1
00:00:00,000 --> 00:00:05,880
You are sideways to the interests of a state right now.

2
00:00:06,220 --> 00:00:08,780
There's like a reasonable chance that something is on your device.

3
00:00:09,120 --> 00:00:11,140
And the thing is, you won't know.

4
00:00:11,540 --> 00:00:16,760
Nothing you see, nothing you do, no flickering screen, no sudden drain of battery,

5
00:00:17,180 --> 00:00:20,800
no warning sign, no link to click, no attachment to open.

6
00:00:20,960 --> 00:00:21,680
You're just compromised.

7
00:00:22,060 --> 00:00:25,800
There's nothing behavioral that you can do to protect yourself.

8
00:00:25,800 --> 00:00:29,080
What scares me about this conversation as we apply it to the world of Bitcoin

9
00:00:29,080 --> 00:00:32,700
is that many different players in this ecosystem, I think,

10
00:00:33,420 --> 00:00:36,760
are going to discover many of those same incentive structures

11
00:00:36,760 --> 00:00:37,760
if they haven't already.

12
00:00:38,120 --> 00:00:39,760
What they're actually asking for

13
00:00:39,760 --> 00:00:41,700
is something that changes the structure of the internet.

14
00:00:41,880 --> 00:00:44,420
And you get a situation where you're going to need a passport to speak

15
00:00:44,420 --> 00:00:48,360
and a passport to post and a passport to listen.

16
00:00:48,720 --> 00:00:51,420
If you build systems that allow for control and access,

17
00:00:52,060 --> 00:00:53,640
the temptation is just too great.

18
00:00:56,640 --> 00:00:57,160
Welcome.

19
00:00:57,160 --> 00:00:59,960
It's very good to have you here, John.

20
00:01:00,280 --> 00:01:01,840
This is a show I'm really excited about.

21
00:01:02,000 --> 00:01:04,120
I do so many Bitcoin shows.

22
00:01:04,260 --> 00:01:04,800
I love Bitcoin.

23
00:01:04,920 --> 00:01:05,700
I love talking about it.

24
00:01:05,800 --> 00:01:09,000
But stepping outside the box into these tangential issues,

25
00:01:09,060 --> 00:01:10,820
and I do think this is tangential in a lot of ways,

26
00:01:11,340 --> 00:01:12,520
is always pretty refreshing.

27
00:01:12,740 --> 00:01:14,060
So I'm glad to do this one.

28
00:01:14,780 --> 00:01:15,940
We met a couple of years ago.

29
00:01:16,140 --> 00:01:16,400
We did.

30
00:01:17,300 --> 00:01:19,560
I've been kind of following your work loosely since then,

31
00:01:19,580 --> 00:01:21,380
and you're a very interesting person.

32
00:01:21,880 --> 00:01:25,140
So you were one of the team that in 2016, I believe,

33
00:01:25,360 --> 00:01:27,040
discovered Pegasus.

34
00:01:27,040 --> 00:01:28,540
or exposed Pegasus.

35
00:01:28,880 --> 00:01:29,040
Yeah.

36
00:01:29,580 --> 00:01:31,860
Do you want to start by maybe explaining

37
00:01:31,860 --> 00:01:33,140
what Pegasus actually is,

38
00:01:33,260 --> 00:01:35,040
and then what happened in 2016?

39
00:01:35,500 --> 00:01:38,600
So think about your phone in your pocket right now.

40
00:01:38,740 --> 00:01:41,960
It contains a large part of your external brain.

41
00:01:42,080 --> 00:01:43,120
It wasn't always so, right?

42
00:01:43,180 --> 00:01:44,540
It was only like 15 years ago

43
00:01:44,540 --> 00:01:46,380
that we didn't really have a pants computer

44
00:01:46,380 --> 00:01:47,440
that we carried around with us

45
00:01:47,440 --> 00:01:49,500
that contained all this sensitive information.

46
00:01:49,720 --> 00:01:52,780
Well, as mobile technology has proliferated,

47
00:01:53,260 --> 00:01:54,980
governmental desire for gaining access

48
00:01:54,980 --> 00:01:56,400
to that technology has exploded.

49
00:01:56,400 --> 00:02:02,760
And one of the many ways that governments do that is something that we call mercenary spyware.

50
00:02:03,060 --> 00:02:10,400
So this is the ability, silently, covertly, to infect your phone and turn it into a spy in your pocket.

51
00:02:10,600 --> 00:02:16,780
Activate the camera, the microphone, read your contacts, listen to your Signal calls, read your encrypted messages, look at your photographs.

52
00:02:17,280 --> 00:02:20,140
Anything that you can do on your phone, it can do.

53
00:02:20,140 --> 00:02:25,180
And some things you can't, like silently making the phone a hot mic to bug a room,

54
00:02:25,500 --> 00:02:27,880
recording from the video, accessing your cloud accounts.

55
00:02:28,400 --> 00:02:30,220
Pegasus is one of those technologies.

56
00:02:30,600 --> 00:02:31,180
There are many.

57
00:02:32,060 --> 00:02:35,440
Pegasus is in many ways the most notorious and the most well-known,

58
00:02:36,200 --> 00:02:39,540
partly because of its market success and selling to lots of different governments,

59
00:02:40,000 --> 00:02:41,740
and because we keep finding it.

60
00:02:42,400 --> 00:02:45,480
And did that spyware, where did it come from?

61
00:02:45,480 --> 00:02:53,440
So Pegasus originates from a company called NSO Group, which flies different name flags,

62
00:02:53,560 --> 00:02:55,580
but we'll call them NSO Group for the purposes of this conversation.

63
00:02:56,060 --> 00:03:00,720
They're an Israeli company, and they took, I would say, a set of technologies and skills

64
00:03:00,720 --> 00:03:08,060
that came out of Unit 8200, which is the Israel sort of like NSA equivalent military entity,

65
00:03:08,300 --> 00:03:14,280
and other parts of Israel's military intelligence complex, and turned it into a profit-making

66
00:03:14,280 --> 00:03:21,760
product. People call Pegasus software, but it's, I think, more effective to think about it as a

67
00:03:21,760 --> 00:03:30,380
service. Basically, imagine you're a government. You've got a leader in his 80s, doesn't want to

68
00:03:30,380 --> 00:03:34,960
leave. You're worried about your governmental stability. There's a bubbling opposition somewhere.

69
00:03:35,400 --> 00:03:41,660
What are you going to do about this? Well, you want to monitor that opposition. So you go to

70
00:03:41,660 --> 00:03:43,920
NSO Group and you say, listen, I'd like to buy Pegasus.

71
00:03:43,960 --> 00:03:44,980
I want to get on these people's phones.

72
00:03:45,360 --> 00:03:47,520
And the contract that you'll get, it's so interesting.

73
00:03:48,460 --> 00:03:50,920
It's like DRM for spyware.

74
00:03:51,100 --> 00:03:53,940
You get a number, not of seats, like with Microsoft Word,

75
00:03:54,000 --> 00:03:55,000
but concurrent infections.

76
00:03:55,360 --> 00:04:00,240
So you might have like a 20 concurrent infection contract.

77
00:04:00,920 --> 00:04:02,240
And then for the period of a year,

78
00:04:03,020 --> 00:04:04,760
NSO is going to basically guarantee you, look,

79
00:04:05,320 --> 00:04:07,920
for this year, we promise that we'll do our best

80
00:04:07,920 --> 00:04:09,140
to make sure that you can hack iPhones,

81
00:04:09,700 --> 00:04:11,060
that you can hack Androids.

82
00:04:11,060 --> 00:04:13,020
And then it's kind of up to you how you use that.

83
00:04:13,100 --> 00:04:16,460
Some governments that are just like afloat in cash

84
00:04:16,540 --> 00:04:19,940
will buy like 100 concurrent licenses, big numbers.

85
00:04:20,000 --> 00:04:22,500
Others that are like tightwads will get their 20.

86
00:04:22,580 --> 00:04:24,940
And then they will just grind on those licenses.

87
00:04:25,000 --> 00:04:26,900
It's like hack like 20 people in the morning,

88
00:04:26,980 --> 00:04:29,180
finish those infections, 20 people in the afternoon,

89
00:04:29,240 --> 00:04:30,680
do it again the next day, right?

90
00:04:30,740 --> 00:04:32,020
And when they infect a phone,

91
00:04:32,080 --> 00:04:34,120
can they essentially download everything they want

92
00:04:34,180 --> 00:04:35,860
from that phone and move on to the next one?

93
00:04:35,920 --> 00:04:39,220
They can. And in fact, there are these cases that we see.

94
00:04:39,220 --> 00:04:41,680
So when we do forensic analysis of devices,

95
00:04:41,680 --> 00:04:44,800
we can often see numbers of infections, right?

96
00:04:44,800 --> 00:04:46,820
So like on this date, your phone was infected.

97
00:04:46,820 --> 00:04:48,400
On this date, your phone was infected.

98
00:04:48,400 --> 00:04:50,440
And there are journalists, for example,

99
00:04:50,440 --> 00:04:52,900
who earn the ire of certain governments.

100
00:04:52,900 --> 00:04:57,400
Their phones might have had like 20, 30, 40 infections

101
00:04:57,400 --> 00:04:58,780
over the course of a year or two.

102
00:04:58,780 --> 00:05:00,580
So they're just checking in periodically,

103
00:05:00,580 --> 00:05:01,580
sweeping data, moving in.

104
00:05:01,580 --> 00:05:03,040
It's like your top up, right?

105
00:05:03,040 --> 00:05:04,920
You know, like the state's just gonna go poke by

106
00:05:04,920 --> 00:05:05,920
and look in your underwear drawer.

107
00:05:05,920 --> 00:05:07,540
You know, it's a Monday, let's go check it out.

108
00:05:07,540 --> 00:05:12,160
And this, like you said, this came out of an Israeli company, but they're selling this

109
00:05:12,160 --> 00:05:14,380
to basically every government around the world.

110
00:05:14,380 --> 00:05:15,380
Is that right?

111
00:05:15,380 --> 00:05:17,800
So there's a whole ecosystem of these players.

112
00:05:17,800 --> 00:05:21,600
And I think we can talk about NSO kind of like as a stand-in for a lot of them.

113
00:05:21,600 --> 00:05:28,540
There are certain restrictions that the Israeli government places on offensive technology sold

114
00:05:28,540 --> 00:05:29,540
from Israel.

115
00:05:29,540 --> 00:05:33,360
And so there's certain states that are not going to sell to like Iran, for example, or

116
00:05:33,360 --> 00:05:37,520
maybe Russia, because maybe the Israeli government sees a diplomatic risk in doing that deal.

117
00:05:37,520 --> 00:05:39,520
but they sell to a lot of governments.

118
00:05:39,520 --> 00:05:43,520
And the consequence of this has been the massive proliferation

119
00:05:43,520 --> 00:05:45,520
of this capability to governments

120
00:05:45,520 --> 00:05:48,520
that previously had no technical bounds.

121
00:05:48,520 --> 00:05:49,520
So think about it like this.

122
00:05:49,520 --> 00:05:51,520
You know Neapolitan ice cream?

123
00:05:51,520 --> 00:05:52,520
Of course. Strawberry, vanilla, chocolate.

124
00:05:52,520 --> 00:05:53,520
Do you like Neapolitan ice cream?

125
00:05:53,520 --> 00:05:54,520
No, I'm not really a fan.

126
00:05:54,520 --> 00:05:57,520
Me neither. But it's seared into my memory,

127
00:05:57,520 --> 00:05:58,520
because as a kid, I hated getting my hair cut.

128
00:05:58,520 --> 00:06:00,520
My mother cut my hair. And to try to distract me,

129
00:06:00,520 --> 00:06:02,520
she would put a bowl of ice cream in front of me.

130
00:06:02,520 --> 00:06:03,520
There's always Neapolitan.

131
00:06:03,520 --> 00:06:04,520
So when I think Neapolitan, I think of sort of hair

132
00:06:04,520 --> 00:06:07,520
in the ice cream, you know, tears, terrible things.

133
00:06:07,520 --> 00:06:08,640
I just missed the days of hackers.

134
00:06:08,640 --> 00:06:09,440
But let's-

135
00:06:09,440 --> 00:06:12,100
We're all getting there.

136
00:06:12,500 --> 00:06:14,340
So let's think about these three flavors.

137
00:06:14,660 --> 00:06:19,860
So strawberry, governments that have a deep STEM pipeline.

138
00:06:20,380 --> 00:06:21,800
They've got cryptographers.

139
00:06:21,940 --> 00:06:22,820
They've got mathematicians.

140
00:06:23,200 --> 00:06:27,280
They can develop their own technologies for doing this highly sophisticated hacking.

141
00:06:27,360 --> 00:06:28,100
They can develop exploits.

142
00:06:28,160 --> 00:06:28,540
They can do this.

143
00:06:28,840 --> 00:06:32,780
Then vanilla are governments that don't have that pipeline, that don't have those mature

144
00:06:32,780 --> 00:06:34,720
security services, but they've got a checkbook.

145
00:06:34,720 --> 00:06:37,540
Chocolate is like pariah states.

146
00:06:37,740 --> 00:06:38,780
Syria would have been an example, right?

147
00:06:38,880 --> 00:06:40,980
Where they can't necessarily go to the open market.

148
00:06:41,040 --> 00:06:41,800
They can't go to Israel and say,

149
00:06:41,860 --> 00:06:43,540
hey, we'd like to buy your best toy.

150
00:06:44,000 --> 00:06:46,740
And so they'll find other kind of clever cobbled together,

151
00:06:46,860 --> 00:06:48,800
my cousin knows computers, ways of doing hacking.

152
00:06:48,880 --> 00:06:49,760
But whatever the flavor,

153
00:06:50,800 --> 00:06:53,120
the route is like to your phone, to your webcam.

154
00:06:53,880 --> 00:06:56,580
And what's so interesting about this problem set

155
00:06:56,580 --> 00:06:58,700
is that when states, especially sort of like states

156
00:06:58,700 --> 00:07:00,800
that don't have a STEM pipeline,

157
00:07:01,100 --> 00:07:02,340
suddenly get this technology,

158
00:07:02,340 --> 00:07:05,320
they're like technically punching way above their weights.

159
00:07:05,720 --> 00:07:08,060
And dissidents, activists, and politicians

160
00:07:08,060 --> 00:07:09,100
are not ready for it, right?

161
00:07:09,120 --> 00:07:11,960
One day, their government had a bumbling security service

162
00:07:11,960 --> 00:07:13,060
that couldn't get its act together

163
00:07:13,060 --> 00:07:14,500
and was shot through with corruption.

164
00:07:14,780 --> 00:07:16,540
The next day, right, like, you know,

165
00:07:16,580 --> 00:07:17,960
their local intelligence officer

166
00:07:17,960 --> 00:07:19,700
is like sitting on their phone.

167
00:07:20,300 --> 00:07:21,220
It's a crazy change.

168
00:07:21,820 --> 00:07:23,360
Okay, so who are the people

169
00:07:23,360 --> 00:07:25,700
that are abusing this technology the most?

170
00:07:25,800 --> 00:07:29,320
Like, is this the kind of behemoth countries

171
00:07:29,320 --> 00:07:31,660
like the USA, or is it the people

172
00:07:31,660 --> 00:07:33,560
who are trying to fight dissidents in their country,

173
00:07:33,640 --> 00:07:34,520
like authoritarian regimes

174
00:07:34,520 --> 00:07:35,680
trying to fight dissidents in their country.

175
00:07:35,780 --> 00:07:37,620
Yeah. The answer is like, yes.

176
00:07:37,800 --> 00:07:38,120
Everyone.

177
00:07:38,300 --> 00:07:41,100
And different countries have different trajectories

178
00:07:41,100 --> 00:07:41,800
with this technology.

179
00:07:41,800 --> 00:07:44,100
But I think a lot of people listening to this

180
00:07:44,100 --> 00:07:45,140
will have heard of Pegasus.

181
00:07:45,320 --> 00:07:46,520
And probably in the back of their mind,

182
00:07:46,800 --> 00:07:48,480
they associate it either with a prominent case,

183
00:07:48,540 --> 00:07:50,180
like the murder of Jamal Khashoggi,

184
00:07:50,520 --> 00:07:53,860
or with the idea of spyware being sold to dictators

185
00:07:53,860 --> 00:07:55,280
who then abuse it.

186
00:07:55,600 --> 00:08:00,500
The truth is there are two distinct piles of abuse cases.

187
00:08:01,220 --> 00:08:05,960
One set come from dictators who predictably use this technology to monitor their opposition,

188
00:08:06,220 --> 00:08:09,880
or like the then president of Panama, like monitoring his mistress too, and maybe his

189
00:08:09,880 --> 00:08:10,520
business rivals.

190
00:08:10,660 --> 00:08:11,300
Why not, right?

191
00:08:12,160 --> 00:08:18,140
The second category is democracies or democracies on paper, teetering on the edge of authoritarianism

192
00:08:18,140 --> 00:08:19,560
that acquire this technology.

193
00:08:19,560 --> 00:08:23,380
And the temptation to abuse it is enormous.

194
00:08:24,000 --> 00:08:24,600
Think about it.

195
00:08:24,640 --> 00:08:25,760
And think about what we know from history, right?

196
00:08:25,760 --> 00:08:28,680
When a state gets a secret surveillance power,

197
00:08:29,200 --> 00:08:30,980
they will often abuse it.

198
00:08:31,340 --> 00:08:32,380
It's a matter of time.

199
00:08:32,840 --> 00:08:36,060
And so what scares me about Pegasus

200
00:08:36,060 --> 00:08:37,680
and similar spyware is not just,

201
00:08:38,140 --> 00:08:41,760
oh man, the dictators of the world can flex their power

202
00:08:41,760 --> 00:08:45,340
and do so far across the constraints

203
00:08:45,340 --> 00:08:46,380
of their geography, right?

204
00:08:47,040 --> 00:08:49,360
But that democratic societies

205
00:08:49,360 --> 00:08:52,060
are also at risk from this technology.

206
00:08:52,400 --> 00:08:54,340
They're at risk because this temptation

207
00:08:54,340 --> 00:08:57,340
to have a Stasi-like capability is just way too big.

208
00:08:57,460 --> 00:08:58,120
Way too powerful.

209
00:08:58,420 --> 00:08:59,040
Way too powerful.

210
00:08:59,140 --> 00:09:03,040
And this is kind of a hard question, I think, to answer.

211
00:09:03,200 --> 00:09:06,620
Is like, where is the line in terms of state surveillance

212
00:09:06,620 --> 00:09:09,760
being not necessarily okay, but acceptable?

213
00:09:10,240 --> 00:09:13,240
Like nation states are going to try and monitor

214
00:09:13,240 --> 00:09:16,960
and track criminals and like terrorists,

215
00:09:17,160 --> 00:09:18,060
whoever that might be.

216
00:09:18,180 --> 00:09:19,980
But when does that creep over the line

217
00:09:19,980 --> 00:09:21,980
to be they're spying on all citizens

218
00:09:21,980 --> 00:09:23,840
just in case you're a terrorist or a criminal?

219
00:09:23,840 --> 00:09:24,240
Just in case.

220
00:09:24,340 --> 00:09:26,800
You're asking a really good question.

221
00:09:26,800 --> 00:09:32,240
Now, if you look at the marketing materials for NSO or similar categories of spyware,

222
00:09:32,240 --> 00:09:36,900
we've been doing work on this spyware for more than a decade.

223
00:09:36,900 --> 00:09:42,060
And what we find is that the marketing is, they call it lawful intercept software, right?

224
00:09:42,060 --> 00:09:46,380
The premise being, well, if a police service is doing it, it's lawful.

225
00:09:46,380 --> 00:09:51,740
The implication is, well, police need to be technologically enabled to chase bad actors

226
00:09:51,740 --> 00:09:53,900
down deep all the way to Hades, right?

227
00:09:53,900 --> 00:09:56,300
So it's an intuitive thing for people.

228
00:09:56,300 --> 00:10:01,300
The challenge with the technology is that it often arrives into countries that don't

229
00:10:01,300 --> 00:10:07,580
have anything like the legal oversight mechanisms, judicial mechanisms, warrant systems, to ensure

230
00:10:07,580 --> 00:10:11,340
that people in that country, like their rights, their choices about the kinds of power that

231
00:10:11,340 --> 00:10:14,480
they want to give their government are being respected.

232
00:10:14,480 --> 00:10:19,620
Moreover, because the industry is itself like just like an absolute morass and a pig maw

233
00:10:19,620 --> 00:10:23,920
of secrecy, people don't usually know

234
00:10:23,920 --> 00:10:25,380
when their governments are using this technology

235
00:10:25,380 --> 00:10:27,120
until we, my brilliant colleagues,

236
00:10:27,120 --> 00:10:29,460
other people who are working in our space,

237
00:10:29,460 --> 00:10:31,600
investigate and we find abuses.

238
00:10:31,600 --> 00:10:32,440
That's a problem.

239
00:10:32,440 --> 00:10:36,540
I believe firmly that citizens need to know

240
00:10:37,500 --> 00:10:40,960
the constraints, the limits on the power of the state.

241
00:10:40,960 --> 00:10:43,740
How long are the state's digital arms?

242
00:10:43,740 --> 00:10:47,140
And technology like Pegasus means that those arms

243
00:10:47,140 --> 00:10:49,600
are often way longer than people realize.

244
00:10:49,600 --> 00:10:51,260
with huge implications for their freedom.

00:13:04,080 --> 00:13:06,320
Can I, this is a little bit of a tangent,

285
00:13:06,460 --> 00:13:09,260
but I'm sure you followed the Tucker Carlson story.

286
00:13:09,420 --> 00:13:11,000
I don't know when this was, maybe like a year ago.

287
00:13:11,460 --> 00:13:13,880
I think it was when he was going out to Russia to interview Putin.

288
00:13:14,680 --> 00:13:17,460
And he claims that his Signal account was hacked.

289
00:13:17,680 --> 00:13:19,620
I personally highly doubt that.

290
00:13:20,140 --> 00:13:23,860
I assumed at the time that that was actually that he had Pegasus on his phone.

291
00:13:24,460 --> 00:13:27,360
Do you know what the likely scenario that was?

292
00:13:27,680 --> 00:13:28,460
It's an interesting question.

293
00:13:28,460 --> 00:13:34,920
So one caveat, which is I can't speak about cases that my colleagues or I haven't looked at.

294
00:13:35,000 --> 00:13:36,480
I don't know what's going on there.

295
00:13:36,760 --> 00:13:43,420
But what I can tell you is governments everywhere have an appetite for using this kind of technology.

296
00:13:43,640 --> 00:13:48,180
And if there's one thing we know, it's that you, especially if you're a prominent person,

297
00:13:48,500 --> 00:13:50,920
may have multiple governments that are interested in you.

