Firewalls Don't Stop Dragons Podcast

Having data privacy laws are great. But if those laws can’t be practically enforced or your rights easily asserted, they’re not very useful. Modern cars are chock full of sensors, many of which are used to monitor the passengers and collect personal data. But cars are subject to privacy laws, too. Opting out of data collection or requesting data deletion should be straightforward. Andrea Amico and Merry Marwig from Privacy4Cars just completed a massive study on this, and the vast majority of auto brands had horrible user experiences for data management. They will share their findings with us on today’s show.

Interview Notes

Privacy4Cars: https://privacy4cars.com/ 

California UX whitepaper: https://privacy4cars.com/ux-california/ 

Vehicle Privacy Report tool: https://vehicleprivacyreport.com/ 

Company auto info: https://Privacy4Cars.com/CISO 

GDPR auto info: https://Privacy4Cars.com/GDPR 

Opt Out Code: https://optoutcode.com/

IoT on Wheels talk: https://instituteofprivacydesign.org/2025/08/11/cars-iot-endpoints-on-wheels-privacy-engineering-technology-education-discussion-peted-recording/ 

Data Diva car data graphic (slide 16): https://www.nist.gov/system/files/documents/2024/05/15/V3_2024_May_IoTAB%20%20-%20Monroney%20Sticker%20Presentation_Privacy_subteam_compressed%20508.pdf 

IoT Advisory Board Report: https://www.nist.gov/system/files/documents/2024/10/21/The%20IoT%20of%20Things%20Oct%202024%20508%20FINAL_1.pdf 

Enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ 

Further Info

Annual Listener Survey!!! https://fdsd.me/survey2026 

New Patron Promotion!! https://fdsd.me/promo126 

My book: https://fdsd.me/book 

My newsletter: https://fdsd.me/newsletter 

Support the mission: https://fdsd.me/support 

Give the gift of privacy and security: https://fdsd.me/coupons 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 

Table of Contents

0:00:14: Intro

0:01:06: Listener survey reminder

0:01:53: Patron promo reminder

0:02:30: Lingo definitions

0:03:14: What’s changed since our last talk?

0:08:15: What data do cars collect?

0:12:56: How could car data affect my insurance rates?

0:15:51: What was the purpose of your recent study?

0:23:01: How do authorized agents work?

0:28:01: How does Opt Out Code work?

0:33:21: What’s the response been to your report?

0:36:13: How do we make car data more obvious?

0:40:23: Does GDPR apply to cars?

0:45:17: What are some other cases to consider?

0:48:45: What’s the EU Data Act?

0:54:08: How do I limit my auto data sharing?

0:56:44: How remove car data before selling?

0:59:56: What’s next for you?

1:01:43: Wrap-up

1:03:25: Enable Global Privacy Control

1:05:24: Patron podcast preview

1:06:52: Looking ahead

AI has many problems, but also has promise. Today I’m going to focus on one particular problem that has some viable solutions: privacy. Chat bots like ChatGPT, Gemini and Claude all require your queries to be processed in the cloud. All the personal questions we ask are probably being logged against our identity and could be used to train future AI models or to present us with targeted ads. But there are alternatives that protect your data – I’ll give you a handful of solid options.

In other news: a Texas court has blocked the app store age verification law; Flock’s people-tracking cameras have horrible security; PornHub confirms data leak due to third party; stalkerware maker pleads guilty; Texas sues 5 TV makers over data collection; Wegman’s grocery using facial recognition in NYC; New York’s surveillance pricing transparency law goes into effect; DROP tool debuts in California for deleting broker data; two Chrome extensions caught stealing chat bot session text; ChatGPT rolls out new Health tool.

Article Links

Judge blocks Texas app store age verification law https://www.theverge.com/news/849752/texas-app-store-accountability-act-age-verification-injunction

Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves https://www.404media.co/flock-exposed-its-ai-powered-cameras-to-the-internet-we-tracked-ourselves/

PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach https://thecyberexpress.com/pornhub-data-breach-premium-users/

Founder of spyware maker pcTattletale pleads guilty to hacking and advertising surveillance software https://techcrunch.com/2026/01/06/founder-of-spyware-maker-pctattletale-pleads-guilty-to-hacking-and-advertising-surveillance-software/

Texas sues 5 smart TV manufacturers over data collection practices https://therecord.media/texas-sues-5-smart-tv-makers-over-acr-tech

Popular grocery store chain uses biometric surveillance on shoppers, raising privacy concerns https://www.aol.com/articles/popular-grocery-store-chain-uses-130056099.html

How New York’s Personalized Pricing Law Affects Consumers And Retailers https://www.forbes.com/sites/anishasircar/2025/12/03/new-yorks-algorithmic-pricing-law-what-it-does-and-why-it-matters/

