
311: TikTok, wiretapping, and your deepfake voice is your password


Who has been warning Italian criminals that their phones are wiretapped? Can you trust your voice to protect your bank account? And why is TikTok being singled out by investigators?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn't secure it can't access your cloud apps. It's Zero Trust for Okta. Watch a demo today!
  • Drata – Put Security and Compliance on Autopilot. Build trust with your customers and scale securely with Drata, the smartest way to achieve continuous SOC 2, ISO 27001 & HIPAA compliance.

Support the show:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


UNKNOWN. Do you have a particular problem with Angela Merkel? Is it true you called her an unfuckable lard-ass? No, I have never had any problems with Angela Merkel. Smashing Security, Episode 311: TikTok, Wiretapping, Phishing and Your Deepfake Voice as Your Password with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 311. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, who have we got in the hot seat this week joining us?


CAROLE THERIAULT. We have the lovely Dinah Davis. Dinah, it's been, I don't know, a year since you've been on?


GRAHAM CLULEY. Couple of years.


DINAH DAVIS. Yeah, I think so. I'm excited though. I love listening to you guys and I love chatting with you guys, so it's gonna be good. Woo!


GRAHAM CLULEY. And Dinah, tell us what you get up to in the world of cybersecurity these days?


DINAH DAVIS. Yeah, so I've been working with an organization called the Rogers Cybersecurity Catalyst. I'm on their board, and they have been doing amazing work getting much more diverse people into cybersecurity. They're a 9-month speed program out of Toronto. And then just, you know, working with a lot of other startups and trying to help mentor them and help them get off their feet.


GRAHAM CLULEY. Marvelous.


CAROLE THERIAULT. Let's thank this week's sponsors, Bitwarden, Kolide, and Drata. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. Hey, it's-a me-o. I'm a wiretapper.


CAROLE THERIAULT. OK. Dinah, what about you?


DINAH DAVIS. I want to talk about the security value of biometric data.


CAROLE THERIAULT. Ooh, biometrics. And I'll be talking about why some adult TikTok addicts might be despairing. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I want you to imagine the scene. There you are. You are a drug trafficker in Rome, Italy.


CAROLE THERIAULT. I don't know the first thing about that. How could I imagine that? You know—


DINAH DAVIS. I don't know, what kind of drugs here? Does that make a difference? Or—


CAROLE THERIAULT. Yeah, what year are we talking? What city area? Are we in a gang?


GRAHAM CLULEY. We're in a druggy part of Rome, Italy, right?


CAROLE THERIAULT. I'm sure that doesn't exist.


GRAHAM CLULEY. You're checking out your wife's car because you're worried there might be something going on. You find a GPS transmitter attached to your wife's car, and you think, "Oh, what's going on here? Someone is trying to track my movements." It's just embarrassing, the accents, though.


CAROLE THERIAULT. Seriously.


GRAHAM CLULEY. Right? And you're wondering, "Is this the police?" you're thinking. "What's going on?" Might your phone be tapped as well?


CAROLE THERIAULT. Okay, this is moving very fast for your story. So basically, we've got a drug dealer. He's worried that he's being spied upon. He checks his wife's car, finds a GPS, and now is panicking that he's being listened to by somebody.


GRAHAM CLULEY. Exactly. Maybe it is.


DINAH DAVIS. I mean, we have proved that, you know, if they're using a secure phone, that that's not going to be helpful.


CAROLE THERIAULT. Right. Several times on this show, I think, over the years.


DINAH DAVIS. Yeah.


GRAHAM CLULEY. So he thinks, "Could my phone be tapped?" And he calls his friend Camilla, and Camilla says, "Don't worry. I know someone who can find out if you're being tapped or not by the police. I've got a friend at the court," she says. "He does me lots of favors." This woman is 27-year-old Camilla Marianera.

She is a trainee lawyer, and she has allegedly— allegedly, I better say that because she's a trainee lawyer— she's allegedly been finding out who the police are snooping upon in Rome. Now, Italy— you may not know this, I didn't know this until I did some investigations— Italy is apparently the most wiretapped country in Europe.


CAROLE THERIAULT. According to whom?


DINAH DAVIS. Really?


GRAHAM CLULEY. According to Italian politicians. Some say it is more.


CAROLE THERIAULT. Then it's definitely one side, one party says.


GRAHAM CLULEY. They're very reliable, very trustworthy, Italian politicians. Some say it's more wiretapped than anywhere else in the world.

They love tapping phones. In fact, €200 million every year is spent on bugging the phones of hundreds of thousands of mafia mobsters, drug dealers, fraudsters, ice cream salesmen, plumbers wearing dungarees, the whole caboodle of Italian people.


CAROLE THERIAULT. It's kind of weird.


DINAH DAVIS. And probably some poor innocent people.


CAROLE THERIAULT. Yeah, right, just scooped up in the net. But I'm just surprised there's so many gangsters living there because of tax codes in Italy.

Yeah, why wouldn't they go somewhere—


GRAHAM CLULEY. Have you not heard of the mafia? Have you not?


CAROLE THERIAULT. I have heard of the mafia.


GRAHAM CLULEY. There is a criminal contingent. It's not just half a dozen.


CAROLE THERIAULT. I've seen the movies, right?


