says that it's all routers that are intended to be used in a residential setting and can be installed by the end user, which seems to me like it would not affect something like the router that your ISP provides.
So I think that this ban could certainly mean that we're all going to be stuck with these probably far more insecure trash routers that Verizon or Comcast or whoever provides you rather than you being able to replace it with your own. But yeah, it's crazy stuff. Did you see anything in this article that you wanted to point out, Nate? Oh, yes. A couple of things.
Well, specifically, I wanted to point out that according to the article, well, according to the FCC as well, this is about national security, right? And they specifically mentioned the Volt Typhoon, the Salt Typhoon, and the Flax Typhoon, which that one I'm not familiar with. But they cited those cyber attacks, which targeted critical American communications, energy, transportation, and water infrastructure.
But the thing they don't mention that I thought was interesting is that Salt Typhoon happened because of a law enforcement backdoor in our telecommunications infrastructure. And I think the article pointed out here that Volt Typhoon happened because American-made routers, they specifically... yeah, Cisco and Netgear mostly... were just not kept up to date. So it's like the flimsiest, um, like I'm trying to think of an example.
It's, I guess it's like that classic joke that, you know, Oh, I don't drink water. Do you know how many people that kills every single year? And it's like, that's not really related, but okay, sure. Go off, I guess. Oh, So one thing I thought I read here that maybe you know more about is, is this a ban on the routers or is this a ban?
I think the article said something about it being on like the radio chips, which kind of makes it even worse because I know there are, there's a few in my non-expert opinion, there's a few decent American manufacturers like Netgear, for example. But if the chip itself is the part that's on the covered list, then how are they supposed to produce these?
Um, without getting a chip. Did you read anything about that? Am I misremembering that? So, I mean, typically each individual product is going to need to be approved by the FCC. So they do, um, they would approve like the entire product, and the only thing that I've seen is that they're not going to approve consumer residential router products. So this is not going to affect business routers. As far as I know, it wouldn't affect the chips if they're used in a non-consumer router.
So like one of my questions is, there's certainly an interesting line in the router space once you get to the higher end between like residential routers from like NetGate or Linksys or whoever, and then like more prosumer routers like Ubiquiti. And then you get into like enterprise routers, which as far as I know, are not affected. I don't know where something like in that prosumer middle ground is going to fall.
But usually like even on the enterprise side of things, if you're looking at the the actual chips involved there, they're similar, if not the same to what's in a lot of routers, just because there aren't like a ton of options for chips. So as far as I know, individual components shouldn't be impacted, which makes this all the more interesting because I don't know what they're exactly trying to defend against here.
I would imagine the bigger issue that they would say that they have is more to do with the router firmware and how it's deployed. But as you pointed out and as the article said, the most recent big attacks on routers have been against major American ones and enterprise ones that are typically more powerful, enterprise firewalls. So something from the likes of Cisco or FortiGate or whoever are the most recent major attacks lately.
Whereas consumer-grade routers certainly have security issues, like, don't get me wrong, but I don't think they warrant, um, something, a total ban like this. Kind of similar to the drone thing, uh, what their goals are aren't exactly clear to me, but, uh, it seems like they really want these manufacturers to just cut some kind of deal to get approved rather than just being approved because they made a product that people need.
So yeah, it's kind of like all of the tariff stuff lately and the other trade bans that have been going on in the US. I think it's going to be a big challenge for American consumers right now. Manufacturing capacity for these routers certainly cannot shift to the US at a moment's notice. I mean, it would take years for this to even be a possibility. So in the meantime, it seems not great. And I guess we'll see how these router companies respond.
I haven't actually looked this week to see if any of them have made a statement. I would be interested to know how many are going to take DJI's approach to just exit the US market versus how many people are going to try to comply with this. But pretty much the entire router industry is going to be impacted by this. So it's crazy stuff. Yeah, nothing has come across my feed. I haven't specifically gone looking in terms of if anybody's made a statement.
Um, another thought that occurs to me, uh, I'm assuming... Okay, I have a really stupid question here. I mean, there are enterprise-level Wi-Fi routers, right? Most of my work is done with like hardwire switch. I've never... I haven't done a whole lot of routers or like Wi-Fi. So yeah, definitely. Um, I mean, there's like Ubiquiti, for example. You see that installed in small and medium businesses. Uh, a lot of the time, these enterprise things are split up into multiple components.
They'll have an access point and a router, and those will be separate things, which is the case for most of Ubiquiti's products. It's also the case for something like Aruba or Cisco. They both make access points. There's other... There's other manufacturers like MikroTik. I can't remember other big enterprise ones, but there's certainly a lot of them, which in theory should not be impacted, but I guess it depends on how widely the FCC decides to define all of these products.
And then, okay, so the other stupid question here is there's kind of a big price gap, isn't there, between a consumer-level router and an enterprise one? How big of a price gap are we talking?
Yeah, so that's where it really depends on the product. I think most of these, um, enterprise routers are going to be, or like the entire system, it's always going to be more expensive because you have to buy the router and the access points separately. Um, so there's that whole aspect. But of course, on the router side of things, you can set up like an old computer or something and use some open source software like OPNsense or pfSense. So you have that option. And then the access points, um, generally cheaper. You probably only need one to cover a house, realistically. So it's possible, especially with, um, some products, like either from Ubiquiti or MikroTik. I know that they make access points that are probably readily accessible. Um, some of the more enterprise stuff, like, uh, from Aruba or, uh, maybe Cisco or other companies, they're gonna require like a whole subscription service for management and all of this stuff.
So once you get into the real enterprise side of things like that would be extremely hard to do from your house, but it really depends on the manufacturer. But there are some lower end ones where you could see that being possible. But I don't know if the FCC is going to extend that to pretty much anything that normal residential consumers will buy or whether it'll just be like things that are marketed towards consumers.
One of the questions that I had on Mastodon was whether we're going to see an uptick in small business or home business routers, um, that say like "not for residential use" on them. Because I know we've seen, um, in other areas that the government regulates, like, uh, all sorts of crazy drugs and peptides, for example. I was just thinking about research drugs that are not approved by the FDA. They're not for human consumption, but of course they get sold, um, to random people anyways,
and you can find plenty of threads on Reddit and other sites that indicate they might not be following all of the labels on these products. So I don't know if that would be the case here, but I would be interested to see if that's the case.
Yeah, I don't want to get too political, but that is a thought with what you were saying about, I think regardless of whether you're pro the current administration or not, this whole idea of like bringing manufacturing back to the U S again, whether you think that's a good idea or not, it, it can't happen overnight. And so this like out of the blue, like, okay, all these routers are banned. It's like, dude, it's going to take us five years at best, probably even more than that.
That's probably like delusionally optimistic to get the manufacturing done back over here. And then to get the supply chain instruct in place and the infrastructure, it's like, it's not, it's, Yeah, it's it's crazy. So I'm hoping and again, not to be too political, but we have seen I feel like we've seen the current administration do things like this where like they'll ban something or they'll institute tariffs and then they'll kind of start to like make exceptions. And OK, except for this guy.
And but here's a workaround. And and I think it's because once they do it, they realize like, oh, wait a minute, that can't happen that fast. So I'm hoping we'll see something similar here, to be honest. Yeah, I don't see any other way around it. I think they're going to have to personally. The worst case scenario, I think, for this whole thing from a privacy perspective is that the available options that will be left on the market, I think it's going to be much easier to track because...
The specific definition of residential consumer routers that they're using here do say it's routers that are intended to be installed by the end user. So presumably something that your ISP installed would not be affected. So like I said before, I think a lot of ISPs will be installing their own routers. And those are pretty well known to track a ton of information. It's one of the main reasons, aside from the poor performance and other things.
There's a lot of reasons that people will replace their ISP-provided router, but tracking and privacy concerns are certainly one of them. And this could also, I think, get more people to switch to cellular connections or use their cell phones more because you don't need a router at all. But of course, the whole cell network system is more problematic for surveillance and privacy as well compared to these hardline internet connections.
Yeah, I think we'll have to see how this resolves, but there's a lot of potential privacy concerns here. Jordan asked in the chat whether there's any U.S. manufactured routers. Not as far as I know is the answer to that. I think that there are... There are certainly some routers. Yeah, they're like U.S. designed. So there are American companies that are making routers, but the manufacturing in the U.S., it's non-existent.
And even like companies in end products that are making wireless chips on the other side. Like we've seen Apple get into this with their latest products where they're now... creating their own modems. But all of that is obviously not manufactured in the US. It's just designed here. And I think that a part of the concern that they would have is whether the back doors could be inserted into these chips during the manufacturing process that the designers wouldn't know about.
So I don't know how this is going to impact American companies. But yeah, it'll be interesting to see. Possibly stupid question. Are manufacturing and assembly the same thing in this context? Um, 'cause my thought process is, um, in Texas, I think it's so funny. I see a lot of Toyota trucks driving around with a sticker. It has like the Texas flag on it. And it says, uh, "built here, lives here," because Toyota has an assembly plant in Houston.
And every time I see that, I'm like, yeah, but Toyota, like this is not an American company, but they assemble the trucks here in, in Texas. So good enough. Right. And that's kind of my thought is like, Would that be a loophole maybe? Like, OK, just take all the components, ship them over here, and we'll spin up a factory in Houston or wherever, Indiana, and just assemble them here. And now it's not manufactured.
I wonder, I don't know, that just kind of popped into my head while you were answering Jordan's question. Yeah, that is a great question. I don't know how they would apply this to individual router components. That's a great question. It's hard to say what loopholes will be available. I was just curious if you knew anything about that. Like, no, those are... Okay. Yeah. I know, like, for example, I know this ban does extend to routers that are designed in the US.
So like right now, those American companies are impacted. But whether they can do like this, I've definitely seen that before to like get the made in the USA stickers on different products. It's definitely a thing that happens. And I don't know if that'll be enough of a loophole to get these routers in or not. But I guess we'll see what companies come up with. Yeah, that's what I was about to say. I guess we'll find out.
Yeah, I think the biggest thing with this story is just if there are security concerns, we could certainly look at all of the security concerns and issues that we've seen with routers. We've definitely reported on some or talked about them on this show before various routers being attacked with malware or updates that you should install.
But this kind of blaming that on it being because they're foreign routers doesn't make a lot of sense to me. This is definitely a case of, like, because all routers are foreign, um, it's sort of a correlation situation, not a causation, right? Like, that's not the reason. It just happens to be all routers that have security issues are foreign because all routers are foreign, right?
