Techlore Surveillance Report is your weekly deep-dive into the privacy and security news that matters for your digital freedom. Hosted by Henry Fisher, founder of Techlore and long-time digital rights educator, each episode cuts through the noise with carefully selected stories, context, analysis, and historical perspective.
Topics include: privacy tool updates and vulnerabilities, data breaches, surveillance technology and government overreach, Big Tech privacy policies, encryption standards, digital rights legislation, and corporate data accountability.
Whether you're just starting to take privacy seriously or you're a seasoned expert tracking the ecosystem, Surveillance Report delivers the weekly news you need. New episodes every Wednesday. Subscribe and join the community at techlore.tech
This week, Surveillance Report covers the most severe Linux threat in years that has sent researchers and distributions scrambling.
Apple is patching that weird bug that police were using to extract deleted Signal messages from iPhones.
Utah has this new weird law regulating VPNs and trying to make those much harder to access.
And Microsoft Edge just wants to store all your passwords in plain text memory.
Just typical Microsoft shenanigans.
Welcome to the Techlore Surveillance Report, your essential weekly tech news where I deliver
deep analysis on the latest threats to security, privacy, and digital freedom, empowering you
to reclaim control and defend your rights. My name is Henry. And a quick note before we get
into the news, just have a quick announcement. I owe you all a pretty big apology here as this
episode is landing way later than it should have. We've been working on some big projects back here.
We are a two-person team. And a lot of times when we put more emphasis on those, it's really hard
to keep up with this, the anchors that we have. Now we've done some restructuring back here to
make this a little bit better. So going forward, I want to really emphasize that consistency a bit
more. And I just wanted to get something out this week. And so today's episode is a little bit
lighter. I'm just going to cover the most major stories. That way we can at least get this news
out and get back on track. Let's start with two really crazy Linux stories. The first one being
the most severe Linux threat to surface in years. Now, if you're reading news or you keep up with
this kind of stuff, the way that this attack is overall referred to is called copy fail,
which is one word. Now, the overall idea of this is that it gives an attacker root access to Linux
machines quite without many restrictions. It's quite interesting. Now, what copy fail does,
it's described as a critical flaw. It's a local privilege escalation, which is a vulnerability
class that allows unprivileged users to elevate themselves to administrators. The example they use
here is that an attacker exploits a known WordPress plugin vulnerability, which we cover
on a weekly basis at this point, and then it gets shell access. They run this copy-fail proof of
concept, and they are now root on the host. The way the researchers described this is the
vulnerability does not get the attacker onto the box. It changes what happens in the next 10 seconds
after they land there. So if this was combined with another vulnerability, it can just take over
your machine, which is quite scary. I really want to outline a little bit of the drama around how
this came to light because it's quite relevant to the story. Because normally the way that
disclosure works. If I am a security researcher and I'm investigating a piece of software and
I find something critically wrong with it, what is typically considered reasonable slash proper
disclosure is I reach out to the affected software vendor, I work with them directly,
and then they ideally issue a patch before the public finds out. So that way it's kept low-key
and attackers can't exploit whatever that security researcher found, assuming they didn't already
find it. Now, this didn't quite work that way. A vulnerability analyst here that I'm showing on
the article on screen if you're on video, but their name is Will Dormann, said that this org
doing the disclosure did an absolutely terrible job of vulnerability coordination because at the time
of making this video, not every Linux distribution is actually patched. Now, they did disclose this
weeks before to the Linux kernel security team, and they actually patched that vulnerability in
the Linux kernel itself. The problem is that few of the Linux distributions, which are downstream
of the Linux kernel and need to actually integrate the Linux kernel into their operating systems,
actually incorporated those fixes. Now, this Ars Technica coverage happened last week,
and at that time, the only people who actually patched this were Arch Linux, Red Hat, Fedora,
SUSE, and Ubuntu. That was kind of it. And so if you had any other distro, it wasn't really known
if you were patched. Now, if you're using a different distro from one of those, it's really
important to check your distro and see if they have patched this issue. Now, before I share a few
more of my takeaways, I wanted to also share this story as well, which came out a few days before
that last one, which is there was an open source package with 1 million monthly downloads that stole
user credentials. This is a command line interface for a piece of software called Element Data. And
what this tool does is it helps users monitor performance anomalies in machine learning systems.
