Episode 58 - The Price of Being Watched

Website / Donations / Support

BTC Lightning Donations - [email protected] / [email protected]


Thank You Patreons & Direct Supporters! -
https://www.patreon.com/closednetwork

Direct Support - https://closednetwork.io

Subscribe Without Patreon - Closed Network Privacy Podcast

  • Michael Bates - Privacy Bad Ass
  • David - Privacy Bad Ass
  • TK - Privacy Bad Ass
  • Trying - Privacy Bad Ass
  • VO - Privacy Bad Ass
  • MrMilkMustache - Privacy Supporter
  • Hutch - Privacy Advocate
  • Inferno_Potato - Privacy Supporter
  • Dolores Y - Privacy Supporter

Direct Support - Craig D

Thank You Producers! You Produce This Show!

TOP LIGHTNING BOOSTERS !!! THANK YOU !!!

  • @bon - thousands and thousands and thousands of sats!!
  • @fireflygow - 5,000 sats!!
  • frigolay - 34,540 SATs… HOLY SHITE
  • wardemoff - 5,000 SATs
  • Silas Thornbrook

Thank You To Our Moderators:

Unintelligentseven - Follow on NOSTR primal.net/p/npub15rp9gyw346fmcxgdlgp2y9a2xua9ujdk9nzumflshkwjsc7wepwqnh354d
MaddestMax - Follow on NOSTR primal.net/p/npub133yzwsqfgvsuxd4clvkgupshzhjn52v837dlud6gjk4tu2c7grqq3sxavt

Join Our Community

Closed Network Forum - https://forum.closednetwork.io

Join Our Matrix Channels!
Main - https://matrix.to/#/#closedntwrk:matrix.org
Off Topic - https://matrix.to/#/#closednetworkofftopic:matrix.org
SimpleX Group Chat - SimpleX Chat - Invitation

Join Our Mastodon server!

Follow Simon On The Socials

Mastodon - Simon :verified: (@[email protected]) - Closed Network Social
NOSTR - Public Address - npub186l3994gark0fhknh9zp27q38wv3uy042appcpx93cack5q2n03qte2lu2 - primal.net/simon
Twitter / X - @ClosedNtwrk

Instagram - Instagram

YouTube - https://www.youtube.com/@closednetwork
Email - [email protected]



Special Thanks to EloquentWinter for creating A Linux guide on MAC address randomization

TOPICS

Encourage curiosity - This week's stories share a single thread: someone else holds your data, and therefore holds the power. From algorithmic pricing to supply-chain malware to government scanning to cloud-AI assistants — and the hopeful counter-move, taking your data back. The episode theme is curiosity: in every story, one extra question would have changed the outcome.

Segment 1 — Surveillance Pricing

Inspired by More Perfect Union, “We Found the Radical Solution to Surveillance Pricing”

Surveillance pricing (a.k.a. personalized / surveillance-based pricing) = charging you an individual price based on sensitive data about you — purchase history, browsing, geolocation, social activity, even biometric and financial signals. The economic endgame is “perfect price discrimination”: charging each person their exact maximum.

  • DoorDash holds a patent describing promotions based on a user’s stress level.
  • Delta Air Lines (with AI firm Fetcherr) has talked about expanding generative-AI pricing to ~20% of domestic fares, with ambitions to go further. Senators (Gallego, Blumenthal, Warner) and House members demanded answers.
  • A Groundwork Collaborative / Consumer Reports / More Perfect Union study found different shoppers charged different prices for identical Instacart items. Former FTC chair Lina Khan has voiced concern.
  • The “radical” fix is a law: New York’s proposed One Fair Price Act would ban surveillance pricing outright — one posted price for everyone.

Defensive moves (partial): private/container browsing, block cookies, disable ad personalization, use a VPN, compare logged-out vs. logged-in prices. Honest caveat: this is a structural problem — regulation, not browser tricks, is the real fix.

Curious question: Is this price the market — or is it me being read?


Segment 2 — “Arch malware btw”: the AUR supply-chain attack

Inspired by Michael Tunnell and Switched to Linux — developing story, June 2026.

The Arch User Repository (AUR) is a collection of community-maintained, unvetted package build scripts (PKGBUILDs). In a ~24-hour window, a coordinated attack poisoned a large number of packages — reports cite 1,500+ touched, with community trackers confirming ~400–500 malicious package names and rising.

How: Attackers adopted orphaned packages (abandoned by maintainers — anyone can claim them) and edited the PKGBUILD to add a pre/post-install hook that pulls a malicious npm package, atomic-lockfile (Sonatype tracked one strand as the “Atomic Arch” campaign).

Payload: A Linux infostealer + optional root-only eBPF rootkit. Targets developer secrets — browser creds/cookies, SSH keys, GitHub creds, Vault/npm tokens, Docker/Podman, VPN configs, shell history, Slack/Teams/Discord/Telegram, crypto wallets. eBPF lets it run in-kernel and hide processes/files/connections.

If you were hit and the rootkit deployed: rotate every credential (from a clean machine) and reinstall from scratch. A normal uninstall is not enough.

Status: Maintainers are removing malicious commits and banning accounts; the official repos of Arch-based distros (CachyOS, Garuda, Chaotic-AUR) were not infected — only users who installed/upgraded a compromised AUR package during the window. Community checker script + affected-package list were published within hours.

Action checklist (Arch users):

  1. pacman -Qm → list your foreign (AUR) packages.
  2. Compare against the community list / run the checker script (CachyOS advisory).
  3. If matched → rotate credentials from a clean machine, then clean-reinstall.

Curious habit: Before installing, ask who maintains this, when did it last legitimately update, and did ownership recently change? On the AUR, read the PKGBUILD — the malicious line was visible to anyone who looked.
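Two helpers that turn the checklist and the "read the PKGBUILD" habit into something you can run, as an added example that is not from the show or the Arch project: the first cross-references `pacman -Qm` output against an affected-package list, the second flags lines in a PKGBUILD or .install script that install from the network. All package names, the PKGBUILD fragment and the file name affected.txt are constructed placeholders.

```shell
#!/bin/sh
# Added example; not the show's or the Arch project's own script.
# Sample data is constructed so this runs without pacman or the real list.

# Constructed stand-in for `pacman -Qm` output ("name version" per line).
SAMPLE_QM='yay 12.3.5-1
example-tool-git 1.0-1
another-helper 2.4-2
unrelated-pkg 0.9-1'

# Constructed stand-in for a community affected-package list, one name per line.
SAMPLE_AFFECTED='example-tool-git
another-helper
not-installed-pkg'

# check_foreign_packages QM_OUTPUT AFFECTED_LIST
# Prints installed foreign packages that also appear on the affected list,
# one per line, sorted. Real use (affected.txt is a placeholder name):
#   check_foreign_packages "$(pacman -Qm)" "$(cat affected.txt)"
check_foreign_packages() {
    qm_tmp=$(mktemp) && aff_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u > "$qm_tmp"
    printf '%s\n' "$2" | sed '/^[[:space:]]*$/d' | sort -u > "$aff_tmp"
    comm -12 "$qm_tmp" "$aff_tmp"        # names present in both files
    rm -f "$qm_tmp" "$aff_tmp"
}

# Constructed PKGBUILD/.install fragment with a post-install hook that pulls
# an npm package, the pattern the episode describes.
SAMPLE_PKGBUILD='pkgname=example-tool-git
pkgver=1.0
source=("git+https://example.invalid/example-tool.git")
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
post_install() {
  npm install -g atomic-lockfile
}'

# flag_pkgbuild_hooks SCRIPT_TEXT
# Heuristic, not a malware detector: prints (with line numbers) every line that
# runs a network fetch or package installer, so you read those lines first.
flag_pkgbuild_hooks() {
    printf '%s\n' "$1" | grep -nE '(^|[^[:alnum:]_-])(curl|wget|npm|pip) '
}
```

Any line the second helper prints deserves the questions from the checklist: who added it, when, and does the package need it at all.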


Segment 3 — UK Device Scanning: 90 Days to Comply

Inspired by “Signal’s Warning: The UK’s Phone Scanning Plan Just Got Real”

The UK government signaled that phone makers (Apple, Google) will get ~90 days to start scanning photos on young people’s devices for nude images. Running alongside: Online Safety Act powers for Ofcom aimed at encrypted messaging (key report expected ~April). The mechanism: client-side scanning — every message/image checked on your device, before encryption.

Why it matters: Client-side scanning doesn’t break encryption directly — it inspects content before the lock clicks shut. The “end-to-end encrypted” label survives, but the privacy guarantee (nobody is looking) is gone.

Signal’s position: scanning won’t protect children and builds surveillance infrastructure that “endangers us all.”

  • Security: once scanning exists on every device, the match-database can be expanded — swap it and you’re scanning for slogans, documents, faces. Signal would withdraw from the UK rather than build a backdoor. Mullvad raised parallel alarms.
  • Misdiagnosis: real child safety = better-funded education, social services, AI-platform guardrails — not default scanning. Rallying phrase: “Surveillance is not safety.”

Bigger picture: This is a template (cf. the EU’s “Chat Control”). Sympathetic justification + a mechanism that, once built, can point anywhere.

Curious question: Not “is the goal good?” (it usually is) but “what else can this machine do once built, and who decides what it points at next?”


Segment 4 — iOS 27 at WWDC: the Privacy Fine Print

Apple WWDC 2026 keynote coverage.

Genuine wins: New Siri AI (next-gen Apple Intelligence) uses a tiered architecture — simple requests on-device, moderate ones via Private Cloud Compute (inspectable, hardened). Plus stronger family safety: child-account setup, parental controls, redesigned Screen Time, new Safari safeguards.

The fine print (two concerns):

  1. Total context access. Siri AI indexes across your messages, emails, photos, and apps — a unified, queryable view of your whole digital life. Conversation history syncs via iCloud (“with privacy protections”), but strength depends on whether you’ve enabled Advanced Data Protection (Apple’s E2EE for iCloud — not on by default).
  2. New Google dependency. Apple made official a Gemini partnership — the heaviest reasoning routes to Google Cloud. Apple says queries are anonymized and tokenized so neither Apple nor Google can link them to you (Federighi: “privacy in AI is non-negotiable”). Critics counter that PCC/anonymization is “only as private as the weakest link” — if Google retains any path to usage data for training/debugging, the guarantee weakens.

Takeaway: Apple’s defaults are still among the best of the mainstream — but don’t let “privacy” in a keynote switch off your curiosity. On update: review Siri AI indexing settings, turn on Advanced Data Protection, and understand where your hardest queries travel.

Curious question: A magical assistant that knows everything about you is, by definition, a system granted everything about you. Did you make that trade on purpose?


Segment 5 — Self-Hosting 101: What to Migrate First

Original recurring segment — Part 1 (scope). Part 2 next week: hands-on photos build.

Self-hosting = run the services yourself, on hardware you own, instead of renting space on a company’s servers. It’s the deliberate counter-move to every other story this week. Honest caveat: you become your own IT department (backups, updates, downtime). Don’t eat the elephant at once — scope first.

The five candidates (ranked by impact-to-effort):

  1. Photos — highest emotional and surveillance value (faces, locations, timestamps). Self-host with Immich (Google-Photos-like: app, auto camera-roll backup, face/object search). Difficulty: moderate; biggest single win.
  2. Calendar — a forward-looking map of your life. CalDAV via Radicale or Nextcloud; syncs to your existing calendar app. Easy–moderate; great first project.
  3. Contacts — your social graph (everyone else’s data too). CardDAV on the same Radicale/Nextcloud server — bundle it with calendar. Easy.
  4. File backups — documents and digital paperwork. Often Nextcloud. Warning: follow 3-2-1: 3 copies, 2 media types, 1 off-site. Self-hosting files ≠ backups. Moderate setup; discipline is the hard part.
  5. Application data — notes, passwords, to-dos, RSS, app state. Vaultwarden (passwords), Joplin/Standard Notes (notes), etc. Most advanced — many small migrations; do last, one at a time.

The plan: (1) This week, take inventory — list which categories you trust to which companies. (2) Start with contacts + calendar (one easy, low-stakes project). (3) Graduate to photos. (4) Then files with proper 3-2-1. (5) Pick away at application data over time.

Curious question / DIY threat model: For each piece of your digital life — who holds it, and what could they do with it that you wouldn’t want?


This Week’s Curiosity Challenge

Ask one of these questions about one part of your own digital life:

  • Why is this price different?
  • Who maintains this code?
  • What else can this scanner scan?
  • Where does this query actually travel?
  • Who holds my photos?

Links & Sources

Source videos

Segment 1 — Surveillance pricing

Segment 2 — Arch AUR attack

Segment 3 — UK scanning

Segment 4 — iOS 27 / WWDC 2026