Debbie Reynolds (aka, The Data Diva) has been working in the privacy realm for many years, as a privacy consultant, speaker, advisor and podcaster. She and I have been running in the same circles on LinkedIn for a while now, and we finally decided it was time to be a guest on each other's shows. Today Debbie and I will discuss the dangers of privacy in the realm of IoT devices (including her contributions on the US Department of Commerce's IoT Advisory Board), vehicles, and AI. I'll ask about her experiences advising corporations on privacy issues with emerging technologies and how she advocates for less data gathering and more transparency.
Interview Notes
Debbie Reynolds consulting: https://www.debbiereynoldsconsulting.com/
Data Diva podcast: https://www.debbiereynoldsconsulting.com/podcast
My interview on Debbie’s podcast: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker
The Right to Privacy book (1995): https://www.amazon.com/Right-Privacy-Caroline-Kennedy/dp/0679419861
IoT Advisory Board report: https://www.debbiereynoldsconsulting.com/iot-advisory-board
Shodan search: https://www.shodan.io/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:01:27: During your privacy career, how have privacy changed?
0:05:59: How do you define privacy?
0:08:51: What were your contributions on the IoT Advisory Board?
0:12:54: Who was the primary audience for that report?
0:15:49: Which IoT devices have the worst privacy?
0:19:33: How bad are modern cars in terms of privacy?
0:29:50: How does AI threaten our privacy today?
0:33:30: How can we mitigate AI privacy risks?
0:40:11: How can we convince companies to truly embrace user privacy?
0:45:36: What are some of the biggest privacy mistakes companies make?
0:49:34: Why can't we have a global tracking opt-out signal?
0:53:52: What can we learn from the EU's GDPR?
0:58:35: So what can we do to improve our privacy?
1:00:50: Patron preview
1:01:21: Looking ahead
--------
1:02:36
Life in the Panopticon
Tracking our faces and whereabouts is getting out of control. It's a mass surveillance infrastructure that keeps growing in Borg-like fashion. Facial recognition and license plate readers are proliferating at a stupefying pace and companies like Flock are consolidating the collected data and packaging it up for sale to law enforcement agencies. Even if no human in these agencies were to abuse this data, it's creating an irresistible target for scheming hackers and nation states keen on espionage. The longer we let this go, the harder it will be to stop.
In today's news: Asus routers are being hacked and you need to take action; 23andMe has been sold, along with its users' genetic data; AI-generated videos have just become way more realistic; US government taps surveillance company to centralize all its citizen data; CFPB regulation limiting data brokers is axed; Kroger is packaging and selling its customer loyalty data; automated license plate reader data use is expanding in scary ways; Android phones gain key new security feature; EU court rules that real-time bidding data gathering is illegal; Montana is first state to plug data broker loophole; and I relate my recent privacy experience at the US border.
Article Links
[LifeHacker.com] If You Have an Asus Router, You Need to Check If It's Been Hacked https://lifehacker.com/tech/asus-routers-hacked
[404media.co] 23andMe Sale Shows Your Genetic Data Is Worth $17 https://www.404media.co/23andme-sale-shows-your-genetic-data-is-worth-17/
[lifehacker.com] You Are Not Prepared for This Terrifying New Wave of AI-Generated Videos https://lifehacker.com/tech/you-are-not-prepared-for-this-new-wave-of-ai-generated-videos
[nytimes.com] Trump Taps Palantir to Compile Data on Americans https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html
[techcrunch.com] White House scraps plan to block data brokers from selling Americans’ sensitive data https://techcrunch.com/2025/05/14/white-house-scraps-plan-to-block-data-brokers-from-selling-americans-sensitive-data/
[therecord.media] Consumer Reports: Kroger using loyalty program to package, sell customer data https://therecord.media/kroger-using-loyalty-program-to-sell-customer-data
[404media.co] A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/
[404media.co] License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows https://www.404media.co/license-plate-reader-company-flock-is-building-a-massive-people-lookup-tool-leak-shows/
[arstechnica.com] Android phones will soon reboot themselves after sitting unused for 3 days https://arstechnica.com/gadgets/2025/04/android-phones-will-soon-reboot-themselves-after-sitting-unused-for-3-days/
[signal.org] By Default, Signal Doesn't Recall https://signal.org/blog/signal-doesnt-recall/
[therecord.media] EU court rules that tracking-based online ads are illegal https://therecord.media/eu-court-rules-tracking-based-ads-illegal
[eff.org] Montana Becomes First State to Close the Law Enforcement Data Broker Loophole https://www.eff.org/deeplinks/2025/05/montana-becomes-first-state-close-law-enforcement-data-broker-loophole
Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity-update/
The Atlantic: How to Disappear https://www.theatlantic.com/ideas/archive/2025/05/extreme-personal-data-privacy-protection/682867/
BADBOOL data removal service list: https://docs.google.com/spreadsheets/d/115L6LpQg_UX638IyUfdwGhRS7dIU3lKwz6fjAcDtE-0/edit?gid=0#gid=0
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
--------
1:26:01
Dividing Trust
VPNs were not invented for privacy, despite the name - they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you're shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it's the key technology behind new services like Apple's Private Relay and Obscura VPN. Today we'll discuss the benefits of this approach with Obscura's founder, Carl Dong.
