YellowKey

The Identity Lineup

Episode 28 of Impractical Privacy, hosted by Sudo, dives into the severe, real-world consequences of law enforcement's increasing reliance on flawed facial recognition algorithms. The episode highlights how this technology is structurally biased—producing significantly higher false match rates for women, the elderly, and especially people of color. Through devastating real-life examples, Sudo explains that police are bypassing fundamental investigative work due to "automation bias," choosing to treat algorithmic guesses as undeniable truth even when confronted with blatant physical evidence to the contrary. Ultimately, the host urges listeners to push back through local advocacy, legislative bans, and physical obfuscation. 📚 Chapters * Six Months for a Lookalike Kimberlee Williams spent six months in jail because investigators blindly trusted a false facial recognition match over her actual alibi. * The Warning Label Fallacy Police routinely ignore software warnings, treating unverified algorithmic "leads" as definitive identifications and forcing witnesses to validate false matches. * The Human Cost and Structural Bias Structural bias in facial recognition disproportionately misidentifies minorities, leading officers to arrest innocent people despite obvious physical discrepancies. * What Can We Actually Do? Sudo urges listeners to combat surveillance through real-world actions like demanding legislative bans, filing FOIA requests, and using physical obfuscation. 🛠️ Resources & Tools * ACLU Facial Recognition Case Registry [https://www.aclu.org/cases?issue=face-recognition-technology] * Kimberlee Williams Case [https://www.aclu.org/press-releases/woman-wrongly-jailed-for-months-based-on-faulty-facial-recognition-technology-demands-apology-from-maryland-police-departments] * Randal Quran Reid Settlement [https://www.biometricupdate.com/202506/wrongful-arrest-in-us-linked-to-facial-recognition-error-leads-to-200k-settlement] * The 2019 NIST Demographic Report (NISTIR 8280) [https://nvlpubs.nist.gov/nistpubs/ir/2019/nist.ir.8280.pdf?utm_source=google&utm_medium=website&utm_campaign=face_recognition_wise_ai] * Ongoing NIST Face Recognition Technology Evaluation [https://pages.nist.gov/frvt/html/frvt_demographics.html] 🌐 Connect * Website: https://impracticalprivacy.com/https://impracticalprivacy.com [https://impracticalprivacy.com] * The tracker-free, telemetry-free hub for the show, now including Bitcoin and Monero support options. * Patreon: https://www.patreon.com/cw/SudoBurnToasthttps://impracticalprivacy.com/patreon [https://impracticalprivacy.com/patreon] * X (Twitter): @The_IP_Podcast * Mastodon: mastodon.social/@ImpracticalPrivacy [http://mastodon.social/@ImpracticalPrivacy] * Bluesky: impracticalprivacy.bsky.social [http://impracticalprivacy.bsky.social]

YellowKey

A newly disclosed zero-day exploit called YellowKey has shattered the assumption that BitLocker — Microsoft's flagship full-disk encryption — protects Windows users from physical access attacks. By exploiting a vulnerability in the Windows Recovery Environment with nothing more than a USB stick and a key press, an attacker can bypass default BitLocker protections and gain unrestricted access to encrypted drives in seconds. The researcher who discovered it calls it one of the most insane findings of their career — and suggests it could even be an intentional backdoor. In this episode, we break down exactly how YellowKey works, why default BitLocker configurations leave millions of users exposed, the systemic problem of vendors prioritizing convenience over real security, and — most importantly — steps you can take right now to seal the hole and reclaim control of your encryption. 📚 Chapters Opens From the Outside: A USB stick, a key press, and seconds later your encrypted drive is wide open — introducing YellowKey. The Anatomy of the Break: We walk through how YellowKey exploits the Windows Recovery Environment. The Deeper Problem: Default security is the vendor's security, not yours. Sealing the Hole: Practical mitigations you can implement today. The Key Was Always Yours: The real lesson of YellowKey isn't that encryption is broken — it's that default security was never designed to protect you first. 🛠️ Resources & Tools * The Hacker News: "Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation" [https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html] * Ars Technica: "Zero-day exploit completely defeats default Windows 11 BitLocker protections" [https://arstechnica.com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/] * TechSpot: "A security researcher says Microsoft secretly built a backdoor into BitLocker, releases an exploit to prove it" [https://www.techspot.com/news/112410-security-researcher-microsoft-secretly-built-backdoor-bitlocker-releases.html] * The Register: "Mystery Microsoft bug leaker keeps the zero-days coming" [https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758] * VeraCrypt Official Site [https://veracrypt.fr/en/Home.html] 🌐 Connect * Website: https://impracticalprivacy.com/https://impracticalprivacy.com [https://impracticalprivacy.com] * The tracker-free, telemetry-free hub for the show, now including Bitcoin and Monero support options. * Patreon: https://www.patreon.com/cw/SudoBurnToasthttps://impracticalprivacy.com/patreon [https://impracticalprivacy.com/patreon] * X (Twitter): @The_IP_Podcast * Mastodon: mastodon.social/@ImpracticalPrivacy [http://mastodon.social/@ImpracticalPrivacy] * Bluesky: impracticalprivacy.bsky.social [http://impracticalprivacy.bsky.social]