DINAH DAVIS. I mean, I've never— is that actually true or is it just the movies? I really don't know.


CAROLE THERIAULT. I listen to podcasts, actually. Apparently it is true.


GRAHAM CLULEY. Let's stress to all of our lovely Italian listeners, we know there's lots of people in Italy who aren't criminals, but there is obviously a criminal issue as well, to some extent. And some of them are making a lot of money through things like drugs and human trafficking and all sorts of nastiness. And sometimes people who aren't criminals are getting tapped as well.

So for instance, journalists have had their conversations tapped. There have been journalists who were reporting on immigration and the handling of immigrants. They were being—


CAROLE THERIAULT. Yeah, this has happened in the UK as well. Right?


GRAHAM CLULEY. Yes.


DINAH DAVIS. Yes.


CAROLE THERIAULT. It's not the only country where this has happened. It's just you're saying it's the most—


DINAH DAVIS. Or shockingly, it might be happening in the US. Oh my God.


CAROLE THERIAULT. Dun dun dun.


GRAHAM CLULEY. Oh, as if. As if.

Well, according to Italian prosecutors, it's the only way they can penetrate the mafia and listen to corrupt deals being struck by white-collar crooks, financial fraud, all these sort of things. And so what they do is they ring up the phone company and say, hey, you know, it's the police here. 'Can we monitor this call?' And they say, 'Of course, no problem.'

But when the criminals use an end-to-end encrypted messaging app like Signal to communicate, or as you mentioned, Dinah, one of these many secure messaging apps created by the police—


DINAH DAVIS. Exactly.


GRAHAM CLULEY. —in order to spy on crooks. Yeah.


DINAH DAVIS. Well, in those cases, the police may have to infect the mobile phone with spyware to listen in instead.


GRAHAM CLULEY. Now, what might surprise you is normally right-wing political parties are very keen to clamp down on crime, aren't they? They say, we're tough on crime, we're tough on the causes of crime, we're going to lock people up and throw away the key.


CAROLE THERIAULT. OK, who says that?


GRAHAM CLULEY. Typically right-wing— everyone. Everyone who wants to get elected says, we're going to give criminals a hard time.


CAROLE THERIAULT. OK, right. Yeah. So yeah, politics 101. OK, yeah.


GRAHAM CLULEY. But in Italy, right-wing politicians hate wiretapping.


CAROLE THERIAULT. Some right-wing politicians.


DINAH DAVIS. Because probably they're involved with the mafia.


GRAHAM CLULEY. Yeah, well, that's one theory. Allegedly, allegedly. Yes, careful, Dinah, say, throw some allegedlys in. That could be a reason. Well, the reason that many people think is because they are furious that left-wing newspapers keep publishing juicy stories based on wiretaps. So the police hear all these things being said by right-wing politicians, they tip off the newspapers, who then go and print it in their tabloid newspapers, all the juicy stuff. Do you remember Silvio Berlusconi, former prime minister of Italy?


CAROLE THERIAULT. Yes. How could we forget, Graham?


GRAHAM CLULEY. Come on. He was a proto-Trump, wasn't he? He got into trouble because he used to have parties which were called bunga bunga parties with showgirls.


CAROLE THERIAULT. This is according to the English tabloids, of course, you're getting this information.


GRAHAM CLULEY. And Italian tabloids. I didn't know you read Italian.


CAROLE THERIAULT. Based on your accent, I assumed not, but you know.


GRAHAM CLULEY. 15 years ago, Berlusconi was being investigated. Yeah. And police heard him saying, amongst other things, that he didn't want to hog the attention of all the female guests at a party that he was planning, because he said the 'fuck' must go around. I'll bleep out that word. And in 2014, the BBC's Jeremy Paxman in an interview with Berlusconi, asked him to confirm reports that he had been secretly recorded on a wiretap calling Angela Merkel, who was then German Chancellor— oh yes— an unfuckable lard-ass. Oh my God, yes. Let's listen to that right now. Do you have a particular problem with Angela Merkel? Is it true you called her an unfuckable lard-ass? No, I have never had any problems with Angela Merkel.


DINAH DAVIS. Because that's important. Yes. That, you know, your fuckability is so important as to, you know, what kind of leader you could be. It's incredibly important.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. How many Italian people must have just put— just shaken their heads and just gone, oh my God. It's just so embarrassing.


GRAHAM CLULEY. So embarrassing. So many would like tougher anti-wiretapping legislation to come into force, if only to keep themselves out of the headlines.


CAROLE THERIAULT. Okay, yeah.


GRAHAM CLULEY. But here is this woman. Remember this woman, Camilla Marianera, right? Who allegedly was offering to find out if a suspected drug trafficker's phone was tapped. And guess what? His phone was tapped. Which means that the police heard her, allegedly, offering to find out if his phone was tapped.


DINAH DAVIS. What? Seriously? She's just incriminated herself. Yes.


GRAHAM CLULEY. And so the police, when they heard her alleged claim that she could find the person in the court that she'd just have to pay €300 to, to find out if the tapping was occurring or not, the police then thought, right, we're gonna have to find out who in the court is helping this woman allegedly find out who's being tapped and who isn't.


