Hi there, how are you all? Welcome to the What Bitcoin Did podcast and welcome to the
first Tuesday edition of the podcast. The way I plan my interviews is I have this little
sheet in a tool called Agenda. If something happens or there's some news or somebody
stands out, I tend to keep either a note of them or a topic I want to do and that list
has just been getting bigger and bigger. So I've decided to go to a two week show to
try and get through all the interviews I want to get through and who better to have first
on my Tuesday show than Jameson Lopp making his third appearance on the podcast to talk
about protecting your privacy and personal safety. The idea for the show started a few
weeks ago following my interview with Fluffy Pony and having read a blog post by Matthew
Green about why he was ditching Chrome, I did the same and I deleted as much of my Google
data as I could and moved to Brave. And in doing so, I started researching other ideas
for protecting privacy and came across Jameson's Medium post titled A Modest Privacy Protection
Proposal, which I'll be honest, it goes into a lot of detail. Lots of things I haven't
done or probably won't ever do, but it's very interesting to see how seriously Jameson
takes privacy and I thought it would be good to get him on, have a talk about it, but also
get an update on everything to do with CASA. If you've never checked out the show notes
for any of my interviews, I recommend you do that. They're all on the website. I always
include a whole bunch of links to relevant other articles or other interviews or things
that are discussed in the show. So for example, with this one with Jameson, there are links
to some of the things we talked about and some of the tools he recommended using, which
I've also installed on my computer. Okay. Lastly, I just want to give a shout out to
Joff, a motion graphics designer who reached out to me this week. It's pretty cool running
a podcast like this. I get emails every week with people offering to help to transcribe,
bev interviews, all different things, just offering the help for free, which is honestly
super cool. And this week, a guy called Joff got in touch. He wanted to see if he could
help me with anything within motion graphics. There was something I needed. I needed an
IDENT and look at some of my videos on YouTube. So he took an IDENT I'd used before and within
about a few hours, he'd reconfigured it, sent me all the files, sent me the fonts and full
instructions on how to use it. So I just want to give a shout out to Joff. If you've got
any motion graphics needs, reach out to him. His web address is joffjoph.co.uk and thanks
to you Joff. Okay. Couple updates on the show. Obviously this is the first Tuesday edition.
I do have a Friday edition. This Friday, I've got an interview coming out with Samson Mao
and Catherine Wu, where we look at the Bitmain IPO. As I mentioned previously, I'm also
launching a new podcast that's kind of come out probably in the next week. Now I've got
three interviews on that. That's non Bitcoin stories, but stories I found out because of
Bitcoin, but away from Bitcoin, I'm not sure on the name of it yet. I'm running with a
couple of ideas and I'm also going to send out a Bitcoin email today. So there's lots
of high quality crypto emails out there, but I haven't found a Bitcoin dedicated one I
like yet. So I just thought I'd do one myself. So if you subscribe on my website, you will
receive that. The first one's going out today, just a collection of all the news articles
and interesting things that I found during the day. Okay. Please support the show. There's
a number of things you can do. Firstly, you can consider becoming a patron. I think I've
got 24 now, which is utterly amazing. And I'm massively grateful to every single one.
You can check that out at patreon.com forward slash what Bitcoin did. There are a couple
of options. One of them includes getting show early, for example, patrons have already got
my interview with Catherine and Samson. And there's another one where you can help contribute
to the show, which people are doing, which is really, really cool. Actually, I had a
guy get in touch and also wanted to make a contribution, but he didn't want to use Patreon.
He wanted to make a crypto contribution. So on my website, I now accept donations in Bitcoin
and Monero. So you can check that out. You can think about becoming a sponsor. If you're
interested, please email me. My email address is hello at what bitcoin did.com. Downloads
are growing super quick. Happy to share with you all that data. I think I'm going to be
crashing through a hundred K this month, maybe, maybe this month. If not, it will definitely
be next month. Also, you can leave me a review on iTunes. They're helpful with people finding
the show. Also click the subscribe button. If you follow the show, you like the show,
do click the subscribe button because apparently Apple says that helps you with your search
results. Also, you can follow me on social media. I'm on Instagram. I'm on medium. I'm
on Twitter. My handle is at what bitcoin did on everything. I'm happy to chat to you about
anything. So feel free to get in touch. You can also check out my website, which is www.whatbitcoindid.com.
I've got loads of useful information on there. I'm starting to provide different ways of
navigating the podcast. So if you want to find old shows with specific people or specific
topics that exist there now, you can sign up to my newsletter, which I've already mentioned,
which is going to go to a daily newsletter. I think I'm going to merge in the podcast
that I find and listen to into that as well. So that should be cool. And you can share
the show up with your friends and family. So lots and lots you can do to help the show.
Okay. Onto the show. I hope you enjoy it. If you do have any questions, feel free to
reach out. Jameson did an absolutely cracking job on this. I love having him on the show.
Yeah. But if you have any questions, you can get in touch. My email address is hello at
what bitcoin did.com. And I will probably reply to you unless you send me some nonsense.
Okay. Enjoy the show.
All right. Hi there, Jameson. How are you doing? Well, thanks. Sir, third appearance
on the podcast. Glad to have you back as always. Where's all the beard gone? Well, that's just
part of operational security. One of the things that I mentioned in my post is that in terms
of real world physical security, you want to try to blend into the crowd and having
any features that are particularly unique really get other people's attention when you're
out in public. I thought you might've just gone corporate on us. Not at all. And quite
interesting that I contacted you wanting to talk about personal security and privacy.
And did you see the news that came out today about somebody potentially killed in a Bitcoin
exchange? Oh yeah. You know, I have various alerts set up for that because, you know,
I maintain this log, basically a repository of all of the known physical attacks against
crypto owners. And so that popped up on my feed. I know it's quite sad really. Before
we get into that, let's have a quick update. What's been going on? How's everything over
at Casa? Yeah, it's been going well. We've mainly been focused lately on the node product
cause we're trying to get those starting to ship out in the next week or so. Been focusing
a lot on the user experience, you know, trying to make it as plug and play as possible for
our users. But you know, this is definitely going to be a very experimental like entry
into this market. And you know, I'm already foreseeing a number of like future versions
of it that are going to be bigger, badder, more robust and have more features. So this
is our first foray into trying to do a plug and play node. And there's definitely a lot
more that you could do, especially if we were spending more money on the hardware, you know,
Raspberry Pi can only do so much. Right. I've ordered mine. I think it comes in December.