The Digital Tollbooth

In this episode of Impractical Privacy, Sudo exposes Google's latest maneuver to gatekeep the open web: the rollout of a new reCAPTCHA system that mandates Google Play Services for verification. Analyzing how this update effectively locks out users of privacy-focused, de-Googled Android operating systems like GrapheneOS and LineageOS, the episode traces the lineage of this change back to Google's withdrawn "Web Environment Integrity" proposal. Beyond diagnosing the problem, the show provides a practical survival guide for users facing these digital barriers and offers a robust toolkit of privacy-first alternatives for developers, arguing that bot protection does not require device attestation. Ultimately, this is a call to action for the privacy community to recognize this shift as a threat to digital sovereignty and to mobilize in defense of an internet that belongs to everyone, not just those who carry Google's software. 📚 Chapters * The Backstory: Introduces the new reality where Google's reCAPTCHA acts as a digital bouncer, denying web access to anyone whose phone lacks Google Play Services. * The Backstory: Reveals that this update is essentially Google's withdrawn "Web Environment Integrity" (WEI) proposal repackaged as a fraud defense tool. * The Impact: Details how this change disproportionately affects users of custom ROMs and de-Googled devices while creating a new phishing vector by normalizing QR-code scanning, all while failing to stop sophisticated bot farms. * The Practical Path Forward: Offers actionable survival tactics for locked-out users. * The Hopeful Conclusion: Reframes the struggle as a battle for digital sovereignty. 🛠️ Resources & Tools * Google reCAPTCHA Update Blocks Privacy-Focused Android Users From Sites [https://cybersecuritynews.com/google-recaptcha-update/] * Google Cloud Fraud Defense is just WEI repackaged [https://app.daily.dev/posts/google-cloud-fraud-defence-is-just-wei-repackaged-d01yrarhx] * reCAPTCHA update adds mobile verification, requiring Google Play Services [https://discuss.grapheneos.org/d/35332-recaptcha-update-adds-mobile-verification-requiring-google-play-services] * Friendly Captcha: Privacy-First CAPTCHA [https://friendlycaptcha.com/] 🌐 Connect * Website: https://impracticalprivacy.comhttps://impracticalprivacy.com [https://impracticalprivacy.com] * The tracker-free, telemetry-free hub for the show, now including Bitcoin and Monero support options. * Patreon: https://www.patreon.com/cw/SudoBurnToasthttps://impracticalprivacy.com/patreon [https://impracticalprivacy.com/patreon] * X (Twitter): @The_IP_Podcast * Mastodon: http://mastodon.social/@ImpracticalPrivacymastodon.social/@ImpracticalPrivacy [http://mastodon.social/@ImpracticalPrivacy] * Bluesky: impracticalprivacy.bsky.social [http://impracticalprivacy.bsky.social]