It's a very niche tool, but it clearly has a lot of downloads. The developer account was taken over
and they published a compromised version of the piece of software.
You might be wondering, Henry, what's my takeaway?
Well, first off, I just want to zoom out and say that vulnerabilities happen on every operating system,
so this isn't a Linux-inherent issue, and it goes all directions.
And I think that it's also important to debunk the myth that just being on Linux is inherently crazy secure.
Now, I do think Linux has a ton of benefits from an open-source perspective,
from a transparency perspective, from a philosophy perspective,
from also sometimes just a usability perspective.
I understand why someone would want to use Linux over Windows or macOS, especially Windows with how that whole world is going right now.
I don't need to expand further than that.
But I think it's really important to challenge this overall conception that if you're on Linux, you're resistant to every attack out there.
That's just not true.
We've seen really severe exploits in the Linux world.
And because Linux is just overall this ecosystem of hundreds of different distributions, and it requires more to fix these kind of issues.
If Apple catches something like this, they just roll out an update to all their devices and everybody has the update.
But with this, it's a little bit harder to do that because it reflects the openness that is the Linux ecosystem.
And so whatever distro you're on, it's really important to just do a quick web search and just type in copy fail and then your distro name.
And you should get some kind of coverage or some kind of community response to whether or not they have patched this.
And I have no issue saying if your Linux distro of choice hasn't made any kind of public statement and isn't communicating this issue to their users, I would genuinely flag that as a real concern and reconsider your Linux distribution of choice.
This might sound harsh, but it's for two reasons.
One, these are the developers pushing code to your machines, and it's partly their responsibility to keep you safe.
And so if your safety isn't a number one concern to them, I would argue that's already sacrificing a major value that a Linux distro is supposed to provide.
The other thing is that I think that reflects an overall communication pattern of a project. And so if this project that you're using day to day, if they're not responding to an issue this massive, are they going to respond to an even larger issue? Are they going to respond to their accounts getting compromised? So these are things that I would be thinking about personally. I know the Linux world has everything from Hannah Montana OS to Red Star OS to actually really legitimate operating systems used day to day to the servers that you connect to.
So there is literally the craziest stuff out there to the most legit stuff out there.
And so I just want to make sure people are aware of that spectrum when they're moving over to a Linux distro.
And to also make sure that you're updating your software and actually getting the latest security updates along the way.
It was also quite disappointing for me to read the way that this was disclosed
and how there wasn't enough time given to some of these Linux distributions to actually patch the issue.
But I was still happy to see some of these major distros, a lot of which we recommend back here, did patch this quite quickly.
So those are kind of my initial thoughts there.
All right, coming soon, we have Utah's new law regulating VPNs, which is crazy.
And we'll talk about what to do there.
We also have Microsoft Edge literally saving your passwords in plain text on your computer.
Just typical Microsoft stuff lately.
But before we get there, very quick signal boost.
We talked recently, I think on the last Surveillance Report, about how there was essentially this bug slash issue, whatever you want to call it, this problem.
I don't know how you want to describe this issue, but pretty much there was a court case that came out that revealed that there was a user that was being investigated using the Signal Messenger, the end-to-end encrypted messenger.
And pretty much they already deleted the whole Signal app before the law enforcement agents started trying to break into the phone and trying to get access to those messages.
Pretty much, they were actually able to intercept messages retroactively, even though the Signal app was completely deleted, because of notifications on iOS.
Essentially, the operating system, only on iOS, was caching all the notification content locally, even for apps that were already deleted.
So that was a pretty serious problem.
A lot of people were concerned.
We got a huge amount of questions about this.
And so I did do coverage for that back then.
But the real update here is that you can just update your iPhone to the newest version,
and that will even retroactively fix the problem.
And so even if your iPhone has been collecting
all of your notification content the last 10 years,
the moment you update to the latest version of iOS
from a couple weeks ago,
I know we're a little late on this,
this is resolved now.
And I think they also pushed out this update
to iOS 18 as well.
So you didn't even have to go to iOS 26
to still get that update on some older devices
or if for whatever reason you don't want to go to iOS 26.
So this is a quick signal boost
and it's good to see Apple address this
because they don't always address things like this.
All right, so we are now going to talk about this new law that came out of Utah, the land of freedom.
