What Bitcoin Did - Exposing Pegasus: How the State Spies on You | John Scott-Railton
Episode Date: September 9, 2025John Scott-Railton dives into the dark world of spyware, surveillance, and state power — and what it means for our freedoms in the digital age. From uncovering Pegasus spyware in 2016 to exposing pr...ivate intelligence firms like Black Cube, John explains how governments, corporations, and authoritarian regimes exploit our phones and data to control narratives and suppress dissent. We discuss how spyware has evolved from phishing texts to zero-click exploits, the chilling stories of journalists and dissidents targeted, and why even democracies are sliding into mass surveillance under the guise of “safety.” John also warns about the next frontier: AI supercharging surveillance, corporate data brokers selling your life by the byte, and if Bitcoin faces the same creeping panopticon risks if incentives aren’t carefully guarded. In this episode: - The rise of mercenary spyware like Pegasus - How the state abuses surveillance tech - The role of corporate surveillance and data brokers - AI’s potential to supercharge surveillance - If Bitcoin could face the same panopticon dynamics THANKS TO OUR SPONSORS: IREN RIVER ANCHORWATCH BLOCKWARE LEDN BITKEY Follow: Danny Knowles: https://x.com/_DannyKnowles or https://primal.net/danny John Scott-Railton: https://x.com/jsrailton
Transcript
Discussion (0)
You are sideways to the interests of a state right now.
There's like a reasonable chance that something is on your device.
And the thing is, you won't know.
Nothing you see, nothing you do, no flickering screen, no sudden drain of battery,
no warning sign, no link to click, no attachment to open.
You're just compromised.
There's nothing behavioral that you can do to protect yourself.
What scares me about this conversation as we apply it to the world of like Bitcoin
is that many different players in this ecosystem,
I think are going to discover many of those same incentive structures if they haven't already.
What they're actually asking for is something that changes the structure of the internet.
And you get a situation where you're going to need a passport to speak and a passport to post
and a passport to listen.
If you build systems that allow for control and access, the temptation is just too great.
Welcome.
It's good to have you here, John.
This is a show I'm really excited about.
Like, I do so many Bitcoin shows.
I love Bitcoin.
I love talking about it.
But stepping outside the box into these, like, tangential issues.
And I do think this is tangential in a lot of ways.
Yeah.
It's always pretty refreshing.
So I'm glad to do this one.
We met a couple of years ago.
We did.
I've been kind of following your work loosely since then,
and you're a very interesting person.
So you were one of the team that in 2016, I believe, discovered Pegasus or exposed Pegasus.
Yeah.
Do you want to start by maybe explain?
what Pegasus actually is, and then what happened in 2016?
So think about your phone in your pocket right now.
It contains a large part of your external brain.
It wasn't always so, right?
It was only like 15 years ago that we didn't really have a pants computer
that we carried around with us that contained all this sensitive information.
Well, as mobile technology has proliferated,
governmental desire for gaining access to that technology has exploded.
And one of the many ways that governments do that is something that we call
mercenary spyware. So this is the ability, silently, covertly, to infect your phone and turn it
to a spy at your pocket. Activate the camera, the microphone, read your contacts, listen to your
signal calls, read your encrypted messages, look at your photographs. Anything that you can do on your
phone, it can do, and some things you can't, like silently making the phone a hot mic,
debug a room, recording from the video, accessing your cloud accounts. Pegasus is one of those
technologies. There are many. Pegasus is in many ways the most notorious and the most well known,
partly because of its market success and selling to lots of different governments, and because
we keep finding it. And did that spyware, where did it come from? So Pegasus originates from a
company called NSO Group, which flies different name flags, but we'll call them an ESO group
for the purposes of this conversation. They're an Israeli company, and they took, I would say,
of technologies and skills that came out of unit 8200,
which is the Israel sort of like NSA equivalent
military entity and other parts of Israel's
military intelligence complex and turned it into a profit-making product.
People call Pegasus software, but it's, I think,
more effective to think about it as a service.
Basically, imagine you're a government.
You've got, you know, a leader in his 80s,
doesn't want to leave. You're worried about your governmental stability. There's a bubbling
opposition somewhere. What are you going to do about this? Well, you want to monitor that opposition.
So you go to an SO group and you say, listen, I like to buy Pegasus. I want to get on these people's
phones. And the contract that you'll get, it's so interesting, it's like DRM for spyware. You get a number,
not of seats like with Microsoft Word, but concurrent infections. So you might have like a 20 concurrent infection
contract. And then for the period of a year,
NSO is going to basically guarantee you, look,
for this year, we promise that we'll do our best to make sure that you can hack iPhones,
that you can hack, and then it's kind of up to you how you use that.
Some governments that are just like a float in cash will buy like 100 concurrent licenses,
big numbers. Others that are like tightwads will get through 20.
And then they will just grind on those licenses. It's like hack like 20 people in the morning,
finish those infections, 20 people in the afternoon.
do it again the next day, right?
And when they infect a phone,
can they essentially download everything
they want from that phone and move on to the next one?
They can.
And in fact, there are these cases that we see.
So when we do forensic analysis of devices,
we can often see numbers of infections, right?
So like on this date, your phone was infected,
on this date, your phone was infected.
And there are journalists, for example,
who are in the ire of certain governments.
Their phones might have had like 20, 30,
40 infections over the course of a year or two.
So they're just checking in periodically, sweeping data.
It's like your top up, right?
You know, like the state's just going to go poke by
and look in your underwear drawer.
You know, it's a Monday.
Let's go check it out.
And this, like you said, this came out of an Israeli company,
but they're selling this to basically every government
around the world, is that right?
So there's a whole ecosystem of these players.
And I think we can talk about NSO kind of like as a stand-in for a lot of them.
There are certain restrictions that the Israeli government places
on, what are there, like, offensive technology sold from,
Israel. And so there's certain states, they're not going to sell to like Iran, for example,
or maybe Russia, because maybe the Israeli government sees a diplomatic risk in doing that
deal. But they sell to a lot of governments. And the consequence of this has been the massive
proliferation of this capability to governments that previously had no technical bonds. So think
about it like this. You know Neapolitan ice cream? Of course. Strawberry, vanilla, chocolate. Do you like
Neapolitan ice cream? No, I'm not really a fan. Me neither. But it's seared into my memory because
as a kid, I hated getting my hair cut.
My mother cut my hair.
And to try to distract me, she would put a bowl of ice cream in front of me.
There's always a Neapolitan.
So when I think Neapolitan, I think I was sort of hair in the ice cream.
I mean, it's just tears, terrible things.
I just missed the days of haircuts.
But let's, we're all getting there.
So let's think about these three flavors.
So, strawberry.
Governments that have a deep STEM pipeline, they've got cryptographers, they've got mathematicians.
They can develop their own technologies for doing this highly sophisticated hacking.
they can develop exploits, they can do this.
Then vanilla are governments that don't have that pipeline,
that don't have those mature security services,
but they've got a checkbook.
Chocolate is like pariah states.
Syria would have been an example, right?
Where they can't necessarily go to the open market.
They can't go to Israel and say,
hey, we'd like to buy your best toy.
And so they'll find other kind of clever cobble together.
My cousin knows computers ways of doing hacking.
But whatever the flavor, the root is like to your phone, to your webcam.
And what's so interesting about this problem set is that when,
states, especially sort of like states that don't have a STEM pipeline, suddenly get this technology,
they're like technically punching way above their weights. And dissidents, activists, and politicians
are not ready for it, right? One day their government had bumbling security service that couldn't get
its act together and was shot through with corruption. The next day, right, like, you know, their local
intelligence officer is like sitting on their phone. It's a crazy change. Okay, so who are the people
that are abusing this technology the most? Like, is this?
the kind of behemoth countries like the USA,
or is it the people who are trying to fight dissidents in their country,
like authoritarian regimes trying to fight dissidents in their country?
Yeah, the answer is like, yes.
Everyone.
And different countries have different trajectories
with this technology, but I think a lot of people listening to this
will have heard of Pegasus.
And probably in the back of their mind,
they associated either with a prominent case,
like the murder of Jamal Hashoggi,
or with the idea of spy were being sold to dictators
who then abuse it.
The truth is, there are,
two distinct piles of abuse cases.
One set come from dictators who predictably use this technology
to monitor their opposition or like the then-president of Panama,
like monitoring his mistress too and maybe his business rivals,
why not, right?
The second category is democracies or democracies on paper,
teetering on the edge of authoritarianism that acquire this technology
and the temptation to abuse it is enormous.
Think about it.
And think about what we know from history, right?
when a state gets a secret surveillance power,
they will often abuse it.
It's a matter of time.
And so what scares me about Pegasus and similar spy war
is not just, oh man, the dictators of the world
can flex their power and do so far across the constraints
of their geography, right?
But that democratic societies are also at risk
from this technology.
They're at risk because this temptation
to have a Stasi-like capability,
is just way too big.
Way too powerful.
Way too powerful.
And this is kind of a hard question, I think, to answer.
Is like, where is the line in terms of state surveillance being not necessarily okay but acceptable?
Like, nation states are going to try and monitor and track criminals and, like, terrorists, whoever that might be.
But when does that creep over the line to be they're spying on all citizens just in case you're a terrorist or a criminal?
Just in case.
You're asking a really good question.
Now, if you look at like the marketing materials for NSO
or similar categories of spyware, we've been like doing work
on this spyware for more than a decade.
And what we find is that the marketing is they call it
like lawful intercept software, right?
The premise being, well, if a police service is doing it,
it's lawful.
The implication is, well, police need to be technologically
enabled to chase bad actors down deep all the way to Hades,
right?
So it's an intuitive thing for people.
The challenge with the technology is that it often arrives into countries that don't have
anything like the legal oversight mechanisms, judicial mechanisms, warrant systems to ensure
that people in that country, like their rights, their choices about the kinds of power
that they want to give their government, are being respected.
Moreover, because the industries itself, like an absolute morass and opaque maw of secrecy,
people don't usually know when their governments are using this technology until we, my brilliant colleagues, other people who are working in our space, investigate and we find abuses.
That's a problem.
I believe firmly that citizens need to know the constraints, the limits on the power of the state.
How long are the state's digital arms?
And technology like Pegasus means that those arms are often way longer than people realize with huge implications for their.
of freedom. Bitcoin is absolutely ripping and in every ball market there's always a new wave of investors
and with it a flood of new companies, new products and new promises. But if you've been around long
enough, you've seen how this story ends for a lot of them. Some cut corners, take risk with your
money or just disappear. That's why when it comes to buying Bitcoin, the only exchange I recommend
is River. They deeply care about doing things right for their clients and are built to last with
security and transparency at their core. With River, you have peace of mind knowing all their Bitcoin
is held in multi-sid-cold storage.
and it's the only Bitcoin-only exchange in the US with proof of reserves.