So I'm looking forward to getting that because I did make an attempt to set up a full node
here and failed epically. So if you guys can take some of the work off me, that would be
great. I also noticed some work done on the website. It's an excellent design work, talking
you through security, personal security. One of the things that's coming through on CASA
is that design across the board is important. Yeah. I think that, you know, I don't want
to say that nobody else has focused on design, but I think that we are making it much more
in the forefront of our thinking when we're developing these products. We're really kind
of looking at it as a trifecta, right? Is that security first, usability and design
second, and then really a support services third. And we think that that like trifecta
of things is what is going to be necessary to build products and services and the crypto
ecosystem that can gain mass adoption. And because you're closer to it than I am and
probably understand it better, what is the status of Lightning at the moment? It's definitely
better than it was a few months ago. We're constantly keeping on our toes, the new developments
that are coming out. So I know just in the past week or two, we were experimenting around
with some of the automatic channel rebalancing functionality that has come out recently.
You know, that's just another thing that I think is going to be important for these nodes
to figure out how to handle the complexities of this new economic system that we're building.
And you know, I was in Tokyo just a week or two ago, and a number of the talks were about
that, about challenges of basically managing payment channels and rebalancing them and
opening and closing them. And you know, I think that this is what a lot of the low level
protocol and lightning node engineering effort is going to be focused on for the foreseeable
future.
Fantastic. Well, looking forward to that. So I asked you on to talk about privacy and
security because I ended up discovering quite an epic medium post of yours. So let me talk
you through the journey that ended up taking me to that post. So I did my interview with
Ricardo and had a long talk about privacy and the importance of privacy. And then there
was a new release of Google Chrome, and I ended up reading a post by Matthew Green,
which is why he was done with Chrome. And I noticed that Chrome was logging me into
the browser, this little icon for my avatar, and it was trying to get me to do the same
on my phone. So I did some research and I felt a little bit kind of, I felt a bit sketchy.
So I made the decision to delete a lot of the Google things I use. I'm not done with
everything. I've still got maps, I still got calendar, and I still got Gmail, but I'm going
through the process. What I have done though is I've removed all my Google data that it
allows me, although it probably still exists. And I'm using a combination of the Brave Beta,
which ironically is a Chrome build and Firefox Quantum. And I've also been playing a little
bit with Opera with its built in VPN. And actually one of the interesting things actually,
they're all actually fantastic browsers in their own right. So I was going through all
those processes and then started to research other things I could do. And then along came
your article, which to me was quite interesting. It was a really good time in, but it would
be good to hear about what took you to write that post? What happened that made you write
that post?
Well, I mean, I've been writing that post all year. It's been similar to what a lot
of my articles are like where I start exploring the boundaries of some particular interesting
thing that has caught my eye simply because my research hits a wall and it seems like
nobody else is really gone in that area. And so as I'm doing my own research, I'm just
writing down my experience and everything that I'm learning. And the thing about privacy
in general, especially when you're talking about like real world privacy and operational
security is that there are a few books and various resources out there, but by and large,
I think the vast majority of people who are experts in this field or are living an extremely
private life, part of the deal is that they just don't talk about it. And so as a result,
that knowledge doesn't get shared. And I felt like I could do a service to the community
in general, privacy oriented community to help them overcome the hurdles that cost me
six months and like tens of thousands of dollars doing all of the research to figure out how
to set this stuff up. But even then, a lot of the things that I have done are very jurisdiction
specific. So while people who are in the United States will benefit the most, I think from
what I've done, there is still a fair amount of online and digital privacy stuff that I
also have in that post that should be applicable for pretty much anywhere.
I noted there was about 18 steps in it and we'll start covering some of that in a bit.
In the article, have you done everything in there?
Absolutely.
So is it hard to maintain?
It's one of those things where there's a really steep learning curve and then you have to
adjust some of your day to day life experiences, like how you react to things. Because a lot
of people, it's just a common convention when you're out and about or engaging in business
or conversation, people ask you questions that are invasions of your privacy. And sometimes
this is just small talk. It's making conversation. Other times it's bureaucracy where it's companies
that are just trying to collect as much information as possible. And so even something as simple
as like going through a checkout line at a store, like they'll ask you for your phone
number or your postal code or any number of other identifying pieces of information. And
they do it in such a way that it's like, well, yeah, everybody does this. And if you don't
answer the question, you get this like awkward silence. A lot of times the person isn't used
to being told I'd rather not give out that information. And in fact, I think just tweeted
the other week of I went to an amusement park and I got rejected. I went to try to give
them my ticket and instead of just scanning it, letting me through the gate, they called
over some manager and then they were looking through their system and they started asking
me all these questions of like, what's your address and your credit card number and all
this stuff. Basically going along with the things I've outlined in my post, I was using
a disposable debit card, disposable email address, fake mailing address, and they must
have had some sort of surveillance intelligence system on their backend that was trying to
put all these pieces of information together and tie them to my identity. And because that
failed their bureaucracy basically said that they had to cancel my ticket. Now this was
particularly stupid because I was standing there showing them my passport and actually
gave them my fingerprint. Like they had biometric identification for everyone entering this
park and yet their rules said they had to cancel my ticket. And then it was especially
stupid because then I just turned right around, took cash out of my wallet, bought a new ticket
and went on in. So it's just, yeah, it doesn't make any sense, but these are kind of the
rules and bureaucracy that have been built up by a lot of large corporations.
And in going through this process, have you therefore become almost more aware of how
much information people are asking from you?
Definitely. Yeah. And you know, my other, you know, friends and family in my close inner
circle that I then try to instill these same values upon, they start thinking the same
way too. And then sometimes they come to me and they're like, I had this experience and
they were trying to get all this information out of me and I was pushing back against it
and it got really awkward.
I have it every time I go into a shop, they want your email address and I always say no.