It is called SB 73. You can read this yourself. I am showing it here on screen and what it looks
like. But of course, you can always find this in the show notes down in the description if you want
to actually read the bill for yourself. I will be doing a dedicated video on this to dive into it a
little bit more. So stay subscribed if you want to see that. It should go live in the next day or so.
So pretty much this law builds off of the 2023 law that was their adult content kind of law.
Now, this has been happening all around the world for a little bit of context. We see all these
countries and states that are trying to target age verification slash adult content websites in the
name of keeping children safe, adults safe. It's a bit unclear. And I still haven't really gotten a
really good answer as to what the real intention and the real proven benefits are to these kind of
things. And it's hard to see this in any kind of optimistic way for me. Now, a big problem for this
is that even if we could get a good answer out of these politicians and the people really promoting
this stuff, implementing this is very hard and it's quite challenging because of the way the
internet works, right? If Utah's blocking something, but California isn't, someone could just use a
California-based VPN or even just a VPN based out of Utah, but that has servers in California
and just access the site anyway, right? Like the internet is really hard to censor in the way that
they're trying to do. So this already happened yesterday, May 6th. This law was passed that now
puts VPNs in the crosshairs of Utah. And the craziest thing is this doesn't just impact you
people in Utah because the law puts the liability on the adult content websites to age check Utah
users to fully comply. This means that a website has to verify the ages of every visitor regardless
of where their IP address says they're located. So theoretically, if any of you are using a
California-based IP regardless of where you come from, NSFW website doesn't know if you're a Utah
resident or not. So they still have to figure out where you're actually residing somehow.
Somehow, I don't know. The same law also prohibits adult content websites from sharing instructions
on how to use a VPN, and it creates a 2% tax for transactions on online pornography websites.
It's actually quite interesting because here is a direct quote from a Republican sponsor of the
law, which is Senator Calvin Musselman, I believe is how you say his last name. He said, quote,
protecting kids while preserving freedom is not a new concept. SB 73 is about accountability,
requiring companies that profit from material harmful to minors to take reasonable steps to
help prevent access by children. Now, before I continue on what he said next, which I think is
actually the crazier part, I think it's really important to clear something up, and at least my
stance on this, which is I would argue this is not preserving freedom. This isn't preserving freedom
for even people outside of Utah. Someone should have the freedom to access content and be able
to do it in a privacy-respecting way, and there is no privacy-respecting way to do this. This isn't
preventing access to just children; it's preventing access to adults as well. So this is inherently
not preserving freedom for everybody along the way. This is kind of the difficulty with trying
to navigate this really touchy subject. Now, here's where I think it gets crazy. And this is
where I think there's a technical gap or an intentional or unintentional understanding of
what this technology looks like. He says websites could, with a C, could, not should, could have a
process for users to verify their age or confirm which state they're in, quote, while still
preserving the encryption options for users. Now, I've been doing this for over 10 years.
I've gone through all these marketing slogans like military-grade encryption and anonymous data,
like anonymizing data sets and this kind of nonsense that is really hard to actually prove.
There's all these marketing phrases that are used. And this man just goes out and throws out
preserving the encryption options for users. This is the kind of person who's going to say,
Well, they used HTTPS on the website when you uploaded your ID, so it's encrypted.
And it's like, well, that's just the data in transit to make sure there's no middleman
that's actually intercepting that ID that you're uploading.
What are those encryption options that you're talking about?
There is absolutely no discussion right now about even zero-knowledge proofs really in
the US.
That's kind of happening in Europe.
I did some coverage for that recently.
That is at least a step in the right direction, but that still calls into question the freedom
of information, even when it's done properly in a privacy and security respecting way that's open
source. None of these US politicians that I've seen are actually proposing this. They're just saying,
yeah, you know, these websites got to figure out it's their problem. But them trying to offload
all of that responsibility onto a provider is also jeopardizing all users and their data along the
way. And it's very reckless. If they are going to pass this, which I don't agree with, by the way,
I don't agree with age verification in the first place. But even if I was in support of age
verification, I would still be a big proponent of finding out a way to do it safely so that it's not
just going to chuck a ton of users' data out into the ether with no regulation and no thought behind
it, which is what this guy is saying when he's saying, oh, yeah, people could preserve the
encryption options for users. Like, yeah, I really hope that websites asking for my ID are actually
using a proper SSL certificate. That's a good starting point. Thank you, Mr. Musselman. I'm
getting really angry talking about this. Stay subscribed if you want to see more coverage for it.