There really is no better place to buy Bitcoin,
so to open an account today, head over to river.com,
forward slash WBD and earn up to $100 in Bitcoin when you buy.
That's river.com forward slash WBD.
What if you could lower your tax bill and stack Bitcoin at the same time?
Well, by mining Bitcoin with blockware, you can.
New tax guidelines from the Big Beautiful bill allow American miners
to write off 100% of the cost of their mining hardware in a single tax year.
That's right, 100% write off.
If you have 100K in capital gains or income, you can purchase 100K of miners and offset it entirely.
Blockware's mining as a service enables you to start mining Bitcoin right now without lifting a finger.
Blockware handles everything from securing the miners to sourcing low-cost power to configuring the mining pool, they do it all.
You get to stack Bitcoin at a discount every single day while also saving big come tax season.
Get started today by going to mining.blockware solutions.com forward slash WBD,
and for every hosted miner purchased, you get one week of free hosting and electricity.
Of course, none of this is tax advice.
Speak with blockware to learn more at mining.blockwresolutions.com forward slash WBD.
This episode is brought to you by the massive legends, Iran,
the largest NASDAQ listed Bitcoin miner using 100% renewable energy.
Iron are not just powering the Bitcoin network.
They're also providing cutting-edge computing resources for AI,
all backed by renewable energy.
We've been working with their founders, Dan and Will, for quite some time now,
and have been really impressed with their values,
especially their commitment to local communities and sustainable computing power.
So whether you're interested in mining Bitcoin or harnessing AI compute power,
Iron is setting the standard.
Visit irin.com to learn more, which is iriareen.com.
Can I, this is a little bit of a tangent,
but I'm sure you followed the Tucker Carlson story.
I don't know when this was maybe like a year ago.
I think it was when he was going out to Russia to interview Putin.
and he claims that his signal account was hacked.
I personally highly doubt that.
I assumed at the time that that was actually
that he had Pegasus on his phone.
Do you know what the likely scenario that was?
It's an interesting question.
So one caveat, which is,
I can't speak about cases that my colleagues
or I haven't looked at,
but I don't know what's going on there.
But what I can tell you is
governments everywhere have an appetite
for using this kind of technology.
And if there's one thing we know, it's that you, especially if you're a prominent person, may have multiple governments that are interested in you.
So we talk about proliferation, like a term from the monitoring of like the proliferation of arms, right?
Like it's a bad thing.
Like if sophisticated weapon systems go everywhere, conflicts are bloodier and there are more of them.
It's like an axiom.
I think the same is true for sophisticated surveillance powers.
And my view about cases like what Tucker Carlson claimed and others have said,
is that if you are sideways to the interests of a state right now,
and that state is technologically enabled
with this kind of powerful stuff,
there's like a reasonable chance that something is on your device.
And the thing is, you won't know.
The absurdity of the scenario right now is
there's no commercial tool you can buy
that will protect you from this.
There's no third-party app that you can put on your phone
that will scan it and tell you with high confidence
you're clean or you're not clean.
And so you have a scenario
where people are walking around with the awareness and sometimes without it,
somebody could just be in my shit at any time.
That's dangerous.
It's dangerous to thought.
It's dangerous to the ties that bind us together,
our ability to safely share what we think,
our private explorations of knowledge and ideas on the internet,
and ultimately it leads to self-censorship.
And it's not like an abstraction.
So the movie, The Dissident.
I've not seen it.
Brian Fogel, really good movie.
That movie.
had a huge, huge challenge getting picked up by American distributors. Vogel was just coming off an
Oscar for another movie that he'd done. Why? Well, it did the story of Jamal Khashoggi getting hacked
with Pegasus. Or excuse me, people around Jamal Khashoggi getting hacked with Pegasus.
We don't know the status of Jamal's phone because it's in the con, says he like the
Turkish authorities, but everybody around him seems to have been targeted. His wife, his fiance,
his friends, his colleagues.
why didn't that movie get picked up?
They don't want to get out that.
Well, I think movie executives
were themselves terrified by the story of Jeff Bezos, right?
The idea that your business too
could be rifled in by Saudi Arabia,
even if you're sitting pretty in a studio
in Southern California
and enjoying the Clement Breezes of Malibu, right?
You still ran the risk of your personal world
being dumped out on the, you know, shiny,
aluminum table of a dictator's security services halfway across the globe and then have that
used against you.
This stuff has huge global implications because of that idea that they can sort of project power.
We talk about proliferation a second ago.
We view the proliferation of ballistic missiles as generally a bad thing, right, because of their
range in part and because of the things that they can carry.
Well, spyware has like infinite range, right?
This is terrifying.
It used to be that if you were a dissident, like in Egypt, for example,
you could seek the protections of geography.
If you could get out of that country,
you could go somewhere.
You go to the United States,
and you could be reasonably safe.
You weren't going to have 15 Egyptian security officers
in ill-fitting trench coats and polyester suits
following you around in like Memphis, Tennessee.
Couldn't happen.
That's not true anymore, right?
You have this thought in the back of your mind.
If you're a dissident, those...
You can always be touched.
And if not me, it's my spouse.
It's my friends.
it's the global village of people who I'm in touch with.
That's a terrifying and dangerous reality.
So in that reality, is the only solution if you're like a high-flying tech executive,
if you're like a politically exposed person, you're a journalist who's like writing about whatever,
to just not have a phone?
Except that's impractical.
And so the reality is everybody's got a phone.
Most people don't know like the status of their phone, but they think about it.
Somewhere, whether it's a pebble in their mental shoe or,
a general sense of foreboding.
So we check hundreds, thousands of people a year.
We screen them for a spyware like Pegasus, Paragons,
graphite, predator, all kinds of things.
Something really interesting happens
when you check a person's phone for a spyware
and you give them the result.
I thought when I first started doing
like large-scale checks with my colleagues,
you know, I have these incredibly brilliant colleagues.
And one of my colleagues, Bill,
developed an amazing technique.
that we automate for checking phones for mercenary spiral
like Pegasus, Android's iPhones.
I thought, okay, the super majority of people we check
are going to be negative.
They're going to be clean for the things that we check for
according to what we know, right?
Like it's very possible that there are things
we don't know to look for.
And I thought, well, people are going to feel like
their time is wasted, right?
I'm wasting people's time.
I've convinced them to get checked, right?
We've got a line of people, and I'm giving them,
like, in my mindset, the bad news
that they wasted their time.
most people like getting a result,
and they like getting a clear result
because they have carried with them,
whether they realize it or not,
some baggage.
Some baggage, bubbling in the lower bits
of their consciousness are way up front.
And suddenly we can say, look, now you have knowledge.
Now the really crazy thing is I was equally afraid
of having a scenario where I would have to tell person
the bad news, which I do every year again and again
and again, whether it's a phone call
or it's an in-person conversation.
I have to tell them, listen, you didn't know it at the time,
but your digital world was not your own.
There was somebody in bed with you when you were talking with your spouse.
There was somebody in the room when you were taking a ship.
There was somebody watching as you were thinking about your finances or your health.
There was somebody looking at you as you were trying to understand the challenges of your adolescent kid, right?
It is very traumatic to receive that news.
But there was this one moment.
So I was doing an investigation with my colleagues into the abuse of Pegasus, SpyWor,
in Togo, small country in Africa.
If Africa is like an ice cream coming with two balls,
Togo is sort of on the second ball,
it's kind of overheard, very, very small,
little notch of a country, French speaking.
And I had to call up a bishop, a Catholic bishop,
and let him know that he had been targeted with Pegasus.
I'd never called a bishop before.
What's that conversation like?
So I calm up.
Introduce myself, I gave him this result.
is this sort of long pause.
And I don't know what to do with myself in this moment,
feeling everything.
And then he thanks me.
And he says, I'll never forget what he says.
He says, thank you for bringing me this truth.
In a dictatorship, we don't have a lot of it.
And it's like being in a place without a lot of oxygen.
You just gave me a breath of truth.
You gave me a breath of oxygen.
Thank you.
That's super powerful.
It's funny, when you were sort of started that,
I thought you were going to say something different.
I thought you were going to say,
when people receive the result and it's negative,
they would be disappointed in the sense that maybe I'm not pushing hard enough.
Like, I thought they would be watching me.
Some people are.
And there's like a category.
We should find out.
Should we?
Can you should find out?
So maybe, I would love to do that.
Can we do it now?
We can do it right now.
How long does it take?
10 minutes, 15 minutes.
Let's do it.
Should we do it?
Should we break and do it?
And then we can see what we're going to do.
We're going to check you.
And we're going to have to turn these things off.
Yeah.
Is that because what you do is...
So the challenge, it's like doing a rapid test for, like, I don't know, strep throat.
The difference is that, like, strep can read all the scientific papers, right?
It would be as if strep was, like, looking at how the test work and it was like, all right, I got to change myself a little bit, right?
So there's some chance that somebody from NSO, hi guys, is watching this conversation, hoping that I would.
hoping that I will emit a little signal that lets them know the ways that we're checking.
So we should turn things off from it.
We can do a check, have the process bubbling along, and then maybe a little bit later get your result.
All right, let's do it. Let's break it.
All right. So we were in, you've got your thing running away.
We're going to find out if Pegas is on my phone.
Answers are about ready.
I seriously doubt I have Pegas on my phone, but I'm excited to find out.
I don't think I'm the kind of person that anyone would want to target.
Let me just do the weirdest thing and be the one asking you a question for a second,
which is, I think part of the value of this for people who are watching this is most of us go around
every day without the knowledge of what's going on on our phone.
Yeah.
And maybe they're wondering right now, like, is Pegasus on my phone?
And if you're watching this, like, take a minute to think about what you're feeling.
But what are you feeling right now as you're thinking about this?
Like, what is this triggered in you?
Honestly, I think I'm probably treating it quite flippantly because I'm very confident it's not going to be on there.
Like, I don't think I'm interesting enough to anyone for it to be on there.
Yeah.
But, like, we might turn out to be a really naive take.
But maybe that comes down to, like, who are the people being targeted?
Like, yeah.
Like, would it ever be just, like, a relatively, like, just a normal person?
Absolutely.
And I've talked to a lot of them.
Here's the thing.
So, it's, like, dating in your 20s in reverse.
So when I was in my 20s trying to date, I was often saying,
it's not you.