Yeah, and something else that popped into my head that I forgot until just now, not to put on too much of a tinfoil hat, but it's weird to me that they're like, oh, this is a national security risk, so we have to ban consumer routers. But... Wouldn't we want to keep... And China has a proven history of stealing U.S. intellectual property. That's known. That's a proven thing. So why wouldn't we ban the business routers instead? It's very confusing. It's not lining up with... Absolutely.
I mean, the business routers definitely have a more sensitive position in the networks. So there should be more concern there. I do think...
I'll play devil's advocate and... share why I think banning like consumer routers or taking them more seriously makes sense, because I have been to talks and other things where people talk about not routers, but like those fake Android TV boxes that have a bunch of pirated content that you can get on Amazon or whatever, and sort of products like that, or browser extensions that you can install that give you a free VPN or something.
And all of these things are typically used to create basically a botnet of all of these residential routers or like proxy services where you can get a residential IP. And I think just the sheer scale of like how many internet connections are residential ones versus like a business one is typically going to have one fairly large business connection, but there are less of those.
I think that from a botnet perspective, you could be concerned about consumer routers being used to attack like just in a DDoS scenario more than like a data exfiltration scenario that you might want to protect against on the business side of things. But again, like I said, I don't think that just because they're foreign means that that is going to happen. So the ban doesn't make a lot of sense to me from that perspective. But it is certainly a concern that you could have. That makes sense.
I think last note on this story, Jordan said the US doesn't really have semiconductor fabrication capabilities. Well, we have a Samsung factory that last time I checked was supposed to start pumping out chips in twenty twenty three. I haven't checked recently, but as of late last year, they still are not making chips. I know Tesla just announced their factory, and I think there's another one that.
I heard about this supposed to be built in New York, I think, but I like, I heard about the initial funding a few years ago and that's all I've heard. So yeah, we definitely don't have. TSMC has been building one in Arizona for a while as well, but none of these have launched as far as I know. It's not super easy to do. Nate, I think you're muted or you're. Sorry about that. Ah, okay.
Yeah, just to drive home the point, the one in Texas is supposed to take twenty years to build, and that's if it's on schedule. That's not including that it is now running behind, and it will probably just compound, and we'll fully habitate Mars by the time that thing's done. But you know what I mean? It's like, yeah, they... What we were saying earlier, you can't just spin this stuff up overnight.
It doesn't matter your political leanings and whether you think manufacturing should be here or not. We can't do this overnight. It's just not possible. And it's not even a matter of getting the equipment to do it. You can't just build a building and fill this up with semiconductor equipment to start making these chips.
In Taiwan right now, there's just such a massive centralization of knowledge of how to make these chips and how to use all of these machines and how to design this stuff that you can't you can't just replicate this. Like we see Intel, for example, has some of the most advanced manufacturing equipment in the world as well, just like TSMC, but they've had a lot of struggles.
I don't know what Intel is up to these days, but I know for a while they had a lot of struggles with improving their processes even more, just because it's extremely challenging to do. I was going to say something about AI, but then I realized I was thinking of Nvidia. Yeah, I have no idea what Intel's up to these days. Okay. Before we jump into the next story, I do want to highlight earlier today, we had a new member join. And if you're watching, I apologize.
I'm not even going to try to pronounce that name because it's in a foreign language. It looks maybe, I want to guess Korean, but I'm not super familiar. It's something from that part of the world, but thank you so much for becoming a member. So now on YouTube, you will have early access to videos and we will talk about membership a little bit more later in the show.
¶ Systemd's New Feature Brings Age Verification Option to Linux
But first, we're going to talk about everyone's favorite topic, age verification. systemd is not controversial enough, so they decided to go all in and build in an age verification feature. So for those who don't know, systemd is a Linux... I'm going to let Jonah explain what it is better a little bit later, because I truly don't know how to explain it. I know it's deep, deep in the system. I'll put it that way. And it's used by a lot of major Linux distros. I know Ubuntu uses it.
And therefore, all the Ubuntu derivatives like Mint, Pop!_OS... Oh, man, there's another one I'm forgetting off the top of my head. But another really, really popular, Debian, I think, uses it. I think that was the one I was thinking of. Technically, Ubuntu is based on Debian, but either way. So systemd is this really high privilege, low in the system kind of thing. And they have added a field to the JSON user records that is simply birthdate. And it is what it says on the tin.
Now, when you make a new user, you can choose to enter their birthday. So the good news is this is totally optional. This is not a mandatory field. If you've ever made a user in Linux, in most Linux distros, you'll get all kinds of options like real name, email address, location, and, you know... if you're like me, you don't really need that kind of stuff. So you can kind of skip through it all. But, uh, so this is the same thing.
This is just an extra field that is four digit year, two digit month, two digit day, and you can skip it or, or enter it in if you want to. And they've specifically said, this is not a policy engine. This is not an API. We just define the field so that it's standardized if people want to store the date, but it's entirely optional. Um, Yeah, I mean, I feel like those are kind of all the facts of the case. Jonah, what do you think about this?
I think it's cool that it's optional, but I also kind of see the argument that they shouldn't have added it in the first place. What are your thoughts on that? Systemd is a very interesting project. So I'll go back to your original question first before I get into that. Systemd, at its core, is an init system in Linux, which is basically the process that starts all of the other software on your computer. So if you think about booting up your computer, it gets ever more complex as you go.
So typically on Linux, you would have like GRUB, the bootloader, which is extremely lightweight, and all that does is, you boot up, it goes into that, and then it starts the Linux kernel, which is much more complex than GRUB, but you need something to start it. And then the kernel starts your init system, which in this case would be systemd, but it could be any process. And then the init system starts everything else, and it's responsible for knowing what software you want to start and doing it all in order so that something doesn't get started first that depends on something else and then fails because it was started too early and all of that stuff. So the init system has to always be running and it's just kind of the parent of all of the other software that you run on your computer, if that makes sense. But systemd is also a whole project with a lot more ambitions than just being an init system.
And they make a lot of different software that basically tries to replace a lot of basic operating system components with systemd-developed ones. So beyond the init system, we see software like systemd-resolved, which replaces the DNS resolver on your system. And other stuff like that that isn't necessarily related to just service management and starting processes.
So they really want to be like the core software for all of your system, which is why I think they are a pretty divisive project in the Linux space. But yeah, I don't know what component this age verification is actually being installed in. I didn't see this, but maybe I should. It probably says in this article. I don't know if it's specified. It just said the JSON user records when you make a new user.
XDG desktop project portal is adding age verification portal that needs a date source for the user's age in the user DB. Does that help any? It's an interesting change to make. You can definitely see their reasoning behind it, because I think if age verification is going to come to Linux, for example, it would be quite annoying if there were one million different implementations of it that the rest of the system has to integrate with.
But I'm not sure if this makes a ton of sense for it to be here instead of in your desktop environment. And also, I don't necessarily think that age verification is kind of a lost cause. And I think it's unfortunate to see it being adopted so readily in Linux because... I think in certain projects, I wish that the open source community would take a bit more of a stand. But everything has just become very corporate, especially in the Linux space, and there's a lot of compliance in advance.
So it's very tricky to kind of keep with solid ethics, and this has been an issue for a very long time. I could go back to, um, one of, personally, the most annoying things that I can think of in this space, which is, um, back in... I want to say... Firefox adding DRM as like a first-party thing in their browser rather than like relegating that to a third-party extension, because that was kind of the end of Firefox having any sort of say in the web browser space and how all of these web standards were made.
I think once they gave into that, that was the slippery slope that made them lose a lot of ground in the standards committee to Chromium because they basically showed, hey, we will implement anything that Google asked for. And I think that this is a case certainly of the main developers behind Linux saying, hey, we are going to implement whatever the corporate side of Linux asks for, regardless of what the rest of the community wants, which is unfortunate.
So yeah, I'm not a fan of this change. There's a lot of arguments for and against this. I don't know, like, what the point of this is really, because if you can just set your age to whatever you want yourself, I don't know why this would be trusted by other software. Um, but I guess we'll see how this is used, which is the main thing it'll come down to.
I think it is like, even if there isn't a huge issue with how this specific thing is implemented right now, we are just kind of laying the foundation for more anti-user systems and more problematic systems to be implemented on Linux in the future, which is not a path that I think we should be going down. So that's my main concern with this whole story pretty much. Yeah, I agree with you. I think, you know, I mean, we always talk about how like companies and services have to follow laws, right?
And somebody I spoke to recently in an interview you guys will be seeing pretty soon mentioned that. It's like this whole idea of like cyberspace as this nebulous, like doesn't matter. It's like, no, the person writing the code, your feet are touching the ground somewhere and therefore there's jurisdiction or your server is located somewhere in a physical space somewhere.
And so I understand they have to follow the law, but I do agree that it was really disappointing to see them just roll over with no fight, no nothing. And I think to kind of go back to, you answered it a little bit here, but this person asked us, Leonard asked, or Leonardo asked, do you think age verification is a lost battle? I wouldn't say lost. I mean, there's definitely that part of me that's like, if I thought it was a lost cause, I wouldn't be here, right?
Like I would just go get another job and give up privacy. But I do think... I think it's partially lost in the sense that I think this is coming, whether we like it or not. This is just my personal opinion. I think it's coming, whether we like it or not, because I think there's just too many people that don't understand the downsides of it.
And I think it's really important in light of that for us to have a seat at the table and have this conversation, which systemd clearly did not, where we say, let's at least try to control it in a way where it's less damaging. So I think, in that sense, I almost like this because you can put any age in there, right? They're not going to verify it. They're not going to ask you to upload an ID. And, you know, then there's the question.
I almost worry if like if everybody starts doing that, like, OK, fine, here's an age field. Go ahead and lie. We don't care. Then the government's just going to be like, fine, now you have to verify IDs. And it's like, crap, now it's worse. Yeah, that's exactly my point about it being a slippery slope. Because if it can always be set arbitrarily forever, I don't understand what the point of this would be in the first place, right?
To me, the intent of this feature is clearly to eventually have some sort of much more verifiable way to set this field that won't be as user-controlled. And I think that that is... dangerous to have because if they weren't planning on doing that, then they could just do what sites always do, which is like ask people to enter their birth date or like confirm that they're over a certain age or whatever without this being built into the system.
