This Week in Privacy #8

Welcome back to This Week in Privacy, our weekly series where we cover the latest updates with what we're working on within the Privacy Guides community, and this week's top stories in the data privacy and cybersecurity space.

Privacy Guides is a non-profit which researches and shares privacy-related information, and facilitates a community on our forum and Matrix where people can ask questions and get advice about staying private online and preserving their digital rights.

Privacy Guides Updates

Unfortunately, Skiff Mail was removed from Privacy Guides's email provider recommendations earlier today, following their announcement that they are being acquired by Notion and shutting down their platform in 6 months.

If you currently use Skiff Mail for your email mailbox or aliasing service, you should switch to another provider such as Proton or as soon as possible. Obviously, this was not the expectation for Skiff Mail when we added them to the website last year.

Remove Skiff
Obviously #approved with today’s news (Skiff – Migrating your data) and just needs a PR to remove them from the site now. I’m out & just on my phone right now so I’ll post more about this later— because we should brainstorm a better filter for companies like Skiff in the future certainly 😬

The longevity of the products we recommend is important to us, and we are carefully considering how predictable and avoidable this situation was in order to potentially try to prevent recommending other products that end up with this outcome in the future. This discussion is ongoing within our community, and if you have any thoughts on the matter we welcome them in this forum thread:

Avoiding the next Skiff (Criteria to ban VC-backed projects?)
Continuing the discussion from Remove Skiff: I think clearly there is some need to define a criteria to weed out technically proficient products that secretly aren’t in it for the long-term. There are of course many examples of this: Skiff, Keybase, Ello, etc. The problem is of course where to draw that line. IMHO, the most promising possibility to me at the moment is to simply reject VC funded projects (I’m going to merge the discussion about that into this topic below, so you can r…

If we change our criteria to better flag and avoid companies which are likely to be acquired or shut down in the future, we will likely post an update on this blog detailing those changes further.

Privacy Updates

Mozilla has a new tool, Mozilla Monitor Plus, to automatically remove your information from data broker sites. This is an update to their previous Firefox Monitor tool which monitored your email address in the Have I Been Pwned database. Their new product offering combines that service with paid data broker search and opt-out functionality, powered by Onerep.

Mozilla releases Mozilla Monitor Plus
Seems like an alternative to DeleteMe with a more trusted brand name. Privacy as a service seems to be getting more and more popular these days, as Consumer Reports also released their Permission Slip app.

New laws in the United Kingdom would make wearing a face mask during a protest (e.g. to protect your identity, protect yourself from an ongoing pandemic, or protect yourself from police smoke screens) illegal:

Police will be given new powers to arrest protesters who wear face coverings under new laws cracking down on disorder, ministers have announced.
Demonstrators flouting an order to remove their mask could be jailed for a month and fined up to £1,000.
Protesters face jail for wearing face masks or carrying flares under new crackdown
New blitz unveiled on people hiding their identity, using fireworks and blocking roads

EU users on iOS 17.4 can apparently no longer install Progressive Web Apps on their phone following the recent changes to iOS in the EU which allow for browser engines other than WebKit. What this means is that users in the EU will be forced to obtain their apps from centralized app stores rather than the internet for full functionality.

This has a lot of consequences for users. For example, all data stored by these web apps is automatically deleted with the update. Websites can also no longer send push notifications to users.
iOS 17.4 seems to remove web app support in the EU
Apple recently released iOS 17.4 beta to comply with the European Union’s Digital Markets Act (DMA) antitrust legislation, which forced…

London Underground is testing out new AI surveillance tools to try to detect crime and weapons.

Thousands of people using the London Underground had their movements, behavior, and body language watched by AI surveillance software designed to see if they were committing crimes or were in unsafe situations, new documents obtained by WIRED reveal. The machine-learning software was combined with live CCTV footage to try to detect aggressive behavior and guns or knives being brandished, as well as looking for people falling onto Tube tracks or dodging fares.
London Underground Is Testing Real-Time AI Surveillance Tools to Spot Crime
In a test at one station, Transport for London used a computer vision system to try and detect crime and weapons, people falling on the tracks, and fare dodgers, documents obtained by WIRED show.

A proposed border policy in the US allocates $170 million towards autonomous surveillance towers and $204 million for "expenses related to the analysis of DNA samples."

“This combination of money for surveillance and surveillance technology, along with the included gutting of asylum, would transform our system and hyper-amplify what’s already happening on the ground,” said Paromita Shah, the executive director of the immigrant rights group Just Futures Law.
The US has already spent hundreds of millions of dollars on these automated surveillance towers, which are primarily made by Anduril Industries – the brainchild of Palmer Luckey, founder of Oculus VR.
‘A privacy nightmare’: the $400m surveillance package inside the US immigration bill
Experts issue warning over bipartisan measure’s funding for towers and DNA tests that would ‘hyper-amplify what’s already happening’

Security News

Canada is planning to ban the Flipper Zero to curb a "surge in car thefts," despite the fact that the Flipper Zero cannot be used to steal any vehicle with even the most basic rolling code mechanism, i.e. any vehicle since the 90s. This follows the Flipper Zero being banned on Amazon for being a card skimming device, despite it being unable to skim cards, and being banned in Brazil due to alleged "criminal use."

Canada to ban the Flipper Zero to stop surge in car thefts
The Canadian government plans to ban the Flipper Zero and similar devices after tagging them as tools thieves can use to steal cars.
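To illustrate why a recorded-and-replayed key fob signal is rejected by a rolling code receiver, here is a simplified model of the scheme (an added example, not code from Privacy Guides or from any vehicle vendor; the HMAC-based code derivation, 4-byte counter and acceptance window are assumptions of this toy model):

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead a fob counter may run before resync is needed


def derive_code(key: bytes, counter: int) -> bytes:
    """Code transmitted for a given counter value (assumed construction: truncated HMAC)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Transmitter side: every button press increments the counter and sends (counter, code)."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> tuple[int, bytes]:
        self.counter += 1
        return self.counter, derive_code(self.key, self.counter)


class Receiver:
    """Vehicle side: accepts a code only if it is authentic AND its counter is newer than the last one used."""

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def unlock(self, counter: int, code: bytes) -> bool:
        # Counter must be strictly ahead of the last accepted value, but within the window.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        if not hmac.compare_digest(code, derive_code(self.key, counter)):
            return False
        self.last_counter = counter  # burn this counter so the same frame can never be reused
        return True


def demo() -> dict[str, bool]:
    key = b"constructed-demo-key-not-a-real-secret"
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    results = {"fresh_press": car.unlock(*first)}        # genuine press: accepted
    results["replayed_frame"] = car.unlock(*first)       # same frame again: rejected
    for _ in range(3):                                   # presses made out of range advance the fob only
        fob.press()
    results["after_missed_presses"] = car.unlock(*fob.press())  # still inside the window: accepted
    return results
```

Note the window handles a fob pressed out of the vehicle's range, while a frame captured and retransmitted later fails the counter check regardless of how it was captured.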

BleepingComputer reports that Apple allowed a fake version of LastPass on the App Store:

As LastPass is used to store very sensitive information, such as authentication secrets and credentials (username/email and password), the app was likely created to act as a phishing app and steal credentials.
Fake LastPass password manager spotted on Apple’s App Store
LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users’ credentials.

Ars Technica reports that developers are currently patching a "critical vulnerability" in the shim bootloader software, which enables secure boot for many Linux distros. According to Matthew Garrett, a security developer and one of the original shim authors:

An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).
Critical vulnerability affecting most Linux distros allows for bootkits
Buffer overflow in bootloader shim allows attackers to run code each time devices boot up.

Earlier this week, many tech publications erroneously reported that "3 million toothbrushes" were used in a DDoS attack, despite there clearly being no toothbrush vendors who even make millions of Wi-Fi enabled toothbrushes in the first place (existing smart toothbrushes use Bluetooth and have no internet connectivity), and no actual evidence of any such botnet from any sources. The original source of this story later confirmed that it was a "hypothetical scenario and not a real attack."

No, 3 million electric toothbrushes were not used in a DDoS attack
A widely reported story that 3 million electric toothbrushes were hacked with malware to conduct distributed denial of service (DDoS) attacks is likely a hypothetical scenario instead of an actual attack.

Community News

Fedora rebranded all their immutable desktops as Fedora Atomic Desktops. Fedora Silverblue (GNOME) and Fedora Kinoite (KDE) are retaining their names because of their brand recognition, but future versions will use a naming convention like "Fedora Sway Atomic" (for the Sway desktop environment).

Introducing Fedora Atomic Desktops - Fedora Magazine
Announcing a new family of Fedora Linux spins: Fedora Atomic. This will simplify how to discuss rpm-ostree and naming of future atomic spins.

Mozilla has a new interim CEO, as Mitchell Baker steps down from her position. The Register reports that Mozilla is unwilling to share the compensation package for the incoming CEO at this time.

Mitchell Baker steps down as CEO of Mozilla Corporation

TWIP Live 🔴

All the updates from This Week in Privacy will be shared here on the blog every week, so subscribe with your favorite RSS reader if you want to stay tuned. However, for people who prefer audio, we're going to be trying out a podcast-style recording of these updates every week, livestreamed on our YouTube channel.

In the next TWIP

Will we continue to publish these updates? We'll see! We are hoping to publish a new TWIP update every Saturday, but we won't be able to do so without your help. If you find a news story you'd like us to share, or you're working on anything in the privacy space which our community would be interested in, please get in touch on our forum to share your update and be featured in next week's publication.