It's me.
Right.
Spy was the other way around.
It's not me, it's you.
You are as interesting and as likely to be targeted
as the most interesting person that you know.
Why is that?
Well, think about it like this.
If I'm a government and I want to catch you
in unguarded moments, I want to know what you think potentially, right?
I've got a set of questions about you.
Maybe you're being careful.
But are you forcing, are you enforcing that carefulness
on everyone around you?
No, it's impossible.
And so we would call this off-cent.
you're targeting. It may be that you are at your most unguarded when talking to the people
around you. I think that probably be true to almost everyone. Exactly. Because we exist in
communities and groups, like one of the biggest challenges that I think people have when they
sort of get interested in privacy and safety is they think about it in this frame of like my phone.
How locked down is my phone? But every conversation happens with another person or a group of people.
How locked down are they, right? You can't really ask them to be as obsessively locked down.
as, you know, the Bitcoin core woman who's got, you know, she got graphene, and she's like only,
you know, she's compiling everything herself and she's verifying all the builds, right? Like,
that's not reasonable for most people. And the economics of spyware benefits from that fact.
There's a second category of risk from this technology, which is it keeps showing up being used
by actors that didn't develop it. What do I mean? So twice now that we know about, thanks to some research
from Google's like threat analysis team.
Exploits, which are the techniques used to put spyware on a device.
Yeah.
Very sophisticated exploits, we call them.
This gives like zero click, which means there's no interaction required by the victim.
It's just like one minute you're chugging along, the next minute your phone is hacked.
Oh, so I had the complete misunderstanding about this to say.
Oh, let's talk about this.
Because I thought this was coming from, like, dubious emails that you accidentally click away,
and that's how Pegas has actually got on your phone.
Let's pull back for a second.
So back in the day, it did.
Back in the day, the way that you would infect somebody with Pegasus, typically,
by sending them a text message.
So in the earliest days, our earliest investigations,
the biggest one that we did, me and a group of my colleagues
and then collaborators at three different Mexican civil society organizations.
So organizations working with dissidents and journalists,
organizations working with the families of people who have been disappeared by cartels.
We found that the Mexican government had been an extensive abuser of Pegasus by
were. How did they infect people? Well, they would send them text messages. Well, if you're sending a person
a text message and you're a hacker, you really want them to click and you're a government, you know a lot
about them. So the messages would be like hyper-personalized. Maybe it's like, hey, your name just
showed up in a news article, check this out, right? Or a message appearing to come from the phone
company about your phone balance. You're running out, right? Or, hey, name, your daughter,
correctly name, just got in a graphic accident. I'm just letting you know, she's in this hospital.
here's the map point to it.
Right?
That shit happened.
Or, yo, name.
I just saw your wife having sex with somebody.
You're not going to believe this.
Here's the video, right?
Very personalized, very deeply enmeshed.
That was true for years.
And for years, the way that we would find Pegasus
was actually by looking for the targeting, right?
Now, when they would infect a phone successfully,
they would often delete the message.
But the infections didn't always work.
They weren't always careful about it.
And so we would find,
of like, you know, you find like the, like the burglar has left his skeleton key in the door, right?
But starting in like the end of the 19th, at the end of the teens, NSO started selling zero-click capability.
So this means you're just chugging along and then your phone is compromised.
Nothing you see, nothing you do, no flickering screen, no sudden drain of battery, no warning sign, no link to click, no attachment.
to open. You're just compromised. And do we know how they actually do that? We do because we keep
catching them, despite their claims about being untraceable. So in 2019, we worked on a very big case
where NSO was providing a technology that allowed for hacking people through WhatsApp.
In this case, it was through like a missed video call. And the first case that we really came
across was a lawyer who was representing other Pegasus victims. And, and, you know, and, you know,
And he was like having these weird half dreams where he would like wake up in the middle of the night and there would be like a notification on his phone like missed call.
And he'd like, all like figure it out in the morning.
And then he'd wake up and the notification would be gone.
And he probably thought, you know, maybe I'm going bananas.
Like I've got a, you know, tone down the ambient dose here.
It turned out that and so it had acquired a very.
sophisticated exploit and done a lot of development work on it. And this allowed them to use WhatsApp as the
means of entry onto the device. And then they would put the spyware onto the device. So what they'd
figured out was like, you know, when a phone connects to their phone on a WhatsApp call, right,
there's a bunch of stuff happening. It's like a hand check, like a modem tone for those who were that old.
You could put all kinds of other stuff into that communication that would be the leading wedge of
infecting a device. And what we've seen time and time again is that companies,
like NSO and others, look to popular chat programs,
IMessage, WhatsApp, FaceTime,
Cicine, calendar sync things that have a cloud component
and a discovery component where devices are a little vulnerable
with each other, right?
They're exposing something.
They've got to do something.
They've got to pass an avatar of the caller to the other phone.
They've got to do something during that call sequence
that they can then target for developing
sophisticated means to put spyware on a device.
But it means that there's nothing behavioral that you can do to protect yourself, which is a
banana's reality.
And it's why this stuff is so concerning.
It really is like push button, I'm in your closet, in your underwear drawer, in your business.
Yeah.
So, I mean, that's terrifying.
And you have checked hundreds, thousands, however many devices.
Have you ever been targeted by any of these things?
So there's sort of an interesting thing that's going.
going on.
Because you must be a massive thorn in their side.
They'll know about you for sure.
Yes, we're more than a pebble in this shoe.
Me and my very talented colleagues.
I'm going to take a story.
2019, a colleague of mine, Bahar, gets a guy reaching out to him and is like, hey, I would like
your help coming up with a project to provide financial solutions to unbanked refugees,
which is a noble idea.
Bahar, refugee from Syria himself.
was interested. So he takes a meeting with this guy, goes to a fancy hotel, have a meal.
But in the course of that conversation, the guy starts asking some really weird questions.
What's your father's name? What's your mother's name? Tell me about your religion, right? All this, like, weird. No investors asking those questions.
Bahara's backstory is that he had been imprisoned and tortured by the Syrian regime before he successfully fled.
He knew what it was like talking to an intelligence operative. He smelled it. He could feel it. And so he listened.
He listened, excused himself, and called me and said,
John, I think I was just in a meeting with his spy.
So we immediately started digging into this guy's identity,
and we discovered he was a ghost.
The name wasn't real, profile picture, the company.
None of these things seemed to really exist.
So who had targeted my colleague?
Well, we were about ready to have a story published about this.
The thinking was, you've got to protect others
from whatever this is.
It's going to be a story, like a blind story, like, you know, researcher targeted by unknown person.
And then I think it was the day that the story was going to get published, I get an email in my inbox.
And it's like, John, you've used this technology to do aerial mapping, which was something I was doing for PhD research a long time ago.
I am an investor in Africa.
I'd like to use your technology, which was kite aerial photography, which was cool before drones, right?
I like to use this technology to map my, like, big investment.
Would you like to have a meeting?
And I was like, shit, okay.
You know who else is being targeted?
it's me. Maybe there's what we do about this. Let's run this back on these people and figure out who
they are. So we played along. We arranged the meeting and we went to it. Want to hear what happened?
Of course I want to hear what happened. So I'm not a spy and I don't know how spies think,
but you know, I've read a few books and I realized I had to, along with my talented colleagues
and helped from some journalists, think like one and had to be a version of myself.
that would be compelling to this person.
I can't give up the game, right?
Like, I'm like an academic.
How am I supposed to do with this scenario?
Like, I'm not made for this.
Made like a necktie camera.
Because I was like, I can't go buy something, right?
Because like he'll recognize it, right?
If I have like a spy pen or something,
but I got to record this.
So I ended up working with a group of journalists
from the Associated Press.
And we're like, okay, let's play this along
and have a meeting.
So we did.
The Peninsula Hotel, Swank Hotel in New York City.
Come to this meeting.
And there's this guy, the invest.
right? And you'd made your own tie camera? I had like modified a sort of a nanny cam into a
necktie that I bought. I love that because I was like, well, I have to make my own thing,
right? But the hilariousness of this is I broke on the on the taxi ride over, I broke the
camera like I separated it from the hole that I had made in the necktie. Luckily,
I was bringing a group of journalists with me to the restaurant. They were already going to be
there covertly monitoring. We were going to be recording. I had like recorders on my body.
So we were able to capture this whole meeting. The transcripts online if anybody was curious.
So go to this meeting and it's an hour of like get to know you and this and that.
But the guy, a little bit like pieces of bad driving keeps deviating from the kind of like friendly
get to know you thing into a couple of different conversational paths. The first thing that he does,
his first conversational gambit is to try to get me to say something racist, which is bananas,
Almost like the first thing out of his mouth is to try to goad me into saying something really racist and offensive about how Africans speak French. I'm not going to say it. Racist and offensive. And I'm thinking like, okay, I have to like play it cool. Can't, you know, play into this thing. But like, wow, this guy is clearly thinking like he's, he wants this conversation at any given moment if it has to stop. He wants to have his stuff, right? He would be recording me too.
Oh, you're trying to get it really early in the conversation. Yeah. I mean, like, you know, you get your first bit early and then you try to develop more things, right? So, and the hilarious part is,
the guy was so, in his own way, like, bumbling.
He had index cards in front of him.
And there were three colors, green, yellow, and red.
And when he was asking me mundane questions,
he was, like, working from the green index cards.
And it was like, so, tell me more about, you know, this.
And then, like, he'd, like, cut in with a yellow card, right?
And then, like, you know, into the red cards.
And the red cards, like, the stuff that he was trying to ask about
was he was trying to discredit our work.
Okay.
And when he wasn't trying to do that,
he was trying to find that information about our work on like the case of jemal hashokji he was trying to get
sensitive information about the lab and i would sort of like have to give him little conversational
gambits like i'd be like well you know how is the life of that well you know we've got a lot of
drama oh drama he tells me i love drama tell me more right and then i have to sort of chase lee
pull it back so we played along like this for an hour and like a half the whole time is like
encouraging me alcoholic try the cognac right like um i don't drink which you didn't know
definitely put him at a disadvantage.
And eventually I get like a frantic text message
from the journalists who I'm like studiously trying
not to look at, right?
Yeah.
He hasn't noticed either.
They're like, our batteries are running low.
Like we've got to wind this thing up.
And what I didn't know at the time was,
they were like on a journalist budget
and all they could afford at that restaurant
was like one fish cocktail.
So like two guys sitting at a booth behind me,
like eating a fish cocktail.
For two hours.
Like an hour and a half,
like, sipping their ice water.