I mean, I don't want to be spanned by them, but the real kicker for me, I explained this
to Ricardo is that I sold an advert on my podcast and it was from a company called BTC
media and I got a payment. The next time I logged into my bank account, I had a form
asking me to fill in the details of my employer and how much I earned, which I, which wasn't
compulsory, but there was no option to cancel. I just had to find a link to get out of it.
And I thought that was kind of interesting. I think a lot of this is relevant to you because
of obviously the swatting incident. Some people won't have heard our first interview or maybe
not be aware of it. Do you mind just explaining what happened with that again?
Sure. And really this type of stuff is most relevant for any public personality. Anyone
who gains a following of hundreds of thousands or millions or tens of millions of people,
because the inevitable results there is that once you have, it's kind of like the law of
large numbers, I guess, where you have a huge number of people that are paying attention
to you, then inevitably at least a few of them are going to have issues and they might
do things to try to harm you in some cases, even if it's because they like you. So you
have to protect yourselves from those edge cases. But for me in particular, you know,
within the period of basically one year, I had been talking about Bitcoin and crypto
for probably four or five years on social media. But during this last bubble, my Twitter
following went from, you know, five or 10,000 followers to well over 100,000 followers.
And with that just came a lot more vitriol, a lot more spam, a lot more people trying
to steal my identity and get into all of my accounts. And inevitably one incident which
came more into the physical world where someone called the police in my town and claimed to
be me and said I had murdered a bunch of people and was holding other people hostage, which
resulted in my entire neighborhood getting locked down and was not a pleasant experience.
And this was possible because, you know, I had been living in the same place for 10 years.
My address was in a lot of public databases and public records. And anyone who, you know,
even knew how to do a halfway decent Google search could find my address and then very
easily find, you know, how to call the local police in my jurisdiction. And all that really
took beyond that was someone who had the sophistication of knowing how to place an anonymous phone
call then could not be traced back to them. So they can, you know, do this with impunity
pretty much.
Did you ever get to the bottom of why it happened? Was it some form of extortion or was it somebody
just trying to scare you or a prank?
I think it was mostly someone trying to scare me. They did try to extort me a little bit,
but they could have tried a lot harder to extort me. And then once it was all over,
they were claiming that they were going to do even worse things, but they never did.
So, you know, maybe they just lost interest at that point or who knows what else may have
happened.
And so was that pretty much the starting point for this full privacy journey or you obviously
had some interest before, but is that the time that you decided to take everything serious?
Yeah, I mean, before that, my only real interest was in terms of like financial stuff. And
so, you know, using crypto assets to kind of stay outside of the traditional financial
system that would, you know, hopefully be a little bit more difficult to surveil my
financial activity. But yeah, then after this, I started looking at absolutely every aspect
of my life that I might want to guard against surveillance.
So your modern privacy protection proposal is really a working document in some ways
needs to be a wiki that continues to grow and develop. That's kind of interesting.
Okay, so we're in the age of mass surveillance operated by the state, but also operated by
Silicon Valley behemoths. We have Facebook and Google, and to some extent, Amazon and
Twitter in a data arms race, whereby the more data they have, the better advertising they
can sell and the more money they can make. We are pretty exposed to some of the nefarious
things they do, the Cambridge Analytica scandal, the way Google reads our emails, yet people
still aren't reacting. So why is it you think people generally don't care? I mean, you care,
I'm starting to care, there's a very small group of people who are. But why do you think
on a larger scale, people don't care?
It's convenience. And and you know, a lot of these things that we're getting these services,
they are provided to us, quote unquote, for free, or at least, you know, from the general
perspective of being free, because the cost that we're paying is with our data. And, you
know, I think it's very tantalizing and easy for people to give that up in return for,
you know, social networking and, you know, maybe discounts on various things. And even,
you know, outside of like normal consumer and marketing behavior, that's even a challenging
for us as developers. So something that we've been dealing with at Casa is, how do we as
a company act as a third party where we can facilitate helping our customers, but doing
so in a way that is not actually harming their privacy. And what I mean behind that is that
even in pretty much almost all modern software, especially web based software, there's various
logging and analytics and tracking and functionality that is not for marketing purposes, but just
for debugging purposes. So that if anything goes wrong, the developers can, you know,
look up the entire sequence of events of what happened and then try to find the bug and
fix the bug and make a better user experience. And, you know, these things get referred to
as debugging and, you know, crash analytics type functionality. But what they really are
is surveillance software is that even the developers of various applications are unintentionally,
I guess, surveilling their users in order to make their own jobs easier. And so we're,
you know, having discussions of, you know, how do we, how do we prevent ourselves from
collecting a lot of data on our users while still, you know, making our jobs possible
so that we can help them if something does go wrong. It's a, it's a fine line to walk
for sure.
And is there with Casa a form of corporate privacy? Is there a corporate version of what
you've enacted to protect the privacy of the company, the people who work for it, the location?
You know, I don't think that as a company, Casa has done anything particularly different,
you know, unfortunately we still use a number of various centralized systems to do things
like payroll and tax management and all of that stuff. The, the only reason that we might
be, you know, a bit safer than your average company is because we're so distributed and
something like 80% of the employees, you know, work from home and are spread all over the
country. Now, even in some other countries, but it's only, it's only helpful, I guess
from the standpoint that corporations, at least in America have some additional legal
protections. And from reading my guide, you know, that's basically what I used is that
there are a couple of States in the United States that have even better legal protections
for the privacy of corporate entities. And so if you create entities in those States,
then you can start using them to own various property and, and basically create these firewalls
between your own identity and your residents and other things that you're owning.
And I guess one of the other challenges referring back to how you as a company extract data
and use data with regards to your customers is you are a company, you want to grow and
you do have to enact some form of marketing. Marketing isn't, I don't see as a bad word.
It's how you execute it. There is good and bad marketing, but even the security check
on your website is fantastic. And if that is a way of bringing in new customers, that's
great for Casa, right? So I guess you have that balance between not wanting to ask too
much data from your customers, but at the same time, you do want to market and find
new customers.
Yeah. I mean, so far we've been able to do very well just with a viral marketing, I suppose.
And then we do limit like the amount of personally identifiable data that we store in our databases.