I'm sure I'll make a dedicated video on it coming soon.
Okay, this is a pretty wild ride from Microsoft.
I swear, every week that we do this podcast,
Microsoft does something else that just,
it just makes me question what they're thinking back there.
And every time I'm like, well, this can't get worse,
it somehow gets worse.
So Microsoft Edge, which is the default browser
that Microsoft tries to shove down everybody's throat,
that's not even an opinion, that is a fact.
Every update, there have been reports from the Mozilla team.
They've done studies now that show all the dark patterns that Microsoft does on Windows to try to get you to use Edge.
It can even undo your default browser during some updates.
It's crazy.
But yes, that browser they're trying to shove down your throat apparently has been saving all of your passwords to your device's memory and doing it in plain text.
Now, I'm going to say Tom because I don't know how to pronounce the letter O with a line through it.
That is a new concept to me.
So I'm going to call him Tom, which I think is accurate.
And there's no line through that O.
So that's good for me in my pronunciation.
But he actually went public.
We talked earlier about kind of what a typical vulnerability disclosure looks like.
And so this researcher went public, but because Microsoft wrote him off,
which is typically the next best thing.
So if somebody goes to a company with a real problem and the company doesn't respond
or they ignore them and that researcher tries their best,
it's a little bit more acceptable for them to then go public
because then at least there will be public pressure to fix the issue.
Now, Microsoft looked at this problem and responded to him saying, quote, Microsoft Edge loads all of your saved passwords into memory in clear text, even when you're not using them.
What's so fascinating is that even though Edge is based on Chromium, which is what Chrome is based on, this isn't even a behavior in Google Chrome.
This is an Edge-specific behavior.
To be clear here, what this means is that if somebody has administrative access to your machine, they can exploit this vulnerability.
And what they can do is they just access the memory of all logged in user processes, and then your passwords would just be in there.
I'll touch on my thoughts on this in a second, but the Microsoft response to this is, quote,
Safety and security are foundational to Microsoft Edge.
Access to browser data as described in a reported scenario would require the device to already be compromised.
Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats.
Browsers access password data in memory to help users sign in quickly and securely.
This is an expected feature of the application.
We recommend users install the latest security updates and antivirus software to help protect against security threats.
Now, my initial gut reaction to reading this, again, this is more of an emotional reaction, is that this is quite lazy, right?
I think there is always some kind of thing that you can say is someone else's problem or that's intended by design.
If I build a website and it has some kind of vulnerability in it, but the website's vulnerability can only be exploited if something else down the chain gets exploited, then I can just say, well, that's out of scope,
that assumes too many things. So this is actually working as designed. But I would argue that's not
best practice. Best practice is to assume and try to protect your users at every step of the process.
And we know that Microsoft kind of has that same carelessness to Windows as an operating system,
and what they're actually depending on here is themselves. So imagine I was like, oh, hey, yeah,
there is this exploit. Yeah, I know you guys are reporting this exploit on my website,
but it's okay because the downstream or upstream person
would also need to be exploited.
Oh, but that person's also me.
So that's what Microsoft's doing here.
They're pretty much saying,
hey, yeah, Microsoft Edge has this problem,
but it's okay because it would require
someone to compromise Microsoft Windows.
But what do we see?
We see Microsoft do a lot of really lazy things as well
on the Microsoft Windows side of things,
also sometimes from a security perspective.
And so I think that this is just lazy.
It's careless.
It's not thinking about, well, what if something goes wrong?
It's also maybe too much confidence in their own product in some ways that I don't know where that's coming from the last year or two as Microsoft has not had a strong couple years.
I really struggle to follow Microsoft's reasoning and their explanation for this.
I'm not saying there isn't any layer of legitimacy to it.
I just think that especially coming from them as a company and their history and their lack of explanation on what it's actually providing, I'm inclined to say that this is something that should be fixed, especially when every other browser doesn't have this problem.
So I think no matter what, try to avoid Microsoft Edge.
There are many reasons to do this as well from a privacy perspective and also just a transparency perspective.
I think that the Brave browser is a really good alternative.
The Firefox browser is a great alternative.
Firefox forks are great as well.
Whatever you want to use, if it's open source, it's probably going to be a bit better than something like this.
On top of that, if you want to do things a little bit more best practice, you can always use a desktop-based password manager instead.