298
00:13:51,140 --> 00:13:57,000
So we talk about proliferation, like a term from the monitoring of the proliferation of arms.

299
00:13:57,000 --> 00:14:01,820
right? Like, it's a bad thing. Like, if sophisticated weapon systems go everywhere,

300
00:14:02,340 --> 00:14:06,760
conflicts are bloodier, and there are more of them. It's like an axiom. I think the same is

301
00:14:06,760 --> 00:14:12,060
true for sophisticated surveillance powers. And my view about cases like what Tucker Carlson

302
00:14:12,060 --> 00:14:18,460
claimed and others have said is that if you are sideways to the interests of a state right now,

303
00:14:19,140 --> 00:14:22,660
and that state is technologically enabled with this kind of powerful stuff,

304
00:14:22,660 --> 00:14:27,760
There's like a reasonable chance that something is on your device. And the thing is, you won't know.

305
00:14:28,480 --> 00:14:32,220
The absurdity of the scenario right now is there's no commercial tool you can buy

306
00:14:32,620 --> 00:14:36,600
that will protect you from this. There's no third-party app that you can put on your phone

307
00:14:36,600 --> 00:14:38,760
that will scan it and tell you with high confidence

308
00:14:39,580 --> 00:14:44,280
you're clean or you're not clean. And so you have a scenario where people are walking around

309
00:14:45,460 --> 00:14:47,460
with the awareness, and sometimes without it,

310
00:14:47,980 --> 00:14:50,580
somebody could just be in my shit at any time.

311
00:14:51,140 --> 00:14:56,580
That's dangerous. It's dangerous to thought. It's dangerous to the ties that bind us together,

312
00:14:56,580 --> 00:15:01,940
our ability to safely share what we think, our private explorations of knowledge and ideas on the internet, and

313
00:15:02,200 --> 00:15:08,640
ultimately, it leads to self-censorship, and it's not like an abstraction. So the movie The Dissident,

314
00:15:09,140 --> 00:15:11,540
I'm not Bryan Fogel, really good movie.

315
00:15:12,140 --> 00:15:17,420
That movie had a huge, huge challenge getting picked up by American

316
00:15:17,420 --> 00:15:22,720
distributors. Fogel was just coming off an Oscar for another movie that he'd done. Why? Well, it

317
00:15:22,720 --> 00:15:29,460
did the story of Jamal Khashoggi getting hacked with Pegasus. Excuse me, people around Jamal

318
00:15:29,460 --> 00:15:34,260
Khashoggi getting hacked with Pegasus. We don't know the status of Jamal's phone because it's in

319
00:15:34,260 --> 00:15:38,940
the, says he like the Turkish authorities, but everybody around him seems to have been targeted.

320
00:15:39,060 --> 00:15:44,700
His wife, his fiancée, his friends, his colleagues. Why didn't that movie get picked up?

321
00:15:44,700 --> 00:15:46,320
They don't want that guy now, then.

322
00:15:46,700 --> 00:15:50,020
Well, I think movie executives

323
00:15:50,020 --> 00:15:51,820
were themselves terrified

324
00:15:51,820 --> 00:15:53,820
by the story of Jeff Bezos, right?

325
00:15:53,860 --> 00:15:55,960
The idea that your business, too,

326
00:15:56,500 --> 00:15:57,940
could be rifled in by Saudi Arabia,

327
00:15:58,040 --> 00:15:59,900
even if you're sitting pretty in a studio

328
00:15:59,900 --> 00:16:01,500
in Southern California

329
00:16:01,500 --> 00:16:04,340
enjoying the clement breezes of Malibu, right?

330
00:16:04,920 --> 00:16:07,900
You still ran the risk of your personal world

331
00:16:07,900 --> 00:16:09,900
being dumped out on the, you know,

332
00:16:10,040 --> 00:16:11,440
shiny aluminum table

333
00:16:11,440 --> 00:16:13,900
of a dictator's security services

334
00:16:13,900 --> 00:16:16,400
halfway across the globe and then have that used against you.

335
00:16:17,120 --> 00:16:21,260
This stuff has huge global implications because of that idea that they can sort of project

336
00:16:21,260 --> 00:16:21,900
power.

337
00:16:21,980 --> 00:16:23,140
We talked about proliferation a second ago.

338
00:16:23,280 --> 00:16:29,540
Like we view the proliferation of ballistic missiles as generally a bad thing, right?

339
00:16:29,540 --> 00:16:32,860
Because of their range in part and because of the things that they can carry.

340
00:16:33,100 --> 00:16:36,040
Well, spyware has like infinite range, right?

341
00:16:36,160 --> 00:16:37,020
This is terrifying.

342
00:16:37,240 --> 00:16:41,560
It used to be that if you were a dissident, like in Egypt, for example, you could seek

343
00:16:41,560 --> 00:16:42,980
the protections of geography.

344
00:16:42,980 --> 00:16:45,680
You could, if you get out of that country, you could go somewhere.

345
00:16:45,680 --> 00:16:48,260
You go to the United States and you could be reasonably safe.

346
00:16:48,260 --> 00:16:57,860
You weren't going to have 15 Egyptian security officers in ill-fitting trench coats and polyester suits following you around in like, you know, Memphis, Tennessee.

347
00:16:57,860 --> 00:16:58,860
Yeah.

348
00:16:58,860 --> 00:16:59,860
Couldn't happen.

349
00:16:59,860 --> 00:17:01,800
That's not true anymore, right?

350
00:17:01,800 --> 00:17:05,660
You have this thought in the back of your mind, if you're a dissident, those-

351
00:17:05,660 --> 00:17:06,660
You can always be touched.

352
00:17:06,660 --> 00:17:08,660
They, and if not me, it's my spouse.

353
00:17:08,660 --> 00:17:09,720
It's my friends.

354
00:17:09,720 --> 00:17:12,560
It's the global village of people who I'm in touch with.

355
00:17:12,560 --> 00:17:14,320
That's a terrifying and dangerous reality.

356
00:17:14,320 --> 00:17:17,320
So in that reality, is the only solution,

357
00:17:17,320 --> 00:17:19,720
if you're like a high-flying tech executive,

358
00:17:19,720 --> 00:17:21,320
if you're like a politically exposed person,

359
00:17:21,320 --> 00:17:24,720
you're a journalist who's like writing about whatever,

360
00:17:24,720 --> 00:17:25,800
to just not have a phone?

361
00:17:27,640 --> 00:17:29,080
Except that's impractical.

362
00:17:29,080 --> 00:17:31,920
And so the reality is everybody's got a phone.

363
00:17:33,000 --> 00:17:36,280
Most people don't know like the status of their phone,

364
00:17:36,280 --> 00:17:37,880
but they think about it somewhere,

365
00:17:37,880 --> 00:17:40,280
whether it's a pebble in their mental shoe

366
00:17:40,280 --> 00:17:42,440
or a general sense of foreboding.

367
00:17:42,440 --> 00:17:46,360
So we check hundreds, thousands of people a year.

368
00:17:46,780 --> 00:17:53,200
We screen them for spyware like Pegasus, Paragon's Graphite, Predator, all kinds of things.

369
00:17:54,100 --> 00:17:58,420
Something really interesting happens when you check a person's phone for a spyware and you give them the result.

370
00:17:59,680 --> 00:18:05,600
I thought when I first started doing like large scale checks with my colleagues, you know, I have these incredibly big colleagues.

371
00:18:05,600 --> 00:18:11,360
And they, they, one of my colleagues, Bill, developed an amazing technique that we automate

372
00:18:11,360 --> 00:18:17,400
for checking phones for mercenary spyware, like Pegasus, Androids, iPhones.

373
00:18:17,400 --> 00:18:22,100
I thought, okay, the super majority of people we check are going to be negative.

374
00:18:22,100 --> 00:18:24,940
They're going to be clean for the things that we check for, according to what we know, right?

375
00:18:24,940 --> 00:18:27,140
Like it's very possible that there are things we don't know to look for.

376
00:18:27,140 --> 00:18:29,580
And I thought, well, people are going to feel like their time is wasted, right?

377
00:18:29,580 --> 00:18:30,580
I'm wasting people's time.

378
00:18:30,580 --> 00:18:31,840
I've convinced them to get checked, right?

379
00:18:31,840 --> 00:18:33,740
We got a line of people and I'm giving them,

380
00:18:34,700 --> 00:18:37,140
in my mindset, the bad news that they wasted their time.

381
00:18:38,100 --> 00:18:41,000
Most people like getting a result

382
00:18:41,000 --> 00:18:42,580
and they like getting a clear result

383
00:18:42,580 --> 00:18:43,780
because they have carried with them,

384
00:18:43,840 --> 00:18:44,940
whether they realize it or not,

385
00:18:45,260 --> 00:18:48,900
some baggage bubbling in the lower bits

386
00:18:48,900 --> 00:18:50,520
of their consciousness or way up front.

387
00:18:50,720 --> 00:18:53,520
And suddenly we can say, look, now you have knowledge.

388
00:18:53,580 --> 00:18:57,940
Now, the really crazy thing is I was equally afraid

389
00:18:57,940 --> 00:19:01,020
of having a scenario where I would have to tell person

390
00:19:01,020 --> 00:19:06,040
the bad news, which I do every year again and again and again, whether it's a phone call or

391
00:19:06,040 --> 00:19:10,300
it's an in-person conversation. I have to tell them, listen, you didn't know it at the time,

392
00:19:10,800 --> 00:19:14,420
but your digital world was not your own. There was somebody in bed with you when you were talking

393
00:19:14,420 --> 00:19:17,880
with your spouse. There was somebody in the room when you were taking a shit. There was somebody

394
00:19:17,880 --> 00:19:23,160
watching as you were thinking about your finances or your health or somebody looking at you as you

395
00:19:23,160 --> 00:19:28,160
were trying to understand the challenges of your adolescent kid, right? It is very traumatic to

396
00:19:28,160 --> 00:19:33,900
receive that news. But there was this one moment. So I was doing an investigation with my colleagues

397
00:19:33,900 --> 00:19:40,920
into the abuse of Pegasus spyware in Togo, small country in Africa. If Africa is like an ice cream

398
00:19:40,920 --> 00:19:44,560
cone with two balls, Togo is sort of on the second ball. It's kind of over here. Very, very small

399
00:19:44,560 --> 00:19:52,660
little notch of a country, French speaking. And I had to call up a bishop, a Catholic bishop,

400
00:19:52,660 --> 00:19:56,340
and let him know that he had been targeted with Pegasus.

401
00:19:56,740 --> 00:19:58,400
I'd never called a bishop before.

402
00:19:59,440 --> 00:20:00,540
What's that conversation like?

403
00:20:00,580 --> 00:20:03,720
So I call him up, introduce myself.

404
00:20:04,580 --> 00:20:05,500
I give him this result.

405
00:20:05,860 --> 00:20:07,440
It's this sort of long pause.

406
00:20:07,860 --> 00:20:09,980
And I don't know what to do with myself in this moment,

407
00:20:10,160 --> 00:20:10,600
feeling everything.

408
00:20:11,720 --> 00:20:12,960
And then he thanks me.

409
00:20:13,620 --> 00:20:16,800
And he says, I'll never forget what he says.

410
00:20:16,800 --> 00:20:21,540
He says, thank you for bringing me this truth

411
00:20:21,540 --> 00:20:26,340
in a dictatorship, we don't have a lot of it.

412
00:20:26,780 --> 00:20:29,840
And it's like being in a place without a lot of oxygen.

413
00:20:30,200 --> 00:20:32,340
You just gave me a breath of truth.

414
00:20:32,560 --> 00:20:34,280
You gave me a breath of oxygen.

415
00:20:34,900 --> 00:20:35,540
Thank you.

416
00:20:37,000 --> 00:20:38,020
That's super powerful.

417
00:20:38,560 --> 00:20:40,680
It's funny, when you sort of started that,

418
00:20:40,720 --> 00:20:41,940
I thought you were going to say something different.

419
00:20:42,060 --> 00:20:43,160
I thought you were going to say,

420
00:20:43,480 --> 00:20:46,200
when people receive the result and it's negative,

421
00:20:46,460 --> 00:20:47,420
they would be disappointed

422
00:20:47,420 --> 00:20:50,120
in the sense that maybe I'm not pushing hard enough.

423
00:20:50,120 --> 00:20:51,580
Like I thought they would be watching me.

424
00:20:51,820 --> 00:20:52,580
Some people are.

425
00:20:52,940 --> 00:20:53,620
And there's like a category.

426
00:20:53,620 --> 00:20:54,280
I think I would be.

427
00:20:55,200 --> 00:20:56,620
If I should find out.

428
00:20:57,020 --> 00:20:57,420
Should we?

429
00:20:57,880 --> 00:20:58,540
Can you find out?

430
00:20:58,740 --> 00:21:00,420
So maybe I would love to do that.

431
00:21:00,460 --> 00:21:01,020
Can we do it now?

432
00:21:01,220 --> 00:21:02,060
We can do it right now.

433
00:21:02,120 --> 00:21:02,800
How long does it take?

434
00:21:04,580 --> 00:21:05,720
10 minutes, 15 minutes.

435
00:21:05,940 --> 00:21:06,500
Let's do it.

436
00:21:06,780 --> 00:21:07,300
Should we do it?

437
00:21:07,500 --> 00:21:08,360
Should we break and do it?

438
00:21:08,400 --> 00:21:08,880
And then we can see what happens.

439
00:21:08,880 --> 00:21:09,540
Here's what we're going to do.

440
00:21:09,920 --> 00:21:10,860
We're going to check you

441
00:21:10,860 --> 00:21:13,200
and we're going to have to turn these things off.

442
00:21:13,300 --> 00:21:13,460
Yeah.

443
00:21:13,580 --> 00:21:15,540
Is that because what you do is...

444
00:21:15,540 --> 00:21:16,900
So the challenge,

445
00:21:16,900 --> 00:21:21,700
It's like doing a rapid test for like, I don't know, strep throat.

446
00:21:21,700 --> 00:21:26,500
The difference is that like strep can read all the scientific papers, right?

447
00:21:26,500 --> 00:21:29,080
It would be as if strep was like looking at how the test works.

448
00:21:29,080 --> 00:21:31,000
It's like, all right, I got to change myself a little bit, right?

449
00:21:31,000 --> 00:21:35,920
So there's some chance that somebody from NSO, hi guys, is watching this conversation,

450
00:21:35,920 --> 00:21:41,260
hoping that I will emit a little signal that lets them know the ways that we're checking.

451
00:21:41,260 --> 00:21:42,940
So we should turn things off for a minute.

452
00:21:42,940 --> 00:21:48,200
So we can do a check, have the process bubbling along, and then maybe a little bit later, get

453
00:21:48,200 --> 00:21:49,200
your result.

454
00:21:49,200 --> 00:21:50,200
All right, let's do it.

455
00:21:50,200 --> 00:21:51,200
Let's break it.

456
00:21:51,200 --> 00:21:52,200
All right.

457
00:21:52,200 --> 00:21:53,200
So we were in-

458
00:21:53,200 --> 00:21:54,200
The audio works-

459
00:21:54,200 --> 00:21:55,200
You've got your thing running away.

460
00:21:55,200 --> 00:21:56,200
We're going to find out-

461
00:21:56,200 --> 00:21:57,200
Chugging along.

462
00:21:57,200 --> 00:21:58,200
If Pegasus is on my phone.

463
00:21:58,200 --> 00:21:59,200
Answers are about ready.

464
00:21:59,200 --> 00:22:03,200
I seriously doubt I have Pegasus on my phone, but I'm excited to find out.

465
00:22:03,200 --> 00:22:06,320
I don't think I'm the kind of person that anyone would want to target.

466
00:22:06,320 --> 00:22:10,160
Let me just do the weirdest thing and be the one asking you a question for a second, which

467
00:22:10,160 --> 00:22:13,460
is I think part of the value of this

468
00:22:13,540 --> 00:22:16,660
for people who are watching this is most of us go around every day

469
00:22:16,740 --> 00:22:19,040
without the knowledge of what's going on in our phone.

470
00:22:19,100 --> 00:22:22,640
Yeah. And maybe they're wondering right now,

471
00:22:22,700 --> 00:22:24,100
like, is Pegasus on my phone?

472
00:22:24,180 --> 00:22:25,800
And if you're watching this,

473
00:22:25,880 --> 00:22:27,380
like take a minute to think about what you're feeling,

474
00:22:27,440 --> 00:22:29,840
but what are you feeling right now as you're thinking about this?

475
00:22:29,920 --> 00:22:30,920
Like, what has this triggered in you?

476
00:22:30,980 --> 00:22:33,580
Honestly, I think I'm probably treating it quite flippantly

477
00:22:33,660 --> 00:22:35,780
because I'm very confident it's not going to be on there.

478
00:22:35,860 --> 00:22:37,860
Like, I don't think I'm interesting enough to anyone

479
00:22:37,920 --> 00:22:39,160
for it to be on there.

480
00:22:39,160 --> 00:22:42,000
But that might turn out to be a really naive take.

481
00:22:42,080 --> 00:22:44,360
But maybe that comes down to, like,

482
00:22:44,440 --> 00:22:46,120
who are the people being targeted?

483
00:22:46,200 --> 00:22:49,800
Like, would it ever be just like a relatively,

484
00:22:49,880 --> 00:22:51,000
like, just a normal person?

485
00:22:51,080 --> 00:22:52,920
Absolutely. And I've talked to a lot of them.

486
00:22:53,880 --> 00:22:54,840
Here's the thing.

487
00:22:54,920 --> 00:22:58,520
So it's like dating in your 20s in reverse.

488
00:22:58,600 --> 00:23:11,682
So when I was in my 20s trying to date, I was often saying, it's not you, it's me. Spyware, the other way around. It's not me, it's you. You are as interesting and as likely to be targeted

489
00:23:11,682 --> 00:23:14,023
as the most interesting person that you know.

490
00:23:14,723 --> 00:23:15,402
Why is that?

491
00:23:16,142 --> 00:23:17,682
Well, think about it like this.

492
00:23:18,142 --> 00:23:20,523
If I'm a government and I want to catch you

493
00:23:20,523 --> 00:23:21,763
in unguarded moments, I want to know

494
00:23:21,763 --> 00:23:22,902
what you think potentially, right?

495
00:23:22,963 --> 00:23:24,303
I've got a set of questions about you.

496
00:23:25,223 --> 00:23:29,642
Maybe you're being careful, but are you forcing,

497
00:23:29,642 --> 00:23:31,842
Are you enforcing that carefulness on everyone around you?

498
00:23:31,842 --> 00:23:32,943
No, it's impossible.

499
00:23:32,943 --> 00:23:35,642
And so we would call this off-center targeting.

500
00:23:35,642 --> 00:23:38,142
It may be that you are at your most unguarded

501
00:23:38,142 --> 00:23:40,063
when talking to the people around you.

502
00:23:40,063 --> 00:23:41,822
I think that would probably be true to almost everyone.

503
00:23:41,822 --> 00:23:42,963
Exactly.

504
00:23:42,963 --> 00:23:45,783
Because we exist in communities and in groups.

505
00:23:45,783 --> 00:23:48,822
One of the biggest challenges that I think people have

506
00:23:48,822 --> 00:23:51,463
when they get interested in privacy and safety

507
00:23:51,463 --> 00:23:54,002
is they think about it in this frame of my phone.

508
00:23:54,002 --> 00:23:56,362
How locked down is my phone?

509
00:23:56,362 --> 00:23:58,303
But every conversation happens with another person

510
00:23:58,303 --> 00:24:01,223
or a group of people, how locked down are they, right?

511
00:24:01,342 --> 00:24:04,943
You can't really ask them to be as obsessively locked down

512
00:24:04,943 --> 00:24:08,002
as, you know, the Bitcoin Core woman who's got,

513
00:24:08,063 --> 00:24:09,842
you know, she's got Graphene and she's like only,

514
00:24:10,023 --> 00:24:11,382
you know, she's compiling everything herself

515
00:24:11,382 --> 00:24:12,742
and she's verifying all the builds, right?

516
00:24:12,783 --> 00:24:15,983
Like that's not reasonable for most people.

517
00:24:15,983 --> 00:24:19,963
And the economics of spyware benefits from that fact.

518
00:24:20,283 --> 00:24:23,422
There's a second category of risk from this technology,

519
00:24:23,422 --> 00:24:29,422
which is it keeps showing up being used by actors that didn't develop it.

520
00:24:30,063 --> 00:24:35,182
What do I mean? So twice now that we know about, thanks to some research from Google's

521
00:24:35,822 --> 00:24:42,622
like threat analysis team, um, exploits, which are the techniques used to put spyware on a device.

522
00:24:42,622 --> 00:24:45,502
Yeah. So very sophisticated exploits. We call them this case like zero-click,

523
00:24:45,502 --> 00:24:49,582
which means that there's no interaction required by the victim. It's just like one minute you're

524
00:24:49,582 --> 00:24:52,703
chugging along, the next minute your phone is hacked.

525
00:24:52,703 --> 00:24:54,862
Oh, so I had the complete misunderstanding about this.

526
00:24:54,862 --> 00:24:55,862
Oh, let's talk about this.

527
00:24:55,862 --> 00:24:59,822
Because I thought this was coming from, like, dubious emails

528
00:24:59,822 --> 00:25:01,023
that you accidentally click away,

529
00:25:01,023 --> 00:25:03,023
and that's how Pegasus actually got on your phone.

530
00:25:03,023 --> 00:25:04,422
Let's pull back for a second.

531
00:25:04,422 --> 00:25:06,983
So back in the day, it did.

532
00:25:06,983 --> 00:25:09,223
Back in the day, the way that you would infect somebody

533
00:25:09,223 --> 00:25:11,342
with Pegasus, typically, was by sending them a text message.

534
00:25:11,342 --> 00:25:13,263
So in the earliest days, our earliest investigations,

535
00:25:13,263 --> 00:25:16,862
the biggest one that we did, me and a group of my colleagues

536
00:25:16,862 --> 00:25:20,182
and then collaborators at three different Mexican civil society organizations,

537
00:25:20,283 --> 00:25:22,902
organizations working with dissidents and journalists,

538
00:25:23,523 --> 00:25:26,783
organizations working with the families of people who've been disappeared by cartels.

539
00:25:28,043 --> 00:25:34,422
We found that the Mexican government had been an extensive abuser of Pegasus spyware.

540
00:25:34,922 --> 00:25:35,742
How did they infect people?

541
00:25:35,842 --> 00:25:37,002
Well, they would send them text messages.

542
00:25:37,142 --> 00:25:40,162
Well, if you're sending a person a text message and you're a hacker,

543
00:25:40,162 --> 00:25:43,182
you really want them to click, and you're a government, you know a lot about them.

