Captain (6:38)

Race the rudders. Race the sails. Race the sails.

First Mate (6:41)

Captain, an unidentified ship is approaching.

Eva Galperin (6:44)

Over.

Captain (6:44)

Roger, wait. Is that an enterprise sales solution?

First Mate (6:49)

Reach sales professionals, not professional sailors. With LinkedIn ads, you can target the right people by industry, job title, and more. We'll even give you a $100 credit on your next campaign. Get started today at LinkedIn.com results, terms and conditions apply.

Dr. Samantha Amin (7:12)

Think about this. Our phones, laptops, and cloud accounts are like digital diaries. Not just diaries, digital. They're more like vaults that hold nearly every detail of our lives. Now imagine this. You're going through airport security. You've packed light. Everything's on your phone, your boarding pass, your messages, your travel plans and reservations. Even that late night selfie you weren't sure about. A border agent asks to see your device. Maybe they want to scroll through your photos. Maybe they want your passcode. Suddenly, it hits you. They're not just holding your phone. They're holding a window into your private world. Your location, history, personal conversations, health, data, work, emails, saved passwords. It's all there. And the truth is, in that moment, you might not have as much control as you think. It's easy to assume our data is secure behind passwords and encryption. But the rules around digital privacy are changing fast and often without us realizing. The question is not whether our data is being collected, it's definitely is, but how. Your data is structured, interpreted, and then used. It's where science and engineering meet in your life every day. And that's surveillance. It works behind the scenes, quietly monitoring you. The data extraction and device fingerprinting to machine learning models that infer your identity. Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation. Her work focuses on how these surveillance systems operate and how digital vulnerabilities are exploited, exploited across platforms and devices. She's got a lot you want to pay attention to. Welcome to Curiosity Weekly, Eva.

Eva Galperin (8:47)

Thank you for having me.

Dr. Samantha Amin (8:49)

Let's start with the basics here. What do we actually mean when we talk about digital privacy?

Eva Galperin (8:55)

Well, to begin with, what we're mostly talking about is just all of the data that is created about you and that is stored on your devices or in at other companies or on other platforms that we sort of create every day. And this can be our. Our passwords to our accounts, the messages that we send to one another, the photos that we take and we send back and forth, information about our location and the location of our devices. The things that we are buying are financial and information about your web browsing, where you are going every day, and what you're looking at and what you're searching for and what you're buying. And all of this adds up to a very nuanced picture of who you are for the people who have access to this kind of data. Just because all of this information is available to your phone doesn't mean that all of this information is available to everybody all the time. One of the things that kind of makes people into privacy and security nihilists is they hear this long list of things that your phone can possibly pick up and they say, well, why should I bother trying to protect anything? Because the government could see everything all the time anyway. And that is simply not true.

Dr. Samantha Amin (10:23)

Okay, good to know, because I feel that way sometimes.

Eva Galperin (10:25)

Yeah, trying to protect everything from everybody all the time is a good way to drive yourself crazy and to exhaust yourself. But if you understand where your data is located and who can get what under what circumstances, you can take certain steps to mitigate the access for the things that you are particularly concerned about, and you can mitigate that access against the people that you are concerned about. So trying to secure your phone for crossing a border is very different from trying to secure your phone from just like random hackers that are trying to get their hands on your financial data by sending you text messages saying that, that you need to make a remote tax payment, or there's something up with your fast track for crossing the bridge, or you have gotten some sort of ticket. These are extremely different threats, and the things that you do in order to protect them are very different from one another. But you don't have to protect everything from everybody all the time.

Dr. Samantha Amin (11:35)

In addition to the digital nihilism, another reason why people may kind of feel defeated or not care as much about digital privacy is because they'll say, well, I have nothing to hide, so who cares? What's your response to that?

Eva Galperin (11:49)

Everybody has something to hide. We, we lock our doors, we close our curtains, we wear clothes there. Everybody absolutely has something to hide. And even if you don't have anything to hide, and mind you, the people who say this never want to hand over their password to me.

Dr. Samantha Amin (12:06)

For some reason that's fair. I mean, at the very least, perhaps your bank information is something we might all want to hide.