The Landlord's Key

Episode 25, dives into the "Smart Building" trap, where your rental apartment becomes a surveillance node. From smart locks that log your comings and goings to thermostats that infer your daily habits, the infrastructure of modern housing is quietly collecting intimate data about your life. We explore the legal gray zones that leave tenants powerless, the risks of algorithmic eviction, and the bystander problem affecting everyone who crosses your threshold. But it's not all doom; we equip you with five practical defense strategies to reclaim your sanctuary, from analog overrides to demanding privacy clauses. Deep dive into the invisible landlord watching you from the cloud, and how to lock them out. 📚 Chapters * Cold Open: Sets the scene of moving into a "smart" apartment and reveals the hidden data logging behind the convenience. * The "Smart" Trap: Breaks down the specific hardware stack and the alarming flow of tenant data to brokers and law enforcement. * The Bystander Problem: Examines how this surveillance extends beyond the tenant to guests and family, creating a pattern-of-life profile that risks eviction. * The Legal Gray Zone: Explores the legal void where tenant data lacks protection and the "right to repair" barriers that force reliance on landlord-controlled tech. * The Impractical Defense: Offers five actionable strategies for tenants to obscure their data, protect guests, and demand accountability from property management. * Outro The Sanctuary Reclaimed: Ends on a hopeful note about privacy-first housing and challenges listeners to vet their leases before signing. 🛠️ Resources & Tools * Housing Privacy Resources [https://privacyrights.org/housing] * Smart Water Metering as a Non-Invasive Tool to Infer Dwelling Type and Occupancy [https://www.sciencedirect.com/science/article/pii/S0198971523000911] * The Surprising Data About Smart Apartments [https://smartrent.com/news/smart-apartment-data/] * ACLU Sues San Francisco Landlords over AI-Powered Surveillance in Tenants' Homes [https://www.aclunorcal.org/cases/san-francisco-tenants-union-v-smart-rent/] * Smart Locks Endanger Tenants' Privacy and Should Be Regulated [https://www.eff.org/deeplinks/2023/04/smart-locks-endanger-tenants-privacy-and-should-be-regulated] 🌐 Connect * Website: https://impracticalprivacy.comhttps://impracticalprivacy.com [https://impracticalprivacy.com] * The tracker-free, telemetry-free hub for the show, now including Bitcoin and Monero support options. * Patreon: https://www.patreon.com/cw/SudoBurnToasthttps://impracticalprivacy.com/patreon [https://impracticalprivacy.com/patreon] * X (Twitter): @The_IP_Podcast * Mastodon: http://mastodon.social/@ImpracticalPrivacymastodon.social/@ImpracticalPrivacy [http://mastodon.social/@ImpracticalPrivacy] * Bluesky: impracticalprivacy.bsky.social [http://impracticalprivacy.bsky.social]

Tagged in the City

This episode of Impractical Privacy investigates the increasingly common practice of parking apps requiring users to download an app and grant location data to simply park a car. Sudo argues that this seemingly convenient system amounts to a “Parking Lot Panopticon,” a surveillance setup where users’ daily movements are tracked and monetized without their full consent or understanding. The episode breaks down the data harvested – location, device fingerprints, and license plate information – highlighting the potential for identity theft, targeted advertising, and law enforcement overreach. Ultimately, Sudo advocates proactive steps, like using burner payment methods and meticulously managing app permissions, and encourages a demand for greater privacy protections from city councils and parking app vendors. 📚 Chapters * The Illusion of Choice: Sudo explains that the parking app market isn't a free market, but a controlled system enforced by city contracts and the threat of fines, focusing on how city councils outsource their enforcement mechanisms to private data brokers.* * The Data Harvest: This chapter details the specific data points collected by parking apps – granular location data, device fingerprints, and linked license plate information – and how this data can be used for profiling and tracking.* * The Breach Reality: Sudo illustrates the potential consequences of data breaches through the example of the ParkMobile data breach, emphasizing how compromised data can be used for phishing, robocalls, and data sales.* * The Practical Defense: This chapter provides actionable steps for listeners to protect their privacy, including using burner payment methods, meticulously managing app permissions, and advocating for stricter privacy regulations.* * The Future of Public Space: Sudo discusses the broader implications of this surveillance system—how it shifts the relationship between citizens and public space and emphasizes the importance of collective action to reclaim control over our movement and data. 🛠️ Resources & Tools * EFF-Privacy on the Map [https://www.eff.org/deeplinks/2025/04/privacy-map-how-states-are-fighting-location-surveillance] * EFF-Govt using targeted ads to track [https://www.eff.org/deeplinks/2026/03/targeted-advertising-gives-your-location-government-just-ask-cbp] * ParkMobile Data Breach [https://support.parkmobile.io/hc/en-us/articles/36854685401243-Update-Security-Notification-March-2021-Settlement] 🌐 Connect * Website: https://impracticalprivacy.comhttps://impracticalprivacy.com [https://impracticalprivacy.com] * The tracker-free, telemetry-free hub for the show, now including Bitcoin and Monero support options. * Patreon: https://www.patreon.com/cw/SudoBurnToasthttps://impracticalprivacy.com/patreon [https://impracticalprivacy.com/patreon] * X (Twitter): @The_IP_Podcast * Mastodon: http://mastodon.social/@ImpracticalPrivacymastodon.social/@ImpracticalPrivacy [http://mastodon.social/@ImpracticalPrivacy] * Bluesky: impracticalprivacy.bsky.social [http://impracticalprivacy.bsky.social]