544
00:25:43,662 --> 00:25:45,902
So the messages would be like hyper-personalized.

545
00:25:46,862 --> 00:25:48,763
Maybe it's like, hey, your name just showed up in a news article.

546
00:25:48,842 --> 00:25:49,543
Check this out, right?

547
00:25:50,063 --> 00:25:53,602
Or a message appearing to come from the phone company about your phone balance.

548
00:25:53,642 --> 00:25:54,322
You're running out, right?

549
00:25:54,862 --> 00:26:00,162
Or, hey, name, your daughter, correctly name, just got in a traffic accident.

550
00:26:00,283 --> 00:26:02,182
I'm just letting you know she's in this hospital.

551
00:26:02,322 --> 00:26:04,263
Here's the map point to it, right?

552
00:26:04,342 --> 00:26:05,242
That shit happened.

553
00:26:05,582 --> 00:26:10,902
Or, yo, name, I just saw your wife having sex with somebody.

554
00:26:11,303 --> 00:26:12,382
You're not going to believe this.

555
00:26:12,502 --> 00:26:13,463
Here's the video, right?

556
00:26:13,463 --> 00:26:17,502
very personalized, very deeply enmeshed.

557
00:26:17,502 --> 00:26:19,882
That was true for years.

558
00:26:19,882 --> 00:26:21,783
And for years, the way that we would find Pegasus

559
00:26:21,783 --> 00:26:23,723
was actually by looking for the targeting, right?

560
00:26:23,882 --> 00:26:26,263
Now, when they would infect a phone successfully,

561
00:26:26,263 --> 00:26:27,582
they would often delete the message.

562
00:26:28,203 --> 00:26:29,402
But the infections didn't always work.

563
00:26:29,642 --> 00:26:31,123
They weren't always careful about it.

564
00:26:31,182 --> 00:26:33,382
And so we would find kind of like, you know,

565
00:26:33,742 --> 00:26:36,402
yeah, you find like the burglar

566
00:26:36,402 --> 00:26:38,842
has left his skeleton key in the door, right?

567
00:26:38,842 --> 00:26:43,842
But starting in like the end of the 19,

568
00:26:44,023 --> 00:26:44,763
the end of the teens,

569
00:26:45,682 --> 00:26:48,223
NSO started selling zero-click capability.

570
00:26:48,362 --> 00:26:50,742
So this means you're just chugging along

571
00:26:50,742 --> 00:26:52,882
and then your phone is compromised.

572
00:26:53,362 --> 00:26:55,763
Nothing you see, nothing you do,

573
00:26:55,922 --> 00:26:58,703
no flickering screen, no sudden drain of battery,

574
00:26:59,002 --> 00:27:01,002
no warning sign, no link to click,

575
00:27:01,123 --> 00:27:02,723
no attachment to open.

576
00:27:02,882 --> 00:27:03,602
You're just compromised.

577
00:27:03,882 --> 00:27:05,402
And do we know how they actually do that?

578
00:27:05,543 --> 00:27:07,303
We do because we keep catching them

579
00:27:07,303 --> 00:27:09,482
despite their claims about being untraceable.

580
00:27:09,943 --> 00:27:13,642
So in 2019, we worked on a very big case

581
00:27:13,642 --> 00:27:17,322
where NSO was providing a technology

582
00:27:17,322 --> 00:27:19,223
that allowed for hacking people through WhatsApp.

583
00:27:20,162 --> 00:27:22,362
In this case, it was through like a missed video call.

584
00:27:23,263 --> 00:27:26,563
And the first case that we really came across

585
00:27:26,563 --> 00:27:31,063
was a lawyer who was representing other Pegasus victims.

586
00:27:32,002 --> 00:27:35,563
And he was like having these weird...

587
00:27:35,563 --> 00:27:41,602
half dreams where he would like wake up in the middle of the night and there'd be like a notification

588
00:27:41,602 --> 00:27:47,063
on his phone, like missed call. And he'd be like, all right, I'll like figure it out in the morning.

589
00:27:47,842 --> 00:27:52,723
And then he'd wake up and the notification would be gone. And he probably thought, you know,

590
00:27:52,842 --> 00:27:57,742
maybe I'm going bananas, right? Like I've got to, you know, tone down the Ambien dose here.

591
00:27:58,822 --> 00:28:04,362
It turned out that NSO had acquired a very sophisticated exploit and done a lot of development

592
00:28:04,362 --> 00:28:10,703
to work on it. And this allowed them to use WhatsApp as the means of entry onto the device.

593
00:28:10,742 --> 00:28:15,023
And then they would put the spyware onto the device. So what they figured out was like, you

594
00:28:15,023 --> 00:28:18,982
know, when a phone connects to another phone on a WhatsApp call, right, there's a bunch of stuff

595
00:28:18,982 --> 00:28:22,763
happening. It's like a handshake, like a modem tone for those who are that old. You could put

596
00:28:22,763 --> 00:28:28,543
all kinds of other stuff into that communication that would be the leading wedge of infecting a

597
00:28:28,543 --> 00:28:48,822
And what we've seen time and time again is that companies like NSO and others look to popular chat programs, iMessage, WhatsApp, FaceTime, Calendar Sync things that have a sort of a cloud component and a discovery component where devices are a little vulnerable with each other, right?

598
00:28:48,822 --> 00:28:49,703
They're exposing something.

599
00:28:49,783 --> 00:28:50,482
They've got to do something.

600
00:28:50,563 --> 00:28:53,382
They've got to pass an avatar of the caller to the other phone.

601
00:28:53,382 --> 00:28:56,362
They've got to do something during that call sequence

602
00:28:56,362 --> 00:28:58,543
that they can then target for developing

603
00:28:58,543 --> 00:29:01,043
sophisticated means to put spyware on a device.

604
00:29:01,102 --> 00:29:04,223
But it means that there's nothing behavioral

605
00:29:04,223 --> 00:29:06,402
that you can do to protect yourself,

606
00:29:06,543 --> 00:29:08,963
which is a bananas reality.

607
00:29:09,162 --> 00:29:10,822
And it's why this stuff is so concerning.

608
00:29:11,023 --> 00:29:13,203
It really is like push button.

609
00:29:13,402 --> 00:29:15,362
I'm in your closet, in your underwear drawer,

610
00:29:15,463 --> 00:29:16,123
in your business.

611
00:29:16,502 --> 00:29:16,662
Yeah.

612
00:29:16,902 --> 00:29:18,623
So, I mean, that's terrifying.

613
00:29:19,502 --> 00:29:22,023
And you have checked hundreds, thousands,

614
00:29:22,023 --> 00:29:23,182
however many devices.

615
00:29:24,362 --> 00:29:27,182
Have you ever been targeted by any of these things?

616
00:29:27,723 --> 00:29:31,682
So there's sort of an interesting thing that's going on.

617
00:29:31,763 --> 00:29:33,563
Because you must be a massive thorn in their side.

618
00:29:33,723 --> 00:29:34,642
They'll know about you for sure.

619
00:29:34,822 --> 00:29:35,982
Yes, we're more than a pebble in this shoe.

620
00:29:36,102 --> 00:29:37,842
Me and my very talented colleagues.

621
00:29:37,963 --> 00:29:38,523
I'm going to tell you a story.

622
00:29:40,402 --> 00:29:45,303
2019, a colleague of mine, Bahar,

623
00:29:46,402 --> 00:29:49,502
gets a guy reaching out to him and is like,

624
00:29:49,502 --> 00:29:53,862
hey, I would like your help coming up with a project

625
00:29:53,862 --> 00:29:57,842
to provide financial solutions to unbanked refugees,

626
00:29:58,203 --> 00:29:59,902
which is a noble idea.

627
00:30:00,902 --> 00:30:03,882
Bahar, refugee from Syria himself, was interested.

628
00:30:04,023 --> 00:30:04,943
So he takes a meeting with this guy,

629
00:30:05,642 --> 00:30:07,623
goes to a fancy hotel to have a meal.

630
00:30:08,303 --> 00:30:10,002
But in the course of that conversation,

631
00:30:10,082 --> 00:30:11,922
the guy starts asking some really weird questions.

632
00:30:13,263 --> 00:30:14,263
What's your father's name?

633
00:30:14,303 --> 00:30:15,162
What's your mother's name?

634
00:30:15,223 --> 00:30:16,602
Tell me about your religion, right?

635
00:30:16,602 --> 00:30:19,303
All this like weird, no investor's asking those questions.

636
00:30:19,502 --> 00:30:25,642
Bahar's backstory is that he had been imprisoned and tortured by the Syrian regime before he successfully fled.

637
00:30:26,002 --> 00:30:33,543
He knew what it was like talking to an intelligence operative. He smelled it. He could feel it. And so he listened,

638
00:30:34,203 --> 00:30:39,002
excused himself and called me and said, John, I think I was just in a meeting with a spy.

639
00:30:39,422 --> 00:30:45,682
So we immediately started digging into this guy's identity and we discovered he was a ghost. The name,

640
00:30:45,682 --> 00:30:49,402
it wasn't real, profile picture, the company.

641
00:30:49,803 --> 00:30:51,482
None of these things seemed to really exist.

642
00:30:52,342 --> 00:30:53,703
So who had targeted my colleague?

643
00:30:53,943 --> 00:30:58,662
Well, we were about ready to have a story published about this.

644
00:30:59,303 --> 00:31:02,422
The thinking was, you've got to protect others from whatever this is.

645
00:31:02,602 --> 00:31:07,943
It's going to be a story, like a blind story, like researcher targeted by unknown person.

646
00:31:08,342 --> 00:31:10,902
And then I think it was the day that the story was going to get published.

647
00:31:11,002 --> 00:31:12,023
I get an email in my inbox.

648
00:31:12,023 --> 00:31:19,123
And it's like, John, you've used this technology to do aerial mapping, which was something I was doing for PhD research a long time ago.

649
00:31:19,523 --> 00:31:21,422
I am an investor in Africa.

650
00:31:21,742 --> 00:31:25,602
I'd like to use your technology, which was kite aerial photography, which was cool before drones, right?

651
00:31:25,922 --> 00:31:28,263
I like to use this technology to map my, like, big investment.

652
00:31:28,382 --> 00:31:29,203
Would you like to have a meeting?

653
00:31:29,263 --> 00:31:30,203
I was like, shit, okay.

654
00:31:30,582 --> 00:31:31,563
You know who else is being targeted?

655
00:31:31,723 --> 00:31:32,223
It's me.

656
00:31:32,623 --> 00:31:33,582
Maybe there's something you can do about this.

657
00:31:33,662 --> 00:31:36,023
Let's run this back on these people and figure out who they are.

658
00:31:36,662 --> 00:31:38,763
So we played along.

659
00:31:39,563 --> 00:31:42,123
We arranged the meeting and we went to it.

660
00:31:42,682 --> 00:31:43,182
You want to hear what happened?

661
00:31:43,383 --> 00:31:44,682
Of course I want to hear what happened.

662
00:31:44,883 --> 00:31:49,203
So I'm not a spy and I don't know how spies think,

663
00:31:49,623 --> 00:31:54,482
but I've read a few books and I realized I had to,

664
00:31:54,662 --> 00:31:55,763
along with my talented colleagues

665
00:31:55,763 --> 00:31:57,842
and help from some journalists, think like one

666
00:31:57,842 --> 00:32:01,543
and had to be a version of myself

667
00:32:01,543 --> 00:32:02,722
that would be compelling to this person.

668
00:32:02,982 --> 00:32:04,643
I can't give up the game, right?

669
00:32:04,722 --> 00:32:06,082
Like, I'm like an academic.

670
00:32:06,242 --> 00:32:07,602
How am I supposed to deal with this scenario?

671
00:32:07,763 --> 00:32:08,523
Like, I'm not made for this.

672
00:32:08,763 --> 00:32:11,462
made like a necktie camera.

673
00:32:11,643 --> 00:32:13,602
Because I was like, I can't go buy something, right?

674
00:32:13,602 --> 00:32:15,043
Because like, he'll recognize it, right?

675
00:32:15,043 --> 00:32:16,222
If I have like a spy pen or something,

676
00:32:16,283 --> 00:32:17,002
I got to record this.

677
00:32:17,242 --> 00:32:19,143
So I ended up working with a group of journalists

678
00:32:19,143 --> 00:32:19,982
from the Associated Press.

679
00:32:20,602 --> 00:32:22,842
And we're like, okay, let's play this along

680
00:32:22,842 --> 00:32:23,523
and have a meeting.

681
00:32:24,023 --> 00:32:24,742
So we did.

682
00:32:25,203 --> 00:32:28,523
The Peninsula Hotel, swank hotel in New York City.

683
00:32:28,822 --> 00:32:29,763
Come to this meeting.

684
00:32:30,383 --> 00:32:32,203
And there's this guy, the investor, right?

685
00:32:32,643 --> 00:32:35,862
And you'd made your own tie camera.

686
00:32:35,862 --> 00:32:40,862
I had modified a nanny cam

687
00:32:41,502 --> 00:32:43,543
into a necktie that I bought.

688
00:32:43,543 --> 00:32:44,703
I love that.

689
00:32:44,703 --> 00:32:46,783
Because I was like, well, I have to make my own thing.

690
00:32:46,783 --> 00:32:48,682
But the problem, the hilariousness of this is,

691
00:32:48,682 --> 00:32:53,422
I broke, on the taxi ride over, I broke the camera.

692
00:32:53,422 --> 00:32:56,182
I separated it from the hole that I had made in the necktie.

693
00:32:56,182 --> 00:33:00,222
Luckily, I was bringing a group of journalists with me

694
00:33:00,222 --> 00:33:01,063
to the restaurant.

695
00:33:01,063 --> 00:33:03,722
They were already gonna be there covertly monitoring.

696
00:33:03,722 --> 00:33:04,783
We were gonna be recording.

697
00:33:04,783 --> 00:33:05,962
I had like recorders on my body.

698
00:33:06,123 --> 00:33:07,482
So we were able to capture this whole meeting.

699
00:33:07,563 --> 00:33:08,783
The transcript's online, if anybody's curious.

700
00:33:10,082 --> 00:33:11,063
So we go to this meeting,

701
00:33:11,523 --> 00:33:14,563
and it's an hour of like get to know you

702
00:33:14,563 --> 00:33:15,563
and this and that.

703
00:33:15,842 --> 00:33:18,543
But the guy, a little bit like pieces of bad driving,

704
00:33:19,002 --> 00:33:21,563
keeps deviating from the kind of like friendly

705
00:33:21,563 --> 00:33:22,462
get to know you thing

706
00:33:22,462 --> 00:33:24,422
into a couple of different conversational paths.

707
00:33:24,943 --> 00:33:26,162
The first thing that he does,

708
00:33:26,222 --> 00:33:27,462
his first conversational gambit,

709
00:33:27,662 --> 00:33:29,143
is to try to get me to say something racist,

710
00:33:29,523 --> 00:33:30,482
which is bananas.

711
00:33:30,623 --> 00:33:31,803
Almost like the first thing out of his mouth

712
00:33:31,803 --> 00:33:33,883
is to try to goad me into saying something

713
00:33:33,883 --> 00:33:35,703
really racist and offensive

714
00:33:35,703 --> 00:33:37,482
about how Africans speak French.

715
00:33:37,523 --> 00:33:38,082
I'm not going to say it.

716
00:33:38,402 --> 00:33:39,123
Racist and offensive.

717
00:33:39,462 --> 00:33:40,242
And I'm thinking like,

718
00:33:40,342 --> 00:33:41,803
okay, I have to like play it cool.

719
00:33:42,123 --> 00:33:44,102
Can't, you know, play into this thing.

720
00:33:44,443 --> 00:33:46,462
But like, wow, this guy is clearly thinking like,

721
00:33:46,742 --> 00:33:48,822
he wants this conversation at any given moment.

722
00:33:48,822 --> 00:33:49,623
If it has to stop,

723
00:33:49,783 --> 00:33:51,123
he wants to have his stuff, right?

724
00:33:51,322 --> 00:33:52,303
He'll be recording me too.

725
00:33:52,303 --> 00:33:53,543
Oh, he was trying to get it really early

726
00:33:53,543 --> 00:33:54,242
in the conversation.

727
00:33:54,443 --> 00:33:55,162
Yeah, I mean, like, you know,

728
00:33:55,242 --> 00:33:56,383
you get your first bit early

729
00:33:56,383 --> 00:33:58,063
and then you try to develop more things, right?

730
00:33:58,063 --> 00:34:00,383
So, and the hilarious part is

731
00:34:00,383 --> 00:34:02,883
the guy was so, in his own way,

732
00:34:02,883 --> 00:34:06,763
like bumbling, he had index cards in front of him.

733
00:34:06,763 --> 00:34:10,883
And there were three colors, green, yellow, and red.

734
00:34:10,883 --> 00:34:13,602
And when he was asking me mundane questions,

735
00:34:13,602 --> 00:34:16,262
he was like working from the green index cards.

736
00:34:16,262 --> 00:34:18,402
And it was like, so tell me more about this.

737
00:34:18,402 --> 00:34:20,863
And then he'd like cut in with a yellow card, right?

738
00:34:20,863 --> 00:34:22,863
And then like, you know, into the red cards.

739
00:34:22,863 --> 00:34:24,363
And the red cards, like the stuff

740
00:34:24,363 --> 00:34:25,563
that he was trying to ask about

741
00:34:25,563 --> 00:34:27,782
was he was trying to discredit our work.

742
00:34:27,782 --> 00:34:30,402
And when he wasn't trying to do that,

743
00:34:30,402 --> 00:34:33,163
he was trying to find that information about our work

744
00:34:33,163 --> 00:34:34,902
on like the case of Jamal Khashoggi.

745
00:34:34,902 --> 00:34:37,402
He was trying to get sensitive information about the lab.

746
00:34:37,402 --> 00:34:39,402
And I would sort of like have to give him

747
00:34:39,402 --> 00:34:40,902
little conversational gambits.

748
00:34:40,902 --> 00:34:42,742
Like I'd be like, well, you know,

749
00:34:42,742 --> 00:34:43,902
how does the life of that?

750
00:34:43,902 --> 00:34:45,902
Well, you know, we've got a lot of drama.

751
00:34:45,902 --> 00:34:46,902
Oh, drama, he tells me.

752
00:34:46,902 --> 00:34:48,902
I love drama, tell me more, right?

753
00:34:48,902 --> 00:34:50,902
And then I have to sort of chastely pull it back.

754
00:34:50,902 --> 00:34:54,902
So we played along like this for an hour and like a half.

755
00:34:54,902 --> 00:34:55,902
The whole time he's been encouraging me,

756
00:34:55,902 --> 00:34:57,902
alcoholic, try the cognac, right?

757
00:34:57,902 --> 00:34:59,902
Like I don't drink,

758
00:34:59,902 --> 00:35:02,143
which he didn't know, definitely put him at a disadvantage.

759
00:35:02,663 --> 00:35:05,663
And eventually I get like a frantic text message

760
00:35:05,663 --> 00:35:07,282
from the journalists who I'm like studiously

761
00:35:07,282 --> 00:35:08,502
trying not to look at, right?

762
00:35:08,563 --> 00:35:09,482
He hasn't noticed either.

763
00:35:10,823 --> 00:35:12,422
They're like, our batteries are running low.

764
00:35:12,602 --> 00:35:14,942
Like we've got to wind this thing up.

765
00:35:15,502 --> 00:35:16,582
And what I didn't know at the time was

766
00:35:16,582 --> 00:35:18,282
they were like on a journalist budget

767
00:35:18,282 --> 00:35:19,762
and all they could afford at that restaurant

768
00:35:19,762 --> 00:35:20,863
was like one fish cocktail.

769
00:35:20,982 --> 00:35:23,043
So like two guys sitting at a booth behind me,

770
00:35:23,282 --> 00:35:24,402
like eating a fish cocktail.

771
00:35:24,582 --> 00:35:24,982
For two hours.

772
00:35:25,082 --> 00:35:26,643
Like an hour and a half, right?

773
00:35:27,123 --> 00:35:28,082
Sipping their ice water.

774
00:35:28,082 --> 00:35:34,002
So we wrap it up. I try to distract him and I get him looking out the window. I'm like, you know,

775
00:35:34,143 --> 00:35:39,422
kites in Africa. Like, well, if you just look out the window over here, right. And he then turns

776
00:35:39,422 --> 00:35:44,902
back to discover a journalist and a cameraman, like in his face. And of course it's like game

777
00:35:44,902 --> 00:35:49,543
over for this guy, right. It's panic. He like, the journalist is like, so what are you doing?

778
00:35:49,582 --> 00:35:53,422
He's like, I know what I'm doing. Right. And then he sort of panics. He asks, you know,

779
00:35:53,422 --> 00:35:54,762
did you get permission to film this?

780
00:35:55,623 --> 00:35:58,163
And then he like almost knocks over a chair

781
00:35:58,163 --> 00:35:59,762
in his haste to leave the restaurant,

782
00:36:00,762 --> 00:36:02,422
but he'd forgotten to pay the bill.

783
00:36:03,102 --> 00:36:05,683
So the guy has to turn on his heel,

784
00:36:06,123 --> 00:36:07,402
come back into the restaurant,

785
00:36:07,602 --> 00:36:10,422
followed by a reporter, a cameraman,

786
00:36:10,962 --> 00:36:13,323
me with my GoPro

787
00:36:13,323 --> 00:36:14,843
that I've pulled out of my pocket, right?

788
00:36:15,023 --> 00:36:16,183
All peppering him with questions like,

789
00:36:16,402 --> 00:36:16,982
who are you?

790
00:36:17,123 --> 00:36:18,563
Do you work for, you know, the Black,

791
00:36:18,722 --> 00:36:19,802
this organization called Black Cube,

792
00:36:19,843 --> 00:36:20,602
which we'll talk about in a second.

793
00:36:21,623 --> 00:36:22,683
And so the poor guy's like,

794
00:36:22,683 --> 00:36:28,183
to pay the bill. And then he hides in a back room in the restaurant, closes the door. And it's like,

795
00:36:28,222 --> 00:36:33,143
okay, we've done as much as we can here. Like we can't pester this guy further. What we didn't know,

796
00:36:33,523 --> 00:36:40,002
but learned shortly thereafter from the news reporting was that the guy was an ex-Israeli

797
00:36:40,002 --> 00:36:47,883
intelligence official and that he was working for Black Cube, which is a private intelligence firm

798
00:36:47,883 --> 00:36:49,722
that a little bit like NSO performs

799
00:36:49,722 --> 00:36:51,922
like being like super competent, super secretive, right?