DINAH DAVIS. Okay, but if you're the person trying to find out if other people are tapped, why would you have any conversations on the phone?


CAROLE THERIAULT. Do they not watch the movies? We know that you go for a walk near a waterfall, right?


GRAHAM CLULEY. She did try. Yes, yes, you could do that. Yes. We know this. She did put the Hoover on. Exactly. She did go to the effort of using an encrypted messaging app. So she was using the Signal app. She was making a voice call via Signal.


DINAH DAVIS. I use Signal. Yeah, I use Signal too.


GRAHAM CLULEY. Yeah, right. So we all use Signal. I didn't—


CAROLE THERIAULT. I'm not confirming or denying anything like that. I'm not complaining about that.


GRAHAM CLULEY. No comment, Your Honour. No comment.


CAROLE THERIAULT. Yeah, that's my voice as well. He's so good at accents, eh?


GRAHAM CLULEY. Anyway, what she didn't realise was that just using Signal, even though Signal isn't one of those apps written by the police, as far as we know, the police had installed a Trojan app on her phone and could monitor— they managed to do that and could monitor her communications.


DINAH DAVIS. So they must have known something before that then.


GRAHAM CLULEY. Oh no, I'm sorry. I've misled you. My research was failing. So they had the guy tapped. They had the alleged drug dealer tapped.

Then they saw that he was having a call with her. And then they put spyware on her phone to see who else she was speaking to, because allegedly she was using Signal.


CAROLE THERIAULT. Sounds like a fun place to live, eh?


GRAHAM CLULEY. Well, exactly. So, she was heard, allegedly, on this call saying she'd make contact amongst the people who have the headphones on. So, she was gonna speak to the wiretappers to find out if they were wiretapping this other guy.

Meanwhile, not realising the wiretappers were listening to her. Hopefully different wiretappers.


DINAH DAVIS. Inception of the wiretapping.


CAROLE THERIAULT. You should have called this a Bungle Bungle Party Part 2.


GRAHAM CLULEY. So she has been, allegedly, she's refused to name her sources inside the court. She apparently has told accomplices that she's been very careful.

So she only meets her contact, she only makes contact with him when she's got a list of people that she wants to check, not just one by one. And they phone each other up, they let it ring a number of times, then they hang up, and this means, "I'm ready to receive, you know, your message or your list or whatever."

So there's all kinds of cloak-and-dagger stuff going around. Any horses' heads?

No horses' heads as far as I know.


CAROLE THERIAULT. What? It's from The Godfather.

Oh, right.


DINAH DAVIS. Yeah, yeah, yeah, yeah, yeah.


GRAHAM CLULEY. Okay. So— Camilla Marianera. She's now under arrest.

She denies all wrongdoing. Her father just happens to be a convicted drug dealer. That's maybe how she became a lawyer.


DINAH DAVIS. Oh my God.


GRAHAM CLULEY. Dinah, what have you got for us this week?


DINAH DAVIS. Yeah, so I wanted to talk about the value of biometric data. So Graham, Carole, how many kinds of biometric data are you currently using in your daily life?


CAROLE THERIAULT. Can you define it for me just so I make sure I don't look dumb later?


DINAH DAVIS. Fingerprint, iris scan, face scan, that kind of stuff.


GRAHAM CLULEY. I think the only one I'm doing is fingerprints on my phone. So I don't have Face ID turned on.

I don't bank with anyone who asks to hear my voice. So yeah, finger and thumbprint, I suppose.


CAROLE THERIAULT. I don't even use that. I have actually a password.


DINAH DAVIS. So I have fingerprint for my phone and my laptop and my iPad, 'cause I guess I'm lazy. And then I also have a Nexus card.

And so if you don't know what that is, it's basically a program between Canada and the US that lets me go in and out of the US much more easily.


CAROLE THERIAULT. It's the aisle in the airport that you watch them go to, ding, ding, ding, and you're, no, no, I hate you.


DINAH DAVIS. Yes. And especially since I live close to Toronto Pearson, and that place is a horror show, it is very important to have the Nexus card.


CAROLE THERIAULT. Yep. I can imagine.


DINAH DAVIS. You get through everything, but it's a very difficult airport. Yeah, they have my facial fingerprint and retinal data.

And in the past, I have also used my voice. I don't think it was for banking though. I think it was for Aeroplan points, which if you don't know what that is, it's just flying points with Air Canada.

So two weeks ago or something, I heard you guys talking with Dave Bittner and you were talking about the AI-generated voices with a company called ElevenLabs, right? And it lets you make replicas of people's voices and you know, Dave played an example and it was really good.


GRAHAM CLULEY. I thought it was amazing 'cause it really did sound like Dave, didn't it? I mean, you could tell it was him.


DINAH DAVIS. It did. It really did.

So that was interesting. And then I came across an article by Joseph Cox and he decided to see if he could break into his own bank account via the telephone system using ElevenLabs.

So long story short, he totally did it. But so he put a whole bunch of samples of his voice into ElevenLabs. Then he called the bank and only using files and audio clips from ElevenLabs, he was able to log in.


GRAHAM CLULEY. Welcome to Lloyds Bank.


CAROLE THERIAULT. So we can get you to the right place in your own words, please say the reason for your call.