So we're, we're just,
we wrap it up, I try to distract him, and I get him looking at the window, I'm like, you know,
kites in Africa, like, well, if you just look out the window over here, right? And he then turns
back to discover a journalist and a cameraman, like, in his face. And of course, it's like game
over for this guy, right? It's panic. He, like, the journalist, like, so what are you doing?
He's like, I know what I'm doing, right? And he sort of panics. He asks, you know,
did you get permission to film this? And then he, he, like, almost knocks over a chair in his
haste to leave the restaurant. But he'd forgotten to pay the bill. So the guy has to turn on his
heel, come back into the restaurant, followed by a reporter, a cameraman, me with my GoPro,
all peppering him, that I've been pulled out of my pocket, right, all peppering him with
questions like, who are you? Do you work for, you know, the black, this is an organization called
Black Q, which we'll talk about in a second. And so the poor guy's like time, pay the bill.
And then he hides in a back room in the restaurant, closes the door. And it's like, okay,
We've done as much as we can here, like, we can't pester this guy further.
What we didn't know, but learned shortly thereafter, from the news reporting,
was that the guy was an ex-Israeli intelligence official,
and that he was working for Black Cube,
which is a private intelligence firm that,
a little bit like NSO performs, like being, like, super competent, super secretive, right?
And we know this in part because one of the private investigators that his team had subcontracted,
who was also, we learned later running surveillance on the meeting,
became a whistleblower, told his story.
And eventually it becomes somebody I know and has told me the whole story.
It's also in publications.
It's in a book by Ron and Farrow.
This stuff is all public knowledge now, which is why I can say it without fearing a defamation lawsuit.
And is that video online?
It is.
in this interview. You have my permission. Perfect. Let's go.
I witnessed a foreign private intelligence agency running around New York City as if it's some
spy playground. If I'm getting the geolocation of your cell phone and you're not willingly
providing that, then we're breaking some laws somewhere, right? I'm a licensed private investigator.
He was a subcontractor for a private intelligence firm called Black Cube. Black Cube is an organization that
It's a mercenary in the spy business.
An elite Israeli private intelligence agency.
Harvey Weinstein hired Black Cube to help him investigate his enemies, the women who were
accusing him of rape, and the journalists investigating the situation, especially Ronan
Farrow and Jody Cantor, who both won the Pulitzer Prize for their reporting on Weinstein.
I didn't know who the client was, there was always a mystery.
We're going to follow Jody Cantor.
New York Times reporter and he explained to me that we're interested in her sources.
Here's a heads up. We're going to follow another reporter.
Ronan Farrow. Harvey Weinstein had sources. He had rats in like all of the media.
Specifically had us do surveillance. He told me that they're going to use the geolocation
feature to find out where Ronan is. Ronan's phone was in this area between, you know,
for at least a two-hour time period.
that the point of this tracking is to kill the story,
to suppress journalism.
Once Igor figured out what he was doing,
that he was helping Harvey Weinstein,
he had real concerns about that.
I felt like we're doing something that's very unpatriotic
by following journalists to find out who their sources are.
Sort of independently decided he was going to come forward to this.
I called Ronald Farrow and I said,
I thought I gotta tell him that he's
being followed, that he was followed. I was in the crosshairs of, frankly, an insane international
espionage operation. Black Cube wanted to give him a polygraph exam to see if he was, for instance,
working with Ron and Farrow, which he was. And I totally freaked out. I didn't know what to do.
The whole Weinstein case was done under my license. You know, I'm the one who should be scared.
If you already self-custody or Bitcoin, you know the deal with hardware wallets.
complex setups, clumsy interfaces, and a seed phrase that can be lost, stolen or forgotten.
Well, Bitkey fixes that.
BitKee is a multi-sig hardware wallet built by the team behind Square and Cash App.
It packs a cryptographic recovery system and built-in inheritance feature into an intuitive,
easy-to-use wallet with no seed phrase to sweat over.
It's simple, secure self-custody without the stress, and time named Bitkey one of the best
inventions of 2024.
Get 20% off at BitKee.world when you use code WBD.
That's B-I-T-K-E-Y-D and use code WBD.
One of the things that keeps me up at night is the idea of a critical error with my Bitcoin
cold storage.
This is where Anchor Watch comes in.
With Anchor Watch, your Bitcoin is insured with your own A-plus rated Lloyds of London insurance policy,
and all Bitcoin is held in their time-locked multi-sig bolts.
So you have the peace of mind knowing your Bitcoin is fully insured while not giving up custody.
So whether you're worried about inheritance planning, wrench attacks, natural disasters,
or just your own mistakes, you're fully protected by Anchor Watch.
Rates for fully insured custody start as low as 0.55% and are available for individual and commercial customers located in the US.
Speak to Anchorwatch today for a quote and for more details about your security options and coverage.
Visit anchorwatch.com today. That is anchorwatch.com.
Do you wish you could access cash without selling your Bitcoin? Well, Leiden makes that possible.
Ledden of the global leader in Bitcoin-backed lending and since 2018 they've issued over $9 billion in loans with a perfect record of protecting client assets.
With Leden, you get full custody loans with no credit checks, no monthly repayments, just easy access to dollars without selling a single sat.
As of July 1, Lennon is Bitcoin only, meaning they exclusively offer Bitcoin-backed loans with all collateral held by Lennon directly or their funding partners.
Your Bitcoin has never lent out to generate interest.
I recently took out a loan with Leden and the whole process couldn't have been easier.
It took me less than 15 minutes to go through the application and in just a few hours I had the dollars in my account.
It was super smooth.
So if you need cash but you don't want to sell Bitcoin, head over to leaden.io forward slash WBD and you'll get 0.25% off your first loan. That's LEDN.com.
That's a wild story. It took a while. You know, feel free to cut as much of this out as you'd like and just use the...
I don't want to cut any of that out. That was brilliant. The footage is there. So this is 2019. Obviously, long time's past since then.
Yes. I'm sure you are pretty considered about like how you...
how you travel the world, how you live your life.
Yeah, that's right.
Has there been anything since then?
So I don't want to say too much about more recent things,
but we're obviously extremely vigilant to this.
But there is another kind of protection.
Before 2021, the only problem that companies like NSO had
was like researchers, like us, blowing the whistle.
Since that time, a bunch of things have happened.
NSO got itself sanctioned by the U.S. government.
Suddenly, we weren't its only problem.
And there's now what I like to call an accountability ecosystem
of like dozens of organizations that do legal work,
that do advocacy, that do research, they do technical work,
also all investigating the mercenary spyware world.
And so whereas some years ago,
we might have been like a narrow point of failure,
we now have a protection in this amazing kind of network
because suddenly, like, take one out,
there are others.
Sorry, remind me the name of the company in Israel.
Black Cube.
Not at all the shitty name.
The one that developed Pegasus.
The NSO group.
So you're saying they were sanctioned by the US.
But you sent me an article a few days ago.
Haven't they just renewed a contract with them?
Let's talk about that.
Yeah, let's.
You tell me what's going.
So for like, so I started working on this topic in like 2011, 2012,
long ago.
Did a detour work to Google for a bit?
came back into civil society full-time.
During that time, a relatively small group of people,
some very brilliant colleagues of mine,
our director, Ron Dibert,
we have been shouting, and it feels like shouting into the wind
about this problem set.
And it hasn't really had the impact that we wanted,
which is conferring some kind of like major protection.
Partly because a lot of governments
like the existence of this industry,
or at least their security services do,
because just like arms dealers, right, they're useful.
If a government, you know, would come to like the US or, I don't know, Germany and be like,
hey, we want to cooperate with you.
Like, can you give us your sexy tools?
And of course, the US is like, no, no, no, we can't do that, but we know a guy, right?
We'll put you in touch. And maybe they'll do it, right?
And Israel managed to use spyware, so Haritz, the Israeli publication, use the term
spyware diplomacy, right? A lot of governments want this stuff. It seems like an oxymoron.
And for them, and for the most part, like, the security voices had the ear of politicians.
And what they were sort of saying to politicians, lawmakers was like, look, we're doing secret, spooky business.
It's in the net interest of us and our country that things stay secret and spooky.
But something happens. And this is not at all a big surprise. So if you take a like a pie chart,
Like, take a core sample of who's being hacked with like Pegasus on a Wednesday, right?
Well, who's in that pie?
Obviously, you know, the cases that we work on in our mandate, activists, dissidents, journalists,
political voices, artists, truth-tellers, whistleblowers.
But a major slice of the pie, maybe the biggest slice of the pie, is government on government.
Of course it is, right?
If you're a government, even if you acquire this technology, which is marketed, it's like
the marketing frame and the justificatory frame of these kinds of,
It's like, we're here to help you solve serious crime
and track terrorists.
But the open secret is that this is an espionage technology,
and the primary business that governments make with this
is hacking other governments.
Now, governments are gonna hack.
They're gonna hack each other, right?
And I guess it's almost like-
I don't play a violin for those governments,
but it pisses governments off if they discovered it.
The major inflection point was the US government
realizing that their diplomatic personnel were getting hacked.
in spades and not just the US government.
We made the phone call to the UK government
to be like, by the way, we found evidence of an infection
on the networks of number 10 Downing Street, right?
And suddenly it became clear that government's willingness
to just totally ignore the problem as a problem
and treat it as like a secret thing
was gonna have consequences for them too.
Yeah, because if someone has it,
they may as well have it too.
And basically it's like any other game theoretic problem, right?
Like you can only only
in this case, like, you can only allow this industry to proliferate so far before the pee in the pool begins to fill the rest of the pool, right?
Like before we're all swimming in it.
And suddenly governments were seeing a security and a national security problem, not just a benefit.
And that was like the major inflection moment.
Now, the question that you asked me was like, so fast forward to today, like, what's with this news about like the U.S. government doing business with spider companies?
Well, during the past administration, there was, I think, a very strong, clear-eyed awareness of the national security risks that the proliferation of this technology posed.
And the truth is, like, America's got pretty good, you know, this from Ed Snowden and others.
America's got, like, pretty good skills, right?
Like, in theory, America doesn't need the existence of these mercenary players the way that, like, if you're Togo, you might, because you're not going to develop that in-house.
And so it's not entirely surprising to me that the U.S. would have seen this problem set as, like, okay,
this is not in our interest to have NSO being a cowboy selling this technology to all these governments.
We're going to hack us, right?
Like, we don't like this.
And moreover, right, it's going to misalign with, where then the foreign policy objectives of the United States.
Like the U.S. doesn't want, you know, democracy activists having all of the work that they've done eroded.