I think that that works fine until you want a much more verified way to confirm people's ages, which, as we talked about on the show a lot, is very problematic from a privacy and censorship standpoint, and that's really the only reason to build this feature. And that's my main concern here. I've seen a lot of, um, a lot of mixed reactions to this, like in our community and elsewhere on the internet, where people were kind of saying, like what you were, um, saying at the beginning of your thought, which is like, hey, this isn't really doing anything right now, you can set it to whatever you want. And I would just be... It doesn't make sense to me that that will always be the case. I think that the fact that they're doing that is concerning.
And this is kind of similar to me to the current discussions that are going on In the Android world right now with developer verification, I think we are seeing a lot of app developers and a lot of custom Android operating systems and other third party open source app stores beginning to comply in advance with that sort of thing or make statements saying like, hey, we are going to participate in the developer verification system.
And I think that that is unfortunate, because you could look at the Keep Android Open campaign for a lot of explanations on why you shouldn't be doing that. You should be taking a hardline stance and saying, hey, we're not going to comply with this system, even if that means some restrictions on where apps can be installed. That is the best move to make our voices heard and to potentially make a difference. So it's just a similar thing here.
Exactly like you said, I think that we got to take a stand and we can't lose our voice when it comes to this. And systemd is... kind of giving that up, which is a real shame.
Yeah, and I think, just to kind of add to what you said, I think, ironically... I think if we took more of that attitude of, like, let's have a seat at the table and try to steer this, I think, ironically, it would become a self-fulfilling prophecy in a good way, a good kind of irony, where, like, because we're participating, we might have more attention to be able to draw attention to these issues and point out, like, this is why age verification doesn't work.
These are all the problems with age verification, the knock-on effects that are going to make things worse. And we might end up actually being able to do something about it. But, yeah, I think... I think definitely just I know we've called this out in the past with other stories, but just this attitude of like of, you know, oh, well, this doesn't affect me. So I don't care because I know how to get around it. Congratulations. It's coming for Linux. It's coming for the things that we use.
We can't have that attitude forever because eventually we're going to run out of places that are not touched by this. Or at very least, they're only going to apply to like a handful of people that are really tech savvy and know how to write their own code. And now we have privacy for one percent of people instead of, you know, right now where it's what, ten percent. I don't know. I'm just making up numbers.
But my point being is like, I think standing up and trying to do something gives us more power and it builds momentum to the point where maybe I will be wrong, which for the record, these are the kind of things I'm happy to be wrong about where it's like, hey, we were able to roll back age verification because we took such an active role that we were able to spread awareness and attention. So, yeah. And real quick, just to roll here, point it out. Like, yeah, it's not age verification.
It's identity verification. I'm trying to get more in the habit of saying that, but I don't always. So thank you for pointing that out because you are right. It's not just kids because how is it going to know if you're a kid without verifying everyone? So yeah, thank you for noting that. Yeah. It's an interesting story. I don't know if I have too much to add.
I... I can certainly imagine some reasons that something like this could be useful in the grand scheme of things, regardless of age verification plans right now. But certainly the timing of this with all of the age verification stuff going on this year is extremely suspicious. So that doesn't give me high hopes for how this feature will be used. For sure.
¶ Site updates
Um, I think we can move on from this story. Before we dive into the Meta and Google social media addiction ruling, um, I want to give some quick updates about what we've been working on at Privacy Guides this week. Um, on the website side of things, uh, the big stuff has been a lot of news articles. So there are a ton of stories that we aren't able to discuss here on this show, but Freya and others have been writing them in our news brief section, which you can visit at privacyguides.org slash news.
So some of the articles include the cadnet botnet hijacking ASUS routers. Good example of the kind of botnet issues I was talking about earlier in the router space. FBI seeking info from gamers who installed malware from Steam. Big tech creating an accord against online scams and fraud. A severe Meta cybersecurity incident caused by an AI agent. GrapheneOS saying that they won't implement age verification, which is fantastic, exactly what we do want to see, unlike SystemD here.
A French aircraft carrier being located in real time via a fitness app, which we've definitely seen in the military before. Android 17 getting a post-quantum cryptography upgrade and Vizio TVs
now requiring a Walmart account. Um, crazy stuff, really annoying, the smart TV industry. Uh, so if any of you think any of those topics are interesting or want to learn more about them, we have those articles again at privacyguides.org news. All of those articles are also automatically published to our forum when we publish them, and there are some discussions that go on there, or you can ask questions and follow up and we can talk about it there. I think that's kind of the main stuff.
I know that there have been more discussions in our forum and on the community side of things, but we're going to get into some of the biggest ones later on in the show, so I will leave that there. But I know Nate has some stuff to share about our YouTube channel and some videos we've published lately, so I will pass it over to you, Nate. Yeah, so just a really quick one here. Last, God, was it last week? It's been a week already.
Jonah and I were invited to Austin, Texas, EFF Austin, which I am a board member of. We threw an unofficial South by Southwest party that we called EFF Austin Interactive because- I will just say, technically two weeks ago, Interactive. Two weeks ago, okay. We did that live show, if people remember. Yes. That was cool. Sorry, my sense of time is all checked up. It's been a busy couple weeks ever since I got back. It's crazy.
But yeah, South by Southwest Interactive has been retired, so therefore we decided to be sneaky and use the name. And Jonah and I got to film some of the talks, and we thought they were really insightful, so we've been publishing them on our channel.
We have Hugh Forrest, who was actually one of the co-founders of South by Southwest Interactive, who gave, I thought, a really good talk about South by Southwest's and how it ruined the world. Um, good talk, so check that out. Uh, Dr. Sharon Strover, who is a professor at UT Austin, talked about public opinions of surveillance technology, which is, I thought, was very hopeful. Um, you might be surprised to check that out. And then, uh, Jon Lebkowsky, who is also an EFF Austin board member
and very early pioneer of the internet. Um, he's been around since the early days and I swear to God, I feel like he has a story about every, like if you name somebody in the digital space, um, like Phil Zimmermann or, you know, um, pretty much anybody. I feel like he knows them. Cory Doctorow, like he knows them. He's met them. He's got a story. But anyways, he gave a very short talk that I would loosely describe as like the state of the internet and a call to action.
I think it's less than five minutes. That was definitely the shortest one. So if any of those sound interesting, head over to our YouTube channel or it is also over on PeerTube and check those out because they were really good. Yeah, I will just say I might be a little biased, but I did love Dr. Sharon Strover's talk a lot, just mainly because, well, a lot of reasons, actually. But she included a segment about Minneapolis and what's going on here that I thought was interesting as well.
So totally, totally check that out because all of these mass surveillance systems in cities right now, we've talked so much about Flock and other systems here on this show. And it's a really good, really good take on all of that. Yeah, for sure. And not to beat a dead horse, but I would say it's as fact-based as you can get. I mean, it is a lot of surveys and self-reporting, but it's not just like, oh, we read some news articles or we looked at Twitter.
It's like they went out and tried to get the best numbers they possibly could. So it's really good stuff. All of this stuff, the articles, the videos, the upcoming videos that I've been teasing at, all of this is made possible by our supporters. So if you are not a supporter and you would like to be, you can sign up for a membership or donate at privacyguides.org. We also have a merch shop, shop.privacyguides.org.
And I think we've added some new designs ever since we launched our activism section. So be sure to check that out if you're interested. Privacy Guides is a nonprofit that researches and shares privacy related information and facilitates a community on our forum and Matrix where people can ask questions and get advice about staying private online and preserving their digital rights. And we'll talk a little bit more about
¶ HK police can now demand phone passwords under new national security rules
that later. But for now, we're going to talk about Hong Kong and a new law regarding device passwords. And I'm going to turn that one over to Jonah. All right. This was reported by the BBC. Hong Kong police can now demand phone passwords under new national security rules. This article starts out, Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the wide-ranging national security law.
Those who refuse could face up to a year in jail and a fine of up to Hong Kong dollars, which is about US dollars, and individuals who provide false or misleading information could face up to three years in jail. It comes as part of new amendments to a bylaw under the national security law that the government gazetted on Monday. The NSL was introduced in Hong Kong in twenty twenty in the wake of massive pro-democracy protests the year before.
Authorities say the laws, which target acts like terrorism and secession, are necessary for stability, but critics say they are tools to quash dissent. Of course, this is an issue that we have talked about in other countries. Certainly in the UK, for example, this is a problem right now that we know of.
It's also kind of a gray area in U.S. law where you technically don't have to provide this information, but what they can do for you, do with you in the meantime is kind of up in the air and not decided. We've seen stories certainly of people being held in temporary custody, temporary jails, for years or more because they didn't decide to comply with sharing their passwords with police or they simply forgot their passwords and weren't able to, which is always a possibility.
And in a lot of cases, it is exactly used to quash dissent or target people who otherwise haven't committed crimes. This is a big part of the issues that we see with encryption in general and end-to-end encryption, where governments really want to make any form of encryption or end-to-end encryption illegal. Simply the act of using it because it... certainly makes it much easier to investigate crimes if you don't actually have to do any investigation of the crime or any of the data involved.
If you can just say, hey, the fact that this encrypted data exists is a crime enough that can be used to target a lot of people who have otherwise done nothing wrong. And it wouldn't surprise me to see the same thing happen here. There's a couple stories mentioned in this BBC article, if you want to check it out later, about some examples of activists and other big names in the area being sentenced to jail or being targeted by laws that expand on this kind of NSL national security law.
So it's definitely being used to target protesters, activists, former opposition lawmakers even in Hong Kong. So unfortunate stuff for sure to happen here. I think that that would be kind of my main point. It's something that we could certainly see expand to other countries. And it's something that if other countries aren't doing this, there are at least plans to do something like this, which is bad news for everyone around the world.
Yeah, Nate, do you have any other thoughts on this story? I don't think so. I think you kind of covered it. Jordan said they've already been doing this for years in Australia. That's wild because, yeah, it's very... here in the U.S., I... Oh my gosh. I've taken in so much information the last few days I'm forgetting.
Basically, the way the courts are supposed to work is they're supposed to take existing laws... like when it comes to new technology, they're supposed to take existing laws and interpretation and figure out how to apply them to the new laws in a way... supposed to, for the record... in a way that protects Americans and preserves their existing rights. So for example, with privacy, right?