Eva Galperin (12:14)

Yes, yeah, absolutely. Everybody has something to hide. And furthermore, even if you are God's chosen creature that will hide nothing, does that mean that your friends have nothing to hide? Does that mean that your family has nothing to hide? All of your associates have nothing to hide? I do have the right to make that choice for other people. And the answer is no.

Dr. Samantha Amin (12:39)

Thinking a little bit more about all of the data that's being collected and how some of it is behind a password or encrypted. Are there scientific or engineering limits of those tools beyond it? Just end to end encryption, beginning and ending on someone's phone?

Eva Galperin (12:56)

Well, this isn't really a limit. This is the tool behaving the way that it's supposed to behave. The entire purpose of end to end encryption is to prevent your conversation from being spied on by third part parties in the middle, by the people who run the platform, or the people at the ISP or the people at the government. The conversation is happening only on your device and the devices of the people that you are talking to. This is not a failure or a limitation of science. This is a tool doing exactly what it's supposed to do. The reason why you want to have more than one factor of authentication is because passwords are frequently stolen and leaked. This is why reusing passwords is such a bad idea. You want your passwords to always be strong and unique. But more importantly, even if your password is garbage, you want to make sure that even if somebody does have your password, they still can't get into your account because they don't have that second factor of authentication. Now, frequently the second factor of authentication comes in the form of an SMS or a text message. And the problem with that is that SMS and text messages are not end to end encrypted at all. This is not a secure method of communication. Again, in the interest of talking about, whenever you talk about whether or not something is private or something is secure, you should ask from whom? Against whom. In this particular case, the vulnerability that these messages have is that you are not safe against anybody at the isp. You are not safe against anybody at the government or somebody who can show up with like a warrant or a subpoena asking for the contents of that text message. Very recently there was a very famous hack that took place, or rather it happened some time ago, but the US Government didn't realize it until several years in. It turned out that hacking group in, in the Chinese government, which is referred to as Salt Typhoon, had been buried deep inside our communications infrastructure for years with full access to all of our SMS and text messages. And so that would allow them to get the second factor of authentication for people that the Chinese government is watching and to get into their accounts.

Dr. Samantha Amin (15:25)

Wow, that's massive. Why didn't I hear more about that story?

Eva Galperin (15:28)

It was a very big deal. It is in fact still a very big deal. And one of the reasons why we're not hear about it is because the part of the government that was in charge of investigating this and securing our infrastructure against it is an organization called cisa. And CISA was, is still one of the parts of the government that has been very thoroughly gutted by doge. So Trump fired almost everybody.

Dr. Samantha Amin (15:58)

One of the things you mentioned is trying to keep in context who is something private from. So what about when you use private browsing or turn off tracking, you can still be identified. How does that work in the grand scheme of things?

Eva Galperin (16:11)

There's a lot of misunderstanding about what incognito mode does in browsing and who it protects you from. So really all that private browsing does is it prevents your particular, your browsing window from being associated with any of the other browsing that you have done. If you log in to your account, which is jane doegmail.com and you are Jane Doe, it will still be possible to come to the conclusion that you are Jane Doe.

Dr. Samantha Amin (16:58)

Fair. And then cookies that you use, you know, a lot of us, guilty, please don't be mad at me, we just click accept all cookies. Those are building a profile on me and kind of understanding my behaviors as well.

Eva Galperin (17:12)

Good news, good news about cookies to begin with. So one of the reasons why you get this little pop up saying, do you accept all cookies? And it's usually a Pop up designed to make it as difficult for you to not accept cookies as possible is a law in the EU called the gdpr and it basically operates on sort of a opt in model. But if everybody is essentially forced to opt in, then your opt in is kind of meaningless. Fortunately, there is a browser extension called Privacy Badger which EFF makes and it eats cookies. So even if you have accepted all the cookies, then the browser extension simply sits there and blithely deletes them, preventing the website from using them in order to track you and figure out where else it is you're going and draw conclusions about who you are based on that information.

Dr. Samantha Amin (18:15)

That is good news. And it comes like it's so cute the way that they branded that to eat the cookies. I will remember that and definitely need to download it. Are there any other tips you have for the average person? Simple actions they can take to take their cybersecurity a little more seriously?