DINAH DAVIS. Check my balance. Okay, please say or key in your date of birth. Please say, my voice is my password.


GRAHAM CLULEY. My voice is my password.


DINAH DAVIS. Thank you. He was able to check his balance, list all of his recent transactions and transfers, and I mean, who knows what else he could get up to, right?


CAROLE THERIAULT. Do you continue banking with a bank after you've done that? Because that must piss them off that someone, a journo, does this and then writes about it. I wonder if you clean out your account before you publish, just in case.


DINAH DAVIS. I don't know. I mean, I feel I would. I think I would too.


CAROLE THERIAULT. I bet he did.


DINAH DAVIS. Yeah. So that made me think about okay, but what should we be using biometric data for? And when is it okay?

And the thing is I can't change my fingerprint, right? If somebody's got it, it's gone. It's gone for life.

And you know, I've seen it happen 'cause when I worked at BlackBerry, we were putting fingerprint scanners into these smart card readers we were building for the government. And we would try and practice to see how many times we could get a gummy bear to lift a fingerprint and then use it.

'Cause we thought I mean, is this a real attack vector or not? I mean, things have gotten a little bit better, but still, it's not good. The security of just a fingerprint alone is not strong.


CAROLE THERIAULT. Right? Yeah, that's so scary. And so many people are in prison based on that. You know, I'm just saying, forensically.


DINAH DAVIS. Right. And so I thought, okay, well, I use it. I do use it all the time.

My daughter even can access my phone because I put one of her fingerprints in it so she can change the music while we're driving. Okay, well, why is that okay or not okay? You know, somebody close to me could easily get into my phone, right? If I had Face ID or fingerprint while I'm sleeping, no problem.


CAROLE THERIAULT. They can get in. You have the phone in front of them and then you scare them so their eyes open and then you catch it. That's what you gotta do.


GRAHAM CLULEY. Or if you're drunk as a skunk and, you know, careering around your living room. Yeah, they could do, yeah.


DINAH DAVIS. But presumably I trust these people anyway, right? They are my family. So I trust them anyway.


CAROLE THERIAULT. You're lucky. No, I'm kidding. I was kidding. My husband's gorgeous. I'm just kidding.


DINAH DAVIS. I'm just kidding. But what happens if you leave your phone on a plane? Which, by the way, I did this year, which is a horror show. You don't ever want to experience 16 days without a telephone.


GRAHAM CLULEY. Forget Snakes on a Plane. But yeah, forgetting your phone on a plane is even worse.


DINAH DAVIS. Yeah, in New Zealand. In New Zealand on your way home. Oh, yeah. I got it back. I got it back. And I wiped everything remotely. Yeah. So I was okay. I wasn't worried someone was getting in with my fingerprint ID. Right. So if I randomly leave it someplace, I'm not worried about that. And it's more likely they would try to, you know, brute force the password on it or whatever. Yeah. So I feel that okay, convenience is possibly a good use of it. It makes it super easy for me to get in. There's always this balance of cybersecurity and usability. We all know that the best thing would be this amazing 12 to 18-digit password that no one else knows. But that's not very convenient to put into your phone all the time.


CAROLE THERIAULT. So, no, it's irritating actually. I can tell you from my own.


DINAH DAVIS. Yeah.


GRAHAM CLULEY. Oh yeah. Carole, if it's irritating, I've got a great suggestion for you. You could just have 12 letters A or something, or, you know, you don't have to have a complicated password. Yeah. Just have a really easy one.


DINAH DAVIS. And then I was thinking, okay, what about my Face ID for country entry? Right. That seems maybe it should be more serious, right? What happens then? But then I'm thinking, okay, well I have to walk up to these booths, right, that scan my face. I put my passport in and so I need to be there in person. So unless you're gonna go all Mission Impossible, you 3D print somebody's face, put the mask on, and then use my passport, I think it's okay.


CAROLE THERIAULT. I thought when you said Mission Impossible that you would actually use some wires to go above that whole fiasco and just fly over the border control.


DINAH DAVIS. Remember, they're always peeling off a face. That's true. I was peeling off the face. So I think for some things biometric data is perfectly fine. I think getting into your bank account, things for that are online only, I think maybe no. The voice, I think it's a total no now. Maybe only as a two-factor, but I wouldn't—I would totally not be cool if my bank account—


GRAHAM CLULEY. What if they made you do a funny accent for the voice when you log into your bank accounts?


DINAH DAVIS. I don't think that matters, does it?


CAROLE THERIAULT. So—yeah, your Italian accent. That would be really good. Exactly, exactly.


GRAHAM CLULEY. If they've only got samples of your regular accent, and they don't know what you sound like if you're pretending to be French, for instance, Dinah, then I'm just thinking the bank could record that. And I'm similarly thinking with facial recognition. If they asked you to gurn, pull a particularly ugly face. So again, if your real face is something which is shared with the public, you're not normally gurning or doing some really ugly thing. I can picture people doing that as they try and get through passport control. Just a thought. Just a thought. These are just ideas. I'm just sharing them with the world.


DINAH DAVIS. I don't think it actually works that way.


GRAHAM CLULEY. It does not? Carole, what have you got for us this week?