There's a lot of things that we don't want to know. You know, we, we don't want to know
your home address. We would rather, if we're shipping anything to you, we would rather
ship it to a private mailbox or a UPS store or something like that. And we, you know,
especially do not want to know where you're keeping your hardware devices that are managing
your private keys. It's, it's just things like that because we have to assume that even
though we have some great infrastructure security engineers, that anything that we put in our
database or our logs or what have you can potentially be compromised and leaked. You
know, if any type of like zero day exploit happens and you just, you can't know the future.
And so you have to guard against it by trying not to keep any valuable data in the first
place.
I guess so. Cause you don't want to have any hacker types or adversarial people thinking
you have data that they can access. So it's almost like inception levels of data and privacy
here is kind of interesting. Going back to your point on convenience for users, it was
quite interesting in going through the process of decoupling myself from Google. A couple
of things that are quite interesting. When I was using the Opera browser with a VPN,
every time I tried to use Google search, I was having to do the pick a car, pick a crossing,
you know, identify photos. So it was taken up to a minute before I could do a search,
which isn't convenient. And also secondly, when I noted when I was doing location based
searches, not using the location, but I'd come to expect a certain standard from Google
that it would know my location and the search results are very different when they don't
know your location. So for example, if you search for a doctor and you've got location
switched off, it goes to generic doctor based websites or Wikipedia pages. Whereas if you
have location switched on, it shows your local doctor. So you have to recondition yourself
to go back to how you use search back with, do you remember Alta Vista? Oh yeah. Back
to with the Alta Vista days. And that was a real process to get used to, but I've kind
of got used to it. I guess there's more extreme versions on your level of privacy and security
that you've had to get used to. Uh, you know, I mean, I generally use like DuckDuckGo and
start page for my searching and those even through a VPN, I haven't had those bring up
any of the CAPTCHA stuff, but you know, on almost every other website, they're going
to present CAPTCHAs. And I've actually seen some very interesting ones these days. You
know, most people are using that Google CAPTCHA where it's like identifying stuff for Google
street maps or whatever, but I've actually seen a few now that are puzzles where you
have to like move things around to drop them in the right place. So it's definitely interesting
to see how that technology has been progressing and prove that you're a human type of stuff.
But are there any experiences you've had offline similar where you've thought, God, this, this
has become more inconvenient. Yeah. It usually has to do with the financial stuff of like,
I can give you an example just from the other day actually, where, you know, I was ordering
some food to pick up and I go in there and I made the purchase through my, one of my
LLCs that I set up. And so that's not like a human name, right? And it's just awkward
to see like the person behind the counter is like looking through the receipts and they're
like trying to pronounce this thing because they assume it's a human name. And then they're
like yelling it out and mispronouncing it. And I'm like, yeah, yeah, that's me close
enough. Stuff like that, stuff like also going out, for example, with a group of people and
splitting a tab and, you know, not wanting to use a credit card that has my real name
on it. But then if I'm using a card that is in one of my LLCs, then I don't want that
potential privacy leak. If like the waiter comes back and was like waving it around,
you know, you know, whose is this type of thing. So it gets more awkward, you know,
when you are having face-to-face human interactions. Another thing that I've implemented of course
is that I'm using a pseudonym whenever I'm interfacing with like service providers at
my residence. There's no reason they need to know my real name. So that can also get
a little awkward if you haven't fully baked in, like this is my other, you know, name
now and I need to remember to be able to respond to it and so on and so forth.
Okay. So let's start digging into this. Firstly, can you outline the primary reasons
why people should care about their privacy? I mean, I've noted five, but it'd be good
to hear from you.
Yeah. So I guess the most extreme and one that I was recently trying to explain to someone
is that in the modern age for, you know, hundreds of years, we continue to add more and more
laws. So governments very, very rarely delete laws. They just keep adding more and more
and more. And we're at the point now where it's basically impossible to go about your
day-to-day life and not break a law. At least in America, I think there are statistics around,
you know, how many crimes a day the average person commits. Even if you believe you're
a good, honest, upstanding, law-abiding citizen, the truth is you're not. Nobody is. And if
you want to protect yourself from this overarching legal system, then you will want to hide as
much of your activity as possible from the legal system. There are countless cases now
of people, you know, getting picked up because they were, you know, in the wrong place at
the wrong time or some piece of data put them in a suspect list, even though they had nothing
to do with a crime that was being investigated. So that's kind of the extreme reason, you
know, to basically keep yourself from being falsely imprisoned. And then there are plenty
of other levels that are less extreme than that, such as I think some good examples are
we've seen cases where people like, you know, young teenage girls have gotten pregnant and,
you know, been searching for things online and basically the algorithms online figured
out that they were pregnant and, you know, started sending mailing stuff to their house
and like their parents found out and they hadn't even been able to give a chance to
try to figure out how they were going to explain it to them. So it can go a number of different
ways and just create very awkward and unpleasant experiences as a result of certain data being
tied together and then used by companies or government agents basically.
But there are plenty of other reasons. So I put the five down. I put five primary reasons
to care unwanted attention. I saw within the article about the lady who'd been tweeting
before getting on a plane and she had 170 followers. I'll share that on the show notes
because that's quite an incredible story. Personal safety. We've obviously covered that
future careers, potential for hacking, especially within crypto and potential for violence.
And do you think people in crypto are even more exposed and even more at risk? Or do
you think this is just a general problem?
So I think that the unique thing about crypto is the potential for violence and that we're
still in the very early days of that. You know, if you look at my like physical Bitcoin
attacks repository, I think I've cataloged like somewhere between 30 and 40 known attacks.
I think there are actually far more that have not been publicized here about them kind of
in the whispers every now and then. But there's a difference, I guess, between being crypto
wealthy and being traditionally wealthy, which is that if most of your wealth is in stocks
and bonds and savings accounts or physical real estate or whatever, it's very difficult
for someone to point a weapon at you and tell you to hand those over. But if you are wealthy
because you have these crypto assets that are basically digital bearer bonds, then the
risk reward ratio is a lot different. And criminals are starting to do the mental math
of saying, well, I see that this person has been tweeting about Bitcoin since the price
was only a few hundred dollars. And so they probably have somewhere in the realm of this
amount of wealth that they're probably holding themselves. And if I can put enough physical
pressure on them, they would probably hand over a significant chunk of that wealth and
it would be a lot easier than me trying to go in and rob a bank.