800
00:36:53,363 --> 00:36:56,363
And we know this in part because

801
00:36:56,363 --> 00:36:58,183
one of the private investigators

802
00:36:58,183 --> 00:37:00,163
that his team had subcontracted,

803
00:37:00,203 --> 00:37:01,602
who was also, we learned later,

804
00:37:01,703 --> 00:37:02,802
running surveillance on the meeting,

805
00:37:03,462 --> 00:37:06,363
became a whistleblower.

806
00:37:07,143 --> 00:37:08,363
Told his story.

807
00:37:09,102 --> 00:37:10,762
And eventually becomes somebody I know

808
00:37:10,762 --> 00:37:12,582
and has like told me the whole story.

809
00:37:12,582 --> 00:37:13,823
It's also in publications.

810
00:37:14,163 --> 00:37:15,282
It's in a book by Ronan Farrow.

811
00:37:16,123 --> 00:37:17,302
This stuff is all public knowledge now,

812
00:37:17,302 --> 00:37:19,643
which is why I can say it without fearing a defamation lawsuit.

813
00:37:19,742 --> 00:37:20,742
And is that video online?

814
00:37:20,922 --> 00:37:21,563
It is.

815
00:37:21,582 --> 00:37:23,023
Can I put it in this interview?

816
00:37:23,063 --> 00:37:23,782
You have my permission.

817
00:37:23,982 --> 00:37:25,063
Perfect. Let's go.

818
00:37:25,942 --> 00:37:30,183
I witnessed a foreign private intelligence agency

819
00:37:30,183 --> 00:37:34,143
running around New York City as if it's some spy playground.

820
00:37:34,683 --> 00:37:37,203
If I'm getting the geolocation of your cell phone

821
00:37:37,203 --> 00:37:39,902
and you're not willingly providing that,

822
00:37:40,002 --> 00:37:42,043
then we're breaking some laws somewhere, right?

823
00:37:44,663 --> 00:37:46,843
I'm a licensed private investigator.

824
00:37:47,302 --> 00:37:51,782
He was a subcontractor for a private intelligence firm called Black Cube.

825
00:37:52,323 --> 00:37:57,442
Black Cube is an organization that's a mercenary in the spy business.

826
00:37:57,742 --> 00:38:00,722
An elite Israeli private intelligence agency.

827
00:38:00,722 --> 00:38:05,402
Harvey Weinstein hired Black Cube to help him investigate his enemies,

828
00:38:05,663 --> 00:38:10,163
the women who were accusing him of rape, and the journalists investigating the situation,

829
00:38:10,722 --> 00:38:16,203
especially Ronan Farrow and Jodi Kantor, who both won the Pulitzer Prize for their reporting on Weinstein.

830
00:38:17,302 --> 00:38:20,643
I didn't know who the client was. There was always a mystery.

831
00:38:20,902 --> 00:38:25,002
We're going to follow Jodi Kantor, a New York Times reporter.

832
00:38:25,203 --> 00:38:28,143
And he explained to me that we're interested in her sources.

833
00:38:28,442 --> 00:38:32,242
Here's a heads up. We're going to follow another reporter, Ronan Farrow.

834
00:38:33,383 --> 00:38:37,663
Harvey Weinstein had sources. He had rats in all of the media.

835
00:38:38,343 --> 00:38:40,563
Specifically had us do surveillance.

836
00:38:41,082 --> 00:38:44,922
He told me that they're going to use the geolocation feature

837
00:38:44,922 --> 00:38:47,323
to find out where Ronan is.

838
00:38:47,823 --> 00:38:50,343
Ronan's phone was in this area

839
00:38:50,343 --> 00:38:53,602
between, you know, for at least a two-hour time period.

840
00:38:54,063 --> 00:38:58,163
The point of this tracking is to kill the story,

841
00:38:58,482 --> 00:38:59,623
to suppress journalism.

842
00:39:00,323 --> 00:39:02,563
Once Igor figured out what he was doing,

843
00:39:03,102 --> 00:39:05,902
that he was helping Harvey Weinstein,

844
00:39:06,123 --> 00:39:07,703
he had real concerns about that.

845
00:39:08,063 --> 00:39:11,123
I felt like we're doing something that's very unpatriotic

846
00:39:11,123 --> 00:39:14,222
by following journalists to find out who their sources are.

847
00:39:14,222 --> 00:39:18,762
sort of independently decided he was going to come forward with this.

848
00:39:19,343 --> 00:39:22,102
I called Ronan Farrow and I said,

849
00:39:22,242 --> 00:39:25,482
I thought I got to tell him that he's being followed, that he was followed.

850
00:39:25,823 --> 00:39:30,363
I was in the crosshairs of, frankly, an insane international espionage operation.

851
00:39:30,502 --> 00:39:34,402
Black Cube wanted to give him a polygraph exam to see if he was,

852
00:39:34,722 --> 00:39:36,623
for instance, working with Ronan Farrow, which he was.

853
00:39:37,102 --> 00:39:40,143
And I totally freaked out. I didn't know what to do.

854
00:39:40,143 --> 00:39:45,523
That whole Weinstein case was done under my license.

855
00:39:46,523 --> 00:39:48,203
You know, I'm the one who should be scared.

891
00:42:01,563 --> 00:42:03,043
That's a wild story.

892
00:42:03,762 --> 00:42:04,563
It took a while.

893
00:42:04,843 --> 00:42:07,163
Feel free to cut as much of this out as you'd like.

894
00:42:07,323 --> 00:42:08,282
I don't want to cut any of that out.

895
00:42:08,323 --> 00:42:08,703
That was brilliant.

896
00:42:09,262 --> 00:42:09,922
The footage is there.

897
00:42:10,163 --> 00:42:11,582
So this is 2019.

898
00:42:12,382 --> 00:42:14,002
Obviously, long time has passed since then.

899
00:42:15,023 --> 00:42:20,123
I'm sure you are pretty considered about how you travel the world,

900
00:42:20,242 --> 00:42:21,782
how you live your life.

901
00:42:21,863 --> 00:42:22,343
Yeah, that's right.

902
00:42:22,482 --> 00:42:23,902
Has there been anything since then?

903
00:42:23,902 --> 00:42:30,663
So I don't want to say too much about more recent things, but we're obviously extremely vigilant to this.

904
00:42:31,063 --> 00:42:33,543
But there is another kind of protection.

905
00:42:35,282 --> 00:42:44,882
Before 2021, the only problem that companies like NSO had was like researchers like us blowing the whistle.

906
00:42:45,422 --> 00:42:47,823
Since that time, a bunch of things have happened.

907
00:42:48,043 --> 00:42:50,802
NSO got itself sanctioned by the U.S. government.

908
00:42:50,802 --> 00:42:53,282
Suddenly, we weren't its only problem.

909
00:42:53,282 --> 00:42:59,363
And there's now what I like to call an accountability ecosystem of like dozens of organizations that do legal work

910
00:42:59,363 --> 00:43:02,123
that do advocacy, that do research, that do technical work,

911
00:43:02,683 --> 00:43:07,223
also all investigating the mercenary spyware world. And so whereas

912
00:43:08,082 --> 00:43:13,183
some years ago we might have been like a narrow point of failure, we now have a protection in this

913
00:43:13,962 --> 00:43:18,502
amazing kind of network, because suddenly, like, take one out, there are others.

914
00:43:19,183 --> 00:43:21,962
Sorry, remind me the name of the company in Israel.

915
00:43:21,962 --> 00:43:23,962
Black Cube, not at all a shady name.

916
00:43:23,962 --> 00:43:25,962
No, sorry, the one that developed Pegasus.

917
00:43:25,962 --> 00:43:26,962
NSO Group.

918
00:43:26,962 --> 00:43:27,962
The NSO Group.

919
00:43:27,962 --> 00:43:30,962
So you're saying they were sanctioned by the US,

920
00:43:30,962 --> 00:43:32,962
but haven't, you sent me an article a few days ago.

921
00:43:32,962 --> 00:43:33,962
I did.

922
00:43:33,962 --> 00:43:35,962
Haven't they just renewed a contract with them or something?

923
00:43:35,962 --> 00:43:36,962
Let's talk about that.

924
00:43:36,962 --> 00:43:38,962
Yeah, let's. You tell me what's going on.

925
00:43:38,962 --> 00:43:42,962
So for like, so I started working on this topic

926
00:43:42,962 --> 00:43:45,962
in like 2011, 2012, long ago.

927
00:43:45,962 --> 00:43:47,962
Did a detour work to Google for a bit,

928
00:43:47,962 --> 00:43:49,962
came back into civil society full time.

929
00:43:49,962 --> 00:43:56,962
During that time, a relatively small group of people, some very brilliant colleagues of mine,

930
00:43:57,163 --> 00:44:01,663
our director, Ron Deibert, we have been shouting, and it feels like shouting into the wind

931
00:44:01,663 --> 00:44:08,323
about this problem set. And it hasn't, it hadn't really had the impact that we wanted,

932
00:44:08,323 --> 00:44:11,482
which is conferring some kind of like major protection.

933
00:44:14,082 --> 00:44:19,262
Partly because a lot of governments like the existence of this industry,

934
00:44:19,262 --> 00:44:21,782
or at least their security services do.

935
00:44:21,882 --> 00:44:23,703
Because just like arms dealers, right?

936
00:44:23,742 --> 00:44:24,262
They're useful.

937
00:44:25,123 --> 00:44:28,002
If a government, you know, would come to like the US

938
00:44:28,002 --> 00:44:29,962
or I don't know, Germany and be like,

939
00:44:30,043 --> 00:44:33,323
hey, we want to cooperate with you.

940
00:44:33,422 --> 00:44:35,002
Like, can you give us your sexy tools?

941
00:44:35,102 --> 00:44:36,343
And of course the US is like, no, no, no.

942
00:44:36,502 --> 00:44:37,082
We can't do that.

943
00:44:37,163 --> 00:44:38,942
But we know a guy, right?

944
00:44:39,203 --> 00:44:39,962
We'll put you in touch.

945
00:44:40,363 --> 00:44:41,563
And maybe they'll do it, right?

946
00:44:41,982 --> 00:44:45,623
And Israel managed to use spyware.

947
00:44:45,623 --> 00:44:48,282
So Haaretz, the Israeli publication,

948
00:44:48,282 --> 00:44:50,262
use the term spyware diplomacy, right?

949
00:44:50,402 --> 00:44:52,343
A lot of governments want this stuff.

950
00:44:52,422 --> 00:44:53,343
Seems like an oxymoron.

951
00:44:53,402 --> 00:44:55,802
And for the most part,

952
00:44:56,462 --> 00:45:00,402
like the security voices had the ear of politicians.

953
00:45:00,582 --> 00:45:02,023
And what they were sort of saying to politicians,

954
00:45:02,143 --> 00:45:03,002
lawmakers was like, look,

955
00:45:03,742 --> 00:45:05,302
we're doing secret spooky business.

956
00:45:06,502 --> 00:45:09,663
It's in the net interest of us and our country

957
00:45:09,663 --> 00:45:11,863
that things stay secret and spooky.

958
00:45:12,723 --> 00:45:14,223
But something happens.

959
00:45:14,382 --> 00:45:16,802
And this is not at all a big surprise.

960
00:45:16,802 --> 00:45:19,043
So if you take a pie chart,

961
00:45:19,762 --> 00:45:21,942
take a core sample of who's being hacked

962
00:45:21,942 --> 00:45:24,143
with Pegasus on a Wednesday, right?

963
00:45:24,582 --> 00:45:25,762
Well, who's in that pie?

964
00:45:26,442 --> 00:45:28,323
Obviously, they're the cases that we work on

965
00:45:28,323 --> 00:45:30,123
in our mandate, activists, dissidents,

966
00:45:30,323 --> 00:45:32,422
journalists, political voices, artists,

967
00:45:33,523 --> 00:45:34,482
truth-tellers, whistleblowers.

968
00:45:34,982 --> 00:45:37,023
But a major slice of the pie,

969
00:45:37,082 --> 00:45:38,223
maybe the biggest slice of the pie,

970
00:45:38,863 --> 00:45:40,363
is government on government.

971
00:45:40,802 --> 00:45:42,223
Of course it is, right?

972
00:45:42,363 --> 00:45:43,523
If you're a government,

973
00:45:43,663 --> 00:45:44,902
even if you acquire this technology,

974
00:45:44,902 --> 00:45:45,563
which is marketed,

975
00:45:45,563 --> 00:45:50,123
So, like, the marketing frame and the justificatory frame of these companies is like, we're here

976
00:45:50,123 --> 00:45:52,363
to help you solve serious crime and track terrorists.

977
00:45:52,982 --> 00:45:57,942
But the open secret is that this is an espionage technology, and the primary business that

978
00:45:57,942 --> 00:45:59,742
governments make with this is hacking other governments.

979
00:45:59,882 --> 00:46:02,082
Now, governments are going to hack.

980
00:46:02,183 --> 00:46:03,323
They're going to hack each other, right?

981
00:46:03,523 --> 00:46:04,663
And I guess it's almost like-

982
00:46:04,663 --> 00:46:17,325
I don't play a violin for those governments, but it pisses governments off if they discovered it. The major inflection point was the U.S. government realizing that their diplomatic personnel

983
00:46:17,325 --> 00:46:19,965
were getting hacked in spades,

984
00:46:20,125 --> 00:46:21,445
and not just the U.S. government.

985
00:46:21,925 --> 00:46:23,905
We made the phone call to the U.K. government to be like,

986
00:46:23,965 --> 00:46:25,385
by the way, we found evidence of an infection

987
00:46:25,385 --> 00:46:27,925
on the networks of Number 10 Downing Street, right?

988
00:46:28,925 --> 00:46:32,265
And suddenly it became clear that government's willingness

989
00:46:32,265 --> 00:46:35,525
to just totally ignore the problem as a problem

990
00:46:35,525 --> 00:46:37,025
and treat it as like a secret thing

991
00:46:37,025 --> 00:46:39,625
was going to have consequences for them too.

992
00:46:39,785 --> 00:46:41,185
Yeah, because if someone has it,

993
00:46:41,265 --> 00:46:42,145
they may as well have it too.

994
00:46:42,525 --> 00:46:47,345
And basically, it's like any other game theoretic problem, right?

995
00:46:47,425 --> 00:46:49,545
Like you can only, in this case,

996
00:46:49,645 --> 00:46:52,985
like you can only allow this industry to proliferate so far

997
00:46:52,985 --> 00:46:56,585
before the pee in the pool begins to fill the rest of the pool, right?

998
00:46:56,625 --> 00:46:57,965
Like before we're all swimming in it.

999
00:46:58,085 --> 00:47:01,365
And suddenly governments were seeing a security

1000
00:47:01,365 --> 00:47:04,745
and a national security problem, not just a benefit.

1001
00:47:04,745 --> 00:47:08,285
And that was like the major inflection moment.

1002
00:47:08,545 --> 00:47:09,905
Now, the question that you asked me was like,

1003
00:47:10,065 --> 00:47:11,085
so fast forward to today,

1004
00:47:11,205 --> 00:47:13,505
like what's with this news about like the US government

1005
00:47:13,505 --> 00:47:14,805
doing business with spyware companies?

1006
00:47:14,965 --> 00:47:17,465
Well, during the past administration,

1007
00:47:18,005 --> 00:47:22,665
there was, I think, a very strong, clear-eyed awareness

1008
00:47:22,665 --> 00:47:25,225
of the national security risks

1009
00:47:25,225 --> 00:47:27,345
that the proliferation of this technology posed.

1010
00:47:27,445 --> 00:47:29,785
And the truth is like America's got pretty good,

1011
00:47:29,865 --> 00:47:30,925
you know, this from Ed Snowden and others.

1012
00:47:31,125 --> 00:47:33,065
America's got pretty good skills, right?

1013
00:47:33,065 --> 00:47:35,565
Like in theory, America doesn't need the existence

1014
00:47:35,565 --> 00:47:37,025
of these mercenary players the way that like,

1015
00:47:37,085 --> 00:47:37,865
if you're Togo, you might,

1016
00:47:37,965 --> 00:47:38,925
because you're not going to develop that in-house.

1017
00:47:39,425 --> 00:47:41,365
And so it's not entirely surprising to me

1018
00:47:41,365 --> 00:47:43,865
that the U.S. would have seen this problem set

1019
00:47:43,865 --> 00:47:46,245
as like, okay, this is not in our interest

1020
00:47:46,245 --> 00:47:48,025
to have NSO being a cowboy,

1021
00:47:48,465 --> 00:47:49,745
selling this technology to all these governments

1022
00:47:49,745 --> 00:47:50,565
who are going to hack us, right?

1023
00:47:50,565 --> 00:47:51,305
Like, we don't like this.

1024
00:47:51,845 --> 00:47:54,785
And moreover, right, it's going to misalign

1025
00:47:54,785 --> 00:47:56,745
with within the foreign policy objectives

1026
00:47:56,745 --> 00:47:57,245
of the United States.

1027
00:47:57,245 --> 00:47:58,625
Like the U.S. doesn't want, you know,

1028
00:47:58,745 --> 00:48:02,065
democracy activists having all of the work

1029
00:48:02,065 --> 00:48:02,865
that they've done eroded.

1030
00:48:03,065 --> 00:48:04,605
What has changed?

1031
00:48:04,725 --> 00:48:08,325
Well, if you're a spyware company, what's the big prize?

1032
00:48:08,405 --> 00:48:09,645
What's the market prize for you?

1033
00:48:09,905 --> 00:48:11,445
It's not selling to dictatorships.

1034
00:48:12,245 --> 00:48:13,305
Selling to the US government.

1035
00:48:13,445 --> 00:48:14,485
Selling to the US government.

1036
00:48:15,785 --> 00:48:20,505
Biggest possible client and a big brother of protection, right?

1037
00:48:20,685 --> 00:48:25,605
How do you deal with the fact that you're pushing right at the edges of the law, right?

1038
00:48:25,625 --> 00:48:29,345
You're buying exploits potentially from like Chinese hacking groups that are also linked

1039
00:48:29,345 --> 00:48:29,845
to the Chinese government.

1040
00:48:29,845 --> 00:48:33,265
or maybe you're connected to really shady characters.

1041
00:48:33,425 --> 00:48:35,545
Maybe you're doing cross-jurisdictional business

1042
00:48:35,545 --> 00:48:37,765
that could be considered like money laundering,

1043
00:48:37,865 --> 00:48:38,525
structuring, right?

1044
00:48:38,625 --> 00:48:39,705
You're living in the grays.

1045
00:48:39,925 --> 00:48:40,585
You need protection.

1046
00:48:41,265 --> 00:48:47,205
And so NSO Group and others have paid untold amounts of money

1047
00:48:47,205 --> 00:48:50,305
to lobbyists, to formers in government,

1048
00:48:50,505 --> 00:48:53,185
to try to convince parts of the US government,

1049
00:48:53,345 --> 00:48:54,745
like put their arm around them and be like,

1050
00:48:54,785 --> 00:48:55,965
listen, we're friends, right?

1051
00:48:56,025 --> 00:48:56,825
Buy our stuff.

1052
00:48:57,285 --> 00:48:59,685
Well, it didn't really work out that way for NSO.

1053
00:48:59,845 --> 00:49:01,405
because of this sanction.

1054
00:49:01,405 --> 00:49:04,085
But in 2019, something else happened.

1055
00:49:04,085 --> 00:49:06,225
A company called Paragon, another P, right,

1056
00:49:06,225 --> 00:49:08,645
was founded also in Israel

1057
00:49:08,645 --> 00:49:10,825
with some American venture capital backing.

1058
00:49:10,825 --> 00:49:12,825
Two founders or co-founders-

1059
00:49:12,825 --> 00:49:15,065
Was this Palantir backing?

1060
00:49:15,065 --> 00:49:20,065
It was like, there's a whole ecosystem of private equity

1061
00:49:20,465 --> 00:49:24,245
that I think kind of enjoys the sexiness

1062
00:49:24,245 --> 00:49:26,705
of like pushing at edgy surveillance things.

1063
00:49:26,705 --> 00:49:28,065
Like they kind of like it, right?

1064
00:49:28,065 --> 00:49:33,405
It's like Walter Mitty, but for like espionage and surveillance.

1065
00:49:33,405 --> 00:49:37,505
So who are Paragon's like, you know, among the co-founders and co-founding board members?

1066
00:49:38,465 --> 00:49:44,445
Former Israeli prime minister, Ehud Barak, Ehud Schneorson, former head of Unit 8200.

1067
00:49:46,145 --> 00:49:47,045
Big names.

1068
00:49:47,425 --> 00:49:49,885
And their whole pitch was, we're going to be stealthier than NSO.

1069
00:49:50,025 --> 00:49:50,885
Like, we're not going to get caught.

1070
00:49:50,945 --> 00:49:53,285
Unlike those NSO people who keep getting caught by Citizen Lab, right?

1071
00:49:53,325 --> 00:49:57,165
Like, government, are you tired of getting your shit discovered again and again and again,

1072
00:49:57,165 --> 00:50:01,465
hundreds of times, right? Like, don't worry. We've got a cooler, a lighter touch technology. And by

1073
00:50:01,465 --> 00:50:05,765
the way, that means it's less invasive, more likely to comply with your laws. And we're ethical,

1074
00:50:06,105 --> 00:50:12,385
right? Buy our ethical mercenary spyware. So Paragon made a big push with that narrative

1075
00:50:12,385 --> 00:50:17,785
during the era when NSO was in the biggest reputational soup and their fortunes and

1076
00:50:17,785 --> 00:50:25,105
valuation were falling. Like NSO's debt lost like 80 cents on the dollar after a string of things,

1077
00:50:25,105 --> 00:50:26,285
including U.S. government action.

1078
00:50:26,445 --> 00:50:28,205
Like, all of the advocacy work that had happened

1079
00:50:28,205 --> 00:50:29,385
didn't much touch it.

1080
00:50:29,785 --> 00:50:31,965
Entity listing, having it publicly disclosed

1081
00:50:31,965 --> 00:50:32,705
that they hacked the U.S. government,

1082
00:50:32,825 --> 00:50:33,785
that was, like, game over, right?

1083
00:50:33,865 --> 00:50:35,445
And, like, people lost money.

1084
00:50:36,705 --> 00:50:38,585
Now, Paragon's narrative is, like,

1085
00:50:39,145 --> 00:50:40,585
we're the solution to this, right?

1086
00:50:40,605 --> 00:50:41,745
All the good stuff, none of the bad.

1087
00:50:41,905 --> 00:50:45,365
And that narrative sort of worked, I think,

1088
00:50:45,405 --> 00:50:46,325
on the U.S. government,

1089
00:50:46,405 --> 00:50:48,305
because a part of the government wanted to believe

1090
00:50:48,305 --> 00:50:49,865
that there was, like, a way for this industry to exist

1091
00:50:49,865 --> 00:50:52,205
and be shaped towards better.

1092
00:50:53,745 --> 00:50:54,425
What happens?