Here in the US, we have the Fourth Amendment, which says that cops need a warrant to come in and search your home. And so in theory, the way the court is supposed to interpret that when it comes to the electronic world is the same way. They're supposed to figure out, electronically speaking, what counts as your home, and therefore the police would need a warrant to come in and search that.
So- Yeah, that's not to say like this couldn't happen here in the US because in the US we have repeatedly refused to make a final decision on whether or not you need a warrant to search your phone. But it's just really. Yeah, it's really unfortunate because I'm with you. This is something I think we could see here in America, in the UK, if it's not already. I mean, anywhere, really. And it's just it's such a. Things get really bad once we go downhill like that.
And, you know, they also I think they said, what is it like you could face? Yeah, here it is. They could face a fine or jail for providing false or misleading information. So like my first thought is if you have a graphene phone and they're like, oh, what's your passcode? And you give them the duress pin that wipes the phone. Congratulations. You're still going to jail because that wasn't the pin and you knew it. You knew that wasn't what they meant. So, yeah, it's absolutely. It's bad.
I have got a ton of thoughts about courts, uh, interpreting the laws, but I think we can talk about that in the next story here. So, well, maybe we should get into that one.
¶ Jury finds Meta and Google negligent in social media harms trial
Okay. Yeah. So, uh, on that note, um, let's talk about the courts and Meta and Google and, uh, man, so this isn't directly privacy related, but it has a lot of knock-on effects. And this headline, this comes from NPR. I was going to quote Reuters, but they do this annoying thing where it doesn't do a link preview in Ghost. But NPR also covered this story very well. This is a very thorough article. And the headline says, jury finds Meta and Google negligent in social media harms trial.
So the short story... the short version is there's a woman. I believe some other article said that she's in her twenties. And she was suing Meta and Google. And she also sued Snap and TikTok, but they settled before it went to trial. So Meta and Google went all the way to trial. And... this woman basically says she's been addicted to social media since she was a child because these companies purposely make social media addictive. And therefore, they should be held accountable.
And the jury agreed. And they awarded this woman six million dollars in damages, mostly coming from Meta. And the article rightly points out for all of you who are thinking like, oh, six million dollars, who cares? You're one hundred percent right. Mark Zuckerberg probably... his breakfast probably cost six million dollars. He doesn't care. But what matters is that this is now on record, and this is now set a precedent, and that... Oh, man, this just has so many knock-on effects.
And I think that's why we want to talk about this is not even so much for what the story itself is actually about. Although, for the record, I think that is a very important thing that I'll elaborate on in a second. But the fact that it holds these companies accountable and opens the door for so many more legal actions in the future. On behalf of everyone, I feel like, because who hasn't had a Facebook account or a YouTube account at some point? Many of you are watching on YouTube.
And thank you for watching, by the way. But yeah, I do want to point out real quick, again, personal opinion here. I've been saying for a long time about a variety of privacy topics that I think it's extremely... We'll take misinformation, for example. I know a lot of people who are like, oh, I don't fall for fake news. That is extremely arrogant. And I'm including myself in this.
I have definitely read stories that somebody else is like, hey, here's an opposing viewpoint and all the things they left out. And I'm like, oh, I probably called that one wrong. Because when there are companies whose whole job, forty hours a week, is to sit there and pump out fake news, they're going to get you at some point or another because that's just how it works. Like, think about your job and how good you are at your job because you do it all the time.
And now imagine some random person coming in off the street and being like, I could do that. You know, whatever your job is, it doesn't matter. It's like, no, dude, there's certain skills and flows and processes that I've learned over the years. And it's the same thing with these. I think... we really underestimate how addictive social media is. And I'm not trying to let people off the hook. Agency comes with pros and cons.
If you're in charge of your own actions, you're also responsible for the consequences. But at the same time, we have to acknowledge these things are made to be addictive by experts who are paid to make this thing as addictive as possible to keep you there one second longer. And I feel like when we discredit that, it's like we're forgetting that it would be like saying, oh, cigarettes aren't that addictive. Bro, they bake nicotine into it. Yes, it is.
And it's the same thing here with this kind of stuff is like this stuff is made to be addictive. And I think we're just really... yeah, I know I'm kind of going in circles now, but I think we're just really being... it's just really not good to ignore that is what I'm trying to say. So yeah. I think that's kind of all I've got for now on that one. I know you said you have a ton of thoughts on this. So what, what was your takeaway from this?
So I've seen a ton of mixed responses to this case on the internet, and I have a lot of mixed feelings on this myself, because I, even on this show, have said that all of the social media stuff, and especially the stuff that Meta is doing, which we've, I think it's even mentioned in this article in a separate case from the six million dollar one, but it's been found in discovery that they have internal discussions about specifically targeting kids who are
thirteen or even younger and making it as addictive as possible. And this is, in my opinion, a public health concern for exactly the same reasons that marketing cigarettes to children was a massive health concern. But on the other hand, I think that this really closely relates to Section two thirty issues that we've seen here. And the social media companies originally tried to use Section two thirty as a way to say, hey, we shouldn't be responsible for any of this.
And they tried to get the case dismissed. Thankfully, in this specific case, they chose not to address any section two-thirty issues at all. So this can't be used as a way to like get around section two-thirty in a court case. That still applies in this case, did specifically focus on the design of these apps and kind of the algorithm that they're using and not on the content of these apps themselves.
Um, but I have a lot of fears here that this case will be used as a gateway to attack some of this section two thirty stuff. Um, because I think it is not a stretch for a lot of these, uh, concerned parent groups or these conservative religious groups to say, hey, you know, the algorithm on this app turned my child trans or gay or what have you, and they just blame the algorithm instead of the content, and it's a new approach to attack these companies.
And depending on how those go, it could be a similar case to either attack these companies without Section two thirty being involved, or this could be used as an excuse to implement such something like KOSA or the repeal of Section two thirty in the future. And this is just kind of a way in.
Even though the issue at play here really has nothing to do with the content, I think that the parallels here to the tobacco industry and how they were marketed they were marketing to children, for example, are very apt here and they make a lot of sense. And that is a case where like regulation was needed.
And I think in a similar way, like the way that these apps are designed and the way that the algorithms work, which is to kind of find all of the most inflammatory and addictive content they can find, um, and really highlight that, which is not the fault of the content itself, but it's the fault of the algorithm that these apps designed. I think that that is a big problem. And just like, um, the tobacco industry, um, which, I mean, their products weren't banned, um,
they're still around, you can buy them anywhere, um, but they really got hit with, um, huge restrictions on marketing and how they can sell their product. And I think that that is probably something that should happen here. And just like that, I think the fact that cigarettes weren't banned, for example, that's kind of similar to how all of the content on these apps shouldn't be banned or restricted. We can't be going after the content itself.
We have to be going after the format with which these companies are presenting that to make money. Because we know... that some social media is not inherently addictive. We can see non-algorithmic social media like Mastodon, for example, which doesn't have these problems, even though you can post the exact same content there that you can post anywhere else.
And we know that Facebook and other social media platforms like Twitter, they didn't used to be so bad until Twitter really started making very algorithmic timelines instead of just showing, you know, posting chronological order from people that you follow.
Or, I mean, I remember the days before Facebook had the news feed, for example, and they made that switch to kind of tell people, um, that, like, hey, we're going to be showing you the most relevant stuff instead of, uh, just a way to keep up with your friends or whatever. And there was some controversy there, but Facebook was really adamant that, hey, this is a very good thing, whereas in reality we know that while they were designing this, they were intentionally trying to make their
platform more addictive and more, um, don't know, reactionary. I don't know the right word, but it was a way to get people to stick around on Facebook for longer and to, uh, more effectively sell ads, right? And I think that those motivations that these social media companies have is really at odds with how they sold these things to consumers, and that is a legitimate problem in deceptive marketing.
There is really no place, I think, in our society and from these companies to be deceptive, just completely deceptive to how they sell their products to consumers. And so some restrictions here do make sense. But I think that I think that the big problem is that courts and lawmakers do not really understand technology or the Internet. And lawmakers are consistently very unwilling to make a decision about this themselves. And it's only gotten worse lately.
And now that the doors are open here to this issue, I think that the doors are open to wider issues that may impact content or Section two thirty and other courts, because all of these courts around the US are going to have slightly different interpretations. This isn't something that the Supreme Court decided on. And I think that that's really unfortunate.
My main thought is that we should be focused on some of these very specific problems with how social media apps market themselves and how they design very addictive platforms, because it is a problem. But we need lawmakers to say, hey, we are only focusing on this specific thing, right? We're leaving all of the content and all of the Section two thirty and all the free speech stuff alone. We don't want courts to think about it.
We want to have this law that just focuses on this one specific issue so that it doesn't expand into a ton of different issues, which is exactly the reason Section two thirty was created in the first place. We already have these protections under the First Amendment, but lawmakers had to step in because courts were interpreting how the First Amendment applied to technology companies slightly differently or very differently, depending on like what court you were in.
And lawmakers had to say, hey, this is how the First Amendment works for all of these tech companies. And now tech companies can use Section two thirty to easily get these cases dismissed.
And I think that we need, um, another federal law like this that says, like, hey, this specific design is bad, but it doesn't mean that we have to regulate or ban free speech on these platforms, because that is an unnecessary problem. But it seems to be the direction that some future cases could go in based on this. Um, so I think it's kind of unfortunate, just because I can see what direction this is going in, and I don't think we live in an ideal world. And I think this is more of
a failure of lawmakers than the courts, to be honest. And I just wish we were more effective about making these laws that are more substantial and specific than we currently are. We're just leaving everything up to the courts, it seems like, these days, and that is not an effective way to govern a country, not at all. Um, I don't necessarily disagree with you.
I definitely see how this could be a slippery slope, but did you by any chance happen to see the last section of this NPR article that says the LA case focused on design of social media platforms to overcome liability shield? Uh, was there a specific point? Yeah. So they, they, um, they specifically mentioned how the, the prosecution, I believe it was stayed away from section two thirty. Um, they said that, uh, where was it?
Yes. By taking this approach, the lawyers pursued a case alleging defective design that was able to get around the high bar set by section two thirty. It's not what the users post, but the very architecture of the platform itself. So, I mean, again, I don't disagree with you because I I know there's probably there's a saying in the legal world that you can indict a ham sandwich. So, I mean, which I know an indictment is not the same as what we're talking about here.