What has changed?
Well, if you're a spyware company, what's the big prize?
What's the market prize for you?
It's not selling to dictatorships.
Selling to the U.S. government?
selling to the US government, biggest possible client, and a big brother of protection, right?
Yeah.
How do you deal with the fact that you're pushing right at the edges of the law, right?
You're buying exploits potentially from like Chinese hacking groups that are also linked to the Chinese government.
Or maybe you're connected to really shady characters.
Maybe you're doing cross-jurisdictional business that could be considered like money laundering, structuring, right?
You're living in the grays.
You need protection.
And so NSO group and others have paid untold amounts of money to lobbyists,
to formers in government, to try to convince parts of the U.S. government,
like, put their arm around and be like, listen, we're friends, right?
Buy our stuff.
Well, it didn't really work out that way for NSO because of this sanction.
But in 2019, something else happened.
A company called Paragon, another P.
Right.
Was founded, also in Israel, with some American venture capital backing.
two founders or co-founders.
Was this palantir backing?
It was like there's a whole ecosystem of private equity
that I think kind of enjoys the sexiness
of like pushing it edgy surveillance things.
Like they kind of like it, right?
It's like Walter Middy, but for like espionage and surveillance.
So who are paragons like, you know,
among the co-founders and co-founding board members?
Former Israeli prime minister.
Hu Barak, Ehud Shornsen, former head of Unit 8200.
Big names, and their whole pitch was,
we're going to be stealthier than NSO.
Like, we're not going to get caught.
Unlike those NSAO people who keep getting caught
by Citizen Lab, right?
Like, government, are you tired of getting your shit
discovered again and again and again hundreds of times?
Right, like, don't worry.
We've got a cooler, a lighter touch technology.
And by the way, that means it's less invasive,
more likely to comply with your laws.
And we're ethical, right?
By our ethical mercenary spyware.
So Paragon made a big push with that narrative during the era when NSO was in the biggest reputational soup and their fortunes and valuation were falling.
Like, NSO's debt lost like 80 cents on the dollar after a string of things, including U.S. government action.
Like all of the advocacy work that had happened didn't much touch it.
Entity listing, having it publicly disclosed that they hacked the U.S. government.
That was like game over, right?
And like, people lost money.
Now, Paragon's narrative is like, we're the solution to this, right?
All the good stuff, none of the bad.
And that narrative sort of worked, I think, on the U.S. government because the part of the government wanted to believe that there was like a way for this industry to exist and be shaped towards better.
What happens?
Well, towards the end of the Biden era, somehow, somewhere in the Department of Homeland Security and ICE, immigration and customs enforcement, there is a deal.
done with Paragon, which is like mana from heaven for Paragon, presumably, right?
Like, okay, we get our kind of wedge in.
And by that time, the US government had an executive order on spyware that required review
for national security, counterintelligence, human rights issues.
So when the US government learns about this, they're like, okay, stop work order on this
contract.
We're going to have to seriously review this.
Now, we've talked about security problems.
talked about human rights abuses, but there's also this counterintelligence problem, which is,
like, if you're using spyware developed by foreign developers, well, that's a huge problem, right?
The U.S. Air Force would not field a Chinese stealth fighter for obvious reasons, right? There might
not be a Chinese spy sitting in the backseat. Similarly with spyware, if you're using
technology developed by somebody else, right, you have to assume that at minimum they have a special
insight in maybe how to find it. But there's, of course, more, which is,
if that company is plugged into the US government,
there's gonna be information flowing back and forth, right?
Even more concerningly, they're selling to multiple governments,
which means that multiple governments may have a special insight
into the things that the US government is doing
with its spiral deployment, with this Paragon,
Spiro's called Graphite.
Now, all of those seem like pretty strong reasons
to do like a scorched earth counterintelligence assessment.
And it seemed like Paragon was like, you know,
wallowing in this, but then something changed.
We just got an announcement that the stop work order was lifted
on that Paragon graphite contract with ICE.
We don't know this because they told us.
We know this because a journalist named Jack Paulson
spotted the stop work order lift in the federal contracting database.
Now, the real question here is,
is this kind of technology like, does it align
with values that Americans would recognize?
Is it dangerous?
to American values.
Do Americans believe that there should be this,
like, secret, unaccountable, hidden surveillance technology?
I think many Americans, if they kind of had it laid out,
would be like, this feels dangerous.
Absolutely.
This feels like it doesn't align with the Constitution
as I understand it.
And so, obviously, we've spent the vast majority of this
now talking about Pegasus and Paragon.
Yeah.
Can we take it a little further into sort of general state
of surveillance?
Yeah.
Because the question I would have is, like, how do you view the, like, the new technologies, things like AI in terms of surveillance?
I'm fucking terrified.
Let's start with the thing that I know best, which is my little world.
Me and my colleagues tracking spot runs around and stuff.
Well, okay, so if you hack a person's phone, you're doing it because you want data from that phone, right?
Maybe you're doing that top up that we were talking about earlier.
You need to move a bunch of data from the phone.
And then you're going to go analyze it somewhere else, right?
So it would be like, I've got to, you know, photocopy every page of every document in your house,
and then I've got to somehow, you know, sneak that bag out of the window, right?
Well, with the arrival of on-device AI and sort of private enclave cloud AI,
I think there's a real possibility that now an attacker just needs to talk to that AI and be like,
hey, go find every instance of this word, or go find only the communications of this person,
go find only the videos featuring this person's voice.
And suddenly, instead of having to export like a couple hundred megabytes of stuff,
which might be detectable by some vigilant network monitors,
I'm sipping like 12 kilobytes, right? Tiny little information.
Or I could just say like, hey, I sit on there and monitor and let me know
when, you know, Danny reaches out and talks to this person.
So I think it has immediate potential to change how difficult it is to, like, move stuff
and how easy it is to remain undetected,
I think that's kind of only the beginning.
Processing the information, understanding it,
it's going to get worse from there.
We can pull out the lens a little bit further
out of spyware as well.
One of the great challenges that you have,
if you sell spyware, is like having reliable working exploits, right?
You've got to have these, and these are like,
they cost millions of dollars.
They're highly sophisticated code at this point, right?
Part of the consequences of our work and efforts by Apple
and others has been to drive up the cost now.
Exploid discovery.
involves a lot of work.
Some of that work can be done, I think, by AI.
Sure, you can use it for a defense as well
and finding stuff, but like, balance.
Because it's just great at passing massive amounts of data.
It is really good, and at trying lots of things
in lots of different ways.
And that's kind of intersecting with other realities
about the abilities of virtualized,
different kinds of self-in-operating systems.
So just there's a real danger there.
And there's a danger that the problem expands out
from the kinds of like very sophisticated spyware
that we find that we're working on it.
And we're talking about here.
The second kind of layer of this problem set,
as I see it, is with tech, it's like everything new is actually old.
And people now, many of them have invited a new chat window into their lives
where they talk to somebody else's computer.
And that computer gives them answers.
Now, we could talk for a long time about the sort of concerns about what that means for
like the safety of your cognition, right?
Your ability to really know what you feel and know which thoughts are yours and are you going
to get one-shoted by a system designed to butter you up and keep you chatting with it.
But the other component of this is that those systems are also getting a unique visibility into people's lives and thoughts and the things that they're doing.
It's a huge data flow.
Totally.
And that is like back to your analogy of that, like the burglar and the house.
It's almost like you're passing the burglar, whatever it is in your house out the window.
And so the first point you made there is interesting.
I've not heard that.
The second point was really the thing that I have been thinking about in the sense of like are we just giving up all this mass amounts of.
personal information to corporates and do we go into a world of sort of corporate surveillance,
the corporate Penocticon.
We're there.
We live in a world of corporate surveillance.
And what is absolutely infuriating is that the corporate surveillance machinery was designed
to sell you stuff to better understand behavior, to better sell advertisements to sell
you stuff, right, like you're turtles all the way down.
But of course, that whole machinery is like catnip for an intelligence service.
10 years ago, if you wanted massive data collection people, you had to build that system.
Now you go to advertising exchanges.
You get that data. You get that analytic data.
Like, you want to know where people are, right?
Like, all of that data flow that was once also the purview, only of the states that built it,
is now available to anybody that can pay for it.
And that means that many of the legal protections that were, like, sort of carefully honed
in any given, like, country about what governments can collect, how they can collect it,
how they can retain it, who has to review it.
Like, none of that matters if you can just go use your credit card and get, like, you know,
80% of the places that Danny went with his phone from, like, a shady, you know, third-party
data broker, right?
And even more scary, a bunch of those data brokers will sell to, like, China or other
adversarial regimes.
And so if you're a government now, you don't just have to worry about, like, foreign spies
following your shit.
You've got to think that, like, you're actually, like, all of your people, all of your actions,
like, it's super legible.
That extends all the way down to you and me, but it's fiendishly difficult.
Like with spyware, okay, I find spyware on your phone, right?
You're going to get your answer later in this conversation.
Maybe we can figure out who did it, and maybe we can trace some lines to that.
But with data brokers, like, how would you know that it was data broker X?
Like, what is the chain of the six intermediaries through which your data flowed that eventually resulted into being used against you?
That's just a black bag of who knows what?
It's a black bag of badness.
And what we have created is like, it's just like a million honey pots for a thousand bears.
All of them just stuffed with every possible kind of personal data.
And I am deeply personally angry that so many very talented people built these systems
designed to monetize behavior without thinking for a second that they were creating a parallel
structure of control, a parallel structure of monitoring that is now with us.
Now, if you take that, I would say increasingly mature structure, and you bolt it into the world of AI and the new ways that like AI chat systems are understanding people, you start fusing that data.
You get an absolutely terrifying degree of understanding of people.
What scares me, like pulling out from the sort of initial privacy question, like your stuff is being exposed, is this.
I believe in the core of my being that there's a category of questions that governments should never be.
permitted to ask about their population.
I 100% agree.
They should never be permitted.
And unfortunately, in too many societies, friction was the only thing preventing that
from happening.
Your data, data about you, has less friction than you trying to make a financial
transaction.
That's bananas, right?
So when it comes to this, like, big tech corporate surveillance, what do you put it down
to?
Like, the people running these businesses, like, is it, are they, are they,
evil? Is it ignorance? Is it just profit-driven, ignore the consequences? Like, what is it? Cash
rules everything around me. Cream, right? Like, you look at each, shout-out-ut. Every organization
that is trying to do stuff and it winds up collecting data at some point is going to have this
conversation, oh, man, we can have another revenue stream. Like, oh, we're helping people solve this
problem. We're connecting different bank accounts, right? Like Plaid, we're connecting this bank to that bank.