1093
00:50:54,425 --> 00:51:10,465
Well, towards the end of the Biden era, somehow, somewhere in the Department of Homeland Security and ICE, Immigration and Customs Enforcement, there is a deal done with Paragon, which is like manna from heaven for Paragon, presumably, right?

1094
00:51:10,545 --> 00:51:13,725
Like, okay, we get our kind of wedge in.

1095
00:51:15,185 --> 00:51:23,785
And by that time, the US government had an executive order on spyware that required review for national security, counterintelligence, human rights issues.

1096
00:51:23,785 --> 00:51:29,845
So when the US government learns about this, they're like, okay, stop work order on this contract.

1097
00:51:29,965 --> 00:51:31,505
We're going to have to seriously review this.

1098
00:51:31,565 --> 00:51:34,105
Now, we've talked about security problems.

1099
00:51:34,285 --> 00:51:35,565
We've talked about human rights abuses.

1100
00:51:35,565 --> 00:51:44,305
But there's also this counterintelligence problem, which is like, if you're using spyware developed by foreign developers, well, that's a huge problem, right?

1101
00:51:44,665 --> 00:51:50,305
The US Air Force would not field a Chinese stealth fighter for obvious reasons, right?

1102
00:51:50,325 --> 00:51:52,685
There might not be a Chinese spy sitting in the backseat.

1103
00:51:52,685 --> 00:51:59,245
Similarly with spyware, if you're using technology developed by somebody else, you have to assume

1104
00:51:59,245 --> 00:52:02,585
that at minimum, they have a special insight in maybe how to find it.

1105
00:52:02,645 --> 00:52:06,605
But there's, of course, more, which is if that company is plugged into the US government,

1106
00:52:06,685 --> 00:52:07,865
there's going to be information flowing back and forth.

1107
00:52:08,925 --> 00:52:14,125
Even more concerningly, they're selling to multiple governments, which means that multiple

1108
00:52:14,125 --> 00:52:18,725
governments may have a special insight into the things that the US government is doing

1109
00:52:18,725 --> 00:52:21,605
with its spyware deployment,

1110
00:52:21,725 --> 00:52:23,165
with this Paragon spyware called Graphite.

1111
00:52:23,525 --> 00:52:26,325
Now, all of those seem like pretty strong reasons

1112
00:52:26,325 --> 00:52:29,605
to do like a scorched earth counterintelligence assessment.

1113
00:52:29,845 --> 00:52:31,785
And it seemed like Paragon was like, you know,

1114
00:52:31,865 --> 00:52:34,265
wallowing in this, but then something changed.

1115
00:52:34,345 --> 00:52:36,685
We just got an announcement that the stop work order

1116
00:52:36,685 --> 00:52:41,425
was lifted on that Paragon Graphite contract with ICE.

1117
00:52:43,265 --> 00:52:45,345
We don't know this because they told us.

1118
00:52:45,425 --> 00:52:47,245
We know this because a journalist named Jack Poulson

1119
00:52:47,245 --> 00:52:50,725
spotted the stop work order lift

1120
00:52:50,725 --> 00:52:52,745
in the federal contracting database.

1121
00:52:52,745 --> 00:52:56,145
Now, the real question here is,

1122
00:52:56,345 --> 00:52:57,925
is this kind of technology,

1123
00:52:58,825 --> 00:53:02,685
like, does it align with values

1124
00:53:02,685 --> 00:53:03,705
that Americans would recognize?

1125
00:53:04,245 --> 00:53:07,325
Is it dangerous to American values?

1126
00:53:07,405 --> 00:53:09,465
Do Americans believe that there should be this,

1127
00:53:09,545 --> 00:53:11,465
like, secret, unaccountable,

1128
00:53:11,645 --> 00:53:13,405
hidden surveillance technology?

1129
00:53:13,485 --> 00:53:14,365
I think many Americans,

1130
00:53:14,965 --> 00:53:16,185
if they kind of had it laid out,

1131
00:53:16,185 --> 00:53:17,905
would be like, this feels dangerous.

1132
00:53:18,425 --> 00:53:20,285
This feels like it doesn't align with the Constitution

1133
00:53:20,285 --> 00:53:21,005
as I understand it.

1134
00:53:21,905 --> 00:53:25,685
And so, obviously, we've spent the vast majority of this

1135
00:53:25,685 --> 00:53:27,425
now talking about Pegasus and Paragon.

1136
00:53:28,145 --> 00:53:32,265
Can we take it a little further into sort of general state

1137
00:53:32,265 --> 00:53:33,025
of surveillance?

1138
00:53:34,685 --> 00:53:36,485
Because the question I would have is,

1139
00:53:36,665 --> 00:53:40,245
how do you view the new technologies,

1140
00:53:40,385 --> 00:53:43,065
things like AI, in terms of surveillance?

1141
00:53:43,065 --> 00:53:47,345
I'm fucking terrified.

1142
00:53:48,105 --> 00:53:50,785
Let's start with the thing that I know best, which is my little world.

1143
00:53:51,145 --> 00:53:53,405
Me and my colleagues tracking spyware and serial and stuff.

1144
00:53:54,545 --> 00:53:54,925
Well, okay.

1145
00:53:55,065 --> 00:53:59,065
So if you hack a person's phone, you're doing it because you want data from that phone, right?

1146
00:53:59,065 --> 00:54:00,685
Maybe you're doing that top up that we were talking about earlier.

1147
00:54:01,365 --> 00:54:03,045
You need to move a bunch of data from the phone.

1148
00:54:03,885 --> 00:54:05,805
And then you're going to go analyze it somewhere else, right?

1149
00:54:05,965 --> 00:54:11,345
So it would be like, I've got to, you know, photocopy every page of every document in your

1150
00:54:11,345 --> 00:54:15,945
house, and then I've got to somehow sneak that bag out of the window, right?

1151
00:54:16,525 --> 00:54:23,765
Well, with the arrival of on-device AI and sort of private enclave cloud AI, I think there's

1152
00:54:23,765 --> 00:54:28,305
a real possibility that now an attacker just needs to talk to that AI and be like, hey,

1153
00:54:28,665 --> 00:54:33,805
go find every instance of this word, or go find only the communications with this person,

1154
00:54:34,225 --> 00:54:37,285
go find only the videos featuring this person's voice.

1155
00:54:37,285 --> 00:54:40,325
And suddenly, instead of having to export

1156
00:54:40,325 --> 00:54:41,905
like a couple hundred megabytes of stuff,

1157
00:54:41,945 --> 00:54:45,345
which might be detectable by some vigilant network monitors,

1158
00:54:45,905 --> 00:54:47,885
I'm taking like, I'm sipping like 12 kilobytes,

1159
00:54:48,005 --> 00:54:48,965
right, tiny little information.

1160
00:54:49,405 --> 00:54:51,765
Or I could just say like, hey, I sit on there and monitor

1161
00:54:51,765 --> 00:54:54,785
and let me know when Danny reaches out

1162
00:54:54,785 --> 00:54:55,705
and talks to this person.

1163
00:54:56,185 --> 00:54:58,705
So I think it has immediate potential

1164
00:54:58,705 --> 00:55:03,345
to change how difficult it is to move stuff

1165
00:55:03,345 --> 00:55:05,105
and how easy it is to remain undetected.

1166
00:55:05,385 --> 00:55:07,185
I think that's kind of only the beginning.

1167
00:55:07,285 --> 00:55:09,925
Processing the information, understanding it,

1168
00:55:10,065 --> 00:55:11,325
it's going to get worse from there.

1169
00:55:11,505 --> 00:55:13,245
We can pull out the lens a little bit further

1170
00:55:13,245 --> 00:55:14,345
out of spyware as well.

1171
00:55:15,885 --> 00:55:17,865
One of the great challenges that you have

1172
00:55:17,865 --> 00:55:18,765
if you sell spyware

1173
00:55:18,765 --> 00:55:21,005
is like having reliable working exploits, right?

1174
00:55:21,025 --> 00:55:21,825
You've got to have these.

1175
00:55:21,845 --> 00:55:24,165
And these are like, they cost millions of dollars.

1176
00:55:24,265 --> 00:55:26,405
They're highly sophisticated code at this point, right?

1177
00:55:26,685 --> 00:55:28,465
Part of the consequences of our work

1178
00:55:28,465 --> 00:55:29,665
and efforts by Apple and others

1179
00:55:29,665 --> 00:55:30,625
has been to drive up the cost.

1180
00:55:30,625 --> 00:55:34,245
Now, exploit discovery involves a lot of work.

1181
00:55:34,685 --> 00:55:36,925
Some of that work can be done, I think, by AI.

1182
00:55:37,285 --> 00:55:40,085
Sure, you can use it for defense as well and finding stuff, but like balance-

1183
00:55:40,085 --> 00:55:42,685
Because it's just great at passing massive amounts of data, is that-

1184
00:55:42,685 --> 00:55:45,845
It is really good and at trying lots of things in lots of different ways.

1185
00:55:45,845 --> 00:55:48,925
And that's intersecting with other realities about the abilities of virtualized, different

1186
00:55:48,925 --> 00:55:50,365
kinds of cell phone operating systems.

1187
00:55:50,365 --> 00:55:53,365
So just there's a real danger there.

1188
00:55:53,365 --> 00:55:57,365
And there's a danger that the problem expands out from the kinds of very sophisticated spyware

1189
00:55:57,365 --> 00:56:00,605
that we find and we're working on it and we're talking about here.

1190
00:56:00,605 --> 00:56:08,145
The second kind of like layer of this problem set as I see it is with tech, it's like everything

1191
00:56:08,145 --> 00:56:09,425
new is actually old.

1192
00:56:10,165 --> 00:56:15,965
And people now, many of them have invited a new chat window into their lives where they

1193
00:56:15,965 --> 00:56:19,085
talk to somebody else's computer and that computer gives them answers.

1194
00:56:19,085 --> 00:56:23,785
Now we could talk for a long time about the sort of concerns about what that means for

1195
00:56:23,785 --> 00:56:26,065
like the safety of your cognition, right?

1196
00:56:26,065 --> 00:56:29,105
Your ability to really know what you feel and know which thoughts are yours.

1197
00:56:29,105 --> 00:56:32,385
and are you going to get one-shotted by a system designed to butter you up and keep you chatting

1198
00:56:32,385 --> 00:56:38,785
with it? But the other component of this is that those systems are also getting a unique visibility

1199
00:56:38,785 --> 00:56:44,385
into people's lives and thoughts and the things that they're doing. It's a huge data flow.

1200
00:56:44,385 --> 00:56:48,065
Totally. And that is like back to your analogy of that, like the burglar in the house,

1201
00:56:48,065 --> 00:56:51,985
it's almost like you're passing the burglar, whatever it is in your house out the window.

1202
00:56:53,025 --> 00:56:57,425
So the first point you made there is interesting. I've not heard that. The second point was really

1203
00:56:57,425 --> 00:57:02,465
the thing that I have been thinking about in the sense of, like, are we just giving up all this

1204
00:57:02,465 --> 00:57:06,705
massive amounts of personal information to corporates? And do we go into a world of sort

1205
00:57:06,705 --> 00:57:11,105
of corporate surveillance, the corporate panopticon? We're there. We live in a world of corporate

1206
00:57:11,105 --> 00:57:17,745
surveillance. And what is absolutely infuriating is that the corporate surveillance machinery was

1207
00:57:17,745 --> 00:57:23,745
designed to sell you stuff, to better understand behavior, to better sell advertisements to sell

1208
00:57:23,745 --> 00:57:30,525
you stuff, right? Like, turtles all the way down. But of course, that whole machinery is like catnip

1209
00:57:30,525 --> 00:57:35,045
for an intelligence service. Ten years ago, if you wanted massive data collection people,

1210
00:57:35,185 --> 00:57:38,785
you had to build that system. Now, you go to advertising exchanges, you get that data,

1211
00:57:38,925 --> 00:57:43,605
you get that analytic data, like, you want to know where people are, right? Like, all of that

1212
00:57:43,605 --> 00:57:49,845
data flow that was once also the purview only of the states that built it is now available to

1213
00:57:49,845 --> 00:57:54,285
anybody that can pay for it. And that means that many of the legal protections that were like sort

1214
00:57:54,285 --> 00:58:00,865
of carefully honed in any given like country about what governments can collect, how they can collect

1215
00:58:00,865 --> 00:58:05,085
it, how they can retain it, who has to review it. Like none of that matters if you can just go use

1216
00:58:05,085 --> 00:58:10,325
your credit card and get like, you know, 80% of the places that Danny went with his phone from like

1217
00:58:10,325 --> 00:58:16,045
a shady, you know, third party data broker. Right. And even more scary, a bunch of those data brokers

1218
00:58:16,045 --> 00:58:19,105
will sell to like China or other adversarial regimes.

1219
00:58:19,225 --> 00:58:20,325
And so if you're a government now,

1220
00:58:20,505 --> 00:58:22,925
you don't just have to worry about like foreign spies

1221
00:58:22,925 --> 00:58:23,825
following your shit.

1222
00:58:24,245 --> 00:58:25,285
You've got to think that like,

1223
00:58:25,605 --> 00:58:27,165
you're actually like all of your people,

1224
00:58:27,265 --> 00:58:28,785
all of your actions, like it's super legible.

1225
00:58:29,805 --> 00:58:33,185
That extends all the way down to you and me,

1226
00:58:33,245 --> 00:58:34,545
but it's fiendishly difficult.

1227
00:58:34,625 --> 00:58:36,945
Like with spyware, okay, I find spyware on your phone, right?

1228
00:58:36,945 --> 00:58:38,365
You're gonna get your answer later in the conversation.

1229
00:58:39,325 --> 00:58:40,645
Maybe we can figure out who did it.

1230
00:58:40,925 --> 00:58:43,565
And maybe we can trace some lines to that.

1231
00:58:43,565 --> 00:58:48,625
But with data brokers, like, how would you know that it was data broker X?

1232
00:58:48,705 --> 00:58:55,285
Like, what is the chain of the six intermediaries through which your data flowed that eventually resulted in it being used against you?

1233
00:58:55,385 --> 00:58:57,125
That's just a black bag of who knows what.

1234
00:58:57,245 --> 00:58:58,865
It's a black bag of badness.

1235
00:58:59,065 --> 00:59:06,005
And what we have created is like, it's just like a million honeypots for a thousand bears.

1236
00:59:06,545 --> 00:59:10,465
All of them just stuffed with every possible kind of personal data.

1237
00:59:10,465 --> 00:59:16,845
And I am deeply personally angry that so many very talented people built these systems designed

1238
00:59:16,845 --> 00:59:22,205
to monetize behavior without thinking for a second that they were creating a parallel

1239
00:59:22,205 --> 00:59:27,305
structure of control, a parallel structure of monitoring that is now with us.

1240
00:59:27,425 --> 00:59:32,605
Now, if you take that, I would say, increasingly mature structure, and you bolt it into the

1241
00:59:32,605 --> 00:59:39,845
world of AI and the new ways that AI chat systems are understanding people, you start

1242
00:59:39,845 --> 00:59:44,405
fusing that data, you get an absolutely terrifying degree of understanding of people.

1243
00:59:44,865 --> 00:59:48,685
What scares me, like pulling out from the sort of initial privacy question, like your

1244
00:59:48,685 --> 00:59:49,945
stuff is being exposed, is this.

1245
00:59:50,845 --> 00:59:56,605
I believe in the core of my being that there's a category of questions that governments should

1246
00:59:56,605 --> 00:59:59,365
never be permitted to ask about their population.

1247
01:00:00,085 --> 01:00:01,365
I 100% agree.

1248
01:00:01,505 --> 01:00:02,665
They should never be permitted.

1249
01:00:03,245 --> 01:00:08,405
And unfortunately, in too many societies, friction was the only thing preventing that

1250
01:00:08,405 --> 01:00:08,845
from happening.

1251
01:00:08,845 --> 01:00:13,005
Your data, data about you has less friction

1252
01:00:13,005 --> 01:00:15,605
than you trying to make a financial transaction.

1253
01:00:15,705 --> 01:00:17,005
That's bananas, right?

1254
01:00:18,425 --> 01:00:20,165
So when it comes to this,

1255
01:00:20,225 --> 01:00:21,505
like big tech corporate surveillance,

1256
01:00:21,805 --> 01:00:23,565
what do you put it down to?

1257
01:00:23,625 --> 01:00:25,585
Like the people running these businesses,

1258
01:00:25,885 --> 01:00:27,445
like is it, are they evil?

1259
01:00:27,725 --> 01:00:28,485
Is it ignorance?

1260
01:00:28,765 --> 01:00:31,845
Is it just profit-driven, ignore the consequences?

1261
01:00:32,085 --> 01:00:33,085
Like what is it?

1262
01:00:33,205 --> 01:00:35,885
Cash rules everything around me, C.R.E.A.M., right?

1263
01:00:35,985 --> 01:00:37,085
Like you look at each,

1264
01:00:37,085 --> 01:00:38,005
Shout out to that.

1265
01:00:38,565 --> 01:00:42,565
Every organization that is trying to do stuff

1266
01:00:42,565 --> 01:00:44,825
and that winds up collecting data at some point

1267
01:00:44,825 --> 01:00:46,065
is going to have this conversation.

1268
01:00:46,245 --> 01:00:48,325
Oh man, we could have another revenue stream.

1269
01:00:48,525 --> 01:00:50,505
Like, oh, we're helping people solve this problem.

1270
01:00:50,685 --> 01:00:52,345
We're connecting different bank accounts, right?

1271
01:00:52,365 --> 01:00:54,685
Like Plaid, we're connecting this bank to that bank.

1272
01:00:54,805 --> 01:00:56,645
We're helping you get your check deposited, right?

1273
01:00:56,985 --> 01:00:59,225
So it's like, oh man, we have a second parallel

1274
01:00:59,225 --> 01:01:00,585
monetizable flow of data.

1275
01:01:00,645 --> 01:01:02,125
Our shareholders are going to love this.

1276
01:01:02,805 --> 01:01:06,105
A version of that is repeated over and over again

1277
01:01:06,105 --> 01:01:07,285
in company after company.

1278
01:01:07,445 --> 01:01:11,005
And it isn't necessarily framed as privacy violating.

1279
01:01:11,425 --> 01:01:14,405
It can be framed as helping prevent fraud, right?

1280
01:01:14,745 --> 01:01:16,125
Transaction analytics, right?

1281
01:01:16,185 --> 01:01:17,385
Quality of experience.

1282
01:01:17,505 --> 01:01:18,865
These things are always put that way.

1283
01:01:18,985 --> 01:01:20,505
They're always in the same way

1284
01:01:20,505 --> 01:01:22,445
that the online safety stuff is framed

1285
01:01:22,445 --> 01:01:23,785
at like age assurance, right?

1286
01:01:23,785 --> 01:01:24,585
Like saving the children.

1287
01:01:24,585 --> 01:01:28,505
And I think a lot of good, well-meaning people,

1288
01:01:28,665 --> 01:01:30,705
good-hearted people got themselves

1289
01:01:30,705 --> 01:01:32,445
into corporate structures where they built

1290
01:01:32,445 --> 01:01:39,225
like 85% of the privacy-destroying chainsaw.

1291
01:01:40,345 --> 01:01:43,045
And then suddenly they started seeing a chain getting attached to it,

1292
01:01:43,065 --> 01:01:44,085
and they're like, oh, fuck, right?

1293
01:01:44,385 --> 01:01:47,145
And many of them left, or they became disillusioned.

1294
01:01:47,185 --> 01:01:49,045
Some of them volunteer and work at Citizen Lab, right?

1295
01:01:50,685 --> 01:01:53,665
But we got here through the god Profit

1296
01:01:53,665 --> 01:01:57,945
and through a million KPIs.

1297
01:01:58,565 --> 01:02:00,325
What scares me about this conversation

1298
01:02:00,325 --> 01:02:01,865
is we apply it to the world of Bitcoin,

1299
01:02:01,865 --> 01:02:04,705
is that many different players in this ecosystem,

1300
01:02:04,705 --> 01:02:07,185
I think, are going to discover

1301
01:02:07,185 --> 01:02:09,505
many of those same incentive structures

1302
01:02:09,505 --> 01:02:10,525
if they haven't already.

1303
01:02:11,045 --> 01:02:12,945
And it's going to be happening everywhere

1304
01:02:12,945 --> 01:02:14,225
a little bit all at once.

1305
01:02:14,285 --> 01:02:16,325
It's like arsenic poisoning by eating a lot

1306
01:02:16,325 --> 01:02:17,405
of a certain kind of food, right?

1307
01:02:17,745 --> 01:02:19,305
No one bite is the bad one,

1308
01:02:19,365 --> 01:02:20,665
but the sum total is trouble.

1309
01:02:21,365 --> 01:02:23,605
And I'm really curious what you mean about that.

1310
01:02:23,665 --> 01:02:26,025
Is that the fact that there's kind of like

1311
01:02:26,025 --> 01:02:28,905
KYC choke points anywhere you want to go and buy Bitcoin?

1312
01:02:28,905 --> 01:02:34,885
Is it the fact that like anyone now working on privacy software has to fear going to jail?

1313
01:02:35,045 --> 01:02:40,645
And like if Bitcoin can't have any privacy tools on top of it, like does that then become another sort of surveillance panopticon?

1314
01:02:41,345 --> 01:02:56,145
The thing about surveillance panoptica, right, is that I think there is something structural right now that means that like a version of this thing is going to keep repeating itself in every business structure.

1315
01:02:56,145 --> 01:03:04,865
It's kind of like there is a certain crystalline structure that protects privacy, but there

1316
01:03:04,865 --> 01:03:06,145
are other versions of that.

1317
01:03:07,325 --> 01:03:12,345
And if those crystals are introduced, suddenly and over time, the crystalline structure pivots

1318
01:03:12,345 --> 01:03:17,065
and suddenly it becomes not just like, you know, potentially resistant to privacy and

1319
01:03:17,065 --> 01:03:21,465
rights, but actually like the fastest rails to violate those things.

1320
01:03:21,525 --> 01:03:24,145
What got me into this whole world, I was doing something totally different.

1321
01:03:24,145 --> 01:03:26,405
and the Arab Spring happened

1322
01:03:26,405 --> 01:03:29,105
and I saw governments trying to suppress speech.

1323
01:03:29,965 --> 01:03:33,085
So I got into this by building projects

1324
01:03:33,085 --> 01:03:35,425
to get information out during internet shutdowns

1325
01:03:35,425 --> 01:03:37,425
in Egypt and then in Libya.

1326
01:03:37,705 --> 01:03:40,285
And the big personal excitement that I experienced was,

1327
01:03:40,445 --> 01:03:46,645
oh my God, technology has ended the historic asymmetry

1328
01:03:46,645 --> 01:03:48,465
between people and the powerful

1329
01:03:48,465 --> 01:03:50,165
and the ability to push information out.