But the point being is like a good look. For better or worse, our legal system in the U.S. is basically who makes the better argument. And, um, so it's definitely could happen, but I think it's just a, maybe a little bit reassuring that they purposely stayed away from talking about section two thirty or even any of the content itself. And instead they focused on things like infinite scroll, constant notifications, auto playing videos and beauty filters.
And they mentioned how, um, when she was young, the plaintiff, when she, uh, what was it? She so craved the validation of social media that she would run off to the bathroom at school to check the number of likes her poster received. Um, and where did it go? There was another section where basically they talked about the beauty filters. Oh, here we go. She developed depression and body dysmorphia as she continuously compared herself to others and used beauty filters to enhance her appearance.
And that's the thing that I think applies to everybody. If not the beauty filters or the physical thing, I will admit, I fall prey to this where somebody's like, oh, I'm going on vacation. We're going here. We're spending the weekend here. My sister has been to Europe more times than I can count.
because we have different, uh, different dads. I don't want to talk too much about privacy. We have different dads, and her dad has a lot more money, and I don't know if she ever used that, for the record. Maybe it's all... maybe she's just really damn good with money. But either way, like, she's traveled quite a lot and I really haven't, and I won't lie that I'm, like, jealous of that. But also, like, being her brother, I have the insight into, like, I know how hard she's worked. I know that she's good with money.
It's not necessarily just that her dad wrote her a check, like, yeah, go to Germany or whatever. Like she probably earned all that money herself. It's not like she was there every other week. But when you don't know that person, when you're looking on social media and you're like, God, they're in Europe all the time. Yeah, maybe they're posting a picture from six months ago. And they've been back in the States this whole time.
And you don't know that because you don't know them or you don't know how many overtime shifts they worked or overnight shifts. Like you don't know how many times their friends were like, hey, let's go get drinks. They're like, oh, no, thanks. I'll catch the next one because I'm trying to save money. Like, you know, and it's what's the statement about like you're seeing somebody's highlight reel. And anyway, I mean, I guess that's more about content.
But my point being, like, we can all relate to the fact that social media gives us this warped interpretation of what's going on in other people's lives that, if you don't know them personally and you can't ask them, like, man, how are you affording all these trips? They're like, oh, you know, my dad's really good with credit card points or something. Um, I forget who it was, but one of the podcasts I listened to said the same thing. They're... I think they're even a personal finance podcast. They're
like, yeah, we don't make that much money, but my wife is really good with the travel points or else we would never travel this much. So it's, um... Yeah, it's anyways getting back to the topic. Sorry, I kind of got distracted there. It's I think it is heartening that they purposely avoided the content and the, you know, people are posting this. And it's the beauty filters. It's the infinite scroll.
It's the architecture of the platform itself, which I think is absolutely a huge part of the problem personally, but maybe not the whole problem, but definitely a big part of it. So yeah, not to say that it couldn't happen because I could totally see a world where this does open some doors, but hopefully that will at least make it a little bit harder since that's not the direct argument they took. Yeah, I totally agree.
I think that them sidestepping the whole content issue entirely was the correct approach, and I think that that is the main issue with these social media platforms.
The challenge that I see here is that I think the line between the content on this platform and the algorithm serving that content is... it's not, it's a fine line, it's not very clearly defined. And I think what we could see is future court cases, um, exactly like I said, um, not necessarily focused on the content, but focused on the content that these algorithms are promoting, um, for, like, these conservative or religious groups to say, like, hey, it's the algorithm that turned my child
gay because it surfaced all of this content related to that or whatever. And I think that we could see... a response to that from social media companies that would be very similar to the response that we would probably see if Section two thirty was repealed. I think that they could interpret that like like if that's the case in the future. And there are already some cases where this exact argument is being made.
I think and I think in other countries, I'm not aware of cases in the US right now, but we've seen this before and we know it could happen where Like if Facebook gets sued for that issue and they lose that case, I can see them potentially censoring or moderating much more heavily like LGBTQ information or education or not even that. It could be any topics that... certain groups find undesirable or they'd rather ignore.
And I think that that could lead to a free speech issue on these platforms if the algorithm can be targeted like that. even if Section two thirty remains just for liability reasons. So this is the main reason that I would love to see a law that really restricts app design and a lot of that stuff, because I think that that or like the beauty features that filters that you mentioned, for example, or some other aspects of these apps do need to be reined back in.
And I think, um, just how heavily these apps are marketed to kids in the first place, I think that needs to be reined in as well. Um, but it would be nice to have a law that delineates that from, even from the algorithm, which, which is problematic, but, um, I would be worried about it being impacted in future cases because I do think even if it doesn't mandate censorship or moderation, I think that censorship and moderation could be a likely outcome if these platforms become liable for the content
that they display with those algorithms, basically. That makes sense. I hear you. Yeah, I don't have an answer to that. Hopefully that does not happen. So yeah, it's something to keep an eye on. I don't know. I'm never very optimistic about the things that our government is doing, but you can always hope for the best.
But yeah, I've definitely seen a lot of people very concerned about this case, even if they agree with some of the issues that are being addressed here, because... there are concerns with how this will affect future cases. Totally. I think that's kind of it, if you don't have anything else to add. In a minute, we'll start taking viewer questions.
So if you have questions or if you've been holding on to any questions about the stories we've talked about so far, you can leave them in the forum thread for this show, or you can leave it in the chat here. We'll try to get through all of them.
¶ Forum updates
For now, I think we should check in on our community forum. There's always a lot of activity on our forum every week. We can't talk about it all, but we wanted to highlight a couple of this week's most interesting discussions, in our opinion, that are happening there. Our first forum thread that I wanted to take a look at was called Remembering Device and Master Passwords.
This was a question that was asked to the community talking about password managers and replacing all of their reused passwords with randomly generated passwords that are stored in the password manager. But there are some passwords that the password manager can't remember for them because they need them like the master password, to access the password manager in the first place, which is, of course, a problem.
So they mentioned some examples, the master password, the user account password for each of their devices, the disk encryption password for each of their devices. And then if they had five different devices, they would have eleven... six word passphrases to remember, which is a challenge. So they asked basically what strategies we have for remembering so many passwords, or what password should you reuse in those situations?
So Nate, I know you had some things to talk about and you saw Fria's answer there. Do you want to kind of cover what Fria talked about here? Yeah, because I really appreciated Fria's response. So for example, one of the questions that the original question asker said, is it safe to reuse the same password for disk encryption and user account? And Fria said, it's probably best to make those different.
But ideally, your online account would use a passkey or something like that instead of a password. And they also noted that your device passwords don't leave your device. So, for example, my computer in front of me here... Well, this is a Mac, so this is a good example. But my Windows computer, you know, I have a VeraCrypt and I have the login to my local account, which is not a Microsoft account. It's a local-only account. So, in theory, I can make both of those the same password, right?
Because they're not going to leave the device. And they also mentioned that you can... You can go ahead and enable biometrics. I guess I should have said this to start with. It really depends a lot on your threat model, right? Because my threat model, for now, is basically getting robbed. Laptop, laptop, laptop, laptop, several phones laying around. Like, my concern is not really the government.
I personally am a strong believer in a five dollar wrench attack and I do not have a high pain tolerance. So, you know, the minute they threaten me with violence, I'm going to fold like a souffle. I'm just being honest. But, you know, if somebody comes in and breaks into my house while my wife and I are out and they steal all the laptops, I want to make sure that they're not going to be able to get into that because that's when they're going to be able to get into my password manager.
And I don't keep browser history, but browser history and any apps I have saved, any like, like I use Thunderbird. So all my emails are downloaded locally, things like that. And that's what I really want to protect against. So in that situation, yeah, really just having one really strong password is probably sufficient because they're not going to crack that as long as I don't write it down and stick it on the desk anywhere. Right. Um, you know, like one randomly generated six word passphrase.
If I really want to be safe, I could give each device a different passphrase. So that way it's not, um, you know, if they get one, at least they don't get into all of them, but at least that way, you know, it's not, uh, What's the word I'm looking for? Like that's only three different passwords instead of six, right? Or something like that. So it really does depend on your threat model.
But going back to the biometrics thing, what a lot of people have, I've seen several people notice this where they've been in a public situation and for whatever reason, they have to pull out their phone and unlock their phone. And they realize as they're typing it in, they're like, dude, there's a camera right over the cash register looking at me type my password into the phone.
Hmm. And they're like, man, I kind of wish I had just used biometrics because at least then they wouldn't have my password, right? Or, you know, we've covered stories in the past about there's a scam that I think is still going around where somebody will basically watch you unlock your password for whatever reason.
You know, maybe they're flirting with you at a bar or something and they see you type in your passcode and then them or their accomplice will steal your phone, try to unlock it and send a lot of money. And I know Apple and Google have rolled out some defenses against that, but that's a good example where if you unlock it with biometrics, they're going to have a harder time unlocking the phone when they steal it from you.
So it's really about what are you trying to protect and who are you trying to protect it from. If you have a very high threat model, then yeah, you probably want a bunch of different passphrases. I think it's also worth noting that it is I know this is really unpopular, but it is okay to write down passwords in some situations. For example, do not call it password. Do not stick it on a sticky note on your screen.
But if you have a little notebook that you carry with you everywhere or something like that. So I think my thing, I'll be honest, I basically have two main passwords I use, one for the encryption and one for the local account. I don't know why I do it that way. I just do. Because now that I think about it, if they get past the encryption, they can just pop out the disk, right? Yeah, I don't know. But I think that's the big thing is the threat model.
If your threat model is not very high, it's probably safe to reuse the local passwords that don't leave your device. Just be aware that that is a risk. If somebody gets it, they can get into all the devices, I guess. So I don't know if Jonah has a different strategy that he would approach it with. No, that makes a lot of sense.
I mean, the main thought that I would have is I think for most people, the information that you store on your different devices, if you have multiple devices, is usually pretty much the same information. You're going to probably install your password manager on all of them and the same web browser that you have synced across them. And people have a desktop and a laptop and a phone for convenience purposes rather than just separating all of their data.
And so I think using the same password for encryption and using the same password for your local account probably makes sense in those situations. At the end of the day, those passwords aren't exposed to the internet.