We're helping you get your check deposited, right?
So it's like, oh man, we have a second parallel monetizable flow of data.
Our shareholders are going to love this.
A version of that is repeated over and over again in company after company.
And it isn't necessarily framed as privacy violating.
It can be framed as helping prevent fraud, right?
Transaction analytics, right?
Quality of experience.
These things are always put that way.
They're always in the same way that the online safety stuff is framed at like age assurance, right?
Like saving the children.
And I think a lot of good, well-meaning people, good-hearted people, got themselves into corporate structures where they built, like, 85% of the privacy-destroying chainsaw.
And then, like, suddenly they started seeing a chain getting attached to it.
And they're like, oh, fuck, right?
And many of them left, or they became disillusioned.
Some of them volunteer and work at Citizen Lab, right?
But we got here through the god profit and through, you know, a million KPI's.
What scares me about this conversation as we apply it to the world of like Bitcoin is that many
different players in this ecosystem, I think, are going to discover many of those same incentive
structures if they haven't already.
And it's going to be happening everywhere a little bit all at once.
It's like arsenic poisoning by eating a lot of a certain kind of food, right?
No one bite is the bad one, but the sum total is trouble.
And I'm really curious what you mean about that.
Is that the fact that there's kind of like KYC choke points,
anywhere you want to go and buy Bitcoin?
Is it the fact that like anyone now working on privacy software
has to fear going to jail?
And like if Bitcoin can't have any privacy tools on top of it,
does that then become another sort of surveillance penopticon?
The thing about surveillance panoptica, right,
is that I think there is something strong,
structural right now that means that like a version of this thing is going to keep repeating itself in every business structure.
It's kind of like there is a certain crystalline structure that protects privacy, but there are other versions of that.
And if those crystals are introduced, suddenly and over time the crystalline structure pivots.
And suddenly it becomes not just like, you know, potentially resistant to privacy and rights,
actually like the fastest rails to violate those things.
What got me into this whole world,
I was doing something totally different,
and the Arab Spring happened,
and I saw governments trying to suppress speech.
So my, I got into this by building projects
to get information out during internet shutdowns
in Egypt and then in Libya.
And the big personal excitement that I experienced was,
oh my God, technology has ended
the historic asymmetry between
people and the powerful in the ability to push information out. Holy cow, right? Suddenly,
you don't need to take over a TV station to have a protest movement and to tell people in your
country what's going on. You don't need to persuade a foreign journalist to talk about your story
or get your quote. You can broadcast it. But what social media platforms had not done,
they had not reduced the historic and abiding asymmetries between people and governments of power
and of risk and of resources.
And the other shoes started dropping
even during the Arab Spring
as countries realized, uh-uh,
the solution is not to turn off all the tech,
to do internet shutdowns the way that Egypt and Libya did.
The solution is to do what Syria and so many others did.
Keep the tech on, but start surveilling, right?
Give people the feeling of the freedom to express
and then slowly find and pick people off.
Versions of that keep happening all around us.
The craziest thing about that as well
is I think when you, when people hear these stories,
you assume that that's going to be the stuff that China's doing.
And I'm sure China are doing it.
But it's also happening in the UK now.
It's happening across Europe.
Like, the online safety act that passed in the UK is terrifying.
And again, as you said earlier,
it's framed in this way that it's to protect kids online.
Yeah.
But like, and there'll be a lot of people who don't pay close attention to this,
that will just believe that narrative and think that that's just a good thing by default.
But maybe you can talk to like the actual risks
to stuff like this.
Don't listen to what they're telling you.
What they're telling you is you need to protect kids online.
And you and me and everybody else, opinion polls show, right?
Like seven out of ten people do believe that kids online face risks
and have some appetite for a better solution.
I think a lot of people, for different reasons,
have some version of that belief.
So where do you?
you go with that, right?
Well, parents often want like a big red button
that they can press that will just make the bad stuff
go away from their kids online.
Unfortunately, politicians, for whom everything is a nail
with their big sledgehammer, are like, okay, we have a solution.
Let's just put a bouncer at the door, right?
Like how intuitive?
He just wants to look at your ID, you just flash him your ID.
That is the bouncer fallacy.
What they're actually asking for is something that
changes the structure of the internet. What they're saying is you want to go to the club,
you show your bouncer, your ID, he makes a copy of it. Maybe he's also going to check your bank
account. And then everybody you interact with is also going to receive a copy of your ID,
where are they going to store it in their sheds out back. You're creating a situation where people
are suddenly forced, law-abiding people who just want to interact with the internet, to docs themselves,
to KYC for speech.
And I firmly believe bad things come from this model.
And in fact, like the model has already got problems.
So the Washington Post, Drew Harwell,
this journalist in Washington Post,
this really cool bit of data analysis.
He looked at web traffic to adult platforms
after the Online Safety Act had its switch turned on.
What did he find?
Did you find this?
I've not seen this, so I'm going to try to guess.
Like I would-
What happens, well, let's say the two categories of online platforms.
Yeah.
There are rule-abiding platforms, and there are platforms that don't care.
Yeah.
What happens to the traffic of those two platforms?
They go to the ones that don't care.
And even the people going to the rule-abiding platforms,
I would assume traffic seemingly drops from those countries,
but really people are using VPNs and ways to get into them anyway.
The harder the government squeezes on the internet,
the faster and more effectively people get around it,
which is why we talked a minute ago about opinion polls.
Do you know there's another number in UK opinion polls
about the Online Safety Act, which is most people don't think
it's gonna work.
Like only the 30-some percentage of Brits actually
think that this thing will work.
So it's a paradox.
Most people want something.
Most people know it won't work.
Well, that's a great example of a scenario that highlights
really that like the answers being provided are wrong.
I can't think, because like, you don't have to have an expert tell you that it won't work.
So what happened?
It drove traffic in mass.
Two, three-xed the traffic of platforms that didn't comply, which that will always be, because they will be outside of the jurisdiction.
And almost certainly, not only did that, was a traffic that would have otherwise gone to complying platforms, suppressed their traffic.
And like you say, it drove people to use VPNs.
And led to this sort of absurd scenario of a British official going online and being like, can we all please not use a VPN, which is the best viral
marketing for VPNs I've ever seen in my life.
100%. And VPNs went to like the top of every app store chart.
And like really the sort of second order consequence of that is people just have better
online privacy as a result, regardless of what websites are trying to wear.
For now. But follow the follow up. What's going to happen? Well, what scares me of the
Online Safety Act and the versions of it that we see in the United States, in specific US states
that are doing their own like age verification. Because Florida has something similar, I think.
bunch of different US states, like dozens have done something on this. And whether it's like ID or scan your face or age gating, right? Like, there are elements of the same thing. Well, you're told that this is about protecting kids from harm. But if you look at the definitions, they're often really vague. Like the harm is pretty vaguely defined, which gives governments a huge amount of ability to define things into censorship. But it goes further, right?
What problem do big platforms face in this scenario?
Well, the Online Safety Act has this feature
where like, you know, some Cleverboffin sat down
and they're like, okay, you know what?
We're going to like, we're going to solve
the free speech problem too.
So the Online Safety Act has penalties if you show people,
you show kids bad content,
legal but harmful content.
But it also has penalties in theory if you over-censor.
But here's the, here's like,
Here's the truth, right? Like, if you tell a major online platform, we're going to dock 10% of your global revenue if you mess this up and show somebody something harmful, they're not going to call a constitutional lawyer to be like, how can we like push right up to the edge of this? They're going to just start over-complying. So Alec Muffet.
Well, but that was, sorry to interrupt, but that was the cool thing about what Fosham did. Because they basically said, just fuck you. Like, we're an American company, you can't imply this law.
Yeah. Part of this Laura knows.
Yeah. Well, so, and so the British government is face off comes through this problem,
which is like, what do you do?
Like, you know what the analogy is like?
It's kind of like the analogy to taking your shoes off and, like, you know,
putting your liquids in a little bag, in a little bag.
Like, it's security theater.
It's safety theater.
And the problem is, what ends up happening is the rules that result in the mass transfer
personal data, the mass, like, secret census of online design.
higher that is being created and given to governments, that stuff is going to stick around,
even as everyone's going to know it doesn't work, right? It always ratchets like this. Getting back to
this question for a second of like the implication. So Alec Muffet, who writes thoughtfully about
age verification stuff, is like platforms historically, the way that they've sort of categorized
content is kind of like may contain peanuts, right? Like could be harmful. But like what's harm?
Well, it's like might be something that would bother people if they view it in their office, right?
NSFW, right? They're not designed to do these sort of careful categorizations of each kind of speech
in ways that maximally protect people's freedom of speech. So, of course, platforms warn to do this,
they're going to over-categorize. They're going to apply this sledgeham. It's not a scape, it's a big sledgehammer.
And the end result is people seeking health information, people like collecting flags,
people struggling with depression, people want help quitting smoking. All their communities are going to get turned off too.
And you get a situation where you're going to need a passport to speak, and a passport to post, and a passport to listen.
That is bananas.
And as it doesn't work, the other thing that I think governments are going to do is they're going to say, okay, well, we can't solve the problem of these noncompliance.
Right?
So what do we do?
We need a great British firewall.
We need to start blocking at the gateway to our little island.
We need to start blocking VPNs because just too many bad things are happening with these technology.
A lot of people are going to quickly draw that conclusion.
And if they start implementing it,
it's not just going to be lessons learned from China.
It's going to be like parallel evolution
of some of the same structures of control.
And, okay, let me say my big suspicion.
Like, I don't think that everybody who promotes these things
is a prude.
I think many of them, many lawmakers,
are exercised by concerns, legitimate concerns about children.
We can talk about maybe better ways for your knowledge.
this, but in the US, some of the groups that are bankrolling this stuff, they just want to end
things that they don't like. They want to stop people from viewing adult content, but also
other kinds of content that they deem societally harmful. Well, what is that? That's a bunch of prudish,
often religiously driven censors trying to censor everybody. This is very bad. Doesn't belong in
democracies. And so what are the things that people can actually, in fact, before I ask that question,
Because the part of this that we've not necessarily spoken about yet is the risk to end-to-end encryption.
So I don't know the exact state of this as of right now, but I know as part of this act, they were trying to have a backdoor that they were trying to call not a back door in the sense of that if you're using the signal protocol to communicate, they wanted, I believe, to verify a message before it was sent on device to make sure it didn't contain anything harmful or hate speech or however they deem it before you actually send that message.
Like, that is not into an encryption.