So you need carcer at that point.
That's one way to approach it. Yeah. We were trying to create better than bank level security
for crypto assets.
And I guess one of the myths with privacy is, and I'm not sure why it's perpetuated,
but is that privacy is about hiding illicit activities. And if you're not doing anything
illegal, then you don't need to care. But that's a myth, right?
Well, yeah. It's like I was saying earlier, even if you're not doing anything illegal,
it's possible that you just get caught up in the wrong thing. There have even actually
where I used to live in North Carolina, there was a case where the local police actually
subpoenaed Google for all of the activity of every Google user within like a several
square mile area at a certain period of time, because they were trying to find someone who
committed a crime. And so that's a good example of how simply being in an area while you're
carrying your surveillance device around, by which I mean your phone, just gets you
caught up in a digital dragnet of sorts. And I think pretty much everybody would agree
that they would rather not get caught up in any dragnets, even if they are innocent.
Yeah, of course. I didn't realize you'd move from North Carolina. I won't ask where you
are because obviously that would break the rules.
Somewhere in the United States.
So one of the things I noticed is that it's the ability for people to build a dot to dot
pattern and that's where some of the risks are. So I noticed, for example, if you tweet
that you're on holiday and someone can find your home address, they can burgle you. Or
you have a display of wealth and then you check into somewhere, somebody knows where
you are to come and attack you. Or even old tweets can affect a future career. I think
that's what probably people don't recognize. It's the connection of the dots, but the clever
hackers, that's what they're doing, right?
Yeah, just using your own data against you. This is part of the problem with privacy is
that you don't know what might be more important or more sensitive in the future. And this
actually, this goes kind of goes back to the Justine Sacco tweet that you were talking
about where she had 170 Twitter followers and she was making crude jokes on Twitter.
Even though she should have known better because she was like the director of marketing for
some internet advertising agency. But you know, she had been doing it and not having
any issues. And then she just made one wrong tweet that went viral. It caught the attention
of the internet. And all of a sudden she had hundreds of millions of eyes basically focused
on her. And we once again get into that kind of issue of large numbers and high amount
of attention. And the result is that she would then have a relatively small number of those
people who would then take it to the next step. And like a few of them actually showed
up at the airport to basically be paparazzi and take photos of her and you know, make
fun of her. And other people I think were like calling her and her family and harassing
them.
It's almost like a black mirror episode.
It is. Yeah. But it's the issue of trying to manage the attention that you're receiving.
It's not completely manageable, but better privacy definitely helps you prevent getting
more unwanted attention.
Did you ever see that video of the... I can't remember what it was. It was for a fortune
teller. And what they did, they were queuing up to go and see a fortune teller and they
would just fill in a form with their name and details. They would wait 10 minutes. Somebody
in the background was using their details to find out information online. They were
feeding that all to the fortune teller and the fortune teller would then tell them all
this stuff about them or the psychic. And then they would turn around and say to them,
no, I found all this information online.
Smart. No, I can definitely believe that. I haven't seen that one though.
Yeah. It's fantastic. I'll dig it out and send it to you. Okay. So moving on for this,
your article is fantastic, but it says in it, the only way to completely disappear is
to go off grid essentially and live in the middle of nowhere. It's not realistic. And
you also rightly point out that Americans are under more attacks from frivolous lawsuits
tracked by more private investigators. So it's kind of a lot harder for Americans. There
are different levels that people should go to in terms of protecting their privacy. You've
obviously done the extreme version. You spent a lot of money doing it. What would you consider
level one? I think almost most people listen to this, either they care enough and they'll
read your article or do it, or there'll be a bunch of people who will say, I need to
do something. Where do people get started? What would you say are the most important
things people should be doing?
Yeah. I mean, level one is what I was doing for many years because actually my first job
in my career was working for an online advertising company where we were sending out hundreds
of millions of emails and every day. And my job was basically to write large backend batch
processing jobs that would perform analytics across billions and billions of various tracking
points to help marketers better target their future advertising efforts. So I was very
deep into the tracking of people as a full-time job. And so I would say level one is just
installing various browser extensions that help protect your privacy, like Privacy Badger,
for example, or the HTTPS Everywhere extension that kind of forces as many of your connections
to be encrypted as possible. These are things where you can spend basically less than half
an hour and drastically increase your privacy from the sort of dragnet surveillance that
online advertisers are doing.
Can you use those kinds of tools on your mobile?
Yeah. In many cases, there are additional apps, like they have mobile versions of it
that can do the same. You can install mobile browsers that are more privacy-centric. Depending
on how technically sophisticated you are, one thing that I like doing is trying to figure
out ways to only do this one time in your house and then have all of your devices benefit
from it. And so when we talk about the privacy and anti-tracking stuff, you can get something
called a pie hole, which you just run a Raspberry Pi that's running the software that is basically
filtering all of your DNS queries and blocking everything from known advertisers. And if
you put that behind your router, then all of your devices on your home network automatically
get that filtering. And then on a similar vein, if you go to the next level and you
start doing VPN usage to basically encrypt your entire internet connection and all of
your traffic, then you can also do that at the router level so that you don't have to
configure every single device to use a VPN.
But outside of the home, as you say, people are carrying with them a portable surveillance
device. I think it's going to be a hard stretch to get people to either get rid of their Android
or get rid of their Apple phone. Do you have a preference of the two of those? I feel like
I trust Apple more because they make less money off data than Google, so they have less
reasons to track. Do you have a preference over those two?