CAROLE THERIAULT. Before I start, do either of you TikTok? No. Okay, you laugh. You laugh, okay?


DINAH DAVIS. I'm thoroughly addicted to Instagram, and I know that if I went into the TikTok world, I would not escape it. So yeah, I loaded it once on my phone and realized how addictive it was, and I'm like, nope, this can't be on my phone.


GRAHAM CLULEY. Yeah, I don't think anyone wants to see me dancing, so I'm not going to become a TikToker.


CAROLE THERIAULT. Yeah, but not even a TikToker, but someone who also just hoovers all that stuff up, one of these talker stalkers.


DINAH DAVIS. Realistically, I am still seeing all the TikTok content on Instagram, so I guess republished, I see.


CAROLE THERIAULT. Yeah, well, the thing is, I would call it an internet sensation, right? But it's starting to worry governments and institutions. And we're going to endeavor to try and answer the hot question, what they are worried about. What are you guys worrying about?


DINAH DAVIS. Are they worried that it's run by a Chinese company?


GRAHAM CLULEY. I would be. China seems to come up a lot, doesn't it, as a complaint about it?


CAROLE THERIAULT. Yes, because it started off as Musical.ly, right? And it was a platform to share lip-syncing services in 2014. But 4 years later, Chinese firm ByteDance acquired Musical.ly and renamed it to TikTok. And it became more than just a platform to lip sync, right?

It's now called a short-form video hosting service, and it's used by millions.


GRAHAM CLULEY. My niece is an athlete, and she competes at hurdles and she's very good. And she told me she put up a video on TikTok the other day and it had half a million views. It's unbelievable.


DINAH DAVIS. That's a lot. Wow. So it is extraordinary.


GRAHAM CLULEY. Now it may be that they repeat themselves all the time and maybe she left it on all night. So it was just playing. I don't, but still, I mean, she got to half a million.


CAROLE THERIAULT. Wow. Yeah, that's amazing maths there.


DINAH DAVIS. I think that'd be a bit hard to manufacture, but okay. All the bots, all the bots.


CAROLE THERIAULT. All the bots in the whole world. Well, you know, according to Cloudflare back in 2021, it was actually, it made it to number one position ahead of Google too. Can you believe that?


DINAH DAVIS. Yeah, I mean, we were all really bored in the pandemic, so I think there was a serious amount of TikToking happening, right?


CAROLE THERIAULT. And it's gone back down, so it's now below the other main socials— the Instas, the Twitters, the Facebooks, right? As a non-TikToker, I was okay, well, let me just see what's hot right now. What's going on in the TikTok world?

And so I saw one news piece about a TikToker who quits every job she's ever had over the most minor inconveniences. This is what her channel focuses on, apparently. Quote, I started doing this thing where I could clock in and I would sit in the break room for 10 hours every single day. And I did this for a month until I got caught. And then they wanted me to explain myself. So I just quit. So, you know, this is intense.


DINAH DAVIS. It's a high quality kind of person there, you know, right.


CAROLE THERIAULT. And the other one was this UK TikTok star radio presenter attempted to do the world's highest pancake flip. And in the article I saw, it didn't even explain if he managed it or not. He went up the I360 in Brighton and then flipped a pancake while up sailing down the viewing tower. So, you know, I'm just thinking really important stuff, right?


DINAH DAVIS. Yeah, I'm pretty sure TikTok's just full of all of that because my Instagram feed is full of all that stuff too, right?


CAROLE THERIAULT. So why the heck are some high-powered folks not happy? Because this week the European Commission announced its ban of TikTok from government-issued devices. So more than 35,000 workers are to remove TikTok from official handsets as well as personal phones with access to EU Council services. And it cites, as you predicted, growing concerns about the Chinese-owned video sharing app.


DINAH DAVIS. Well, think about this though. Think about this. What permissions does TikTok need for you to be able to post TikToks, right? It needs microphone, it needs video. It probably needs access to storage folders to pick up videos you've already played.

And you're not a savvy person and say only while in this app. And even then, what else are they doing? They've got the permissions. They can be going through the rest of your document folders. So I think it's not necessarily what the app can do or what it's supposed to do, but what it can do clandestine, behind the scenes. Totally, 100%.


CAROLE THERIAULT. And the EU Commission agrees with you, I think. So they say that workers are required to remove the app at their earliest convenience, quote unquote, as long as that's before March 15th, at which point devices with the app installed will be considered non-compliant within the corporate environment.


GRAHAM CLULEY. And blown up, exploded, destroyed.


CAROLE THERIAULT. Well, if they miss this 2.5-week deadline, the Commission's email and Skype for Business will be bricked, apparently. No, they're not playing around.


DINAH DAVIS. So do none of these devices have MDM on them?


GRAHAM CLULEY. I don't know. Yeah, to do it remotely.


CAROLE THERIAULT. Yeah. See, I wonder if it's in some environments it's your personal phone but it has more capabilities. So there, that's the one. So if it's the work phone, if it's a device provided you by work and you then install TikTok on it, yeah, that's easy. They can say, and they say take it off. That's kind of, you can understand that. But if it's your own personal phone that they've asked you to bring into the office and access certain device, you know, through certain apps, it's a different kettle of fish.