If you have to premise what you're saying with,
this is not a backdoor, it's a back door.
Yeah.
So client-side scanning is this concept that, like,
people might send harmful things that the state can't control across the platform.
So how do you deal with that?
Well, you push a bunch of rule sets to a device.
And that device is then going to censor the stuff,
prevent it from going,
and maybe also send a little notification to the powers it be
that you tried to send it.
China has also experimented with
and implemented all sorts of versions of this in chat apps.
Like a bunch of Chinese chat apps will have,
like, rule sets that they download of words you can't share, right?
So, UK treading where others perhaps have tried before.
The problem with that system is that even if it is implemented
for the purposes of blocking content
that you or I might regard as morally reprehensible
and is harmful in its creation and in its sharing,
all the government needs to do,
it has that system in place is to push some new rules to that system.
And suddenly it is an on-the-device speech monitoring system, right?
I can just tell it, well, actually, you know what else bothers me is a certain kind of flag.
You know what else bothers me is like a certain kind of meme, right?
China does this, right?
Winnie the Pooh memes, got to block them.
And-starmer memes will be banned next?
You've got to protect the children from those memes.
This is a serious business.
And the problem with that kind of structure, and this is the problem.
like, look, I've only worked on this issue and related privacy issues for like 14 years.
That's a pretty small slice of time. Our director, Ron Debrot, brilliant guy who founded the
Citizen Lab, like back around 2000, looking way into the future when he founded us. We remain
like reliably independent of government and corporate pressure and funding. The view is,
and I think he would tell you this, I don't want to speak from it, he would tell you this,
if you build systems that allow for control and access,
the temptation is just too great.
And like everything that we know
from every other surveillance technology,
in fact, every historical example
of secret surveillance capabilities created
is that they get abused.
Nowhere more so than when the state is pretty confident
that they can surveil without the citizens
of knowing that is happening.
I think it's almost analogous to the idea
that is talked about a lot in Bitcoin.
If you give the state the ability
to press a big red button and print more money,
that's too powerful than not to press.
And it's the same thing here.
Like, during the entire Cold War,
people lived in fear of a big red button.
We don't want to be in a position
where people have to fear the pressing of a big red button
either for them specifically,
because of something they said,
did thought or shared, privately or in public,
or for speech generally.
And I think what we've learned
from the excesses of the past few years
is that platforms are really bad
at playing a role.
of speech police.
Yeah.
They don't want to be speech police either.
And like, it's going to sound controversial, but like this stuff harms platforms too.
They're not designed for this.
They shouldn't be asked to do it.
Now, the Lland Safety Act has like, you know, categories of platform, three different tiers,
depending on how big the platform is, how big the user base is, how big the potential
for harm is.
But ultimately, this stuff harms innovators too.
And it harms people that are trying to run communities that are helpful.
And I think fundamentally, like, it creates a, like, it's like, it's like, you
You don't want a scenario where the people overseeing the speech world
are the equivalent of the teacher monitoring the detention room
to make sure that people aren't talking to each other.
And that's where we're headed.
It's funny.
We talked earlier about the risk of these mega corporations,
just harvesting data and doing corporate surveillance.
But in some ways, are they the potential answer to this
in the sense that if Meta and Apple,
I mean, Signal have already said,
if the UK implement these laws,
they're just going to pull out.
But there's so much more weight
behind a company like Apple and Meta doing that.
Do you think that is one of the ways
that we can actually fight this?
I am a pragmatist
in a lot of ways.
And I think that we benefit
when there are certain alliances
or alignments
with interests
that might otherwise be strange bedfellows, right?
Like, it's kind of remarkable
that there was like a national security
and human rights problem
with mercenary spyware.
But those,
things change when political realities change. Those things change when realities change for
platforms. It wouldn't take much for a big platform to not be an ally. And I think when it comes
to our privacy, like we have been massively victimized by most of the platforms that we've
brought into our world, right? As the Russian saying goes, the only free cheese is in the mousetrap.
And right, we are just getting every day, the mousetrap is just hammering us harder than,
you know, like a self-flagellating, you know, medieval attempt to get rid of the plague. And,
What I see, though, is that, like, where there's potential is decentralization, systems with less permission, systems that have a robustness and that aren't susceptible to somebody sitting down with their leadership and being like, hey, look, your other product line, which is providing services to our government, whether it's a cloud service, whether it's a messaging platform, whether it's an AI platform, you want to keep those contracts?
We're going to need certain things from you.
Right?
The problem is many big companies are big enough and shareholder-driven enough that they cannot really be trusted as allies in the long term.
In the same way that most politicians really can't be trusted as allies in the long term.
So I've, again, met you a few times throughout the years.
You're a very positive person.
And despite that this has been one giant black pill, where is the kind of hope here?
Because I know you, Citizen Lab are at Oslo Freedom Forum,
like you've been to these HRF events.
Is the answer in Freedom Tech, things like Noste
and these new platforms that are being built?
I think like being in a really stifling speech submarine, right?
Like a big breath of oxygen goes a long way.
I believe that certain kinds of freedom tech
is that breath of oxygen.
And I think when people start breathing it,
they feel the difference.
I am most optimistic, both of the growth of some of those technologies
and also of what happens when they get mainlined into popular things that get used by everybody.
When encryption for, like, think about it like this.
My personal view, one of the biggest developments in like the 20 teens was when Google decided
to turn HTTP encryption on for all of their user base.
Because suddenly government went from literally reading all of your emails
to having to try to figure out a new way, right?
But like being knocked out, like a switch was flipped.
I'm a great believer in that kind of switch.
Well, what was one of the other big switches that was flipped in the teens?
I would say WhatsApp implementing end-to-end encryption, right?
Even if they did it kind of shitty.
The implementation of end-to-end encryption that they did is using the same ciphers that Signal uses.
My issue with it, and tell me if I'm wrong here, is if someone has, like, cloud backup on their chats,
does that not remove the end-to-end encryption for everyone who's communicating with them?
Indeed, the great challenge with many of the most popular devices and platforms
is around backup and encrypted backup.
And it is extremely meaningful to me that WhatsApp now provides,
backup encryption.
Okay, I didn't realize it in that.
Apple provides backup encryption for iCloud
because it used to be the case that like,
I think part of why states were so comfortable
with iPhones being like pretty solidly encrypted
was that they could just go get
iCloud stuff on the back end.
Yeah.
I see the efforts that big players make
often to incorporate these technologies.
There's often a bit of a workaround somewhere in there.
And I think that that is partly, you know,
because it's hard to do everything at once.
Sometimes pragmatically, it ends up functioning
a little bit like a pressure release valve
for governmental pressure.
But nevertheless, on balance,
it still massively increases privacy.
Because, for example, like,
if, like, let's go back to a time period
where people had WhatsApp encryption
but were backing up to Google Drive.
If the state wanted the contents of your Google Drive,
they'd have to go to Google.
They would have to prepare a judicial request.
They'd come to Google.
Google would review it,
decide whether or not it appeared
to comply with rules.
they would sort of look at the case, and then they would respond.
That's a huge layer of friction and oversight.
That's people in the middle.
The truth before that was there was nobody in the middle.
The state could just monitor from the wire.
And so there's still tremendous net benefit with friction,
but it's incomplete.
So this is like, don't let Perth be the enemy of good kind of thing.
And the problem that we have as a community is we have to be very clear
about what winds look like,
but just as clear about the fact that we're incrementing.
And one of the problems again and again is the sort of heroic individual model of privacy and security
where someone is like, you know what, this tech, this encrypted messenger is the only one that I really
trust.
And you have to come to me and use my thing if you want to.
I'm guilty of that.
And honestly, like, it's like being with like the most and the most insufferable privacy
vegan you've ever met.
Oh, no.
I did that with my family.
I said if they want pictures of my daughter,
then they have to be on Signal.
Well, Signal is a good balance.
I think that there's a lot of room for incrementing, right,
and for creating network effects.
I think it's a totally legit thing to do
as a son or a daughter to be like,
mom and dad, I would love to send you pictures of my family,
but it's going to have to be with some encryption, right?
That is healthy.
What's unhealthy is when people are like,
I reject all popular platforms
and only do this one thing.
Because the problem is,
the enemy of political organizing, right?
What do we care about in society?
People talking, communicating, sharing ideas,
inter-exchange, intercombeo, right?
That stuff, for it to work,
requires that there not be too much entry-cost friction.
And so what I worry about is that the privacy world,
and it's like, you know, understandable but most exhausting,
winds up shitting on everything other than the orthodox perfection.
But the truth is, so often,
they're not really doing the perfection thing themselves all the time either.
It's just a bit of a performance.
It's hard and your friends aren't going to be there talking with you.
So I feel like if we're looking at the problem set, and this is my pragmatic frame and others might disagree,
there's a huge value in large-scale big increments.
And there's huge danger in large-scale friction reduction in surveillance.
those two things are kind of, in many cases, like the biggest fights.
What I'm excited about is at these ends,
there are developers and others working to develop tools to their standards, right?
Let a lot of flowers grow.
Some of those are going to work.
Some of those are going to become really popular.
They're going to be network effects like Signal.
Others are not.
The trick is, so we were talking earlier about, like,
who's going to get targeted by Pegasus?
Here's the truth of the matter.
We don't know who tomorrow's targets are going to be.
they don't know themselves because they may not have made a choice that puts them into the like target line of a government.
They have not yet decided to step out and speak their truth or speak up against something that they see is wrong or share a thought that bothers somebody.
They don't know and we don't know who they are.
We have to be designing our technology so that those people will have already on their devices, tech that has like 80% of the way there.
and then can have some small changes.
Because once a person has made that choice,
it's too late to sit them down and be like,
okay, you need to behave like a total spy.
You've got to use all this sophisticated technology.
And none of your friends are there, right?
Like, they raised their voice,
and they were dangerous because they raised their voice
and people listened.
You can't suddenly tell them to turn off their voice
for the sake of being safer online.
You have to work with them and balance with them,
which means that a little bit like trimming a bonsai,
if you trim the branches and you trim the roots
and you bend it and you water it all at the same time,
you kill it.
It's kind of you do one thing at a time.
And the same is true for user behavior with security.
So I'm a huge believer that user experience and ease of entry, which means no scolding,
has to be as friction-free as possible.
It's more consequential in many ways that like a popular app has an on-ramp for a privacy
and freedom technology than that there exists somewhere carefully honed polished
parole of perfection.
And that is why signal is perfect.
In my opinion, I think it's the best messaging app.
Because like it just feels like anything else.