You don't have everyone on earth trying to hack you in the same way that... you have, like, thousands of hackers trying to attack your online accounts all of the time, because, because they can and it's so easy to attack. Like, all of this local stuff, it does, it's not as much of a deal, and I think memorizing one password for all that is good. Um, you definitely do want to have a different password for your local account versus your encryption password, just because you don't want to be entering your
encryption password all the time in case of like shoulder surfing attacks. So keeping that separate is nice. And I wish that's a feature that could be used on more smartphones, but I digress. But other than that, Yeah, there's a lot of good advice in this thread, and I think it really does depend on your setup, but usually I think that works.
If you do have very different information on your devices, it might make more sense to not reuse those passwords, but I would also say if you're just trying to remember these passwords, even if you do use biometrics, usually you could try disabling them for a month or a couple months because I think muscle memory is usually the way to memorize these passwords quickly.
I remember back when I was in... college, I would always have to log into different computers. Like, in the computer lab, we didn't have laptops or anything, we just had these, these desktops, and I'd have to use my account that I would normally use a password manager for, like, um, like to access my email, but the password was the same to log in locally to these computers, and I didn't want to have to, like, grab my phone or something to copy my password over. I just had to have a passphrase that I could
memorize to log in, and it only took, like, a month or maybe a month and a half to eventually, like, have the pretty long passphrase down. I think if you just do it all the time, it's, you'll probably get it. So yeah, lots of good advice, but I think typically there's only three main passwords that most people have to remember, which is for their local accounts or PINs, or their encryption key, and then their password manager master password.
I think that you should keep them all separate, but you probably don't need more than that unless you have a good reason that you know of to have more passwords than that. So, yeah. Oops. There we go. Yeah. Last thing I want to add just to double what she said is if this is something you're struggling with, definitely check out this thread. Cause a lot of people gave really good ideas from like different, I wouldn't say different threat models, but just different perspectives.
Like don't forget, you know, hardware tokens and don't forget this. And if this is your threat model, then this. And it was, it's a really, really good thread for sure. So there's a lot of different, we're kind of just giving, like, a rough, you know, what, what would probably work for most people, but people gave really thoughtful answers about, you know, keep this in mind. And if your threat model includes this, so. Really good thread for sure.
And then, if that's all we had on that one, there was one other thread that I thought was interesting that I wanted to talk about a little bit because I've been... My router started giving me issues right before we went to Austin, and I just got it fixed this week, finally. And this forum post asks about apartment Wi-Fi privacy. And so they were specifically talking about the... the router issued by their ISP.
They said they moved into a new apartment complex and there's fiber pre-installed from a provider. The complex states that that provider is the preferred provider and they have a partnership. And then after moving, I was contacted by representative to begin the internet setup process. And so they were basically wondering, can the apartment complex get any insight into what I'm doing on my Wi-Fi and what would be the best way to get more privacy?
They mentioned, should I get a different provider altogether or something like that? So as a longtime apartment dweller, for most of my life, I've lived in apartments. Jonah can correct me on this one. I don't think the complex would necessarily have any insight into your traffic. Um, but I think they probably just have a relationship with that. It seems like every apartment I go to has a preferred provider. So that doesn't really surprise me, but it can definitely go both ways.
Um, there's definitely a lot of apartments, and especially probably older apartments, where they have, like, one provider, like a cable provider or a fiber provider, that has just, like, pre-installed cables to all of the rooms, and so it's much easier to get that access. Um, and so that might be what they mean when they're talking about, like, this is our preferred provider. And especially, typically, if you have to set up an account with the ISP yourself, usually that's the case where the complex wouldn't
have access to that. I have seen, in a ton of new developments around here, um, apartments basically getting their own connection and then running their own, uh, Ethernet and, and access points to all of these rooms, but they run a central router, basically, that keeps all the rooms separate, but it is all managed by the apartment, and usually they have, like, apartment-wide Wi-Fi, for example. So all of their routers, it gives you, um, sometimes they give you a, uh, like a personal connection and
sometimes just this one Wi-Fi connection for the whole building, um, that's in all of the rooms. Um, and you could certainly see that, and that would be managed by the complex. So it could go either way, for sure. Um, and I, it seems to be even more common that it is apartment-run, so I wouldn't rule that out necessarily. Was how our last apartment was. They had, um, I don't know if it was managed by the apartment, but they were like, hey, this is included with the rent, and they
did have the apartment, the complex-wide Wi-Fi like you mentioned, and there was one Ethernet port that was in the study for some reason, and that was the only one that were... no, it was in the living room, and we had to run a cable into the study because my wife has a desktop that doesn't have Wi-Fi. I remember that now. Yeah, so that was probably the case. I think in my last apartment it was a similar situation where if I wanted my own network, I would have to plug in my own
router to their one Ethernet port that was provided on the access point, but I couldn't remove their access point from the room and make a direct connection. And it was basically like a double NAT setup. It was on their network, and then I had my own network just for security, but it was not a direct connection to the ISP. Okay. Which leads into what I was going to say. This is what I've been doing for years, and this is what I would recommend.
For those of you who are really passionate about your privacy, which is probably most of you watching this, I would strongly recommend getting your own router. Our official recommendation, I believe, at Privacy Guides is OpenWrt, correct? I think so. We do recommend that as one. You could use OPNsense or pfSense as well if you want something more... robust, but usually that has to run on a computer, whereas OpenWrt can install on consumer router platforms. Gotcha. OK, yeah.
Historically, I originally went with DD-WRT. For years, it was not an issue. And then recently, it became an issue. I don't know what happened. Now I'm using a different one that Jordan actually recommended to me and so far has been amazing. Thank you for that recommendation, Jordan.
Um, but yeah, if I, if I, whenever this router dies, assuming I can buy routers again, um, given our headline story, I'm probably gonna go ahead and get, uh, the, what is it, the, the one, I don't remember who makes it, but it's endorsed by the Free Software Foundation. And it is specifically designed to run OpenWrt. And I did try OpenWrt on my router, but it, because it is so open source, it couldn't get access to multiple Wi-Fi networks, which is something I really want.
That's, that's really important to me. Um, so it was like, yeah, you get this one Wi-Fi network. And I'm like, no, that ain't going to work. Um, but I'm sure if I bought something like the one router, it would be specifically designed for that and it would probably be able to do more, I'm hoping. I'll definitely look into it more when the time comes.
But yeah, anyways, where I'm going with this is every apartment I've ever been to, they tell you like, oh, you can't use your router and our, okay, some of them have not told me that, but almost all of them are like, no, you can't do that. It's worked just fine for me, no problem. Personally, your mileage may vary, but for me, I've never had an issue. There's only been like one or two that are just like, yeah, whatever, use your router, we don't care.
Um, I, I know my current router and I think a lot of ISP provided routers have this, they have a bridge mode where it basically shuts that router off and turns it into just a pass through. Um, because a lot of the time it will be, especially if it's fiber right now, it'll be, um, what's the word I'm looking for? The fiber connection will have to go into the ISP router. And then from there it goes into your router or there'll be like a coax cable.
So it's not like an ethernet that you can just plug straight into the wall usually. And that's why you'll need their router. But a lot of them, you can put it in bridge mode and then it shuts their router off. Mine is not in bridge mode and it still works just fine. So yeah, I mean, there's a lot of ways to go about it, but I really do think I would highly encourage, and some of them can be expensive.
Like I think my router, when I bought it was like, almost five hundred bucks, and I think that was used. So it's a nice router. I love that router. I'm glad it's lasted me this long. It's a good investment. So I'm not saying you have to go buy a five hundred dollar router.
There's a lot of options out there, but definitely if you're passionate about your privacy and you are a renter and you don't have complete control over your ISP and what router they give you and stuff, definitely I would recommend doing your research. Start on Privacy Guides, start with the OpenWrt, see if that'll meet your needs, and, um, you know, see, see about get another router, because it pays off. Now we've got an IoT network, we've got a guest network, we've got our main
network, we've got a built-in ad blocker, we've got ad-blocking DNS, um, all the networks are segmented VLANs. It's just, wow. Which is super overkill, but I'm just saying, like, the possibilities are endless, man. Yeah, yeah. Absolutely get your own router. I mean, that's the point of having a router. It's to segment your network from your ISP. Even if your apartment complex is your ISP in this case, you want to keep your stuff separate from that.
And you can always do more advanced stuff with your own router. Like if you don't trust your apartment, you can run a VPN on that to protect all of your devices and stuff like that. Or you just use the router to prevent other people on your apartment Wi-Fi or maybe just other people on the internet if your apartment doesn't have proper security, which they certainly might not because they're an apartment building that knows nothing about the internet.
You want to have like a firewall in between to keep your devices safe. So yeah, there's almost no reason you can not use a router because generally they can't really tell what device you connect to it. So even if they tell you you can't use a router, I would definitely just use one anyways. Yeah. Like I said, they, most of them tell me you can't. And then I'm like, Oh, let me try it. Plug it in. Works great.
Um, one last thing I wanted to add real quick actually is, um, when we're listing benefits, a lot of the time, the benefits are not always privacy related. It makes set up in your new place super easy because you move to a new apartment, you plug your router in and look at that. All your devices are ready to go. You don't have to type in a new network. You don't have to set up a new network, just plug it in and go. So yeah. Yeah, absolutely.
¶ Q&A
All right. So I think that's all we had for the forums for now. And now we're going to take some viewer questions. So we're going to start with questions on the forum, specifically from our paying members, but I don't believe we had any paying members right now. But if you would like to become a paying member and get priority, you can go to privacyguides.org, click the little red heart icon in the top right corner. So we'll jump into the forum first and then hop over to our live chat.
Um, and we only had a couple of questions in the forum. The first one asked us to talk about this article from Wired, which I'm not going to talk about too much. Cause honestly, I don't think there's much to talk about. Um, but I think it is a good thing to have on your radar because it may become more to talk about in the future. Uh, the headline says using a VPN may subject you to NSA spying. I did see this article.
The issue is the keyword there is may, and that's kind of why we didn't include this as one of our main stories is basically, uh, excuse me. Lawmakers are... well, I'll just read the first part. Lawmakers are pressing the nation's top intelligence official to publicly disclose whether Americans who use commercial VPN services risk being treated as foreigners under U.S. surveillance law, a classification that would strip them of constitutional protections against warrantless government spying.
So I know I mentioned this before in the past, but really quick recap for those who don't know. The way that... surveillance laws on paper are currently structured is the government is not supposed to spy on its own citizens, but any signals that move in or out of the country are subject to surveillance because now you're including somebody who's potentially not a citizen, potentially. And there's a whole lot of reasons for this.