I mean, I've always been an Android fanboy and that's because I prefer to be able to
tinker and customize things. Admittedly, Android isn't as friendly a user experience, but I'm
a geek and I prefer to be able to turn things on and off and what have you. And if you're
really nerdy, you can flash your Android phone with some privacy enhanced kernels like Copperhead
OS and I think Rattlesnake OS is the new one. But I'm particularly interested in seeing
what happens with some of the privacy specific phones that are being developed. In particular,
for the past year or so, I've been using a Purism laptop, which is open source hardware
on the motherboard and actually has like physical hardware switches to disable all the surveillance
devices such as the microphone, webcam, even the Wi-Fi and the Bluetooth and comes at a
bit of a premium. But I found that the user experience is reasonable and this company
is actually working on a phone that runs the same type of operating system and I think
will have similar hardware switches to turn things on and off. So the next question though,
even like above the hardware becomes, well, what about your ISP or your phone provider
or whatever? And even if you turn off your GPS and all the other tracking stuff, as long
as you're using one of these mobile phone networks, you can still get triangulated within
like a hundred meters or so just from the cell towers. So if you do want to carry around
a surveillance device like this, because they're so convenient, then the only way to do that,
it can't be tracked. Well, it'll always be tracked, but you can basically get one that
is not tied to your identity. And that's where like the burner phones and the SIM swapping
comes in, you know, getting throwaway SIM cards that are basically purchased with cash
and are not traceable to your identity. So a cashless society is going to present certain
problems in certain areas here then, right? Yeah. I mean, I had that section about all
the financial stuff and the biggest takeaway is that cash is still king. But in my own
experience using cash more often over the past year, it's actually becoming trickier
because fewer people are using cash. In many cases, I've actually not been able to complete
a cash transaction because they weren't able to give me enough change. Right. Okay. That's
kind of strange. Wow. Will crypto solve any of that? Crypto of today has long ways to
go. I still generally say that Monero has the best like real world, realistic privacy,
but unfortunately has pretty terrible scalability, which they are working on. The next question
comes down to like, can we build better privacy on second layer networks like lightning? I
think that that's a tricky question. You definitely get better privacy simply by doing payments
that aren't getting broadcast to the entire world. But then the thing that I'm still trying
to wrap my mind around is how does the privacy on the second layer networks actually relate
to the privacy that you have on chain because you're still tying these off chain transactions
to on chain transactions. So I think it's going to be complicated. There's still a lot
of work to be done, but hopefully that'll get tied in to a lot of the efficiency gains
that the developers are trying to make with regard to basically multi-party channel opens
and closes. And then something that was very interesting that came up in Tokyo recently
was the two-party ECDSA, which basically means figuring out ways to do multi-sig that is
not, it looks like single-sig. So anyone who's looking at the transactions on chain can't
even tell that they are to open and close payment channels. Is there a form of block
explorer for lightning addresses? Yeah, kind of. I mean, there is a few different lightning
network explorers out there, but it comes down to A, whether or not a given node is
advertising its channels. The default is actually going to be changing where like far fewer
nodes are going to be advertising their channels as the lightning network continues to mature.
So these lightning network explorers of today are actually going to become less and less
useful because I think the privacy on the network is going to continue to improve. Other
than that, the best way that you would be able to surveil the lightning network would
be to spool up a ton of lightning nodes and basically try to man in the middle everybody,
which you know, feasibly like nation state actors could probably manage to do. Even then,
I don't know what the math would be off the top of my head, but you do to like the
onion routing of how the messages and the payments get sent through the lightning network.
You're only able to tell the previous hop and the next hop on a given payment. You can't
see the entire like set of hops that in and of itself provides a much better level of
privacy. And how do you feel about privacy on Bitcoin?
It's come up in a couple of my interviews recently, but I'm totally out of my depth.
I did an interview with Safedean Amoos and Caitlin Long, and they were talking about
fractional reserve Bitcoin and the potential for that existing on Wall Street. And one
of the things that Safedean said is the great thing about having an open ledger is you can
audit the wallet. Whereas if you didn't have an open ledger, you wouldn't be able to do.
So it'd be more difficult to audit whether people are operating a fractional reserve
Bitcoin. And also I interviewed Jimmy Song and we were talking about the CVE bug. And
I was asking is if there was fully private base chain, if the bug had been exploited,
would the inflation go undetected? I know the questions I'm asking, but I'm out of
my depth with whether these are real problems that would exist with a fully private base
chain.
Well, yeah. And really the closest I think that you'll come to that is if you look into
Zcash, and there's been a lot of discussions in Zcash around that. And last I heard the
closest thing that was proposed to try to guard against that would be to basically have
a like a transparency day every now and then where everyone is forced to reveal the value
in their UTXOs so that we can then sum them all up and make sure that nobody has inflated
the monetary supply. But the other thing, the tricky thing with the like wallet and
exchange auditing, this is actually something we ran into when I was working at BitGo is
one of our first kind of extra features that we offered at BitGo was a cryptographic attestation
of funds value. I think we called it proof of reserve, but we didn't call it proof of
solvency or proof of not fractional reserve because you still run into a fundamental problem
of proving the value of what is in the Bitcoin or crypto wallet is only half of the problem.
You have to prove what their debts are as well, which means someone has to go and audit
all of their own like internal accounting and databases because otherwise, you know,
how do you know they haven't promised a bunch of funds to someone else? And you know, how
do you actually know what the reserve is supposed to be in the first place? So that product
ended up not doing very well because it just wasn't particularly useful without being backed
by an independent audit of the entire company's finances at the first place. So how do you
personally feel about privacy with Bitcoin? Do you want it on the main chain? Do you want
it on side chains? Do you have any kind of personal views? Yeah, I mean, right now it's
the default is terrible. If you go look at the like open Bitcoin privacy project, they
outline dozens of different threats in their threat model. And there's far more to it than
just the analysis of the blockchain transactions themselves. There's also issues of like network
analysis. We know that there are multiple companies that are surveilling the Bitcoin
network and basically running nodes all throughout the network to try to figure out, you know,
who is broadcasting transactions, you know, geo locating them, also identifying as many
of the major players on the network as possible. So the kind of making the network more private
is far more than just like obscuring the values of the transactions. You know, even if we
did something like confidential transactions, that would only be half the battle. Thankfully,
we are seeing plenty of improvements, even at the base layer, such as dandelion protocol,
for example. I don't know, is it anyone explained how that works to you? No, I did see it the
other day. I think I saw Nick Carter reference to it in an article, an interview he did,
he was talking about some technologies. And I think I saw in a list alongside Mimblewimble
and Grin. I think there's a list of things. Yeah. So dandelion is basically going to make
the network more private for people who are broadcasting transactions. Because right now,
if you broadcast a transaction, then your node essentially tells every peer node that
is connected to, Hey, I've got this transaction. Do you want it? And if they don't have it,
they're like, yeah, I'll take it. And then each of those nodes does the same thing to
everyone it's connected to. And this is called a gossip protocol. And this is a flood fill
type protocol where it very quickly expands through the entire network. The downside to
that is that if you have a sufficient number of nodes listening on the network and they're
all in sync with each other, like using network time protocol, then you can very easily see
like where the origination of the transaction was just by saying, okay, it arrived here
a few milliseconds after it arrived here. And then you sort of work backwards from there
to say, Oh, it probably originated from this node. And so what dandelion does to protect
against that is instead of just globally broadcasting immediately, it instead your node only sends
the transaction to one other node and that node only sends it to one other node. That
node only sends it to one other node. And then eventually after a few hops, that node
will then broadcast globally. And so the reason it's called dandelion is because from a network
graph, it looks like you've got a stim and then you've got the big fluffball. And so basically
this is like a misdirection thing, right? And so anyone who is surveilling the network
from their perspective, it looks like the transaction is coming from over here, but
in reality it started out way over here. So interesting new developments like that, that
I think are very practical and don't require major changes to the protocol.