DINAH DAVIS. Can they legally do that? Can they legally tell you what can be on your own personal phone? Because I know that's come up a lot at different places that I've worked, right, where you bring your own phone and then you basically— they have a management tool that allows you to work apps onto your phone and then nothing from your phone can talk to those work apps, right? They were always very clear to say, we cannot see anything on your phone, we cannot delete anything on your phone that's not inside the work app part.


CAROLE THERIAULT. So that's until bossware came along.


DINAH DAVIS. Well, I mean, that's what they were saying because they probably presumably want to at least appear to be good companies and be good companies, right? So that's interesting. Can they force you to do stuff with your own personal items?

I mean, they can just go all NSA and CSE on you and make you leave your phone at the door and not allow you to take any personal device into the office at all.


CAROLE THERIAULT. And that's true. And the EU Commission is not the first governmental organization to do this. The FCC last year called on Apple and Google to remove TikTok from the app stores. Do you remember?


DINAH DAVIS. Yeah. I do remember that.


CAROLE THERIAULT. Yeah, over its pattern of surreptitious data practices following a report which revealed that ByteDance officials in Beijing had repeatedly accessed TikTok sensitive data that it had collected on US citizens. I suspect these balloons that have been floating around are probably getting people even more nervous about it. The Wi-Fi beeps.


DINAH DAVIS. Are they just to help the TikTok service? Is that what they are? They connect to TikTok?


GRAHAM CLULEY. I thought the balloons were controlled by TikTokers who were taking drone footage of themselves flipping pancakes while they abseiled down buildings.


CAROLE THERIAULT. The thing is though, TikTok is trying its darndest to avoid this type of situation because a few days ago they announced two more data centers will be placed in Europe to really underline the fact that European data put on TikTok will stay in Europe. But they may have been too late because also in the news this week is Canada, Dinah, you're in my homeland.

Yeah, because soon after the EU Commission's announcement, Canada's privacy protection regulators launched an investigation into TikTok over its collection of user data. So, and they initiated it in the wake of now settled class action lawsuits in the United States and Canada, as well as numerous media reports related to TikTok's collection, use, and disclosure of personal information. So they're basically saying we have total right to do this based on the evidence we have collected so far.


DINAH DAVIS. Okay, but here's another question.


CAROLE THERIAULT. Go.


DINAH DAVIS. How is this any different from what Facebook or Google or Apple—


CAROLE THERIAULT. Not owned by ByteDance, not owned by ByteDance, not owned by ByteDance.


DINAH DAVIS. Yeah, I think it's just, it's not a Chinese company. Is that— is it? So it's okay as long as it's not a Chinese company?

Oh God, we live in a weird world.


CAROLE THERIAULT. I hear you. But if we come back to what we were saying before, right, it does collect a lot of information. Those other apps do it too, right?

Microphones, phone access, all that stuff. But weirdly, and it's just interesting to watch right now, so politically, the BBC reports that the UK is not yet following suit.

So UK Prime Minister Rishi Sunak is resisting calls to ban government officials from using TikTok amid renewed concerns from some Conservative MPs. So Alicia Kearns, she's the Commons Foreign Affairs Committee chairwoman.

She's leading the call for the UK government to follow the European Commission. So it's hot waters right now for TikTok, right?

Yeah. The thing is, what are they worried about? The other question, I guess, because I asked you at the beginning, if you had TikTok, if you were TikTokers, what adults in very important jobs in government actually have TikTok on their phone?

Oh, probably lots actually.


GRAHAM CLULEY. I think you'd be surprised, Carole.


DINAH DAVIS. Yeah, I think so. I mean, you asked some security-conscious people, right, about it, and I knew about the China thing, so I haven't loaded it as well as I think it will be too addictive for me.

But I'm also— but so we are not— I don't think we're the target audience here.


CAROLE THERIAULT. I know, but you could just imagine you're walking down the halls of power and you're seeing people reading memos on their phone. No, no, they're just giggling cats bouncing on trampolines in time to Bonnie Tyler or something.


GRAHAM CLULEY. Hang on, I'm joining TikTok if they've got stuff like that on it.


DINAH DAVIS. That sounds great. No wonder we're freaking doomed, guys.


CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem.

It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.

Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.

The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.

Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more?

Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.


GRAHAM CLULEY. Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password?

Well, now you do! Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.

With Login with Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool.

And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level.

These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing.

That's bitwarden.com/smashing.


CAROLE THERIAULT. When do you have insight into your compliance, security, and risk postures? If it's right before an audit, you're in the same boat as many other organizations.

With Drata, G2's highest-rated cloud compliance software, you'll have continuous monitoring and visibility into your risk security controls and audit readiness. For standards like SOC 2, ISO 27001, GDPR, HIPAA, and more.

Plus, Drata can streamline compliance for over 14 frameworks and even automate the custom frameworks and controls you create to meet your organization's unique security needs. With more than 75 native integrations and a risk management solution, you'll have a tool that will scale with you.

Professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it has been to have Drata as their trusted compliance partner. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata.

That's D-R-A-T-A.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we call Pick of the Week.


DINAH DAVIS. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week is not security related. Good.

I want to cast my mind back to when I was a young man going to school in 1980. There I was, I was out of shorts.


CAROLE THERIAULT. I was thinking of the '30s there for some reason.