This Tool Deletes Your Info From Data Broker Sites (If You Live in One State) https://lifehacker.com/tech/california-new-data-removal-tool

Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html

Why I Won’t Be Giving ChatGPT Health My Medical Records https://lifehacker.com/tech/dont-give-chatgpt-health-your-medical-records

Tip of the Week: https://firewallsdontstopdragons.com/ai-chat-privacy/ 

Further Info

Annual Listener Survey!!! https://fdsd.me/survey2026 

New Patron Promotion!! https://fdsd.me/promo126 

Flock You project: https://github.com/colonelpanichacks/flock-you 

Shodan: https://www.shodan.io/dashboard 

My book: https://fdsd.me/book 

My newsletter: https://fdsd.me/newsletter 

Support our mission! https://fdsd.me/support 

Give the gift of privacy and security: https://fdsd.me/coupons 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents

0:00:07: Intro

0:00:36: Listener survey

0:01:24: Dragon coin promo

0:02:11: News rundown

0:04:00: Court blocks Texas app store age check

0:09:52: Flock exposed its AI cameras to internet

0:21:04: Some PornHub user data leaked

0:26:22: Stalkerware maker pleads guilty

0:33:57: Texas sues 5 TV makers over data collection

0:39:39: Wegmans grocery is using facial recognition

0:44:33: NY personalized pricing law goes into effect

0:47:28: CA tool mass-deletes broker data

0:50:49: Two Chrome extensions steal AI chat records

0:54:56: ChatGPT unveils new Health feature

0:58:25: Tip of the Week

1:07:28: Wrap up

1:07:47: Patron podcast preview

1:08:23: Looking ahead

There are a ton of messaging apps on the market – and there are actually quite a few that are very secure and private. I would argue that there is no such thing as a “perfect” secure messaging app. There are several threat models to account for, each with different requirements. Today we’re going to talk about the pros and cons of decentralized messaging with the co-founder of Session, Kee Jeffreys. These messaging apps don’t rely on a set of servers hosted by the provider, but rather on a mesh of nodes run by hundreds or thousands of others. We’ll also discuss the importance of protecting metadata and the notion of “permissionless access”. Session just announced support for key features in the upcoming version 2 of their protocol, including Perfect Forward Secrecy (PFS) and post-quantum encryption.

Interview Notes

Get the Session app: https://getsession.org/ 

Session adds PFS, post-quantum crypto: https://getsession.org/blog/session-protocol-v2 

xkcd $5 wrench (“Security”): https://xkcd.com/538/ 

Further Info

Annual Listener Survey!!! https://fdsd.me/survey2026 

New Patron Promotion!! https://firewallsdontstopdragons.com/new-patron-promotion/

Generate passphrases using d02’s: https://d20key.com/#/ 

My book: https://fdsd.me/book 

My newsletter: https://fdsd.me/newsletter 

Support the mission: https://fdsd.me/support 

Give the gift of privacy and security: https://fdsd.me/coupons 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 

Table of Contents

0:00:13: Intro

0:01:12: Promotion teasers

0:01:54: Interview setup

0:03:33: Lingo

0:05:07: Why did you create Session?

0:11:01: How does the location of a company’s HQ matter?

0:18:58: Why do regular people need this level of security?

0:22:01: How does Session work?

0:29:59: Why does permissional account creation matter?

0:35:55: How does Session compare to other apps?

0:45:27: Why didn’t Session have Perfect Forward Secrecy originally?

0:53:50: When will PFS roll out?

0:58:37: How does cryptocurrency factor into Session’s network?

1:03:32: What happens if $SESH price goes way up or way down?

1:07:19: How does Session sustain itself?

1:13:34: Why is private messaging so important?

1:19:49: Wrap-up

1:22:34: Patron podcast preview

1:23:44: New patron promotion

1:27:14: Annual listener survey

Every week, I record a special, private bonus podcast for my patrons. Normally all of that content is restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Yael Grauer (Consumer Reports), Josh Summers (All Things Secured), Lisa LeVasseur (Internet Safety Labs), Josh Corman (UnDisruptable27), Andy Liddell (EdTech Law Center), Carissa Véliz (author, professor), Eamonn Maguire (Proton), Grace Menna & Adrien Ogee (Cyber Resilience Corps). Enjoy!