1330
01:03:50,845 --> 01:03:52,345
Holy cow, right?

1331
01:03:52,345 --> 01:03:59,305
Suddenly, you don't need to take over a TV station to have a protest movement and to tell people in your country what's going on.

1332
01:03:59,485 --> 01:04:04,245
You don't need to persuade a foreign journalist to talk about your story or get your quote.

1333
01:04:04,465 --> 01:04:05,645
You can broadcast it.

1334
01:04:06,165 --> 01:04:17,545
But what social media platforms had not done, they had not reduced the historic and abiding asymmetries between people and governments of power and of risk and of resources.

1335
01:04:17,545 --> 01:04:23,085
And the other shoes started dropping even during the Arab Spring as countries realized, uh-uh.

1336
01:04:23,225 --> 01:04:27,525
The solution is not to turn off all the tech to do internet shutdowns the way that Egypt and Libya did.

1337
01:04:27,825 --> 01:04:30,365
The solution is to do what Syria and so many others did.

1338
01:04:30,685 --> 01:04:33,125
Keep the tech on, but start surveilling, right?

1339
01:04:33,285 --> 01:04:39,665
Give people the feeling of the freedom to express and then slowly find and pick people off.

1340
01:04:40,385 --> 01:04:43,365
Versions of that keep happening all around us.

1341
01:04:43,365 --> 01:04:47,305
The craziest thing about that as well is I think when people hear these stories,

1342
01:04:47,305 --> 01:04:49,865
you assume that that's going to be the stuff that China's doing.

1343
01:04:49,945 --> 01:04:51,145
And I'm sure China are doing it.

1344
01:04:51,225 --> 01:04:53,785
But it's also happening in the UK now.

1345
01:04:54,025 --> 01:04:55,345
It's happening across Europe.

1346
01:04:55,625 --> 01:04:58,505
The Online Safety Act that passed in the UK is terrifying.

1347
01:04:59,165 --> 01:05:00,705
And again, as you said earlier,

1348
01:05:00,825 --> 01:05:03,065
it's framed in this way that it's to protect kids online.

1349
01:05:04,185 --> 01:05:06,065
And there'll be a lot of people

1350
01:05:06,065 --> 01:05:08,645
who don't pay close attention to this,

1351
01:05:08,705 --> 01:05:09,725
that will just believe that narrative

1352
01:05:09,725 --> 01:05:11,925
and think that that's just a good thing by default.

1353
01:05:12,645 --> 01:05:15,685
But maybe you can talk to the actual risks to stuff like this.

1354
01:05:15,685 --> 01:05:17,485
Don't listen to what they're telling you.

1355
01:05:17,845 --> 01:05:20,245
What they're telling you is

1356
01:05:20,245 --> 01:05:23,465
you need to protect kids online.

1357
01:05:23,785 --> 01:05:26,285
And you and me and everybody else,

1358
01:05:26,745 --> 01:05:27,705
opinion polls show, right?

1359
01:05:27,765 --> 01:05:30,285
Like seven out of 10 people do believe

1360
01:05:30,285 --> 01:05:34,425
that kids online face risks

1361
01:05:34,425 --> 01:05:37,285
and have some appetite for a better solution.

1362
01:05:37,905 --> 01:05:40,465
I think a lot of people for different reasons

1363
01:05:40,465 --> 01:05:42,025
have some version of that belief.

1364
01:05:43,405 --> 01:05:45,605
So where do you go with that?

1365
01:05:45,685 --> 01:05:53,185
Well, parents often want a big red button that they can press that will just make the bad stuff go away from their kids online.

1366
01:05:54,385 --> 01:06:03,705
Unfortunately, politicians for whom everything is a nail with their big sledgehammer are like, okay, we have a solution.

1367
01:06:04,485 --> 01:06:05,885
Let's just put a bouncer at the door.

1368
01:06:06,105 --> 01:06:06,845
How intuitive?

1369
01:06:07,045 --> 01:06:08,185
He just wants to look at your ID.

1370
01:06:08,305 --> 01:06:09,245
You just flash him your ID.

1371
01:06:09,805 --> 01:06:11,765
That is the bouncer fallacy.

1372
01:06:11,765 --> 01:06:15,725
What they're actually asking for is something that changes the structure of the internet.

1373
01:06:15,925 --> 01:06:21,845
What they're saying is, you want to go to the club, you show your bouncer your ID, he makes

1374
01:06:21,845 --> 01:06:22,685
a copy of it.

1375
01:06:23,125 --> 01:06:24,705
Maybe he's also going to check your bank account.

1376
01:06:25,085 --> 01:06:31,025
And then everybody you interact with is also going to receive a copy of your ID.

1377
01:06:31,245 --> 01:06:32,265
Where are they going to store it?

1378
01:06:32,285 --> 01:06:33,845
In their sheds out back.

1379
01:06:34,285 --> 01:06:40,185
You're creating a situation where people are suddenly forced, law-abiding people who just

1380
01:06:40,185 --> 01:06:45,065
to interact with the internet, to dox themselves, to KYC for speech.

1381
01:06:45,605 --> 01:06:50,285
And I firmly believe bad things come from this model.

1382
01:06:50,345 --> 01:06:52,945
And in fact, the model has already got problems.

1383
01:06:53,225 --> 01:06:56,325
So the Washington Post, Drew Harwell, this journalist in the Washington Post,

1384
01:06:56,385 --> 01:06:57,665
this really cool bit of data analysis.

1385
01:06:58,185 --> 01:07:03,025
He looked at web traffic to adult platforms

1386
01:07:03,025 --> 01:07:08,445
after the Online Safety Act had its switch turned on.

1387
01:07:08,445 --> 01:07:10,545
What did he find?

1388
01:07:11,485 --> 01:07:12,305
Did you find this?

1389
01:07:12,685 --> 01:07:14,305
I've not seen this, so I'm going to try and guess.

1390
01:07:14,825 --> 01:07:16,105
What happens?

1391
01:07:17,245 --> 01:07:19,185
Let's say there are two categories of online platforms.

1392
01:07:19,385 --> 01:07:21,705
There are rule-abiding platforms

1393
01:07:21,705 --> 01:07:25,565
and there are platforms that don't care.

1394
01:07:26,165 --> 01:07:28,005
What happens to the traffic of those two platforms?

1395
01:07:28,165 --> 01:07:29,045
They go to the ones that don't care.

1396
01:07:29,605 --> 01:07:31,985
And even the people going to the rule-abiding platforms,

1397
01:07:32,125 --> 01:07:35,005
I would assume traffic seemingly drops from those countries,

1398
01:07:35,105 --> 01:07:37,445
but really people are using VPNs and ways to get into them anyway.

1399
01:07:37,445 --> 01:07:48,485
The harder the government squeezes on the internet, the faster and more effectively people get around it, which is why we talked a minute ago about opinion polls.

1400
01:07:48,765 --> 01:07:54,485
Do you know there's another number in UK opinion polls about the Online Safety Act, which is most people don't think it's going to work.

1401
01:07:54,625 --> 01:07:58,405
Like only like 30-some percentage of Brits actually think that this thing will work.

1402
01:07:58,545 --> 01:07:59,505
So it's a paradox.

1403
01:08:00,045 --> 01:08:00,985
Most people want something.

1404
01:08:01,305 --> 01:08:02,285
Most people know it won't work.

1405
01:08:02,285 --> 01:08:09,665
Well, that's a great example of a scenario that highlights really that like the answers

1406
01:08:09,665 --> 01:08:11,085
being provided are wrong.

1407
01:08:11,205 --> 01:08:14,185
I can't think, because like you don't have to have an expert tell you that it won't work.

1408
01:08:14,245 --> 01:08:15,105
So what happened?

1409
01:08:15,485 --> 01:08:22,485
It drove traffic en masse to 3X the traffic of platforms that didn't comply, which there

1410
01:08:22,485 --> 01:08:24,725
will always be because they will be outside of the jurisdiction.

1411
01:08:25,485 --> 01:08:28,645
And almost certainly, not only did that, was that traffic would have otherwise gone to

1412
01:08:28,645 --> 01:08:30,925
complying platforms, suppressed their traffic.

1413
01:08:30,925 --> 01:08:33,685
And like you say, it drove people to use VPNs

1414
01:08:33,685 --> 01:08:35,165
and led to this sort of absurd scenario

1415
01:08:35,165 --> 01:08:37,605
of a British official going online and being like,

1416
01:08:37,785 --> 01:08:39,345
can we all please not use a VPN,

1417
01:08:39,505 --> 01:08:42,265
which is the best viral marketing for VPNs

1418
01:08:42,265 --> 01:08:43,465
I've ever seen in my life.

1419
01:08:43,545 --> 01:08:46,185
100% and VPNs went to like the top of every app store chart.

1420
01:08:46,745 --> 01:08:50,145
And like really the sort of second order consequence of that

1421
01:08:50,145 --> 01:08:52,645
is people just have better online privacy as a result,

1422
01:08:52,765 --> 01:08:54,405
regardless of what websites they're trying to access.

1423
01:08:54,405 --> 01:08:58,585
For now, but follow the follow-up.

1424
01:08:58,965 --> 01:08:59,805
What's going to happen?

1425
01:08:59,805 --> 01:09:05,305
Well, what scares me about the Online Safety Act and the versions of it that we see in

1426
01:09:05,305 --> 01:09:09,805
the United States, in specific US states that are doing their own like age verification-

1427
01:09:09,805 --> 01:09:10,805
Florida have something similar, I think.

1428
01:09:10,805 --> 01:09:27,068
You got a bunch of different US states, like dozens, have done something on this. And whether it's like ID or scan your face or age gating, right? Like, there are elements of the same thing. Well, you're told that this is about protecting kids from harm.

1429
01:09:27,388 --> 01:09:30,248
But if you look at the definitions, they're often really vague.

1430
01:09:30,508 --> 01:09:32,208
Like the harmful stuff, pretty vaguely defined,

1431
01:09:32,408 --> 01:09:35,988
which gives governments a huge amount of ability

1432
01:09:35,988 --> 01:09:38,868
to define things into censorship.

1433
01:09:39,308 --> 01:09:40,868
But it goes further, right?

1434
01:09:40,868 --> 01:09:45,508
What problem do big platforms face in this scenario?

1435
01:09:45,988 --> 01:09:48,167
Well, the Online Safety Act has this feature

1436
01:09:48,167 --> 01:09:51,108
where some clever boffins sat down

1437
01:09:51,108 --> 01:09:52,288
and they're like, okay, you know what?

1438
01:09:52,568 --> 01:09:56,588
We're going to solve the free speech problem too.

1439
01:09:57,108 --> 01:09:59,167
So the Online Safety Act has penalties

1440
01:09:59,167 --> 01:10:00,568
if you show people,

1441
01:10:01,188 --> 01:10:03,548
you show kids bad content,

1442
01:10:03,768 --> 01:10:05,448
legal but harmful content,

1443
01:10:05,667 --> 01:10:07,768
but it also has penalties in theory

1444
01:10:07,768 --> 01:10:08,727
if you over-censor.

1445
01:10:08,727 --> 01:10:11,788
But here's the truth, right?

1446
01:10:11,848 --> 01:10:16,508
Like, if you tell a major online platform, we're going to dock 10% of your global revenue

1447
01:10:16,508 --> 01:10:24,188
if you mess this up and show somebody something harmful, they're not going to call a constitutional

1448
01:10:24,188 --> 01:10:27,688
lawyer to be like, how can we push right up to the edge of this?

1449
01:10:27,888 --> 01:10:29,788
They're going to just start over-complying.

1450
01:10:29,888 --> 01:10:31,328
So Alec Muffett-

1451
01:10:31,328 --> 01:10:31,908
Well, but that was-

1452
01:10:31,908 --> 01:10:35,928
Sorry to interrupt, but that was the cool thing about what 4chan did.

1453
01:10:35,928 --> 01:10:38,848
because they basically said, just fuck you.

1454
01:10:39,028 --> 01:10:40,028
Like, we're an American company.

1455
01:10:40,128 --> 01:10:42,308
You can't impart this law on us.

1456
01:10:42,488 --> 01:10:42,648
Yeah.

1457
01:10:42,988 --> 01:10:47,588
Well, so the British government has faced off comes with this problem,

1458
01:10:47,727 --> 01:10:49,468
which is like, what do you do?

1459
01:10:49,468 --> 01:10:52,028
Like, you know what the analogy is like?

1460
01:10:52,108 --> 01:10:54,548
It's kind of like the analogy to taking your shoes off

1461
01:10:54,548 --> 01:10:57,227
and like, you know, putting your liquids in a little bag.

1462
01:10:57,548 --> 01:10:59,008
Like, it's security theater.

1463
01:10:59,268 --> 01:11:00,448
It's safety theater.

1464
01:11:00,608 --> 01:11:02,768
And the problem is what ends up happening is

1465
01:11:02,768 --> 01:11:06,408
the rules that result in the mass transfer of personal data,

1466
01:11:07,268 --> 01:11:11,448
the mass, like, secret census of online desire

1467
01:11:11,448 --> 01:11:13,268
that is being created and given to governments,

1468
01:11:13,608 --> 01:11:14,948
that stuff is going to stick around

1469
01:11:14,948 --> 01:11:16,628
even as everyone's going to know it doesn't work, right?

1470
01:11:16,748 --> 01:11:18,588
It always ratchets like this.

1471
01:11:18,628 --> 01:11:21,428
Getting back to this question for a second

1472
01:11:21,428 --> 01:11:22,828
of, like, the implications.

1473
01:11:23,008 --> 01:11:24,727
So Alec Muffett, who writes thoughtfully

1474
01:11:24,727 --> 01:11:26,088
about age verification stuff,

1475
01:11:26,488 --> 01:11:29,508
is, like, platforms historically,

1476
01:11:29,588 --> 01:11:31,148
the way that they've sort of categorized content

1477
01:11:31,148 --> 01:11:34,188
is kind of like may contain peanuts, right?

1478
01:11:34,227 --> 01:11:36,167
Like could be harmful, but like what's harmful?

1479
01:11:36,268 --> 01:11:39,428
It's like might be something that would bother people

1480
01:11:39,428 --> 01:11:40,608
if they view it in their office, right?

1481
01:11:40,667 --> 01:11:41,568
NSFW, right?

1482
01:11:42,308 --> 01:11:45,888
They're not designed to do these sort of careful categorizations

1483
01:11:45,888 --> 01:11:49,428
of each kind of speech in ways that maximally protect

1484
01:11:49,428 --> 01:11:50,167
people's freedom of speech.

1485
01:11:50,308 --> 01:11:52,808
So of course, platforms warn to do this.

1486
01:11:53,008 --> 01:11:54,328
They're gonna over-categorize.

1487
01:11:54,508 --> 01:11:56,727
They're gonna apply this sledgehammer.

1488
01:11:56,768 --> 01:11:58,368
It's not a scalpel, it's a big sledgehammer.

1489
01:11:58,368 --> 01:12:06,748
And the end result is people seeking health information, people collecting flags, people struggling with depression, people want help quitting smoking.

1490
01:12:07,227 --> 01:12:09,088
All their communities are going to get turned off, too.

1491
01:12:09,227 --> 01:12:15,888
And you get a situation where you're going to need a passport to speak and a passport to post and a passport to listen.

1492
01:12:16,328 --> 01:12:17,708
That is bananas.

1493
01:12:17,868 --> 01:12:26,288
And as it doesn't work, the other thing that I think governments are going to do is they're going to say, OK, well, we can't solve the problem of these noncompliance.

1494
01:12:26,908 --> 01:12:27,167
Right?

1495
01:12:27,167 --> 01:12:28,388
So what do we do?

1496
01:12:29,548 --> 01:12:31,368
We need a great British firewall.

1497
01:12:31,928 --> 01:12:34,448
We need to start blocking at the gateway to our little island.

1498
01:12:35,328 --> 01:12:39,188
We need to start blocking VPNs because just too many bad things are happening with these technologies.

1499
01:12:39,408 --> 01:12:41,788
A lot of people are going to quickly draw that conclusion.

1500
01:12:42,328 --> 01:12:46,188
And if they start implementing it, it's not just going to be lessons learned from China.

1501
01:12:46,448 --> 01:12:52,428
It's going to be like parallel evolution of some of the same structures of control.

1502
01:12:53,227 --> 01:12:55,888
And let me tell you my big suspicion.

1503
01:12:55,888 --> 01:13:02,108
I don't think that everybody who promotes these things is a prude.

1504
01:13:02,648 --> 01:13:06,667
I think many of them, many lawmakers, are exercised by concerns, legitimate concerns about children.

1505
01:13:07,888 --> 01:13:09,308
We can talk about maybe better ways to address this.

1506
01:13:09,348 --> 01:13:16,048
But in the U.S., some of the groups that are bankrolling this stuff, they just want to end things that they don't like.

1507
01:13:16,448 --> 01:13:22,148
They want to stop people from viewing adult content, but also other kinds of content that they deem societally harmful.

1508
01:13:22,248 --> 01:13:22,808
Well, what is that?

1509
01:13:22,808 --> 01:13:28,108
That's a bunch of prudish, often religiously driven censors trying to censor everybody.

1510
01:13:28,308 --> 01:13:29,568
This is very bad.

1511
01:13:29,648 --> 01:13:30,688
It doesn't belong in democracies.

1512
01:13:32,128 --> 01:13:35,868
And so what are the things that people can actually...

1513
01:13:35,868 --> 01:13:40,368
In fact, before I ask that question, because the part of this that we've not necessarily

1514
01:13:40,368 --> 01:13:44,008
spoken about yet is the risk to end-to-end encryption.

1515
01:13:44,608 --> 01:13:49,727
So I don't know the exact state of this as of right now, but I know as part of this act,

1516
01:13:49,727 --> 01:13:52,688
they were trying to have a backdoor

1517
01:13:52,768 --> 01:13:54,208
that they were trying to call not a backdoor.

1518
01:13:54,288 --> 01:13:56,128
In the sense that if you're using the Signal Protocol

1519
01:13:56,208 --> 01:13:58,768
to communicate, they wanted, I believe,

1520
01:13:58,848 --> 01:14:01,328
to verify a message before it was sent on device

1521
01:14:01,408 --> 01:14:03,168
to make sure it didn't contain anything harmful

1522
01:14:03,248 --> 01:14:05,328
or hate speech or however they deem it

1523
01:14:05,408 --> 01:14:06,608
before you actually send that message.

1524
01:14:06,688 --> 01:14:09,648
So that is not end-to-end encryption.

1525
01:14:09,727 --> 01:14:12,208
If you have to premise what you're saying

1526
01:14:12,288 --> 01:14:15,008
with this is not a backdoor, it's a backdoor.

1527
01:14:15,648 --> 01:14:16,448
Yeah.

1528
01:14:16,528 --> 01:14:19,248
So client-side scanning is this concept

1529
01:14:19,248 --> 01:14:24,768
that people might send harmful things that the state can't control across the platform.

1530
01:14:24,768 --> 01:14:29,727
So how do you deal with that? Well, you push a bunch of rule sets to a device,

1531
01:14:30,688 --> 01:14:35,168
and that device is then going to censor the stuff, prevent it from going, and maybe also

1532
01:14:35,168 --> 01:14:37,727
send a little notification to the powers that be that you tried to send it.

1533
01:14:38,608 --> 01:14:42,128
China has also experimented with and implemented all sorts of versions of this in chat apps.

1534
01:14:43,168 --> 01:14:46,848
A bunch of Chinese chat apps will have rule sets that they download of words you can't share.

1535
01:14:46,848 --> 01:14:53,348
right? So UK treading where others perhaps have treaded before. The problem with that system

1536
01:14:53,348 --> 01:15:00,988
is that even if it is implemented for the purposes of blocking content that you or I might regard as

1537
01:15:00,988 --> 01:15:04,968
morally reprehensible and is harmful in its creation and in its sharing,

1538
01:15:07,188 --> 01:15:11,788
all the government needs to do once it has that system in place is to push some new rules to that

1539
01:15:11,788 --> 01:15:17,988
system. And suddenly it is an on-the-device speech monitoring system, right? I can just tell it,

1540
01:15:18,028 --> 01:15:21,628
well, actually, you know what else bothers me is a certain kind of flag. You know what else bothers

1541
01:15:21,628 --> 01:15:26,628
me is like a certain kind of meme, right? China does this, right? Winnie the Pooh memes, got to

1542
01:15:26,628 --> 01:15:32,088
block them. And- Starmer memes will be banned next. You got to protect the children from those

1543
01:15:32,088 --> 01:15:38,848
memes. This is a serious business. And the problem with that kind of structure, and this is like,

1544
01:15:38,848 --> 01:15:44,408
Look, I've only worked on this issue and related privacy issues for 14 years.

1545
01:15:44,727 --> 01:15:47,748
That's a pretty small slice of time.

1546
01:15:48,188 --> 01:15:52,308
Our director, Ron Deibert, brilliant guy who founded the Citizen Lab back around 2000,

1547
01:15:52,768 --> 01:15:55,188
looking way into the future when he founded us.

1548
01:15:55,628 --> 01:16:00,448
We remain reliably independent of government and corporate pressure and funding.

1549
01:16:02,688 --> 01:16:05,548
The view is, and I think he would tell you this.

1550
01:16:05,548 --> 01:16:06,408
I don't want to speak for him, but he would tell you this.

1551
01:16:06,408 --> 01:16:09,628
is if you build systems that allow for control and access,

1552
01:16:10,268 --> 01:16:11,868
the temptation is just too great.

1553
01:16:11,868 --> 01:16:14,408
And everything that we know

1554
01:16:14,408 --> 01:16:17,048
from every other surveillance technology,

1555
01:16:17,128 --> 01:16:18,368
in fact, every historical example

1556
01:16:18,368 --> 01:16:21,928
of secret surveillance capabilities created

1557
01:16:21,928 --> 01:16:23,308
is that they get abused.

1558
01:16:23,668 --> 01:16:26,727
Nowhere more so than when the state is pretty confident

1559
01:16:26,727 --> 01:16:28,808
that they can surveil without the citizens

1560
01:16:28,808 --> 01:16:29,708
knowing that it's happening.

1561
01:16:30,408 --> 01:16:33,088
I think it's almost analogous to the idea

1562
01:16:33,088 --> 01:16:34,528
that is talked about a lot in Bitcoin.

1563
01:16:34,528 --> 01:16:38,528
that if you give the state the ability to press a big red button and print more money,

1564
01:16:38,528 --> 01:16:42,288
that's too powerful for them not to press. And it's the same thing here.