Those typically have dedicated security teams to make sure they're pretty much locked vaults on your system.
I can highly recommend something like Bitwarden or 1Password or Proton Pass.
These are good starting points that are quite easy for a lot of people.
And then you have more advanced things like KeePass as well if you want something a little bit more advanced.
So this is something I wanted to put on your guys' radar.
I think it's just another kind of flag to plant inside of the drowning Microsoft ship of all of their problems they've been going through the last couple years.
I talked about earlier when you look at these Linux distributions, and there's one of the most critical vulnerabilities that we've seen in the last few years.
And some Linux distros may or may not even be taking it seriously or communicating properly to their users or patching it as quickly as they can.
Something that should be something that a developer stays up overnight to fix to help keep their users safe.
I know I would if I ran a Linux distribution and there was a critical vulnerability.
I'd be up all night to make sure my users were kept safer.
So that is an important thing to flag.
It should be the same for Microsoft.
So if Microsoft is getting these exploits and they're like, well, that's just intentional.
Yeah, you know, we trust that Microsoft's safe, blah, blah, blah.
That's a big red flag.
So I do just challenge you all, if you are using some kind of vendor or piece of software that has someone who communicates like this about real security problems, flag that, right?
Doesn't mean you need to move away from it day one, but I think that's something worth considering.
All right, everybody, and now we're going to get into the defense bulletin.
Now, again, this was a shorter week, so I'm keeping a defense bulletin a lot shorter than we normally do.
And I'm just going to cover what I felt were kind of the most interesting or most important stories of the last couple weeks.
So next week, we'll go back to a normal episode, but let's just get through these.
First one is that there was an issue in cPanel.
If you've ever hosted a website, you might have experience with cPanel.
But there is a very massive vulnerability here that was used on millions of websites,
which allowed attackers to hijack and take full control of the servers running the affected software.
This is patched.
And so if you run anything that has cPanel on it, please make sure you would have updated by now.
I really hope you would have updated by now because it's been like a week.
So definitely get on that.
Now, this one's pretty crazy.
It happened a couple weeks ago, but it's from Bitwarden.
The Bitwarden, which is the password manager's command line interface,
was compromised as part of an ongoing supply chain attack.
Now, supply chain attacks are really hard to pull off, generally speaking.
They're quite rare.
And so this is something that is very hard to protect against as a software vendor.
I think that kind of context is important when discussing this kind of thing.
With that said, Bitwarden's security team identified and contained that malicious package,
revoked compromised access, and deprecated the affected release pretty much as soon as they could.
So this is what I'm talking about, guys.
So this was deployed at 5:57 Eastern time, and they patched it and removed it by 7:30 Eastern time,
which means that users would have had like an hour and a half to download this.
Now, if you were in that hour and a half window, A, really bad luck.
I'm sorry.
But B, they do have instructions that they posted formally, and they send out really proper announcements.
Now, I think that a lot of people might come down on Bitwarden here, and I don't even use Bitwarden personally.
I have no reason to say this, but I have a lot of respect for their team.
I know that they have a really good security team.
And this can in some ways happen to anybody.
And so this is the kind of thing that I personally look more for the response times, right?
If they were purposely leaving the password saved in memory, and then there was some vulnerability that exploited that,
and then I would be like, that's a little bit different.
But supply chain incidents like this are really hard to protect against.
So typically, in these situations, I'm looking for the response, how quickly they dealt with it, how they communicated it to their users, and also just the kind of approach that they're taking to this problem.
And for me, I'm quite happy with this.
If you are a Bitwarden user, I recommend actually reading in the show notes the responses that Bitwarden wrote and see how comfortable you are with them and if there's something that you feel like is lacking.
And if there is, then maybe you can reconsider your password manager.
But I think what I want people to kind of take away from this week's episode is to really
look at the software you're using, look at the communication behind the developers and
who's running it as they're pushing software to your device, and just see if it's something
that you align with and that you're comfortable with.
And if you're looking at this Bitwarden story and it makes you feel weird, that's something
you can listen to.
Just make sure to act appropriately and also try to find an alternative that you think
is actually fixing whatever communication problem that you feel like you've isolated out.
It's kind of the theme of the week.