Original Interview Links

Ep416: Yael Grauer: https://podcast.firewallsdontstopdragons.com/2025/02/17/security-planner/ 

Ep420: Josh Summers: https://podcast.firewallsdontstopdragons.com/2025/03/17/all-things-secured/ 

Ep422: Lisa LeVasseur: https://podcast.firewallsdontstopdragons.com/2025/03/31/microscoping-our-apps/ 

Ep428: Josh Corman: https://podcast.firewallsdontstopdragons.com/2025/05/12/shelter-from-the-storm/ 

Ep426: Andy Liddell: https://podcast.firewallsdontstopdragons.com/2025/07/07/defending-student-privacy/ 

Ep438: Deviant Ollaf: https://podcast.firewallsdontstopdragons.com/2025/07/21/passport-lawyer-locksmith/ 

Ep446: Carissa Véliz: https://podcast.firewallsdontstopdragons.com/2025/09/15/on-the-ethics-of-ai/

Ep453: Eamonn Maguire: https://podcast.firewallsdontstopdragons.com/2025/10/27/privacy-focused-ai/ 

Ep454: Grace Menna & Adrien Ogee: https://podcast.firewallsdontstopdragons.com/2025/11/10/becoming-cyber-resilient/ 

Security Planner: https://securityplanner.consumerreports.org/ 

App Microscope: https://appmicroscope.org/ 

Take 9: https://pausetake9.org/ 

Meshtastic: https://meshtastic.org/ 

Previous dragon coin promo: https://firewallsdontstopdragons.com/dragon-coin-promo/ 

CISA Bad Practices: https://www.cisa.gov/news-events/news/bad-practices-0

Further Info

My book: https://fdsd.me/book 

My newsletter: https://fdsd.me/newsletter 

Support our mission! https://fdsd.me/support 

Give the gift of privacy and security: https://fdsd.me/coupons 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 

Table of Contents

0:00:07: Intro

0:03:55: Ep416: Yael Grauer

0:10:51: Ep420: Josh Summers

0:16:36: Ep422: Lisa LaVasseur

0:22:21: Ep428: Josh Corman

0:30:03: Ep426: Andy Liddell

0:35:49: Ep438: Deviant

0:41:55: Ep446: Carissa Veliz

0:47:12: Ep450: Jake Braun

0:52:55: Ep454: Grace Menna & Adrien Ogee

0:55:44: Wrap-up

I’m digging into the vault for a classic interview – a blast from the past! I’ve done 460 episodes over the last nearly 9 years, and some of the best old episodes still hold up well today. I first interviewed Troy Hunt, creator of Have I Been Pwned, in February of 2019. It was Episode 102 and it was entitled “You Must Stop Reusing Passwords”. In this episode we talk a little about the origins of HIBP, password security, data breaches and brokers, and how to keep our accounts secure. I’ve added some new commentary, but the original episode is preserved in all of its glory!

Interview Notes

Have I Been Pwned? https://haveibeenpwned.com/ 

NIST updated password guidelines:  https://pages.nist.gov/800-63-4/sp800-63c.html 

Proton summary of NIST changes: https://proton.me/blog/nist-password-guidelines 

Password haystacks: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ 

Choosing a strong PIN: https://firewallsdontstopdragons.com/how-to-choose-a-pin/ 

Using passphrases: https://podcast.firewallsdontstopdragons.com/2021/05/24/how-when-to-use-a-passphrase/ 

On passkeys: https://podcast.firewallsdontstopdragons.com/2023/05/22/problems-with-passkeys/ 

Further Info

My book: https://fdsd.me/book 

My newsletter: https://fdsd.me/newsletter 

Support the mission: https://fdsd.me/support 

Give the gift of privacy and security: https://fdsd.me/coupons 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 

Table of Contents

0:00:07: Intro

0:00:32: Interview setup

0:02:52: What is Have I Been Pwned?

0:05:37: What is a data breach?

0:06:42: Where do you get data breach records?

0:08:18: What is the “dark web”?

0:10:35: How do YOU get breach data?

0:11:43: What were some of the worst data breaches?

0:15:09: Who is behind these breaches?

0:17:03: How often are data brokers hacked?

0:19:47: Is it that hard to protect our data?

0:21:22: Is there no liability for not protecting data?

0:24:16: What about breach disclosure laws?

0:26:00: Do class action lawsuits provide accountability?

0:29:00: How can consumers evaluate a company’s data security?

0:32:35: Is data collection inherently bad?

0:34:43: How can we best use HIBP?

0:36:59: Should sites be rejecting known-bad passwords?

0:39:37: Why do some sites limit the use of special characters?

0:41:50: How up-to-date is HIBP data?

0:44:25: What does registering for notifications do?

0:45:39: What is your “opt out” feature?

0:46:25: Can hackers use HIBP for nefarious purposes?

0:48:16: Any other password advice?

0:50:27: Which services integrate with HIBP?

0:52:19: Wrap-up

0:54:52: New password guidelines

1:01:45: Patron podcast preview

1:02:12: Looking ahead