GRAHAM CLULEY. I know, but there I was in short trousers walking into school.


DINAH DAVIS. What I want to know is what kind of hairdo did you have in those nights?


GRAHAM CLULEY. I was probably a mullet.


DINAH DAVIS. Did you have the mullet?


GRAHAM CLULEY. I was very, very square. I was the only kid at school who had a briefcase.


DINAH DAVIS. Did you really? Cool.


CAROLE THERIAULT. I had a briefcase, yes, and a shoelace for a zipper as well. But that's for another show.


GRAHAM CLULEY. That's the best. Anyway, I remember that one of the pressing issues at the time in the very early 1980s was, of course, the threat of imminent nuclear war. And there were sort of infomercials on the TV.


DINAH DAVIS. That just took a dark turn.


CAROLE THERIAULT. Yeah, no, comedy show, comedy show.


GRAHAM CLULEY. Well, that's what it was. That's what it was. When I was about 11 or 12, there was lots of talk about that and painting your windows to stop the radiation blast, hiding under the table, that kind of thing. And it was something we were quite worried about. This was sort of pre-Gorbachev, and it seemed to be quite a possibility.


CAROLE THERIAULT. You listen to a lot of Sting?


GRAHAM CLULEY. No, things were never that bad, Carole. But in 1980, Tyne Tees Television in the UK, they put out a magazine show for teenagers called Check It Out.

You know, those sort of TV shows they put on for teenagers where they're all really hip and they're wearing multicoloured dungarees and things like that, being very friendly. Hello, everybody. Hello. And today we're going to tell kids in the northeast of England the lowdown on nuclear war.

And so you can watch this 20-minute programme. This actually happened. This actually happened. You can watch this programme on YouTube.

It's a delight from start to finish. The entire glorious episode is up there and you will see them in all their multicolours being very upbeat. As they explain how to use a chemical toilet and packing your baked beans and things which you can.

And this was put out at sort of tea time for teenagers. If there was a nuclear war, what horrors could we expect? Well, imagine a 1-megaton bomb hitting Tyneside as a ground burst and the same size bomb on Teesside exploding as an air burst.

What? On Tyneside, everyone within a mile of the blast would be killed, and there would be heavy damage for up to a 2.5-mile radius. This pamphlet would be given to every household if war threatened, with hints on turning your home into a shelter.

And this was put out at sort of tea time for teenagers. And I was watching this thinking, wow, what a wonderful thing that we're not living in that era.

Well, maybe we are actually. Maybe we are. We're just blind to it. Maybe we should be worried about this.

Do you like the screenshots I've included there? Someone described it as like having a nuclear holocaust explained to you by Rod, Jane, and Freddy from Rainbow.


CAROLE THERIAULT. I did. Oh my God, those are—


DINAH DAVIS. Oh my God, yes, yeah, yes, that's incredible. But look at that chemical toilet is made out of a garbage can.


GRAHAM CLULEY. Yeah, it's a cat litter chair where they've taken the—


DINAH DAVIS. They've taken the top of the chair off and they've got pink toilet paper beside it because apparently you need pink toilet paper, which is probably something you could get in the '80s because, you know, people like to coordinate their bathroom colors.


GRAHAM CLULEY. But it is a fascinating time capsule. And so that, and I'll link to it in the show notes, is my pick of the week. Check it out.

The TV programme for teenagers in 1980. Wonderful. Dinah. No words. What's your pick of the week?


DINAH DAVIS. I have to follow that one up. And it's a more serious topic, but okay. So, I grew up in Winnipeg, Manitoba, which is in Canada. Manitoba has the highest proportion of indigenous people of any province in Canada.

So I definitely, I grew up amongst and around a lot of different indigenous people. And there's an indigenous group of people that is really unique to what they call the Red River Valley, which is this area of Manitoba, Saskatchewan, North Dakota, and they're called the Métis Nation.

And yeah, the Métis Nation. And their experience is much different from that of the Inuit or First Nations groups. They are descendants of First Nations women and a group of European men called les voyageurs.


CAROLE THERIAULT. Oh, and for our non-French speakers, it just means voyagers.


DINAH DAVIS. Yeah, the term voyageurs originally described all explorers that came, you know, to Canada for exploring, fur trade, all that kind of stuff. Trees. Yeah. To freeze, to hopefully not die of scurvy.

Eventually they became, it centered on one specific group that were basically these groups of mostly French Canadians, very young in their early twenties and stuff. And they would be in these big canoes of 20 people in a canoe.

And one of the things in—and basically I'm gonna recommend a book here, but in this book that I've been reading, I'm all over the place. It's all good.

But in this book, one super cool thing that they talk about is that they used to go and canoe and travel for 16 hours a day at a paddle rate of 60 paddles per minute.


GRAHAM CLULEY. No crumbs.


DINAH DAVIS. For 16 to 20 hours, right? And the way they kept up this beat or whatever was they sang. And so they have this really rich history, right?

And it's often romanticized in places like Manitoba. I have fond memories of the Festival du Voyageur as a kid and eating bannock, which is this awesome bread that the Indigenous people make over a fire. And of course maple syrup snow popsicles.

If you don't know what that is, you basically pour maple syrup on snow.


