Show Notes - https://forum.closednetwork.io/t/episode-58-the-price-of-being-watched/198
Website / Donations / Support - https://closednetwork.io/support/
BTC Lightning Donations - closednetwork@getalby.com / simon@primal.net
Thank You Patreons & Direct Supporters! -
https://www.patreon.com/closednetwork
https://xmrchat.com/closednetwork
Direct Support - https://closednetwork.io
Subscribe Without Patreon - https://closednetwork.io/#/portal/signup
Michael Bates - Privacy Bad Ass
David - Privacy Bad Ass
TK - Privacy Bad Ass
Trying - Privacy Bad Ass
VO - Privacy Bad Ass
MrMilkMustache - Privacy Supporter
Hutch - Privacy Advocate
Inferno_Potato Privacy Supporter
Dolores Y - Privacy Supporter
Direct Support - Craig D
Thank You Producers! You Produce This Show!
TOP LIGHTNING BOOSTERS !!!! THANK YOU !!!
@bon thousands and thousands and thousands of SATs sats!!
@fireflygow - 5,000 sats!!
frigolay - 34,540 SATs.. HOLY SHITE
wardemoff - 5,000 SATs
Silas Thornbrook
Thank You To Our Moderators:
Unintelligentseven - Follow on NOSTR primal.net/p/npub15rp9gyw346fmcxgdlgp2y9a2xua9ujdk9nzumflshkwjsc7wepwqnh354d
MaddestMax - Follow on NOSTR primal.net/p/npub133yzwsqfgvsuxd4clvkgupshzhjn52v837dlud6gjk4tu2c7grqq3sxavt
Join Our Community
Closed Network Forum - https://forum.closednetwork.io
Join Our Matrix Channels!
Main - https://matrix.to/#/#closedntwrk:matrix.org
Off Topic - https://matrix.to/#/#closednetworkofftopic:matrix.org
SimpleX Group Chat - https://smp9.simplex.im/g#SRBJK7JhuMWa1jgxfmnOfHz7Bl5KjnKUFL5zy-Jn-j0
Join Our Mastodon server!
https://closednetwork.social
Follow Simon On The Socials
Mastodon - https://closednetwork.social/@simon
NOSTR - Public Address - npub186l3994gark0fhknh9zp27q38wv3uy042appcpx93cack5q2n03qte2lu2 - primal.net/simon
Twitter / X - @ClosedNtwrk
Instagram - https://www.instagram.com/closednetworkpodcast/
YouTube - https://www.youtube.com/@closednetwork
Email - simon@closednetwork.io
Special Thanks to - EloquentWinter for creating - A Linux guide on MAC address randomization
https://forum.closednetwork.io/t/a-linux-guide-on-mac-address-randomization/189
TOPICS
Encourage curiosity - This week ties together a single thread: someone else holds your data, and therefore holds the power. From algorithmic pricing to supply-chain malware to government scanning to cloud-AI assistants — and the hopeful counter-move, taking your data back. The episode theme is curiosity: in every story, one extra question would have changed the outcome.
Segment 1 — Surveillance Pricing
Inspired by More Perfect Union, "We Found the Radical Solution to Surveillance Pricing"
Surveillance pricing (a.k.a. personalized / surveillance-based pricing) = charging you an individual price based on sensitive data about you — purchase history, browsing, geolocation, social activity, even biometric and financial signals. The economic endgame is "perfect price discrimination": charging each person their exact maximum.
DoorDash holds a patent describing promotions based on a user's stress level.
Delta Air Lines (with AI firm Fetcherr) has talked about expanding generative-AI pricing to ~20% of domestic fares, with ambitions to go further. Senators (Gallego, Blumenthal, Warner) and House members demanded answers.
A Groundwork Collaborative / Consumer Reports / More Perfect Union study found different shoppers charged different prices for identical Instacart items. Former FTC chair Lina Khan has voiced concern.
The "radical" fix is a law: New York's proposed One Fair Price Act would ban surveillance pricing outright — one posted price for everyone.
Defensive moves (partial): private/container browsing, block cookies, disable ad personalization, use a VPN, compare logged-out vs. logged-in prices. Honest caveat: this is a structural problem — regulation, not browser tricks, is the real fix.
Curious question: Is this price the market — or is it me being read?
Segment 2 — "Arch malware btw": the AUR supply-chain attack
Inspired by Michael Tunnell and Switched to Linux — developing story, June 2026.
The Arch User Repository (AUR) is community-maintained, unvetted package build scripts (PKGBUILDs). In a ~24-hour window, a coordinated attack poisoned a large number of packages — reports cite 1,500+ touched, with community trackers confirming ~400–500 malicious package names and rising.
How: Attackers adopted orphaned packages (abandoned by maintainers — anyone can claim them) and edited the PKGBUILD to add a pre/post-install hook that pulls a malicious npm package, atomic-lockfile (Sonatype tracked one strand as the "Atomic Arch" campaign).