Very interesting. Okay. So let's go back to your article. We can't cover it all. And
obviously I'll share it down in the show notes, but I think there are certain areas that most
people should pay attention to. So we covered your phone and we've covered pretty much your
internet privacy, but what we haven't covered in there is internet behavior. There is a
whole bunch of behavior that people aren't thinking about. So I'm thinking about it with
regards to my children already now starting to think like my son's on social media and
starting to educate him on ways he should be thinking about behavior because of the
impact it might have in the future of his life. What are the other key things that people
should be thinking about and the stupid things people tend to do online?
Well, one of the worst things I think is any post that gives away your current physical
location, right? And you already made a mention of that of if you post something that shows,
you know, you're on vacation or you're off doing something, then obviously you're not
at home and you know, that gives people an incentive to go check out your house and see
if they can take anything. For me, you know, I purposely, I time delay any posts that might
be related to a geographic location. So if someone is trying to go there and potentially
find me, then they're not going to do that. And interestingly enough, that is a tactic
that I was already doing. And it helped with regard to my swatting incident because I posted
something on Twitter. It was like a Monday morning and I made it. What did I say? I said
something like waking up seeing that we're going to have to deal with Segwit2x for the
rest of this week type of thing. And as far as I can tell, the attacker assumed then that,
you know, I had just gotten out of bed and was at my house and was, you know, getting
ready for the day. But in reality, I was already at the gym working out doing my thing 20 miles
away from my house. And so the attacker then placed that call of the police and law enforcement
shut down my neighborhood. And I wasn't even at home when it happened. I actually drove
into the law enforcement blockade and I was like, Hey guys, I'm just trying to get to
my house. What's going on? And then, you know, after a few minutes, we finally figured out
that they were there for me. And so that was, I think one of the reasons why law enforcement
did not end up breaking down my house was because I actually came to them first and
we figured out what was going on pretty quickly. So what do you do about conferences? You telling
people they can't put you on the speaker list? No, you know, I am still doing conferences
and you know, this is a calculated risk. Basically, I think we're not at the level where someone
is going to send in a whole team of mercenaries into a conference with hundreds or thousands
of witnesses and try to like kidnap me, you know, from in front of everybody else. You
know, maybe that will change at some point in the future, but I believe that we're not
quite at that level. And so I'm part of the reason why I've done all of this operational
security and privacy stuff is because I still want to be out there interacting with the
public and helping educate people, continuing to use the reputation that I've already built.
As I said, if I wanted to do this perfectly, then I would just completely drop off the
face of the internet, stop talking to anyone using my regular identity and potentially
just pop up as a new pseudonym with a fake avatar on my social media and nobody would
know that it was me.
Conscious of time, and I've got a couple of other questions I want to ask you about at
the end. So just on a wrap up, but if you were to advise people to do anything today,
what are the things you would say to do straight away or the habits that you would ask them
to change?
Yeah, I mean, in general, it's just being more mindful about what you're posting publicly
because you don't know what might come back to bite you. And being mindful that the internet
never forgets anything, you know, even though we have seen instances of people like deleting
all of their accounts because they're, you know, trying to get some sort of important
job, especially in politics. You know, what happens a lot of times is the reporters just
start sifting through internet archive stuff and finding all the stuff that they thought
was deleted. And it just gets even more embarrassing that they tried to cover it up in the first
place. So you have to operate under the assumption that, you know, anything you're doing on the
internet is going to become public. Even if you're taking a lot of these privacy precautions,
it's like, I think just yesterday, you know, there was another announcement of some big
database leak. I think it was voter registration or something where anything that you're doing
that is creating records in a database somewhere, you have to assume that that data is eventually
going to get leaked regardless of how secure or how much you trust the organization that's
controlling it. Information wants to be free. It's very hard to keep information from flowing
around. And so as a result, the only real protection you have against that is limiting
what information you put out there in the first place.
It was quite interesting. I almost feel like that step by step guide you've got on the
castle website for your crypto security. I almost feel like it'd be good to have a privacy
version of that. The Jameson lock 18 step privacy version of that would be pretty useful.
Well, we could do that for digital privacy, but you know, like I said, the problem with
the physical stuff is that the jurisdictions are so different. And in many cases, you actually
have to talk to an attorney. Yeah. And also where I am, I don't have a rack
of guns as a final security of last resort device. I still haven't actually shot a gun
again since I shot one with you need to do that again. Okay. So the last thing I wanted
to ask you about is because you were part of it is the B foundation. So you're part
of it. What's your involvement? So it's really being driven by Jacomo Zuko and then Elena
Branova is kind of the person behind the legal entity, but Jacomo is doing the like day to
day driving and operations and the rest of us, we're just chiming in basically with our
advice on any decisions that need to be made. So it's basically, you know, we're all in
a chat room together and we're discussing decisions like how to approach certain things,
but you know, it's still kind of spooling up right now. You know, we haven't really
done much to speak of other than announce our intention to create this organization.
As far as I'm aware, the legal entity has not actually been formed yet, but it should
be pretty shortly. And so, you know, there was a lot of backlash, of course, immediately
because of all of the memories of the Bitcoin foundation and everything they screwed up.