CAROLE THERIAULT. Yeah. Not yellow snow.


DINAH DAVIS. No, not yellow snow. We learned that very young. But I also remember doing a report on Louis Riel in high school, and he's kind of this, I mean, in the end he's a martyr basically of the Métis Nation, but he was a very strong political person.

And they weren't treated very well. They weren't First Nations, so, you know, they didn't fit in there. They weren't Inuit, they weren't European, they didn't fit in there.

And the best way to describe how the British, French, and later definitely the Canadian is that they basically, it was a genocide. And it, you can't even describe it in any other.

So this book is written by Jean Teillet. I hope I said her name right. I don't know.

But she is the great-grandniece of Louis Riel. She is an Indigenous rights lawyer and highly respected in the Indigenous community, and the book goes through and talks about it basically from the early 1800s all the way to today and how this group of people was treated. And I just think for any Canadian, it's almost a must.


CAROLE THERIAULT. Guilt trip.


DINAH DAVIS. No, I'm kidding. And it's just really interesting. So, the book is called—I never even said that—The Northwest Is Our So that's my pick of the week.


CAROLE THERIAULT. Hey, so it's "The Northwest Is Our Mother," and the author is? Jean Teillet.


DINAH DAVIS. I guess it's T-E-I-L-L-E-T. Cool.

Fantastic. I've sorted out Carole's Christmas present.


GRAHAM CLULEY. As a Canadian, she should be listening to that. Yeah. Carole, what's your pick of the week?


CAROLE THERIAULT. Yeah, well, before I get into that, I'd just like to thank you both for teeing me up with, you know, nuclear holocaust and genocide. So thanks very much.

We're very cheery today. My pick of the week, listeners, is a new streaming series.

It's basically for those people who like smart relationship dramas. It's called Fleishman Is in Trouble.

It's based on a book, right? I wish so much I had read the book before I'd watched the series.

The book, I just never got into my echo chamber, and then the series was there and I just ran to it. So, just setting the scene, Toby Fleishman is played by Jesse Eisenberg.

He's a recently divorced New Yorker in his 40s, and he starts using dating apps for the first time. And while he finds lots and lots and lots of romantic success, a surprising amount of romantic success that he never achieved, you know, in his youth before that, his ex-wife Rachel, played by Claire Danes, disappears.


DINAH DAVIS. This took a turn I did not expect.


CAROLE THERIAULT. Okay, right, right. So, and I'm hoping that's not giving anything away, but I don't think it is.

I think that happens fairly early in the show. And but there's a lot of twists and turns in this, and you have to watch a man learn how to multitask more than he ever had to before because, you know, he's got the children, he works at a hospital, he has all these sexual partners, right?

In Manhattan. So, it's hard to balance and juggle all that.

But, you know, he also is really wanting to find where his wife is. So, that's the story.

And the whole thing is narrated by Toby's uni friend. So, you're not ever sure whether she's reliable or not.

You see what I'm saying? And I think that's the secret sauce of the whole show.

Because you watch it closely and you're "Ooh, that sounds interesting. That makes sense.

But is she reading that? Or does she know that?"

So that's what I think keeps you going. Anyway, I thought it was great.

Except for there's a lot of sex. So, oh, God.

Or nude scenes. A lot of, yeah, a lot of self-love.

A lot of self-love. Oh my goodness.

But the show is good. It has an unusual rhythm.

It feels— it has nice honesty to it. So two thumbs up.

That's not a euphemism from me. Fleishman Is in Trouble streaming on FX and Hulu.

And it's my pick of the week. Fantastic.


GRAHAM CLULEY. It's the guy from The Social Network, isn't it?


CAROLE THERIAULT. Yeah, The Social Network. Yeah.

See, I don't find him at all attractive physically.


GRAHAM CLULEY. No? You wouldn't give him two thumbs up?


CAROLE THERIAULT. No. Not in that— I would kick him out of bed for eating crackers.


GRAHAM CLULEY. Anyway, that just about wraps up the show for this week. I think we should get out of here before we're arrested.

Dinah, I'm sure lots of our listeners would love to follow you online and find out what great stuff you're up to.


DINAH DAVIS. What's the best way for folks to do that? LinkedIn, Dinah Davis, and also you can follow codelikeagirl.io, which is my online publication where there's lots of different women telling their stories in technology.

Cool. Super.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity. No G, Twitter @SmashinSecurity.

We also have a Mastodon account. You can find it most easily by going to smashingsecurity.com/mastodon.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.


CAROLE THERIAULT. And huge, huge shout out to this episode's sponsors, Kolide, Bitwarden, and Drata, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 310 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye-bye.


CAROLE THERIAULT. Woo! Well done, Dinah. Thanks so much. Thank you, Dinah.


DINAH DAVIS. Yeah, no problem. Thanks for having me on. I really love it. It's so much fun. Oh, yay.


CAROLE THERIAULT. Well, now that we know that you're free and easy, we'll have loads of time. She's not working. She's free and easy.


GRAHAM CLULEY. She's still doing stuff, girl.


CAROLE THERIAULT. Sure.


GRAHAM CLULEY. She understands what I mean. I don't think she's worried. Yeah.

-- TRANSCRIPT ENDS --