Payload: A Linux infostealer + optional root-only eBPF rootkit. Targets developer secrets — browser creds/cookies, SSH keys, GitHub creds, Vault/npm tokens, Docker/Podman, VPN configs, shell history, Slack/Teams/Discord/Telegram, crypto wallets. eBPF lets it run in-kernel and hide processes/files/connections.
If you were hit and the rootkit deployed: rotate every credential (from a clean machine) and reinstall from scratch. A normal uninstall is not enough.Status: Maintainers are removing malicious commits and banning accounts; the official repos of Arch-based distros (CachyOS, Garuda, Chaotic-AUR) were not infected — only users who installed/upgraded a compromised AUR package during the window. Community checker script + affected-package list were published within hours.
Action checklist (Arch users):
pacman -Qm → list your foreign (AUR) packages.
Compare against the community list / run the checker script (CachyOS advisory).
If matched → rotate credentials from a clean machine, then clean-reinstall.
Curious habit: Before installing, ask who maintains this, when did it last legitimately update, and did ownership recently change? On the AUR, read the PKGBUILD — the malicious line was visible to anyone who looked.
Segment 3 — UK Device Scanning: 90 Days to Comply
Inspired by "Signal's Warning: The UK's Phone Scanning Plan Just Got Real"
The UK government signaled that phone makers (Apple, Google) will get ~90 days to start scanning photos on young people's devices for nude images. Running alongside: Online Safety Act powers for Ofcom aimed at encrypted messaging (key report expected ~April). The mechanism: client-side scanning — every message/image checked on your device, before encryption.
Why it matters: Client-side scanning doesn't break encryption directly — it inspects content before the lock clicks shut. The "end-to-end encrypted" label survives, but the privacy guarantee (nobody is looking) is gone.
Signal's position: scanning won't protect children and builds surveillance infrastructure that "endangers us all."
Security: once scanning exists on every device, the match-database can be expanded — swap it and you're scanning for slogans, documents, faces. Signal would withdraw from the UK rather than build a backdoor. Mullvad raised parallel alarms.
Misdiagnosis: real child safety = better-funded education, social services, AI-platform guardrails — not default scanning. Rallying phrase: "Surveillance is not safety."
Bigger picture: This is a template (cf. the EU's "Chat Control"). Sympathetic justification + a mechanism that, once built, can point anywhere.
Curious question: Not is the goal good? (it usually is) but what else can this machine do once built, and who decides what it points at next?
Segment 4 — iOS 27 at WWDC: the Privacy Fine Print
Apple WWDC 2026 keynote coverage.
Genuine wins: New Siri AI (next-gen Apple Intelligence) uses a tiered architecture — simple requests on-device, moderate ones via Private Cloud Compute (inspectable, hardened). Plus stronger family safety: child-account setup, parental controls, redesigned Screen Time, new Safari safeguards.
The fine print (two concerns):
Total context access. Siri AI indexes across your messages, emails, photos, and apps — a unified, queryable view of your whole digital life. Conversation history syncs via iCloud ("with privacy protections"), but strength depends on whether you've enabled Advanced Data Protection (Apple's E2EE for iCloud — not on by default).
New Google dependency. Apple made official a Gemini partnership — the heaviest reasoning routes to Google Cloud. Apple says queries are anonymized and tokenized so neither Apple nor Google can link them to you (Federighi: "privacy in AI is non-negotiable"). Critics counter that PCC/anonymization is "only as private as the weakest link" — if Google retains any path to usage data for training/debugging, the guarantee weakens.
Takeaway: Apple's defaults are still among the best of the mainstream — but don't let "privacy" in a keynote switch off your curiosity. On update: review Siri AI indexing settings, turn on Advanced Data Protection, and understand where your hardest queries travel.
Curious question: A magical assistant that knows everything about you is, by definition, a system granted everything about you. Did you make that trade on purpose?
Segment 5 — Self-Hosting 101: What to Migrate First
Original recurring segment — Part 1 (scope). Part 2 next week: hands-on photos build.
Self-hosting = run the services yourself, on hardware you own, instead of renting space on a company's servers. It's the deliberate counter-move to every other story this week. Honest caveat: you become your own IT department (backups, updates, downtime). Don't eat the elephant at once — scope first.
The five candidates (ranked by impact-to-effort):
Photos — highest emotional and surveillance value (faces, locations, timestamps). Self-host with Immich (Google-Photos-like: app, auto camera-roll backup, face/object search). Difficulty: moderate; biggest single win.
Calendar — a forward-looking map of your life. CalDAV via Radicale or Nextcloud; syncs to your existing calendar app. Easy–moderate; great first project.
Contacts — your social graph (everyone else's data too). CardDAV on the same Radicale/Nextcloud server — bundle it with calendar. Easy.
File backups — documents and digital paperwork. Often Nextcloud.
Portugal