WordPress. I think I mentioned earlier, every week we have WordPress stuff. So yeah, there was people
who planted backdoors in dozens of WordPress plugins used in thousands of websites. So as we,
tale as old as time, guys. It's called the Essential Plugin that says on its website that
has over 400,000 plugin installs and more than 15,000 customers. And yeah, it's been hijacked.
So if you use any kind of WordPress plugins, definitely check this one out. All right,
I did want to just highlight a couple data breaches here that were kind of the larger ones.
And so France confirmed a data breach at a government agency that manages citizens' IDs.
I wish that they used encryption, as our U.S. senators would say.
But I'm sure they did use encryption when it came to collecting this information.
But I think this exposes the problem, which is just because you used encryption while data was in transit doesn't mean that it was actually properly secured at its location and it can't keep out malicious actors.
So they didn't specify how many people were affected by this breach.
But if you are a French citizen, please keep up with the story because it could impact you.
This next story has a really important lesson that I want to clear up as well.
So there's a home security company out there called ADT, and they had a data breach.
So this is a company that's like, we're going to keep you safe.
We have security cameras, window sensors, door locks, whatever.
You come in, you type in a passcode.
One of those security companies, right?
But they had a data breach, and they confirmed that it was limited to names, phone numbers, and addresses.
The real concern I have about this is that for some people, this is actually a very serious thing because ADT has such sensitive information like where you live.
And now if an attacker has a list of all their customers and where they're located, etc., that's actually pretty sensitive private information that could make them a larger target.
So this is an ironic story for me because this is a company whose entire business model is literally to keep you safer.
And they are caught in this breach.
So for me, the lesson and kind of why I wanted to outline this story is that I think the companies that genuinely, and I mean genuinely care about keeping you safer, even if they do provide you some benefits like ADT, they're also going to provide ways to restrict the kind of information they can access as well.
What I mean by this is even a company like Amazon with their Amazon Rings, I am not an Amazon fan. I don't like Amazon Rings very much, but they baked in a feature that allows end-to-end encryption with Amazon Rings. And so if you are an Amazon Ring customer, you just enable end-to-end encryption and that prevents Ring themselves from accessing your camera footage.
I think this is a really good example of how this is still providing you security without that inherent downside of them getting to see your data, which comes with so many other side effects.
You're not trusting every employee as part of the company to not spy on you.
You also are trusting that they don't get hacked and some random person tries to leak it, which could put you in the crosshairs of something else.
And so again, I think the right companies to put your trust in are the ones that genuinely try to collect as little as possible about you to still offer you a good service.
So within reason, but this is a good reminder.
There was another data breach from Vimeo, the video service, that did expose user data, email addresses for some of its customers.
But most of the exposed information was technical data like video titles and metadata.
So if you want to learn more about this, there's always the show notes in the description.
This one I thought was pretty cool.
So Proton, the people behind ProtonMail, ProtonVPN, etc., are now doing post-quantum.
They have a whole help article that I'll leave in the show notes as well that teaches you how to enable it.
This is being gradually rolled out. And so if you don't see it in your account yet, there's nothing you need to do. Just keep checking. And as they're gradually rolling this out to do this, you just sign into your account, you go into settings, you go to encryption and keys from the sidebar, and then there's an enable post-quantum protection button. And then if you're watching this video, you can see that there is an enable and generate keys, and then you can manage your account keys, etc. It's cool. This is really awesome stuff.
I believe Tuta, kind of the main competitor to Proton, has already rolled out post-quantum.
And so this is a good way and we see some healthy competition here.
And I think it's cool that Proton's really pushing the envelope there on that.
We also, a couple weeks ago, had Tails, the anonymous operating system, release version 7.7.
It comes with some extra security notifications when it comes to Secure Boot.
And it comes with other updates like updating Tor Browser and Thunderbird and some bug fixes as well.
This next story is a very interesting one.
And if you haven't heard of this before, it's an interesting thing, I think.
So pretty much Apple does a really bad job of handling VPNs on iOS because Apple just
has random exceptions.
Apple doesn't force everything to go through the VPN tunnel.
So even if you're connected to a really nice VPN provider, like in this case, Mullvad, they
can't really guarantee that all of your web traffic always goes through the VPN on iOS.
And this is just kind of like the Microsoft thing of like, yep, that's just how it works.
That's by design.