1565
01:16:42,288 --> 01:16:45,248
Like, during the entire Cold War,

1566
01:16:45,248 --> 01:16:50,848
people lived in fear of a big red button. We don't want to be in a position where people have to fear

1567
01:16:51,727 --> 01:16:55,568
the pressing of a big red button, either for them specifically, because it's something they said,

1568
01:16:55,568 --> 01:17:01,168
did, thought, or shared privately or in public, or for speech generally. And I think what we've

1569
01:17:01,168 --> 01:17:06,608
learned from the excesses of the past few years is that platforms are really bad at playing a role

1570
01:17:06,608 --> 01:17:11,808
of speech police. They don't want to be speech police either. And like, it's going to sound

1571
01:17:11,808 --> 01:17:17,248
controversial, but like this stuff harms platforms too. They're not designed for this. They shouldn't

1572
01:17:17,248 --> 01:17:20,848
be asked to do it. Now, the Online Safety Act has like, you know, categories of platform,

1573
01:17:20,848 --> 01:17:23,568
three different tiers, depending on how big the platform is, how big the user base is,

1574
01:17:23,568 --> 01:17:30,128
how big the potential for harm is. But ultimately this stuff harms innovators too. And it harms

1575
01:17:30,128 --> 01:17:32,088
people that are trying to run communities that are helpful.

1576
01:17:33,588 --> 01:17:36,168
And I think fundamentally, like, it creates a...

1577
01:17:36,168 --> 01:17:38,428
Like, you don't want a scenario

1578
01:17:38,428 --> 01:17:44,048
where the people overseeing the speech world

1579
01:17:44,048 --> 01:17:47,128
are the equivalent of the teacher monitoring the detention room

1580
01:17:47,128 --> 01:17:48,727
to make sure that people aren't talking to each other.

1581
01:17:48,808 --> 01:17:49,468
And that's where we're headed.

1582
01:17:49,948 --> 01:17:52,368
It's funny, like, we talked earlier about the risk

1583
01:17:52,368 --> 01:17:54,828
of these megacorporations just harvesting data

1584
01:17:54,828 --> 01:17:56,048
and doing corporate surveillance.

1585
01:17:56,368 --> 01:17:59,688
But in some ways, are they the potential answer to this?

1586
01:17:59,688 --> 01:18:02,768
in the sense that if Meta and Apple,

1587
01:18:03,408 --> 01:18:04,868
I mean, Signal have already said,

1588
01:18:05,028 --> 01:18:06,248
if the UK implement these laws,

1589
01:18:06,288 --> 01:18:06,968
they're just going to pull out.

1590
01:18:07,268 --> 01:18:08,488
But there's so much more weight

1591
01:18:08,488 --> 01:18:10,308
behind a company like Apple and Meta doing that.

1592
01:18:10,528 --> 01:18:12,148
Do you think that is one of the ways

1593
01:18:12,148 --> 01:18:13,688
that we can actually fight this?

1594
01:18:14,708 --> 01:18:17,808
I am a pragmatist in a lot of ways.

1595
01:18:18,108 --> 01:18:20,128
And I think that we benefit

1596
01:18:20,128 --> 01:18:22,668
when there are certain alliances

1597
01:18:22,668 --> 01:18:27,448
or alignments with interests

1598
01:18:27,448 --> 01:18:29,108
that might otherwise be strange bedfellows.

1599
01:18:29,108 --> 01:18:32,948
right? Like it's kind of remarkable that there was like a national security and human rights

1600
01:18:32,948 --> 01:18:38,328
problem with mercenary spyware. But those things change when political realities change.

1601
01:18:38,808 --> 01:18:44,508
Those things change when realities change for platforms. It wouldn't take much for a big

1602
01:18:44,508 --> 01:18:50,408
platform to not be an ally. And I think when it comes to our privacy, like we have been massively

1603
01:18:50,408 --> 01:18:54,727
victimized by most of the platforms that we've brought into our world, right? As the Russian

1604
01:18:54,727 --> 01:18:59,328
saying goes, the only free cheese is in the mousetrap. And we are just getting every day,

1605
01:18:59,408 --> 01:19:03,288
the mousetrap is just hammering us harder than, you know, like a self-flagellating,

1606
01:19:03,388 --> 01:19:08,088
you know, medieval attempt to get rid of the plague. And what I see though, is that like

1607
01:19:08,088 --> 01:19:16,348
where there's potential is decentralization, systems with less permission, systems that have

1608
01:19:16,348 --> 01:19:20,828
a robustness and that aren't susceptible to somebody sitting down with their leadership and

1609
01:19:20,828 --> 01:19:25,468
being like, hey, look, your other product line, which is providing services to our government,

1610
01:19:25,568 --> 01:19:28,988
whether it's a cloud service, whether it's a messaging platform, whether it's an AI platform,

1611
01:19:29,328 --> 01:19:31,988
you want to keep those contracts? We're going to need certain things from you.

1612
01:19:32,688 --> 01:19:39,288
The problem is many big companies are big enough and shareholder driven enough that they cannot

1613
01:19:39,288 --> 01:19:43,808
really be trusted as allies in the long term. In the same way that most politicians really can't

1614
01:19:43,808 --> 01:19:50,068
be trusted as allies in the long term. So I've, again, met you a few times throughout the years.

1615
01:19:50,068 --> 01:19:51,828
You're a very positive person.

1616
01:19:52,148 --> 01:19:55,227
And despite that this has been one giant black pill,

1617
01:19:56,308 --> 01:19:58,388
where is the kind of hope here?

1618
01:19:58,468 --> 01:20:02,048
Because I know you, Citizen Lab, are at Oslo Freedom Forum.

1619
01:20:02,748 --> 01:20:04,408
You've been to these HRF events.

1620
01:20:04,788 --> 01:20:07,568
Is the answer in Freedom Tech, things like Nostr

1621
01:20:07,568 --> 01:20:09,748
and these new platforms that are being built?

1622
01:20:11,388 --> 01:20:18,288
I think like being in a really stifling speech submarine,

1623
01:20:18,288 --> 01:20:23,688
right? Like, a big breath of oxygen goes a long way. I believe that certain kinds of

1624
01:20:23,688 --> 01:20:27,588
freedom tech is that breath of oxygen, and I think when people start breathing

1625
01:20:27,588 --> 01:20:33,888
it, they feel the difference. I am most optimistic both of the growth of some

1626
01:20:33,888 --> 01:20:38,628
of those technologies and also of what happens when they get mainlined into

1627
01:20:38,628 --> 01:20:45,227
popular things that get used by everybody, when encryption for, like, think

1628
01:20:45,227 --> 01:20:47,068
Think about it like this.

1629
01:20:47,068 --> 01:20:50,748
My personal view, one of the biggest developments

1630
01:20:50,748 --> 01:21:00,408
in like the 20 teens was when Google decided to turn HTTPS

1631
01:21:00,408 --> 01:21:02,988
encryption on for all of their user base.

1632
01:21:02,988 --> 01:21:05,668
Because suddenly government went from literally reading

1633
01:21:05,668 --> 01:21:09,668
all of your emails to having to try to figure out a new way.

1634
01:21:09,668 --> 01:21:13,088
But being knocked out, a switch was flipped.

1635
01:21:13,088 --> 01:21:15,168
I'm a great believer in that kind of switch.

1636
01:21:15,588 --> 01:21:18,068
Well, what was one of the other big switches

1637
01:21:18,068 --> 01:21:19,028
that was flipped in the teens?

1638
01:21:20,668 --> 01:21:25,448
I would say WhatsApp implementing end-to-end encryption, right?

1639
01:21:25,608 --> 01:21:26,688
Even if they did it kind of shitty?

1640
01:21:27,468 --> 01:21:29,688
The implementation of end-to-end encryption that they did

1641
01:21:29,688 --> 01:21:32,148
is using the same ciphers that Signal uses.

1642
01:21:32,328 --> 01:21:34,568
My issue with it, and tell me if I'm wrong here,

1643
01:21:34,628 --> 01:21:38,008
is if someone has cloud backup on their chats,

1644
01:21:38,008 --> 01:21:39,748
does that not remove the end-to-end encryption

1645
01:21:39,748 --> 01:21:41,048
for everyone who's communicating with them?

1646
01:21:41,048 --> 01:21:51,628
Indeed, the great challenge with many of the most popular devices and platforms is around backup and encrypted backup.

1647
01:21:51,928 --> 01:21:58,108
And it is extremely meaningful to me that WhatsApp now provides backup encryption.

1648
01:21:58,608 --> 01:22:00,008
Okay, I didn't realize I'd done that.

1649
01:22:00,068 --> 01:22:02,748
Apple provides backup encryption for iCloud.

1650
01:22:02,748 --> 01:22:09,748
Because it used to be the case that I think part of why states were so comfortable with iPhones being pretty solidly encrypted

1651
01:22:09,748 --> 01:22:13,727
was that they could just go get iCloud stuff on the back end.

1652
01:22:14,928 --> 01:22:20,808
I see the efforts that big players make often to incorporate these technologies.

1653
01:22:21,208 --> 01:22:23,328
There's often a bit of a workaround somewhere in there.

1654
01:22:23,768 --> 01:22:27,788
And I think that that is partly because it's hard to do everything at once.

1655
01:22:27,788 --> 01:22:31,508
Sometimes, pragmatically, it ends up functioning a little bit like a pressure release valve

1656
01:22:31,508 --> 01:22:32,727
for governmental pressure.

1657
01:22:33,088 --> 01:22:37,608
But nevertheless, on balance, it still massively increases privacy.

1658
01:22:37,708 --> 01:22:44,088
Because, for example, let's go back to a time period where people had WhatsApp encryption

1659
01:22:44,088 --> 01:22:46,188
but were backing up to Google Drive.

1660
01:22:46,568 --> 01:22:48,788
If the state wanted the contents of your Google Drive, they'd have to go to Google.

1661
01:22:49,068 --> 01:22:50,968
They would have to prepare a judicial request.

1662
01:22:51,528 --> 01:22:52,248
They'd come to Google.

1663
01:22:52,548 --> 01:22:55,608
Google would review it, decide whether or not it appeared to comply with rules.

1664
01:22:55,608 --> 01:22:57,628
They would sort of look at the case, and then they would respond.

1665
01:22:57,788 --> 01:23:00,088
That's a huge layer of friction and oversight.

1666
01:23:00,268 --> 01:23:01,188
That's people in the middle.

1667
01:23:02,048 --> 01:23:04,048
The truth before that was there was nobody in the middle.

1668
01:23:04,128 --> 01:23:05,388
The state could just monitor from the wire.

1669
01:23:05,888 --> 01:23:10,568
And so there's still tremendous net benefit with friction,

1670
01:23:10,688 --> 01:23:11,468
but it's incomplete.

1671
01:23:11,768 --> 01:23:14,388
So this is like, don't let perfect be the enemy of good kind of thing.

1672
01:23:14,388 --> 01:23:16,628
And the problem that we have as a community

1673
01:23:16,628 --> 01:23:22,268
is we have to be very clear about what wins look like,

1674
01:23:22,348 --> 01:23:25,448
but just as clear about the fact that we're incrementing.

1675
01:23:25,448 --> 01:23:28,868
And one of the problems, again and again,

1676
01:23:29,208 --> 01:23:31,668
is the sort of heroic individual model

1677
01:23:31,668 --> 01:23:32,948
of privacy and security,

1678
01:23:33,168 --> 01:23:35,048
where someone is like, you know what?

1679
01:23:35,248 --> 01:23:37,208
This tech, this encrypted messenger

1680
01:23:37,208 --> 01:23:39,268
is the only one that I really trust.

1681
01:23:39,428 --> 01:23:41,388
And you have to come to me and use my thing

1682
01:23:41,388 --> 01:23:42,227
if you want to be.

1683
01:23:42,227 --> 01:23:42,868
I'm guilty of that.

1684
01:23:43,128 --> 01:23:46,528
And honestly, it's like being with

1685
01:23:46,528 --> 01:23:52,328
the most insufferable privacy vegan

1686
01:23:52,328 --> 01:23:53,648
you've ever met.

1687
01:23:53,808 --> 01:23:55,168
Oh, no, I did that with my family.

1688
01:23:55,168 --> 01:23:57,788
I said, if they want pictures of my daughter, then they have to be on Signal.

1689
01:23:58,008 --> 01:23:59,908
Well, Signal is a good balance.

1690
01:24:00,328 --> 01:24:03,248
I think that there's a lot of room for incrementing, right?

1691
01:24:03,268 --> 01:24:04,388
And for creating network effects.

1692
01:24:04,428 --> 01:24:07,328
I think it's a totally legit thing to do as a son or a daughter to be like,

1693
01:24:07,568 --> 01:24:11,248
mom and dad, I would love to send you pictures of my family,

1694
01:24:11,428 --> 01:24:13,768
but it's going to have to be with some encryption, right?

1695
01:24:14,088 --> 01:24:15,388
That is healthy.

1696
01:24:15,868 --> 01:24:20,368
What's unhealthy is when people are like, I reject all popular platforms

1697
01:24:20,368 --> 01:24:22,548
and only do this one thing.

1698
01:24:22,548 --> 01:24:26,548
Because the problem is the enemy of political organizing, right?

1699
01:24:26,548 --> 01:24:27,488
What do we care about in society?

1700
01:24:27,848 --> 01:24:32,168
People talking, communicating, sharing ideas, inter-exchange, inter-cambio, right?

1701
01:24:32,588 --> 01:24:37,468
That stuff, for it to work, requires that there not be too much entry cost friction.

1702
01:24:37,988 --> 01:24:43,488
And so what I worry about is that the privacy world, and it's like, you know, understandable

1703
01:24:43,488 --> 01:24:50,048
but most exhausting, winds up shitting on everything other than the orthodox perfection.

1704
01:24:50,048 --> 01:24:56,028
But the truth is, so often, they're not really doing the perfection thing themselves all the time either.

1705
01:24:56,668 --> 01:24:58,308
It's just a bit of a performance.

1706
01:24:58,568 --> 01:25:01,948
It's hard, and your friends aren't going to be there talking with you.

1707
01:25:02,088 --> 01:25:09,768
So I feel like if we're looking at the problem set, and this is my pragmatic frame, and others might disagree,

1708
01:25:10,448 --> 01:25:14,828
there's a huge value in large-scale big increments.

1709
01:25:14,828 --> 01:25:21,788
and there's huge danger in large-scale friction reduction in surveillance.

1710
01:25:22,628 --> 01:25:26,348
Those two things are kind of, in many cases, like the biggest fights.

1711
01:25:26,788 --> 01:25:29,868
What I'm excited about is at these ends,

1712
01:25:30,008 --> 01:25:34,128
there are developers and others working to develop tools to their standards, right?

1713
01:25:34,288 --> 01:25:35,668
Let a lot of flowers grow.

1714
01:25:35,988 --> 01:25:36,848
Some of those are going to work.

1715
01:25:36,928 --> 01:25:38,088
Some of those are going to become really popular.

1716
01:25:38,208 --> 01:25:39,408
They're going to be network effects like Signal.

1717
01:25:39,868 --> 01:25:41,227
Others are not.

1718
01:25:41,227 --> 01:25:48,388
The trick is, so we were talking earlier about like, who's going to get targeted by Pegasus?

1719
01:25:48,908 --> 01:25:49,988
Here's the truth of the matter.

1720
01:25:50,568 --> 01:25:52,908
We don't know who tomorrow's targets are going to be.

1721
01:25:53,508 --> 01:25:58,268
They don't know themselves because they may not have made a choice that puts them into

1722
01:25:58,268 --> 01:26:01,308
the like target line of a government.

1723
01:26:02,568 --> 01:26:06,508
They have not yet decided to step out and speak their truth or speak up against something

1724
01:26:06,508 --> 01:26:10,488
that they see is wrong or share a thought that bothers somebody.

1725
01:26:10,488 --> 01:26:12,128
They don't know, and we don't know who they are.

1726
01:26:12,928 --> 01:26:14,948
We have to be designing our technology

1727
01:26:14,948 --> 01:26:18,448
so that those people will have,

1728
01:26:18,768 --> 01:26:19,888
already on their devices,

1729
01:26:20,428 --> 01:26:22,348
tech that has like 80% of the way there

1730
01:26:22,348 --> 01:26:24,208
and then can have some small changes.

1731
01:26:24,268 --> 01:26:26,768
Because once a person has made that choice,

1732
01:26:27,107 --> 01:26:28,488
it's too late to sit them down and be like,

1733
01:26:28,528 --> 01:26:29,828
okay, you need to behave like a total spy.

1734
01:26:29,928 --> 01:26:31,408
You got to use all this sophisticated technology.

1735
01:26:31,607 --> 01:26:33,008
And none of your friends are there, right?

1736
01:26:33,028 --> 01:26:35,048
Like they raised their voice and they were dangerous

1737
01:26:35,048 --> 01:26:36,668
because they raised their voice and people listened.

1738
01:26:36,868 --> 01:26:38,928
You can't suddenly tell them to turn off their voice

1739
01:26:38,928 --> 01:26:40,628
for the sake of being safer online.

1740
01:26:40,828 --> 01:26:43,288
You have to work with them and balance with them,

1741
01:26:43,348 --> 01:26:45,808
which means that a little bit like trimming a bonsai,

1742
01:26:45,928 --> 01:26:49,308
if you trim the branches and you trim the roots

1743
01:26:49,308 --> 01:26:51,288
and you bend it and you water it all at the same time,

1744
01:26:51,328 --> 01:26:51,808
you kill it.

1745
01:26:51,968 --> 01:26:53,088
You do one thing at a time.

1746
01:26:53,268 --> 01:26:56,008
And the same is true for user behavior with security.

1747
01:26:56,128 --> 01:26:58,488
So I'm a huge believer that user experience

1748
01:26:58,488 --> 01:27:01,268
and ease of entry, which means no scolding,

1749
01:27:01,727 --> 01:27:04,388
has to be as friction-free as possible.

1750
01:27:04,468 --> 01:27:05,908
It's more consequential in many ways

1751
01:27:05,908 --> 01:27:11,408
that a popular app has an on-ramp for a privacy and freedom technology

1752
01:27:11,408 --> 01:27:13,868
than that there exists somewhere

1753
01:27:13,868 --> 01:27:17,248
carefully honed, polished pearl of perfection.

1754
01:27:17,448 --> 01:27:18,708
And that is why Signal is perfect.

1755
01:27:18,908 --> 01:27:21,488
In my opinion, I think it's the best messaging app

1756
01:27:21,488 --> 01:27:23,868
because it just feels like anything else.

1757
01:27:24,188 --> 01:27:26,788
And you know you have the additional security and privacy.

1758
01:27:26,788 --> 01:27:29,208
Can I make two suggestions to your viewers

1759
01:27:29,208 --> 01:27:31,088
about how to use Signal in a little bit more of a secure way?

1760
01:27:31,168 --> 01:27:31,488
Absolutely.

1761
01:27:31,908 --> 01:27:34,448
Okay. So here's what you need to do.

1762
01:27:34,448 --> 01:27:37,848
Go into your Signal settings and check out privacy.

1763
01:27:38,368 --> 01:27:39,448
I'm going to do this as you said.

1764
01:27:40,088 --> 01:27:41,088
Let's do this.

1765
01:27:41,148 --> 01:27:41,588
Let's see how I do.

1766
01:27:42,368 --> 01:27:43,988
Go into Signal settings and privacy.

1767
01:27:44,188 --> 01:27:44,388
Yeah.

1768
01:27:44,648 --> 01:27:44,908
Okay.

1769
01:27:46,428 --> 01:27:46,868
Yep.

1770
01:27:47,088 --> 01:27:47,908
Now choose advanced.

1771
01:27:49,808 --> 01:27:51,708
And tell me what you see on there.

1772
01:27:52,588 --> 01:27:53,848
Censorship circumvention.

1773
01:27:54,148 --> 01:27:54,508
What else?

1774
01:27:55,128 --> 01:27:59,168
Proxy, always relay calls, show status icon, allow from anyone.

1775
01:27:59,408 --> 01:27:59,668
Okay.

1776
01:27:59,888 --> 01:28:02,828
What I want you to do is turn on always relay calls.

1777
01:28:03,068 --> 01:28:03,388
On.

1778
01:28:03,388 --> 01:28:04,168
It's already on.

1779
01:28:04,448 --> 01:28:04,828
Good man.

1780
01:28:05,768 --> 01:28:06,868
Do you know what it's doing for you?

1781
01:28:07,168 --> 01:28:07,788
I don't.

1782
01:28:08,227 --> 01:28:13,188
So when I call you on Signal, I install Signal, you install Signal, we just make a call like

1783
01:28:13,188 --> 01:28:13,368
that.

1784
01:28:13,648 --> 01:28:15,208
It's a peer-to-peer communication, right?

1785
01:28:15,328 --> 01:28:18,908
Which means that our devices are talking to each other across the network, which means

1786
01:28:18,908 --> 01:28:21,308
that the network may know that we're having a Signal call.

1787
01:28:21,888 --> 01:28:24,048
They can't hear what we're talking about.

1788
01:28:24,107 --> 01:28:25,148
They can't see what we're messaging about.

1789
01:28:25,148 --> 01:28:28,068
But the fact of that call is known to various parts of the network.

1790
01:28:28,908 --> 01:28:31,227
That is a really interesting piece of metadata.

1791
01:28:31,227 --> 01:28:36,607
Call Relay bumps your call through servers that Signal controls.

1792
01:28:37,148 --> 01:28:40,748
It's still encrypted, but that means that the network now in this place that we're sitting,

1793
01:28:41,168 --> 01:28:43,708
all that the network knows is that you're having a call that looks like a Signal call.

1794
01:28:44,068 --> 01:28:46,848
They can't see the IP address of your correspondent,

1795
01:28:47,148 --> 01:28:50,208
and your correspondent can't see your IP address either.

1796
01:28:50,568 --> 01:28:51,548
Major improvement.

1797
01:28:52,107 --> 01:28:53,648
Now, I want you to go to your WhatsApp.

1798
01:28:54,248 --> 01:28:54,408
Okay.

1799
01:28:56,607 --> 01:28:58,668
Is that the only setting in there that's the...

1800
01:28:58,668 --> 01:29:01,068
No, actually, should we do another Signal setting change?

1801
01:29:01,068 --> 01:29:06,668
OK, so the other thing that I want you to do is I want you to turn on disappearing messages

1802
01:29:06,668 --> 01:29:07,328
by default.

1803
01:29:07,948 --> 01:29:09,548
It's already on at four weeks.

1804
01:29:09,588 --> 01:29:09,828
Great.

1805
01:29:10,348 --> 01:29:10,988
Here's why.

1806
01:29:11,308 --> 01:29:15,708
Remember, we were talking earlier about how governments do top ups with surveillance,

1807
01:29:15,968 --> 01:29:16,107
right?

1808
01:29:16,188 --> 01:29:19,088
They're like, you know, they're a little penny pinching with their surveillance technology.