Eva Galperin (18:33)

Well, there's really some basic hygiene, the digital privacy and security equivalent of eating your vegetables and washing your hands. What you should be doing is you should have a password manager. All of your passwords should be in your password manager.

Dr. Samantha Amin (18:49)

I have that.

Eva Galperin (18:49)

Cool. Cool. Your passwords should be strong. And what makes a strong password is a long password, not a password with lots of different letters and special characters in it and all that kind of stuff. That doesn't affect the entropy. Now we're getting into science. But what does affect the level of entropy is how long it is. Usually what I recommend to people is that your password should actually be a passphrase. And that passphrase should be like five or six words long. And those words should be chosen at random. That's one of those things that a password manager can do for you. Because there are like five or six words chosen at random. It becomes a lot easier to remember that password when you have to enter it. So you want long, strong, unique passwords for every account. And then you want to turn on the highest level of two factor authentication that you are comfortable using. So text message better than nothing, unless you're up against the Chinese government. Then next from Text Message, you want to use an authenticator app. So something like Authy or Google Authenticator. There are also authentication apps built into certain password managers. I think Both Bitwarden and 1Password have authenticator apps built into them, so I recommend those. And then the next strongest thing is a physical key. Physical keys are really great for accounts that you really want to protect, but. But specifically they're really good for protecting you against, against hackers, against some stranger that's never going to get their hands on your device? If you are worried about somebody who has physical access to your stuff, then a key actually makes things easier because, you know, you put the key on your keychain and they just get their hands on your phone and your keychain, they have managed to get in, or they simply run off with your keychain and they add another, another device to your account. You, you don't want that. So in like domestic abuse situations, I do not recommend these, these kinds of keys. But if you want to protect yourself against hackers, against governments, then a security key is, is a very good idea and is the appropriate mitigation.

Dr. Samantha Amin (21:11)

Last thing I want to ask you, Are there any trends you're seeing, things that are changing, things that we should really focus on going forward, or new things on the horizon to make sure digital privacy even easier?

Eva Galperin (21:22)

Well, one of the things that I think people really need to talk about is harassment and harassment online and also sharing other people's information online. Again, I think it's really important for people in relationships to talk about when it is appropriate to share information about themselves, but also to understand that you're not necessarily going to be in your relationships forever and you should talk about like what is appropriate, what is and is not appropriate when you no longer trust that person. So you might want to be sending your messages over, disappearing messages so that that person can't necessarily save your selfie. And that's, that's definitely something to discuss. Or if you are sharing an account, you want to make it very easy to lock that person out of any kind of sensitive accounts after you have a breakup. This is especially important if, if you are sharing a home that has a bunch of IoT devices in it, or if you are trying to parent a child together in the middle of a divorce, things can get really contentious. So that's a big thing that I think that people should talk about. And also increasingly people are really concerned about crossing borders where the border crossing situation is fraught with peril. And the rules about what you should and should not be doing and what your rights are appear to be changing every day. And the extent to which what the law thinks your rights are even matters also appear to be changing every day, which is pretty disturbing. So one of the things that I am doing this month is writing a border crossing guide. And it's really difficult because essentially what I have to do is I have to, I have to plan for the best. Sorry, I have to plan for the worst case scenario.

Dr. Samantha Amin (23:16)

I will be keeping an eye out for that because I think it's something that we should certainly all be paying attention to and thinking about. Unfortunately, more these days border crossing is.

Eva Galperin (23:25)

One of those situations in which thinking about who you are and what you want to protect and who you want to protect it from is particularly important because there are different groups with different levels of risk. For example, if you are coming from outside of the United States into the United States for something work related and they may question your visa at the border. That's a situation in which you really want to think about what your what is on your devices and what kind of information is easily available about you on your on your social media accounts or if you live in the United States and you are you are here illegally, or even if you are here on a student visa now and you took part in the Gaza protests over the course of the last year, those are all things to be really concerned about right now.

Dr. Samantha Amin (24:24)

Those are helpful tips. Thank you. How do you feel about the trade offs between convenience and privacy? Is it possible to have both?