Edward Snowden has a classic interview with John Oliver, or I guess John Oliver has a classic interview with Edward Snowden, where Snowden explains how a lot of the time the communications will route through the fastest network, which may temporarily take them out of the country, or companies may move the server to another location digitally to do physical maintenance on the server, whatever. Point being, it's really not a good way of doing things.
And this article points out why, because they point out that since VPNs are so ubiquitous, even if a VPN server is located here in the US, like say you've got your VPN set to New York or LA or Dallas or whatever, there's a really good possibility, especially in those examples I gave, that there may be users from other countries using that server. And so they're basically saying, I don't know if somebody tipped them off to this.
I didn't have a chance to fully read this article all the way, but they're basically saying because these VPN servers could potentially include foreigners, does the NSA treat them as foreign traffic, which would mean that even if I'm a US citizen, if I connect to a server in Dallas, I'm still in the country, but are you going to assume that I'm not? So, yeah, we didn't cover that story because it's very speculative, but I do agree it's definitely a good thing to have on your radar.
Yeah. I don't know what the impact of this would be.
I think the opposite is also true here, which people are concerned about, whereas you're talking about connecting to a server in Dallas, and that could be a concern, but also if an American server connects to a server in some other country, um, like, like France, will their data be collected by the NSA because they don't know that it's an American and they're spying on people out of the country? I think that that's also a concern. I don't think about that. That's a good... Perhaps
even more of a concern than connecting to, uh, to an American server. I would say that this is probably likely to be the case, knowing the NSA. We've seen similar things. Um, and it is one argument that I've seen as to why maybe you should use a U.S. server, because if you are concerned about U.S. surveillance, there are more restrictions on what the government can do in the U.S., supposedly, than what they can do outside the U.S., which is pretty much anything they want.
But, I mean, even in the U.S., a lot of the way that this government intelligence works is like the U.S. can get other countries to do this intelligence for them and spy on American citizens, just like they can get big tech companies to spy on American citizens. This is a huge problem that we've talked about for many weeks now, especially with Flock, for example, where the government doesn't have to do anything because they just pay someone else to do it. It's also an issue with data brokers.
We've talked about that as well. The government doesn't have to collect all of your location data, but they can buy all of your location data, and that, for some reason, is perfectly legal. So I would say, I think I already said this, but I think that this is likely to be the case. I guess we don't know for sure, but I wouldn't be surprised if this was. But also, if it is, I'm not exactly sure how to protect yourself against it at the moment.
The best thing we could do is if this is confirmed, you know, we'd have to demand change and demand some restrictions on how the NSA works, which we've also been talking about for a while. And I'm not sure if that'll happen. Yeah. Before we move on to the next question, this is kind of a follow-up here from one of our viewers. We advertise VPNs as a tool against surveillance capitalism, not government surveillance. So would this change how we recommend VPNs?
Yeah, I guess that's kind of my main point. It doesn't seem like for the purposes that most people use a VPN for, this is going to make a big difference. It's obviously a concern. I don't think that the NSA should be allowed to spy on American citizens, just like the CIA shouldn't be able to. None of these... None of these agencies really have authority to do that, and they probably are anyways through loopholes like this.
But there's a lot of ways that they can get around this, and it's not really the intent of a VPN in the first place. They're much more useful for, like, sharing an IP address with other people so that you... so that your data can't be, like, uniquely identified in logs or by data brokers and stuff like that. So, yeah, it's not something that I think is going to protect from government surveillance in the first place.
I think it's clear that... and using an anonymity network like Tor makes a lot more sense if this is your threat model, but also if you are extremely concerned about being targeted by the government rather than swept up in their mass surveillance, even something like Tor may not be the best choice for you and you really need very specific help. Whatever Edward Snowden is doing, he has experts working on the best way for him. You can't just do that on your own.
But yeah, for this mass surveillance stuff, I think commercial VPNs are still all right, usually better than your ISP. At least you have a choice between VPN providers. But they're certainly not perfect. And yeah, none of this would surprise me if it's true. Yeah, that was kind of my same thought about using Tor instead for government stuff.
We had another question here about our outgoing team member, Em. I think I'll leave that one to you, because you would be more qualified to know what's going on behind the scenes with all that.
Um, really, there's a lot of questions here. Um, this person... So Em, uh, recently posted on our forum about how she's leaving Privacy Guides. Uh, she's also posted some stuff on Mastodon, um, earlier this month, so this isn't, like, brand new information. Um, but I don't think we've talked about it on the forum or their show before. Um, so, I guess I'll go through these questions one by one. I guess I'll start with the end first, because there's a couple questions here that I probably can't get into.
So they asked, what was the decision behind choosing which staff to let go? Are there plans for hiring Em again once the financials allow for it, as long as she's also available for hire? Do we plan on hiring someone else? Did you guys know we would have to let someone go for some time, or did it come as a shock? A lot of questions about specific people on our team and the contracts that we have with them, I can't really get into.
It's not really my place to discuss a lot of these contract questions and there's kind of a lot going into it. It's a very personal situation. So unfortunately, I can't really share a lot of information on that front. Because yeah, that's, that's, that's not my place. That's kind of a personal thing. Yeah, I just can't talk about any employer stuff about specific employees, right? That is more of a one-on-one thing that we have with them.
So yeah, I won't get into really any of that, unfortunately, for you. But I can talk about some of your other questions. So are there any goals or plans we have for ensuring good financials to maintain our current employees? Yeah, right now we have pretty solid financials and there's definitely some plans to improve fundraising and make more revenue this year. I'm not concerned at all about our ability to keep our team hired. And so that is not a concern for me at all.
I think a big part of that will be to focus more on videos. We've seen a lot of good growth on the video YouTube side of things and also making more stuff for members. You also asked, do we plan to make more merchandise? That is something that I, we'd certainly like to do this year. That's not, the whole shop and merchandise thing isn't a big, like, source of money for us or anything. We're really doing that more as like a marketing expenditure.
It's good to get designs out there so people are wearing them, starting conversations about privacy, all of that stuff.
Yeah, I hope to have more designs. Um, we definitely want to sell shirts and other, you know, other stuff to, to get Privacy Guides out there, and I'd be happy to see more people wearing that stuff and talking about it and going to conferences or whatever and talking about privacy, but that's not a huge, um, like, revenue generator for us, I will say. Um, so that is definitely not our main plan to make money. Um, they asked about YouTube. More views mean more revenue. Yes, they certainly do.
The nice thing is that we've seen a ton of growth on our YouTube channel so far. In the last twenty eight days, we've got fifty thousand views, which is thirty three thousand more than our usual average for a month. So things are definitely on an upswing and we hope to continue that going forward. Have we reached out for grants? Yes, we have some grant opportunities that we've explored. That's definitely a big thing that we'd want to do.
We'd love to get grants for specific projects in the future. Yes. Are sponsorships on the table? All of the sponsorship stuff and affiliate links, that's not something that we plan to do on our main content, like the website or the forum. It's not totally ruled out for the videos that we make, especially because it's so common on YouTube.
Um, that's still an idea that we're exploring. We likely could at some point do sponsorships from, like, companies, uh, completely unrelated to privacy if, if the opportunity makes sense. I, I won't say that we're, that we never do a sponsorship with this company, but just because they're so common on YouTube, I would just say, like, Raid: Shadow Legends could be a good example of something we might do, just because they're completely unrelated to privacy and they, I don't know if they still do,
but at some point they were sponsoring like every single YouTube video I watched. So I won't say that specifically, but that's kind of an example of something we could potentially consider. Another thing we could consider on the video side of things is like if a company we do recommend wanted to sponsor like a tutorial about their product or something like that. Like, it could be any company we recommend, like Proton, if they wanted us to do a walkthrough on ProtonMail.
It's something... I can't say whether we would do that or not. We'll have to explore it if the opportunity arises, but it's not something we would totally rule out at this time.
So on the video side of things, we may do that in the future in some cases, but... Yeah, we'll have to think about that a lot more. Um, and it's not something that we totally, that we have any immediate plans for, anything like that. Um, but potentially on the table. Uh, do we intend to make more members-only content to incentivize membership? Uh, yeah, absolutely. We do want to do more members-only stuff, especially in the video, uh, side of things. Um, there's, there's a balance that we,
uh, want to draw, though, because a lot of our members-only, a lot of the content that we publish in general, um, we feel that it's important to get out there for everyone. So it's very tricky to do members-only content in the first place. Um, it's, I'm glad we have so many members that, um, are generous enough to kind of keep up with their subscriptions even as we, uh, haven't published a ton of, like, members-exclusive content, only, like, early access to videos and stuff, just because
those memberships really help us get all of this content out there and let us make things that everyone, hopefully everyone in the world, anyone interested in privacy benefits from. So yeah, I don't know where that line will be, but we have some ideas and that is something that we want to explore further in twenty twenty six. I think that's kind of all the questions I will say. A lot of the stuff that Em has been working on recently, we definitely plan to continue.
So like all of the activism stuff, we want to keep up with that section, expanding it. It's going to be very challenging. Of course, it always is, losing any team member for us, but we will make do, and we, we certainly don't want to give up on any of those projects, because we have received a lot of positive responses to things like that. And we're hoping to expand it. So if you guys do like that stuff, definitely let us know.
But all of that is we still plan on sharing that with people, trying to expand it as much as we can and keep it up to date and really promoting it to people in organizations who can use those resources because they're really fantastic resources. Yeah, I think that's all I would have to say on that topic. I know there's a lot of questions, and I just said a lot of stuff. But hopefully, that answers most of your questions. And if you have any other questions for us, let me know.
I did want to add a couple things to the questions about YouTube specifically, since that's kind of what I do. They asked about upping the production quality. I'm not under the delusion that we have the best production quality. I know in a perfect world, I would have a studio with multiple cameras and everything. And I mean this genuinely, like I'm not offended by this question. Like, what do you mean? Feel free to like offer suggestions.
I can't promise we'll do them because again, we are limited by financial constraints, space constraints, equipment constraints, editing constraints. But I mean, if you have any very specific, like, you know, oh, other channels do, because honestly, that's how, at least me, that's how I learn a lot of my tricks is, you know, watching other channels. And I'm like, oh, I really like the way they do their titles or I really like the way they do their transitions or whatever.