1809
01:29:19,528 --> 01:29:22,607
Same holds true for all kinds of other hacking.

1810
01:29:23,028 --> 01:29:28,227
If your device doesn't have old chats on it, a hacker can't get them either.

1811
01:29:28,908 --> 01:29:32,607
Disappearing messages at four weeks is a great default mechanism.

1812
01:29:32,768 --> 01:29:34,227
Set it once and don't think about it more

1813
01:29:34,227 --> 01:29:38,788
so that your phone is not carrying five years of your life's worth of interesting conversations.

1814
01:29:38,888 --> 01:29:41,727
I do turn off on some of my chats, though, because I want to have the history.

1815
01:29:41,727 --> 01:29:42,088
Exactly.

1816
01:29:42,488 --> 01:29:47,107
And the model should be turn it off as needed, not turn it on when paranoid.

1817
01:29:47,328 --> 01:29:47,488
Yeah.

1818
01:29:47,568 --> 01:29:48,988
You should be default concerned.

1819
01:29:49,248 --> 01:29:49,508
Okay.

1820
01:29:49,727 --> 01:29:50,128
WhatsApp.

1821
01:29:50,508 --> 01:29:51,208
Let's go to our WhatsApp.

1822
01:29:51,548 --> 01:29:53,528
This one will be worse because I don't use WhatsApp very much.

1823
01:29:53,628 --> 01:29:53,808
Okay.

1824
01:29:53,908 --> 01:29:55,288
So I probably never played with the settings.

1825
01:29:55,528 --> 01:29:56,888
I want you to do exactly the same thing.

1826
01:29:56,888 --> 01:29:57,628
Go to privacy.

1827
01:29:57,968 --> 01:29:58,168
Okay.

1828
01:29:58,227 --> 01:29:59,628
And go to, I think it's advanced.

1829
01:30:00,588 --> 01:30:00,848
Yep.

1830
01:30:01,328 --> 01:30:03,948
And do you see protect my IP address and calls?

1831
01:30:04,048 --> 01:30:04,968
That's off on this one.

1832
01:30:05,028 --> 01:30:05,928
You turn that bad boy on.

1833
01:30:06,008 --> 01:30:06,227
Okay.

1834
01:30:06,448 --> 01:30:06,968
Same deal.

1835
01:30:07,468 --> 01:30:11,468
Now, people should understand there are structural privacy differences.

1836
01:30:11,548 --> 01:30:13,727
And obviously, turn on disappearing messages by default on WhatsApp too.

1837
01:30:13,727 --> 01:30:14,648
Yeah, I think you have it already.

1838
01:30:15,107 --> 01:30:15,227
Okay.

1839
01:30:15,808 --> 01:30:19,828
People need to understand there are structural differences in the privacy that you have when

1840
01:30:19,828 --> 01:30:21,148
you use different kinds of platforms.

1841
01:30:21,148 --> 01:30:27,788
So, Meta will know more about you as a WhatsApp user than Signal will know about you as a

1842
01:30:27,788 --> 01:30:28,788
So act accordingly.

1843
01:30:28,788 --> 01:30:35,548
But what I like about both of these settings is, especially with Signal, you're now way

1844
01:30:35,548 --> 01:30:38,227
more secure and you're more private.

1845
01:30:38,227 --> 01:30:39,568
This is really important.

1846
01:30:39,568 --> 01:30:41,488
And it took like 30 seconds, right?

1847
01:30:41,488 --> 01:30:45,288
Should we talk about another thing that people should do?

1848
01:30:45,288 --> 01:30:46,288
Please.

1849
01:30:46,288 --> 01:30:47,288
OK.

1850
01:30:47,288 --> 01:30:48,288
What kind of phone is that?

1851
01:30:48,288 --> 01:30:49,288
iPhone or Android?

1852
01:30:49,288 --> 01:30:50,288
Are you comfortable saying it on the iPhone?

1853
01:30:50,288 --> 01:30:51,288
iPhone.

1854
01:30:51,288 --> 01:30:52,288
OK.

1855
01:30:52,288 --> 01:30:53,288
Have you ever heard of lockdown mode?

1856
01:30:53,288 --> 01:30:54,288
Yes.

1857
01:30:54,288 --> 01:30:55,988
I actually saw a thread on Twitter.

1858
01:30:55,988 --> 01:30:57,288
I think I might have done this.

1859
01:30:57,748 --> 01:30:58,268
Let's see.

1860
01:30:58,408 --> 01:30:59,008
Lockdown mode.

1861
01:31:01,168 --> 01:31:03,088
So go to privacy and security.

1862
01:31:03,227 --> 01:31:03,568
Got it.

1863
01:31:03,748 --> 01:31:04,488
Go all the way to the bottom.

1864
01:31:04,568 --> 01:31:05,208
You should see lockdown mode.

1865
01:31:05,248 --> 01:31:05,368
Yeah.

1866
01:31:07,068 --> 01:31:07,768
It's not on.

1867
01:31:07,948 --> 01:31:08,148
Okay.

1868
01:31:08,368 --> 01:31:10,107
So let's talk about what lockdown mode is.

1869
01:31:10,107 --> 01:31:14,428
So in 2021, November 2021 was a shitty month for NSO Group.

1870
01:31:14,568 --> 01:31:17,508
Not only did they get dinged by being put on the entity list by the U.S.

1871
01:31:17,548 --> 01:31:21,188
Commerce Department, but Apple also notified a whole bunch of people that

1872
01:31:21,188 --> 01:31:24,148
had been hacked through Apple services with Pegasus.

1873
01:31:24,148 --> 01:31:27,048
And they sued.

1874
01:31:28,328 --> 01:31:30,908
Very bad situation for NSO.

1875
01:31:32,048 --> 01:31:36,688
Apple also began the process of rolling out lockdown mode.

1876
01:31:36,727 --> 01:31:37,528
Well, what's lockdown mode?

1877
01:31:37,888 --> 01:31:40,968
There are ways of taking a regular device

1878
01:31:40,968 --> 01:31:45,727
and turning it into a much more secure, hard-to-hack device.

1879
01:31:46,227 --> 01:31:47,428
They come with some trade-offs.

1880
01:31:48,428 --> 01:31:53,408
Apple watched how NSO Group and other governmental actors

1881
01:31:53,408 --> 01:31:57,088
were hacking people's phones through Apple services

1882
01:31:57,088 --> 01:31:59,408
and through different settings, default settings.

1883
01:31:59,408 --> 01:32:01,948
And it was like, okay, we can come up with a list

1884
01:32:01,948 --> 01:32:06,948
of changes that you can make that price out whole categories,

1885
01:32:06,948 --> 01:32:08,528
right, rice fields worth of attacks.

1886
01:32:08,528 --> 01:32:09,448
How cool is that?

1887
01:32:09,448 --> 01:32:11,628
The thing is, some of those things will introduce

1888
01:32:11,628 --> 01:32:13,068
a bit of user friction.

1889
01:32:13,068 --> 01:32:16,168
What we don't want, and I'm now guessing,

1890
01:32:16,168 --> 01:32:17,968
because I don't know the internals of Apple's thinking here,

1891
01:32:17,968 --> 01:32:21,607
but if I'm Apple, what I don't want is to suddenly push out

1892
01:32:21,607 --> 01:32:23,188
a high security setting to everybody,

1893
01:32:23,236 --> 01:32:25,216
and then people have like a bad experience of friction

1894
01:32:25,216 --> 01:32:26,456
and their next purchase is an Android.

1895
01:32:26,576 --> 01:32:27,176
We don't want that.

1896
01:32:27,296 --> 01:32:28,316
And is the friction here,

1897
01:32:28,356 --> 01:32:29,976
you have to save your private keys for it?

1898
01:32:30,416 --> 01:32:30,696
No.

1899
01:32:31,176 --> 01:32:32,956
The lockdown, if you...

1900
01:32:32,956 --> 01:32:33,716
So go to turn it on.

1901
01:32:34,156 --> 01:32:34,436
Okay.

1902
01:32:35,956 --> 01:32:37,336
And what does the first screen show you?

1903
01:32:38,936 --> 01:32:39,876
Turn on lockdown mode.

1904
01:32:39,996 --> 01:32:40,716
Turn on and restart.

1905
01:32:41,016 --> 01:32:41,896
So click on that.

1906
01:32:42,016 --> 01:32:42,196
Okay.

1907
01:32:42,936 --> 01:32:44,976
We need some elevator music while this happens.

1908
01:32:46,676 --> 01:32:47,536
Okay, let's see.

1909
01:32:47,956 --> 01:32:49,096
Oh, did we restart?

1910
01:32:49,276 --> 01:32:49,516
Yeah.

1911
01:32:49,716 --> 01:32:50,096
Oh, okay.

1912
01:32:50,176 --> 01:32:51,176
It's going to turn on and restart.

1913
01:32:51,176 --> 01:32:53,896
So let me then tell you what else would have happened.

1914
01:32:53,996 --> 01:32:59,416
So Apple also warns you as a user that this is an extreme security mode and it's not intended

1915
01:32:59,416 --> 01:33:03,916
for most people because they're worried, I think, I speculate, that people turn that

1916
01:33:03,916 --> 01:33:06,596
thing on, forget that they've turned it on and they have a bad experience, right?

1917
01:33:06,616 --> 01:33:08,936
Like a regular person who's not facing those threats.

1918
01:33:08,976 --> 01:33:11,216
And if you're like a big company, you've got to worry about that sort of thing.

1919
01:33:11,696 --> 01:33:14,416
If you're watching this and you care about privacy, turn it on.

1920
01:33:14,756 --> 01:33:18,736
Have the experience of breathing a little bit of oxygen, much more, not a silver bullet,

1921
01:33:18,736 --> 01:33:21,676
but like a much harder to hack device, right?

1922
01:33:21,776 --> 01:33:24,236
Like, and I can tell you that empirically,

1923
01:33:24,316 --> 01:33:26,756
like a much harder to hack iPhone.

1924
01:33:26,896 --> 01:33:27,396
It's very cool.

1925
01:33:27,616 --> 01:33:28,916
And for the longest time,

1926
01:33:29,376 --> 01:33:30,676
if you were an Android user

1927
01:33:30,676 --> 01:33:31,396
and you asked me this question,

1928
01:33:31,436 --> 01:33:32,376
people always ask me this question,

1929
01:33:32,436 --> 01:33:33,956
what's more secure, like an Android or an iPhone, right?

1930
01:33:34,356 --> 01:33:35,196
Everybody has their own view.

1931
01:33:35,296 --> 01:33:36,236
My colleagues will have different views,

1932
01:33:36,356 --> 01:33:41,536
but unfortunately, no lockdown analog existed for Android.

1933
01:33:42,196 --> 01:33:44,036
That has just changed.

1934
01:33:44,636 --> 01:33:46,596
Google has rolled out advanced protection for Android,

1935
01:33:46,596 --> 01:33:50,176
which is like a version of lockdown mode.

1936
01:33:50,196 --> 01:33:52,116
It has some other really interesting features.

1937
01:33:52,236 --> 01:33:55,156
So where lockdown mode is partially working by, you know,

1938
01:33:55,216 --> 01:33:57,936
preventing people outside of your contacts on FaceTime

1939
01:33:57,936 --> 01:34:00,856
from calling you and other stuff that's sort of like Royal Road for attacks.

1940
01:34:03,016 --> 01:34:04,436
Android's advanced protection, as we understand,

1941
01:34:04,516 --> 01:34:07,316
it has some other cool features like allowing you to securely put logs

1942
01:34:07,316 --> 01:34:09,596
from your device into a secure protective cloud

1943
01:34:09,596 --> 01:34:10,596
that only you have access to,

1944
01:34:10,956 --> 01:34:13,716
which means that if you're an attacker and you hack this device,

1945
01:34:13,716 --> 01:34:14,976
in theory, right?

1946
01:34:14,976 --> 01:34:15,996
Like a log of that

1947
01:34:15,996 --> 01:34:16,896
is being immutably

1948
01:34:16,896 --> 01:34:17,696
kept somewhere, right?

1949
01:34:17,696 --> 01:34:18,396
Like your private ledger.

1950
01:34:18,696 --> 01:34:20,276
And so even all the effort

1951
01:34:20,276 --> 01:34:31,366
that they may do to try to clean up and hide later, there may still be some evidence. Now, this is like, for now these are sort of in the realm of hypothetical: will this make it easier for defenders to find stuff?

1952
01:34:31,646 --> 01:34:34,246
But it definitely increases the risk factor for,

1953
01:34:34,526 --> 01:34:38,766
because if you're a scammer, it's a numbers game, right?

1954
01:34:38,826 --> 01:34:40,746
If you're doing hacking a large number of people

1955
01:34:40,746 --> 01:34:42,426
for crypto stuff, it's a numbers game.

1956
01:34:42,826 --> 01:34:45,506
And you're not using a really fancy,

1957
01:34:45,506 --> 01:34:48,586
you're not paying pearls to do your hacking.

1958
01:34:48,586 --> 01:34:53,026
If you're using one of these sophisticated pieces of technology, getting caught is like game over. It's really, really bad.

1959
01:34:53,026 --> 01:34:57,226
And it you like all the customers fate share, right? So if it stops working

1960
01:34:57,686 --> 01:35:02,426
for, you know, Hungary, it's also going to stop, the same exploit stop working for everybody else.

1961
01:35:02,426 --> 01:35:06,346
They get caught and patched. So they're always trying to hide

1962
01:35:06,906 --> 01:35:10,726
This cat and mouse thing. Yeah, and the risks to them are much higher.

1963
01:35:10,726 --> 01:35:17,306
And so if you as a user can do things or if developers can do things that are more likely to generate alerts

1964
01:35:17,306 --> 01:35:20,306
or things that are hard to get rid of,

1965
01:35:20,306 --> 01:35:24,306
then you've actually changed some of the cost calculus

1966
01:35:24,306 --> 01:35:27,306
about whether it makes sense to hack a person

1967
01:35:27,306 --> 01:35:29,306
or whether it will work.

1968
01:35:29,306 --> 01:35:32,306
The other cool thing about lockdown mode is

1969
01:35:32,306 --> 01:35:36,306
it may break certain kinds of exploit effort

1970
01:35:36,306 --> 01:35:38,306
in ways that a user would then see.

1971
01:35:38,306 --> 01:35:41,306
And so there's sort of dual layers

1972
01:35:41,306 --> 01:35:43,306
of potential protection in some of these things.

1973
01:35:43,306 --> 01:35:44,306
None of these are silver bullets,

1974
01:35:44,306 --> 01:35:46,306
but they're all very interesting.

1975
01:35:46,306 --> 01:35:48,806
Well, I am now a little more secure.

1976
01:35:48,846 --> 01:35:49,806
So thank you.

1977
01:35:49,846 --> 01:35:50,806
A little bit more.

1978
01:35:50,846 --> 01:35:52,306
I could literally talk to you all day, John.

1979
01:35:52,346 --> 01:35:53,806
This has been really good.

1980
01:35:53,846 --> 01:35:55,546
We are already quite late for dinner,

1981
01:35:55,586 --> 01:35:56,746
so we should probably wrap this up.

1982
01:35:56,786 --> 01:35:58,526
But there is one thing to do.

1983
01:35:58,546 --> 01:35:59,386
There is one thing to do.

1984
01:35:59,426 --> 01:36:00,426
Let's find out.

1985
01:36:00,446 --> 01:36:01,426
So, um...

1986
01:36:01,446 --> 01:36:03,326
Do we need to turn the cameras off while we do this part?

1987
01:36:03,366 --> 01:36:07,666
Well, what we can do is I can go off scene for a minute.

1988
01:36:07,686 --> 01:36:08,466
Sure.

1989
01:36:08,486 --> 01:36:09,426
And do something.

1990
01:36:09,466 --> 01:36:10,066
Should we do that?

1991
01:36:10,106 --> 01:36:11,106
Yeah.

1992
01:36:11,126 --> 01:36:15,426
Am I lucky enough to be a part of the Pegasus crew?

1993
01:36:15,426 --> 01:36:19,726
So, Danny, do you consent to me telling you your results

1994
01:36:19,806 --> 01:36:21,926
on a podcast viewed by a bunch of people?

1995
01:36:22,006 --> 01:36:39,616
Yeah. So the good news is we didn't find signs of the kinds of things that we check for. I need to push harder. The good news is probably that means that there's a bunch of stuff that never happened on your device.

1996
01:36:40,036 --> 01:36:42,916
The caveats, of course, the things we don't know to look for, right?

1997
01:36:43,236 --> 01:36:47,196
There are things that maybe we're not able to check for with this particular methodology.

1998
01:36:48,516 --> 01:36:51,416
So, you know, known unknowns, unknown unknowns.

1999
01:36:51,416 --> 01:36:52,876
but it's like the equivalent of getting like, you know,

2000
01:36:53,176 --> 01:36:56,976
a strep rapid test, COVID rapid test for your device.

2001
01:36:57,216 --> 01:37:00,996
I wish it were the case that there were some app

2002
01:37:00,996 --> 01:37:02,116
that everybody could have access to

2003
01:37:02,116 --> 01:37:05,136
that would do a check at that level of fidelity

2004
01:37:05,136 --> 01:37:06,176
and give you an answer.

2005
01:37:06,516 --> 01:37:09,096
The problem is if that existed,

2006
01:37:09,696 --> 01:37:11,936
it would stop working the next day

2007
01:37:11,936 --> 01:37:13,696
because they would know exactly how to get around it.

2008
01:37:14,396 --> 01:37:16,156
When you look at contracts

2009
01:37:16,156 --> 01:37:18,116
from like mercenary surveillance providers,

2010
01:37:18,576 --> 01:37:19,656
sometimes they get leaked.

2011
01:37:19,756 --> 01:37:20,616
You'll see like a document.

2012
01:37:20,616 --> 01:37:23,156
The document is like a list of like 30 antiviruses

2013
01:37:23,156 --> 01:37:25,076
with a little like a green check mark.

2014
01:37:25,176 --> 01:37:27,416
Like, don't worry, not detected by any of this.

2015
01:37:27,916 --> 01:37:28,096
Right?

2016
01:37:28,416 --> 01:37:31,336
And so the challenge as researchers is always

2017
01:37:31,336 --> 01:37:32,836
you want to check widely,

2018
01:37:33,296 --> 01:37:36,596
but not burn the ways that you're checking.

2019
01:37:37,036 --> 01:37:38,916
And then you hope,

2020
01:37:39,076 --> 01:37:40,496
and I kind of like, let's end on this thought.

2021
01:37:40,596 --> 01:37:42,236
So we've talked a lot about tech

2022
01:37:42,236 --> 01:37:43,476
and a lot about privacy.

2023
01:37:43,556 --> 01:37:46,636
We haven't talked too much about victims as individuals,

2024
01:37:46,636 --> 01:37:48,536
but I'm going to tell you something really interesting

2025
01:37:48,536 --> 01:37:51,096
that to me is maybe the most meaningful thing.

2026
01:37:52,216 --> 01:37:55,276
The real heroes in this story

2027
01:37:55,276 --> 01:37:58,676
are the people that got targeted with spyware

2028
01:37:58,676 --> 01:37:59,976
and that got checked.

2029
01:38:00,456 --> 01:38:01,076
Why?

2030
01:38:01,756 --> 01:38:04,676
Because they were the canaries in the coal mine

2031
01:38:04,676 --> 01:38:06,756
that led to discoveries

2032
01:38:06,756 --> 01:38:08,756
that have increased the security of that device

2033
01:38:08,756 --> 01:38:10,656
and every other device around us.

2034
01:38:11,036 --> 01:38:12,896
Billions of devices in the world

2035
01:38:12,896 --> 01:38:15,796
have received security improvements

2036
01:38:15,796 --> 01:38:20,796
thanks to individuals, a Saudi woman driving activist,

2037
01:38:24,176 --> 01:38:39,406
a UAE human rights defender whose name is Ahmed Mansour, who's now a prisoner of conscience. Individuals who bravely chose to get checked and to consent to have their stuff shared.

2038
01:38:40,386 --> 01:38:46,466
These are the heroes in this story. And we are all safer thanks to them and their participation.

2039
01:38:47,026 --> 01:38:51,346
In many ways, we're just the vehicles for those people. And I really want to highlight this. Like,

2040
01:38:51,346 --> 01:38:52,646
I'm a researcher.

2041
01:38:53,006 --> 01:38:54,906
I work with a team of very smart people.

2042
01:38:55,266 --> 01:38:58,106
But the motor of our research is collaboration.

2043
01:38:59,406 --> 01:39:03,966
Nowhere more so than with regional and local organizations around the world,

2044
01:39:04,406 --> 01:39:10,986
scrappy people who work with us and do the legwork to get people checked and to get people screened.

2045
01:39:10,986 --> 01:39:20,466
So to tie the buckle on this one, it is a remarkable story of the script getting flipped

2046
01:39:20,466 --> 01:39:28,106
on these scary, powerful companies that what caused them to lose billions, what caused

2047
01:39:28,106 --> 01:39:34,026
them to have huge trouble, in some cases to fold, was one humble activist somewhere.

2048
01:39:34,666 --> 01:39:35,746
That is amazing.

2049
01:39:35,926 --> 01:39:37,906
You asked me earlier about hope and optimism.

2050
01:39:38,766 --> 01:39:40,006
That's my optimism motor.

2051
01:39:40,986 --> 01:39:44,046
I mean, what an amazing way to close out the show.

2052
01:39:45,486 --> 01:39:48,306
I mean, I'm very grateful for this conversation.

2053
01:39:48,426 --> 01:39:49,326
I've really enjoyed it.

2054
01:39:49,626 --> 01:39:51,006
I think it's a really important message.

2055
01:39:51,186 --> 01:39:52,626
Obviously, a very different show for me.

2056
01:39:52,866 --> 01:39:55,166
We're normally just talking about Bitcoin and macroeconomics.

2057
01:39:55,386 --> 01:39:57,506
But I'm glad you made the time to do this.

2058
01:39:57,666 --> 01:39:58,606
So yeah, I appreciate it, John.

2059
01:39:58,886 --> 01:39:59,286
Thank you.

2060
01:39:59,406 --> 01:40:03,586
And I just want to thank everyone who has contributed to our research,

2061
01:40:04,146 --> 01:40:05,186
everyone who's collaborated,

2062
01:40:05,846 --> 01:40:08,866
all the people who have helped us along the way.

2063
01:40:09,466 --> 01:40:10,126
Thank you to them.

2064
01:40:10,126 --> 01:40:11,186
This has been awesome.

2065
01:40:11,786 --> 01:40:12,246
Thanks, man.

2066
01:40:12,286 --> 01:40:12,906
Let's go have dinner.

2067
01:40:13,906 --> 01:40:14,646
Good God.