And you know you have the additional air security and privacy.
Can I make two suggestions to your viewers about how to use Signal a little bit more of a secure way?
Absolutely.
Okay.
So here's what you need to do.
Go into your signal settings and check out privacy.
I'm going to do this as you start.
Yeah, let's see how I do.
Go into Signal Settings and Privacy.
Yeah.
Okay.
Yep.
Now choose Advanced.
And tell me what you see on there.
Senship circumvention. What else? Proxy, always relay calls, show status icon, allow from anyone.
Okay. What I want you to do is turn on always relay calls.
On. It's already on. Good man. Do you know what it's doing for you?
I don't. So when I call you on the signal, it's all signal, you install signal, we just make a call like that.
It's a pure-to-pure communication, right? Which means that our devices are talking to each other across the network, which means that the network may know that we're having a signal call.
They can't hear what we're talking about.
They can't see what we're messaging about.
But the fact of that call is known to various parts of the network.
That is a really interesting piece of metadata.
Call relay bumps your call through servers that signal controls.
It's still encrypted.
But that means that the network now, in this place that we're sitting,
all that the network knows is that you're having a call that looks like a signal call, right?
They can't see the IP address of your correspondent.
And your correspondent can't see your IP address either.
major improvement. Now, I want you to go to your WhatsApp.
Okay. Is that the only setting in there that it's the...
No, actually, should we do another single setting change? Okay. So the other thing that I want you to do
is I want you to turn on disappearing messages by default.
He's already on it four weeks. Great. Here's why. Remember we were talking earlier
about how governments do top-ups with surveillance, right? They're like, you know,
they're a little penny pinching with their surveillance technology. Same holds true for all
kinds of other hacking. If your device doesn't have old chats on it, a hacker can't get them either.
Disappearing messages at four weeks is a great default mechanism, set it once and don't think about it more,
so that your phone is not carrying five years of your life's worth of interesting conversations.
I do turn off on some of my chats though, because I want to have the history.
Exactly. And the model should be turn it off as needed, not turn it on when paranoid.
Yeah. You should be default concerned.
Okay. WhatsApp. Let's go to our WhatsApp.
This one will be worse because I don't use WhatsApp very much.
Okay.
So I probably never played with the settings.
I want you to do exactly the same thing.
Privacy.
Go to privacy.
Okay.
And go to, I think it's advanced.
Yep.
And do you see protect my IP address and calling?
That's off on this one.
Turn that bad boy on.
Okay.
Same deal.
Now, people should understand there are structural privacy difference,
and obviously turn on disappearing messages by default on WhatsApp.
Yeah, I think you have already.
Okay.
People need to understand there are structural differences in the privacy that you have
when you use different kinds of platforms.
So meta will know more about you as a WhatsApp user,
then Signal will know about you as a Signal user.
So act accordingly.
But what I like about both of these settings is,
especially with Signal, like, you're now way more secure,
and you're more private.
This is really important.
And it took like 30 seconds, right?
Should we talk about another thing that people should do?
Please.
Okay.
What kind of phone is that?
iPhone or Android.
Are you comfortable saying it on the iPhone?
iPhone.
Have you ever heard of lockdown mode?
Yes, I think I actually saw a thread on Twitter.
I think I might have done this.
Let's see, lockdown mode.
So go to privacy and security.
Got it.
Go all the way to the bottom and you should see lockdown mode.
Yeah.
It's not on.
Okay.
So let's talk about what lockdown mode is.
So in 2021, November 2021 was a shitty month for NSO Group.
Not only did they get dinged by being put on the entity list by the U.S. Commerce Department,
but Apple also notified a whole bunch of people that had been hacked through Apple service.
with Pegasus, and they sued.
Very bad situation for NSO.
Apple also began the process of rolling out lockdown mode.
Well, what's lockdown mode?
There are ways of taking a regular device
and turning it into a much more secure, hard-to-hack device.
They come with some trade-offs.
Apple watched how NSO group and other
governmental actors were hacking people's phones through Apple services and through different settings,
default settings. And it was like, okay, we can come up with a list of changes that you can make
that price out whole categories, right? Ricefield's worth of attacks. How cool is that? The thing is
some of those things will introduce a bit of user friction. What we don't want, and I'm now guessing,
because I don't know the internals of Apple's thinking here, but if I'm Apple, what I don't want
is to suddenly push out a high security setting to everybody,
and then people have, like, a bad experience of friction
in their next purchase as an Android.
We don't want that.
And is the friction here you have to save your private keys for it?
No.
The lockdown, so go to turn it on.
Okay.
And what does the first screen show you?
Turn on lock, mod, turn on and restart.
So click on that.
Okay.
We need some elevator music while this happens.
Okay, let's see.
Oh, did we restart?
Yeah.
Oh, okay.
It's going to take...
So let me then tell you what else would have happened.
So Apple also warns you as a user that this is an extreme security mode,
and it's not intended for most people,
because they're worried, I think, I speculate,
that people turn that thing on, forget that they turn it on,
and they have a bad experience, right?
Like a regular person who's not facing those threats.
And if you're like a big company, you've got to worry about that sort of thing.
If you're watching this and you care about privacy, turn it on,
have the experience of breathing a little bit of oxygen,
much more...
Not a super bowl, but like a much harder to hack device, right?
Like, and I can tell you that empirically, like a much harder to hack iPhone.
It's very cool.
And for the longest time, if you were an Android user and you asked me this question,
you've always asked me this question.
What's more secure?
Like Android or iPhone, right?
Everybody has their own view.
My colleagues will have different views.
But unfortunately, no, like, lockdown analog existed for Android.
That has just changed.
Google has rolled out advanced protection for Android,
which is like a version of lockdown mode.
It has some other really interesting features.
So where lockdown mode is partially working by preventing people outside of your contacts on FaceTime from calling you and other stuff that's sort of like Royal Road for attacks,
Android's Advanced Protection, as we understand, it has some other cool features like allowing you to securely put logs from your device into a secure protective crowd that you only you have access to.
which means that if you're an attacker and you hack this device, in theory, right,
like a log of that is being immutably kept somewhere, right, your private ledger.
And so even all the effort that they may do to try to clean up and hide later,
there may still be some evidence.
Now, this is like, for now, these are sort of in the realm of, like, hypothetical,
will this make it easier for defenders to find stuff?
But it definitely increases the risk factor for, because, like, if you're, like, a scammer,
it's a numbers game, right?
Like, if you're doing hacking a large number of people for crypto stuff, it's a numbers game.
And you're not using, like, a really fan, you're not paying pearls to do your hacking.
If you're using one of these sophisticated pieces of technology, getting caught is like game over.
It's really, really bad.
And it, like, all the customers fate share, right?
So if it stops working for, you know, Hungary, it's also going to stop.
The same exploit is going to stop working for everybody else.
They get caught and patched.
So they're always trying to hide.
It's like a cat and mouse thing.
Yeah, and the risks to them are much higher.
And so if you as a user can do things, or if developers can do things that are more likely to generate alerts or things that are hard to get rid of, then you've actually changed some of the cost calculus about whether it makes sense to hack a person or whether it will work.
The other cool thing about lockdown mode is it may break certain kinds of exploit effort in ways that a user would then see.
And so there's sort of dual layers of potential protection in some of these things.
None of these are silver bullets, but they're all very interesting.
Well, I am now a little more secure.
A little bit more.
I could literally talk to you all day, John.
This has been really good.
We are already quite late for dinner, so we should probably wrap this up, but there is one thing to do.
There is one thing to do.
Let's find out.
Do we need to turn the cameras off while we do this part?
Well, what we can do is I can go off scene for a minute.
Sure.
And do something?
Should we do that?
Yeah.
Am I lucky enough to be a part of the Pegasus crew?
So, Danny, do you consent to me telling you your results?
I absolutely concerned.
...odcast viewed by a bunch of people?
Yeah.
Okay.
So the good news is we didn't find signs of the kinds of things that we checked for.
I need to push harder.
The good news is probably that means.
there's a bunch of stuff that never happened on your device.
The caveats, of course, the things that we don't know to look for, right?
There are things that maybe we're not able to check for with this particular methodology.
So, you know, known unknowns, unknown unknowns.
But it's like the equivalent of getting like, you know, a strep rapid test,
COVID rapid test for your device.
I wish it were the case that there were some app that everybody could have access to
that would do a check at that level of fidelity and give you an answer.
The problem is, if that existed, it would stop working the next day.
Because they would know exactly how to get around it.
When you look at contracts from like mercenary surveillance providers, sometimes they get leaked.
You'll see like a document.
The document is like a list of like 30 antiviruses with a little like a green checkmark.
Like don't worry, not detected by any of this.
Right.
And so the challenge as researchers is always you want to check widely but not burn the ways.
the ways that you're checking.
And then you hope, and I can't, like, let's end on this thought.
So we've talked a lot about tech and a lot about privacy.
We haven't talked too much about victims as individuals.
But I'm going to tell you something really interesting.
That to me is maybe the most meaningful thing.
The real heroes in this story are the people that got targeted with spyware and that got checked.
Why?
Because they were the canaries in the coal mines.
that led to discoveries that have increased the security of that device
and every other device around us.
Billions of devices in the world have received security improvements
thanks to individuals, a Saudi woman driving activist,
a UAE-based human rights defender whose name is Ahmah Monsour,
who's now a prisoner of conscience.
individuals who bravely chose to get checked
and to consent to have their stuff shared,
these are the heroes in this story,
and we are all safer thanks to them and their participation.
In many ways, we're just the vehicles for those people.
And I really want to highlight this, like, I'm a researcher,
I work with a team of very smart people,
but the motor of our research is collaboration.
Nowhere more so than with regional and regional,
and local organizations around the world,
scrappy people who work with us
and do the legwork to get people checked
and to get people screened.
So to tie the buckle on this one,
it is a remarkable story of the script getting flipped
on these scary, powerful companies.
That what caused them to lose billions,
what caused them to have huge trouble,
in some cases to fold, was one humble
activist somewhere. That is amazing. You asked me earlier about hope and optimism. That's my optimism
motor. I mean, what an amazing way to close out this show. I mean, I'm very grateful for this
conversation. I've really enjoyed it. I think it's a really important message. Obviously,
a very different show for me, normally just talking about Bitcoin and macroeconomics. But I'm glad
you made the time to do this. So yeah, I appreciate it, John. Thank you. And I just want to thank everyone who has
contributed to our research, everyone who's collaborated, all the people who have helped us along
the way. Thank you to them. This has been awesome. Thanks, man. Let's go have dinner.
Good God.