Um, so yeah, if you have any specific ideas, um, I'm personally all ears. Again, can't promise we'll do it. Maybe it's just, you know, um, but yeah. And then you said current videos get around one to ten K per views. And yeah, I mean, they're gonna fluctuate a lot, especially because we do so many different kinds of videos. Like we do some, uh, interview videos, we do some tutorial videos, we do some... We're going to do some tutorial videos.
We do some videos that are more entry level, like here's encrypted messaging. And our next video is going to be a little bit, not more advanced, but it's not going to be quite so entry level. So, I mean, it's kind of a wide range of topics. So the views are going to fluctuate, but I mean... What I was taught learning YouTube is that anytime you get more views than you have subscribers, that technically counts as going viral.
So considering we don't quite have ten thousand views yet, getting ten or ten thousand subscribers, getting ten thousand views, twenty thousand, thirty thousand, which I know is, those are the exception, but we have some videos that really racked up quite a few views. And, uh, you know, our, our hope is that eventually, of course, someday we want to get, you know, a quarter of a million subscribers, and we want our videos to get a million views each. Like, we definitely want to get there, but, um,
yeah, it's like Jordan said here, like, I think we punch above our weight for sure. So, um, just to kind of put it in context, like, we're still very much growing, I think. Um... Oh, and I had another thought that got away from me. Oh, yeah. Just the other thing to remember is that we are a very small team. I think with Em leaving, I don't know if I can say how many staff members there are, but there's not many. And we all wear a lot of hats.
So a lot of these bigger YouTube channels, like Veritasium and Fern and stuff like that, they typically have... Like, at least one person whose sole job is to write and research and write the script. And one person whose sole job is to film the script. And one person whose sole job is to edit the script. And one person whose sole job is social media management. But, you know, here we've got... I cut most of the clips for the shorts, which, again, I haven't been doing lately. I'm sorry.
But I cut most of the vertical clips and stuff. And I think Jordan and Jonah mostly handle the social media. And Jordan does most of the editing because they're just so much better at it than me. But I try to at least do the basic cuts and stuff. So just kind of keep that in mind, I guess, just that we are... I'm not trying to make excuses.
I'm just saying that when I said feel free to offer suggestions, sometimes we just may not have the manpower to do something a certain way, but we definitely want to get there for sure. I mean, we talk every week about growth and what our strategies are and what we can do next to get the message of privacy out to more people.
Yeah. Yeah. Some of those YouTube channels you mentioned, I think they're definitely... misleading, not in, like, a malicious way, but just, like, I don't think a lot of people understand there, there's huge teams behind them. I mean, the ones that you mentioned, Veritasium, Fern, like, they've, they've got more than one person working on all of those things. They got multiple editors, they're doing, they're doing, like, multiple animators. Uh, people don't think about that because I think a lot of
people just think about the person on the screen on a YouTube channel doing everything, and that is definitely not the case for those larger channels. Um, but yeah, definitely open to suggestions on what we can do. I wouldn't, I wouldn't rule anything out, so let me know what you like to see. Um, I don't wanna, like, uh, I don't wanna... we're, I'm not under any delusions that we're making, like, perfect videos, but I do think that our videos are pretty good, and I think that a lot of what we can do,
uh, maybe better, comes down to marketing those videos and somehow finding out, like, the best way to work within the algorithms and stuff to get it out to more people. And there's certainly improvements we could make there, whether it's with the script or whether it's just with titles and thumbnails. Um, but I don't think the quality is that bad, um, personally, and I think that... I think that we're set up pretty well to get a lot more views in the future, thankfully.
And we're also almost at ten thousand subscribers. Probably could be as early as tomorrow or next week based on how these numbers are going. So that's exciting stuff. Yeah, I'm super excited for that. That's going to be a big milestone for me. Also, Seas said that it's World of Warships sponsoring everybody now. So we need to look into that. We'll see. All right. I'm going to scroll back up to the top here. It's been a little bit of a quieter week. But let's see here. We talked about ships.
Somebody asked about age verification. We talked about that. I know there were some questions. I just have to go find them. Oh, yeah. Jordan mentioned, not really a question, but here in the US, if emails are more than a hundred and eighty days old, they don't require a warrant. Um, so this is one of the reasons that we encourage, uh, encrypted email providers like Proton and Tuta and Mailbox,
if you turn on Mailbox Guard and, um, use that, is because if you've got Gmail or Yahoo or whoever, it's, I forget what it's called, but it's basically this legal doctrine where the government treats your emails as abandoned property, which is completely insane because, like, I'm sure, especially those of us who are older, you probably have, like, I don't know, letters from... okay, using me as an example, I was in boot camp and my family sent me a lot of letters. I used to be in the military.
And so if I had kept those letters, I'm sure my mom did, if I kept those letters and put them in a shoebox in the closet, now that I've been out for over a decade, I don't think anybody would be like, yeah, those are abandoned. Like, no, those are my memories sitting there. Like, it's completely insane. But if you use an encrypted provider, then the cops can't access it anyway, so it's a moot point. Jordan asked if we saw that the FBI director's email got hacked. I did see that on social media.
I didn't have a chance to read the story. I just saw it this morning, but I saw that that had showed up, and I saw a lot of jokes about it. Like, his password is probably cash with a dollar sign and stuff like that.
Yeah, I believe it's just his personal email, which probably... I mean, I don't think it's like a threat to the government, but it is probably a pretty embarrassing reason for him because I would imagine he... I'd imagine he's using a major service like Google or Apple iCloud that doesn't have security issues, so it was probably more of an OPSEC failure from the director of the FBI that caused this rather than any service issue. Yeah, I haven't read that article myself either, but...
Yeah, it doesn't look promising. I haven't heard a lot of, like, what's in the emails, anything yet. So I don't know if they're going to parse through it, but... So that came in, like, last minute today. I think, yeah, this article from The Guardian says it was a personal Gmail address, and the government has also said there's no government information. It's all just personal stuff.
It sounds like a lot of random pictures of them and, like, historical emails. In the case of Google, I... like, there's, there's plenty of ways to protect your account. If you're going to be a Gmail user, you can have a strong password. You can have, um, the Advanced Protection Program. Uh, to call this a hack is probably not the most accurate, because I would imagine there were plenty of things the director of the FBI could do to secure his data.
It probably wasn't like getting into the mainframe of Google servers or anything like that. It was probably pretty mundane. But what can you expect from the current government? Yeah, right. Let's see here. Okay, I'm catching up to the front now. Yeah, I think that was all for questions. I thought there was another one. Oh, yes, here it is. Anonymous, fourteen sixty five said that there should be a section on the website for router scenarios. I have no idea how to set one up or be private for it.
The problem with detailed tutorials about, like, here's how to get started and here's how to do it is they get really outdated really fast. And so it would almost turn into like a full-time job just trying to keep these tutorials current and, um, yeah, I mean, just trying to keep them current and keeping on top of, like, oh, the UI changed and this option's over here and they added this new option. And so, um, yeah, we do want to do some tutorials in the future.
I think I mentioned that earlier, but it's, uh, it's definitely a bit of a challenge to figure out. It's, it's a challenge to keep them as evergreen as possible. Yeah. I wouldn't rule it out. But yeah, we've been talking about doing something like that for a while. Which, I mean, just among the volunteers, actually one of them really wants to do that eventually, but hasn't been able to yet. But hopefully we can do something like that.
Jordan asked if we saw that iCloud Hide My Email was traced back to somebody after a warrant. I would imagine that's probably the case for any of these aliasing services, because that is how email works. They can typically tie it to your mailbox.
Yeah, not... yeah. Um, most interesting story, I feel like, but it also involved FBI director Kash Patel, because it was regarding an email sent to his girlfriend. So a lot of Kash Patel stuff going on in the email space this week. I don't know what's up with that. It's been a busy day for him, I guess. I mean, at the end of the day, like, that alias... the aliasing services and email in general, that's not going to apply to serious threats. Right.
So it's, it's more like a spam prevention or, again, kind of like the, kind of like the VPN thing. It's good to protect yourself against, uh, like, mass surveillance or data brokers, because using a different email for every website, that is a good protection against your accounts being correlated, among other things. But, you know, it's an email aliasing service. It's not like a unique identity generator for everything on the internet. And they certainly can be linked together.
That's not really what these email aliasing services are for. Yeah, for sure. I actually did remember one more question that I skipped past. I had another tab open. Where did it go? Oh yeah, so earlier when we were talking about social media, somebody asked if there was a book on the subject. And I'm assuming you mean a book on the, because we were talking about how social media is designed to be really addictive. Age of Surveillance Capitalism by Shoshana Zuboff touches on this a little bit.
Not so much the design of social media itself, but just like how big tech works, what their playbook is for invading your data. Jaron Lanier has a book called Ten Arguments for Deleting Your Social Media Accounts Right Now. I have not read it personally, but I know that is one.
And then a couple others I haven't heard of, but I found mentioned when I went looking for answers: Hooked by Nir Eyal, Addiction by Design by Natasha Schüll, and The Shallows: What the Internet Is Doing to Our Brains by Nicholas Carr. Again, have not read any of those, but those did come up when I searched that subject, so. Because when I saw that you asked that question, I was like, I know there are some, but I'm drawing a blank. So those are what I found. All righty.
Last chance for questions in the chat, everyone. Otherwise, we'll start wrapping this up, I think. Got a bit more to share here, but... But yeah. I think we can close off questions here then, probably.
¶ Outro
Thanks for tuning in, everyone. All of the updates from This Week in Privacy, we share them on our blog every week. So you can sign up for the newsletter, or you can subscribe with your favorite RSS reader if you want to stay tuned on all of this and get all of the sources. For people who prefer audio, we have a podcast version available on all podcast platforms and RSS. We also sync the recording of this video to PeerTube.
Privacy Guides is an impartial nonprofit organization that's focused on building a strong privacy advocacy community and delivering the best digital privacy and consumer technology rights advice on the internet. If you want to support our mission, you can make a donation on our website at privacyguides.org slash donate. You can make a donation by going to any page on our website and clicking the red heart icon located in the top right corner of the page.
You can contribute using standard currency via debit or credit card, or you can opt to donate anonymously using Monero or with your favorite cryptocurrency. Becoming a paid monthly member will unlock exclusive perks like early access to video content and priority during the This Week in Privacy live stream Q&A. You'll also get a cool badge on your profile on the Privacy Guides forum and the warm, fuzzy feeling of supporting independent media. Thank you all for watching.
We will see you next week.