Eva Galperin (24:34)

Yes, it is possible to have both privacy and convenience because privacy is not black and white. Privacy is not one of those situations where you either have privacy or you don't. The door is locked or it is unlocked. Privacy is having control over your data and making decisions about who gets to see it and under what circumstances. Privacy is about control and I think that is something that we can deliver to people and when people have controlled, they can decide what level of convenience is important to them and what level of risk they're willing to take in different circumstances.

Dr. Samantha Amin (25:15)

Fantastic. Thank you so much Eva for joining us. I'm going to start this topic with one of the more interesting content warnings I've ever given out. Snake bites are bad. Please do not try to get bitten by a snake. Avoid venomous snake bites at all costs. Okay, now that we got that out of the way, onto the story. Venomous snake bites are a global problem that many of us are lucky enough to not have to think about on a daily basis, but we definitely should be thinking about it. For some venomous snakes, an antivenom drug can be life saving. But antivenoms aren't available for all venomous species and antivenom research hasn't kept up with the growing need. Antivenom these days is actually made basically the same way it was around 130 years ago. That's where Tim Fried comes in. Now you may have heard of him before. He's an Avid snake collector and a unique presence in the field of immunology. And when I say unique, what I mean is he collects deadly snakes and lets them bite him a lot to the tune of over 200 times in the last 25 years. And that doesn't even count the over 600 times that he's injected himself with snake venom to build his immunity. Can I say again, do not do this at home. Tim is, in his words, a non degree scientist. Tim's been in the media a lot, so over the years, a few researchers reached out to ask him to participate in antivenom studies. Nothing ever really worked out until Dr. Jacob Glanville and Dr. Peter Kwong read about Tim's story. Dr. Glanville is the chief executive of the biomedical firm Centivax. His goal is to create a universal antivenom, one that can be used for all of the roughly 600 venomous snake species. Right now, each antivenom only protects against a few species from one region at a time. Now, Dr. Glanville and his team took Tim's meticulous notes from over the years, along with some of his blood. And this goes without saying, but this was only after careful review from an ethics board and informed consent from Tim Fried. Dr. Glanville's team isolated the antibodies from Tim's blood and tested them against toxins from the Elapidae family of snakes. Elapids include mambas, death adders and various types of cobras. Their venom is used to paralyze prey. It contains both short chain and long chain alpha neurotoxins, which disrupt a receptor muscle cells use to contract, blocking communication between nerves and muscles. And that leads to muscle paralysis and as a result, respiratory failure. Then the team took the most promising of Tim Fried's antibodies and tested them on mice that were given a lethal dose of snake venom. What they found was there were two antibodies from Tim's blood that could bind to both short and long change neurotoxins. And when combined with a broad acting small molecule, the cocktail provides full protection against 13 Elapidae snake species and partial protection against the rest of the species in that snake family. This is a first step when it comes to producing a universal antivenom. But there's still a long way to go to see if it can be produced at an industrial scale and at an affordable price. So Dr. Glanville's team is heading to Australia to work with veterinary clinics who treat dogs who've been bitten by snakes. There, they can test their antivenom in a more real world scenario. And don't worry if the dogs don't respond to the treatment quickly, they'll be with a vet who can give them the traditional antivenom treatment. For now, Tim Fried says he's given up on snakebites in hopes that all his research can be used to save lives for Warner Bros. Discovery. Curiosity Weekly is produced by the team at Wheelhouse DNA. The senior producer and editorial correspondent is Teresa Carey, our producer is Chiara Noni, our audio engineer is Nick Karisimi, and head of Production for Wheelhouse DNA is Cassie Berman. And I'm Dr. Samantha Yamin. Thanks for listening.

Raj Panjabi (29:26)

Hi, I'm Raj Panjabi from HuffPost.

Noah Michelson (29:28)

And I'm Noah Michelson, also from HuffPost.

Raj Panjabi (29:30)

And we're the hosts of Am I Doing It Wrong? A new podcast that explores the all too human anxieties we have about trying to get our lives right.

Noah Michelson (29:37)

Each week on the podcast, Raj and I pick a new topic that we want to unlock, understand better, and bring a guest expert on to talk us through how to get it right.

Raj Panjabi (29:45)

And we're talking like legit credible experts.

Noah Michelson (29:48)

Doctors, PhDs all around, superheroes from HuffPost and Acast Studios. Check out Am I Doing It Wrong? Wherever you get your podcasts.