And it's kind of weird how there are a number of folks that almost seem to be anti organization
in the first place simply because they're afraid of what could happen if the organization
basically turns malevolent or starts having incentives to do things that are contrary
to the ecosystem. So I guess I would just prefer that people wait until we actually
screw something up to, you know, get too mad at us. At this point, you know, I'm not really
interested in spending any more time hearing people complain about us when we haven't even
done anything yet.
Yeah, it sounded like quite a proactive thing. So I actually interviewed Giacomo early in
the week, and it's coming out tomorrow. And I talked to him about it. And what I thought
was quite interesting about it as well, it isn't just focused on development. You know,
I understand that development is important, but I'm a marketing person. I also think marketing
is important and communications is important. And one of the things that other cryptocurrencies
have maybe done better than Bitcoin is promotion. And it feels like a lot of people in Bitcoin
are scared of marketing or scared of communications. And they feel like if you go out and sell
something's bad. But actually, Bitcoin has had a very good word of mouth strategy for
the last 10 years. And I quite like the fact the marketing is part of it. And because I
think marketing has changed now. It's not just about a poster, it's about education.
And I think with Bitcoin and a budget behind it, you can actually educate people better.
There's like bits all over the net. Most people are like, how do you learn about Bitcoin?
It's like, well, go and watch this video or go to lop.net and read this. And it feels
like we need a bit more of that. So I thought it was quite positive.
Well, yeah, but it's going to be tricky, right? As you know, even if we are positioning ourselves
as a source of educational content, then that has the potential to become politically controversial.
So I'm very wary of the marketing aspect myself. I'm going to be keeping a close eye on what
is being proposed on the marketing side. I just feel like organizing funding for development
of various applications and features to build out the ecosystem is probably less controversial.
I certainly see that there's value in marketing, but I think that is where most of the potential
for controversy lies, because we do want to avoid trying to give the image of being representative
of Bitcoin. It does suck that there were legal requirements to have foundation in the name
itself. And I will generally be referring to it as the B to try to push the branding
away from the foundation perspective, because Bitcoin doesn't need a foundation. And I've
actually said in the past, if you find the foundation of Bitcoin, you should destroy
it.
As ever, Jameson, another great interview. My final question is for you. Can you just
tell me what's coming up for CASA, what's coming up for you, and where you're going
to be at 1130 tomorrow?
Well CASA, we are basically working on onboarding and scaling up our ability to onboard more
of our premium users. It's that $10,000 a year vault product. We're also just trying
to ship these nodes, get them out the door, experimenting with various replication technologies
so that we can clone everything that we need and get them shipped out. And I don't know
for myself, I've just been doing a lot of traveling, going to be going to a number of
different conferences. I was already in Japan just a couple of weeks ago, and I'm going
to be going back to Asia, and then over to Europe, and back and forth, and back and forth,
trying to continue to educate people as much as possible.
Had you been to Japan before?
I was in Japan for 24 hours in 2017. I was actually in the air longer than I was on the
ground. I just spoke at a Tokyo University for a few hours.
For this trip or a previous one?
No, that was a previous one.
So you had a proper trip this time?
Yeah, I was in Tokyo for three or four days this time around, got to do a little bit more
sightseeing.
What did you make of it?
It's very clean, everybody's very polite. It's definitely a nice place, though I wouldn't
want to live there. Not quite the same level of freedoms as we enjoy in the United States.
Did you meet up with Roger?
You know, it was kind of weird. We were in Roger's hometown, but he never showed up at
the Scaling Bitcoin conference. I think that the last one he went to was several years
ago. It was actually Scaling Bitcoin in Milan, and he forked off the opening party. He basically
forked it off to create a big blocker opening party that did not, I guess, ingratiate himself
to the rest of the folks that were at Scaling Bitcoin.
And we now have Satoshi's vision. Is it today happening?
I think that's actually been happening earlier in the week because I've seen some videos
get posted.
Well, we'll see. Well, anyway, look, just a big thank you and also a lot of people won't
know the amount of work you do in the background helping me keep my podcast going and getting
it where it has been. So thank you so much for everything you've done for me. Always
a pleasure. I'm not sure when I'll see you next, hopefully at a conference sometime,
but take care, Jameson, and thank you.
Okay, so what did you make of that? Did you enjoy that? How cool is Jameson? I absolutely
love having him on the show. If you haven't listened to my two previous interviews with
him, I suggest you check them out. I've included links to those in the show notes. One of them
was my, I think it was like my fourth or fifth interview. So yeah, please go and check those
out. And if you haven't checked out CASA, go and check them out. Go and get yourself
a CASA for Bitcoin and Lightning node. I've got mine ordered. Can't wait to get it. Okay.
What about the privacy stuff? Pretty scary at times, right? I think you should go and
check out the show notes. I've included loads of information from the show, loads of links,
the link to the GitHub where Jameson keeps a record of attacks on Bitcoin people, some
pretty scary stuff in there. And just some important things we should be thinking about
with how we conduct ourselves online. Certainly something I'm thinking about. I've also migrated
to Brave. I think you should check it out. Brave is pretty cool. I like what they're
doing. So yeah, great interview. Love having Jameson on and so grateful to him. He's done
so much to help me in the background with the podcast. And yeah, thanks Jameson. Okay.
Please support the show. Bunch of things you can do. You can consider becoming a patron.
You can check that out at patreon.com forward slash what Bitcoin did. You can become an
advertiser if you want to do that. Sponsor the show. You can email me on hello at whatbitcoindid.com.
You can leave a review on iTunes. That's really helpful with the search results and subscribe.
Make sure you click the subscribe button. You can follow me on social media. I'm on
medium Twitter, Instagram. My handle is at what Bitcoin did on everything. You can check
out my website, which is www.whatbitcoindid.com and feel free to send any suggestions for
that. You can subscribe to my email list. I've got a daily email going out today where
I'm trying something new with that. You can subscribe on my website. You can share this
out with your friends and family and you can get in touch. Feel free to email me on hello
at whatbitcoindid.com. I'll probably get back to you outside of that. I hope you have a
great week. Looking forward to bringing you my interview with Samson and Catherine on
Friday.