Though at least in Apple's case, they kind of try to justify it by saying, well, we don't
want everything to go through a VPN tunnel because then you can't reliably connect to
Apple services required to offer you a clean experience, whatever. But I think that reasoning
falls apart when they also release features like lockdown mode, which is geared towards activists
and people in higher risk situations, public figures. And those people probably want to know
for a fact that all of their traffic is going through something like a VPN. And so I think at
minimum, something like lockdown mode should make it so a VPN on iOS actually works system-wide
reliably. Anyway, I offered the context before Mullvad described it here in the article, but they
say here they have been stuck with a VPN app that they knew would leak some traffic in some
circumstances, and they explained kind of the technical bits for it. They did implement a
workaround, though. We've decided we're not going to wait anymore, and we would like to offer our
users the best possible privacy and security, even if it comes with major UX limitations.
So pretty much they are releasing a new version of the iOS app that will contain a new feature.
This is from Mullvad VPN called Force All Apps.
Under the hood, enabling this feature sets the Include All Networks configuration option to true,
and they have tried to make sure that users who enable the feature do so deliberately
without making them jump through too many hoops.
The phone will still enter the broken update loop,
but now users should receive a notification about a new version being available
before the app gets auto-updated.
We expect a minority of our users using this feature will end up with a broken networking stack,
and unfortunately, there is not much we can do.
If you've been affected by this, we can only encourage you to capture the anguish and
express it as feedback to Apple. If you're a more technical person, they have a few more technical
details there in the blog article as well. But the idea here is that Mullvad has looked at this
problem on iOS and said, you know what, we can roll out a fix for this, but it's actually quite
a risky fix that might actually cause a little bit of breakage for some users. But yeah, this is,
I think, a cool thing. I think Mullvad's trying to put themselves out there. I think what I'm
personally excited about for this is that now there's a real bug there. And Apple might look
at this and go, oh my God, people are using VPNs and it's causing their devices to break,
but the VPNs are doing this because we haven't fixed this other problem.
So it might create and force a better discussion that Apple might take more seriously.
And so that's kind of what I'm hoping is going to happen.
I can't say I'm going to recommend this to really anybody unless you're in a super high-risk scenario.
But in that situation, I'd say you probably shouldn't be doing whatever you're about to do on your phone
and maybe migrate to a proper Tor browser or even something like Tails OS or Whonix
or just something a little bit more established for that kind of use case.
But in the meantime, I think this is a really good form of leadership from Mullvad.
This is a really quick update for Brave users.
Brave has a feature called the Shred button,
which pretty much lets you just delete data on a per-site basis when you leave it,
or if you just want to just delete data right away at the click of a button.
They're now moving that over to Android.
So it's been on iOS.
I don't know what the delay was or why it took so long to bring this to Android,
but it is now on Android.
Maryland has become the first state to pass a bill banning surveillance pricing.
If you don't know what this is,
essentially there are websites that try to take your personal data, like your location,
your browsing history, your purchasing behavior, and try to actually change pricing online
based on how much they think you'll actually pay. And so Maryland has banned this practice.
This is really cool. I think it's really frustrating if this is in any way a normalized
thing nowadays. And I think it's another selling point for privacy. If you're using privacy tools,
even free ones, you might actually be spending less money on websites that aren't profiling you
to see that you'll actually pay more money for something. And so it's cool that this is happening.
I'd love to see kind of more initiatives like this out there.
With all of that said, I want to thank you all for listening.
I know it's been a while, so I especially also want to thank you for your patience.
That is going to conclude this week's Surveillance Report.
We're hoping to get back on track.
And maybe I didn't want to announce this at the front, but the idea is that this is actually
a video podcast.
So if you are watching this on Apple and it's a video podcast, then this worked.
Let me know how the experience was.
I'd love to hear from you all if this worked cleanly.
And then if it did work cleanly and everything worked appropriately, then next week I'll actually make that a formal announcement at the beginning.
Now, if you like this podcast and you got value from it and it helped you reclaim control for you or the people around you, you can become a Techlorian and support us down in the show notes.
You'll get access to our exclusive communities on Signal.
You'll get key perks along the way in our community as well.
And you'll also help the podcast keep growing.
I also want to ask all of you if you can definitely try to leave a rating, share this episode with friends and family,
and you can also help spread digital freedom
by just talking to them for things like Mother's Day
or anything like that.
Thank you all for listening.
Thank you all for your patience again
and I'll see you in the next episode of Surveillance Report.