Interview Notes
Obscura VPN: https://obscura.net/
Wireguard: https://en.wikipedia.org/wiki/WireGuard
Obscura Wireguard configuration tool: https://obscura.net/#faq-wireguard-config
QUIC explainer video: https://www.youtube.com/watch?v=HnDsMehSSY4
Masque: https://datatracker.ietf.org/wg/masque/about/
Privacy Pass: https://privacypass.github.io/
Anubis: https://anubis.techaro.lol/docs/design/how-anubis-works/
How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:01:16: Interview setup
0:04:46: Lingo definitions
0:09:48: Why do we need yet another VPN?
0:15:00: How does Obscura differ from Apple Private Relay and Tor?
0:21:59: How little info can you give to set up an Obscura account?
0:25:33: What is the Bitcoin Lightning Network?
0:27:30: How can we know how much logging a VPN provider is doing?
0:35:04: Does Obscura have the same quirks as regular VPNs?
0:42:10: How vulnerable are you to being taken down by governments?
0:46:11: What are the core technologies in Obscura?
0:50:49: What do you think about Safing's IP-per-connection idea?
0:54:00: Are you planning to expand your partner VPNs?
0:56:41: How does Obscura handle the TunnelVision problem?
0:59:57: What is the roadmap for supporting other operating systems?
1:03:14: What's next for Obscura?
1:04:32: Interview wrap-up
1:09:19: Patron podcast preview
1:09:50: Looking ahead
--------
1:10:19
Slay Message Snoopers
There are way too many messenger apps today. It's a sad state of affairs and I don't see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren't really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it's not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I'm going to suggest you try Signal.
In other news: study finds Canadian's health data being sold to drug makers; DOGE worker's computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers of privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.
Article Links
[cbc.ca] Millions of Canadians' health data available for sale to pharmaceutical industry, study shows https://www.cbc.ca/news/health/health-data-records-pharmaceutical-private-clinics-1.7529955
[micahflee.com] DOGE bro Kyle Schutt's computer infected by malware, credentials found in stealer logs https://micahflee.com/doge-bro-kyle-schutts-computer-infected-by-malware-credentials-found-in-stealer-logs/
[jacobin.com] Airlines Are Selling Your Data to ICE https://jacobin.com/2025/05/airlines-data-ice-trump-immigration/
[The Hacker News] BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
[The Hacker News] Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
[9news.com] Denver will stop using license plate reader cameras amid privacy worries https://www.9news.com/article/news/local/local-politics/license-plate-reader-camera-data-security-concerns/73-9c570252-9d1c-4e5c-b042-c12392aa1081
[arstechnica.com] Jury orders NSO to pay $167 million for hacking WhatsApp users https://arstechnica.com/security/2025/05/jury-orders-nso-to-pay-167-million-for-hacking-whatsapp-users/
Tip of the Week: Slay Snoopers: https://firewallsdontstopdragons.com/dragon-hacks-slay-snoopers/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:43: News preview
0:02:53: Millions of Canadians' health data available for sale to pharmaceutical industry
0:08:39: DOGE engineer's computer infected by malware
0:14:38: Airlines Are Selling Your Data to ICE
0:22:05: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in US, Dutch Operation
0:28:04: Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection
0:30:21: Denver will stop using license plate reader cameras amid privacy worries
0:34:54: Jury orders NSO to pay $167 million for hacking WhatsApp users
0:39:17: Tip of the Week: Slay Snoopers
0:44:31: Wrap-up
--------
45:24
Shelter from the Storm
Almost exactly two years ago, "Five Eyes" intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People's Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.
Interview Notes
UnDisruptable27: https://securityandtechnology.org/undisruptable27/
Critical Effect conference (DC): http://critical-effect.org/
Congressional hearing, CCP cyber threat to national security: https://selectcommitteeontheccp.house.gov/committee-activity/hearings/hearing-notice-ccp-cyber-threat-american-homeland-and-national-security
Josh’s RSA talk (2024): https://www.youtube.com/watch?v=dhJvslRRlFc
UnDisruptable27 video 1: https://www.youtube.com/watch?v=GnozKc3gFsM
UnDisruptable27 video 2: https://www.youtube.com/watch?v=d8UsrMRvt14
Cyber Resilience Corps: https://cltc.berkeley.edu/program/cyber-resilience-corps/
Cyber Volunteer Resource Center: https://www.cisa.gov/audiences/high-risk-communities/cybervolunteerresourcecenter
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:03:49: Lingo explanations
0:07:26: What is UnDisruptable27 and why did you start it?
0:16:47: How does this relate to China's intention to invade Taiwan?
0:22:00: What at the psychological impacts of this sort of attack?
0:25:31: How long might it take to recover from this sort of attacK?
0:33:12: If this threat is so dire, why aren't we scrambling to address it?
0:37:24: Do Russia, Iran and North Korea pose similar threats?
0:41:32: How can we surface single points of failure from secondary sources?
0:49:21: Can't we also do this to our adversaries? Is that a deterrence?
0:53:45: What should our government be doing about this?
0:58:39: How can we incentivze private companies to take action?
1:01:55: What can we do, at home and in our communities?
1:07:19: What's next for UnDisruptable27?
1:10:47: Some final thoughts
1:15:03: Patron bonus content
1:15:29: Looking ahead
Italia