Buzzfeed's AI Ads Are a Disaster

This episode is brought to you by Life Lock.

It's Cybersecurity Awareness Month, and Lifelock has tips to protect your identity.

Use strong passwords, set up multi-factor authentication, report phishing, and update the software on your devices.

And for comprehensive identity protection, let LifeLock alert you to suspicious uses of your personal information.

LifeLock also fixes identity theft, guaranteed or your money back.

Stay smart, safe, and protected with a 30-day free trial at lifelock.com/slash podcast.

Terms apply.

Hello, and welcome to the 404 Media podcast, where we bring you unparalleled access to hidden worlds, both online and IRL.

404 Media is a journalist-founded company and needs your support.

To subscribe, go to 404media.co,

as well as bonus content every single week.

Subscribers also get access to additional episodes where we respond to their best comments.

Gain access to that content at 404media.co.

I'm your host, Joseph, and with me are 404 Media co-founders Sam Cole.

Hello.

Emmanuel Mayberg.

Hello.

And Jason Kebler.

Hi.

I'm not going to lie, I went on complete autopilot while reading out that intro.

And then you start having the metaphors of, wait, I'm still talking, but did I do the line correctly?

And then, anyway, the time has passed.

You did it great.

That's perfect.

When you've been out, I've tried to remember what you say, and

it's hard to remember.

That's why I literally read it.

One episode, I was just like, Hey,

what's up?

And intro anyone or the podcast.

Wait, you've been reading it?

I thought you did it from memory, to be totally.

No, no, no, no.

I read it every single time.

There's a Google Doc.

Got it.

Not that impressive.

Let's start with a story from Emmanuel.

AI-powered BuzzFeed ads suggest you buy hat of man who died by suicide.

Before we get into what went wrong, Emmanuel, which is obviously quite clear in the headline, but what is this AI-based advertisement system that BuzzFeed is using?

So I want to explain this by first talking about affiliate links, because I think most listeners are probably familiar with this.

Affiliate links is when you go to a website, you read a story, and whether the story is a review of a product, a bunch of products, or it's not a review of any kind, but happens to mention a few products,

you can click on a link

that takes you to an Amazon store page or some other online retailer.

And if you end up clicking those links or buying an item via those links, then Amazon makes a sale, and the publisher that included the affiliate link gets a very small cut of that sale.

And this is something that's become popular, like an effective way for publishers to monetize in recent years.

Very common.

I'm sure people have seen it

on BuzzFeed, Advice, where we used to work, other websites.

What this company called Trendy, which is based in Australia, what is that?

It spells T-I-E-N-D-I-I,

which is an interesting spelling.

Yeah, I got to do it for the SEO, you know.

So, this trendy company, they are basically taking the same scheme, but trying to do it for images rather than text.

So, you'll read a story.

The story will have images in it.

They have

an AI model that recognizes objects in images.

It tries to match match the, let's say, shirt or shoes in an image to a participating trendy retailer.

And you can click on a button on the image that says shop this image.

It will bring up a bunch of products that look like the items in the image and send you to the relevant store in order to buy them.

And in the same way,

if you make a purchase, and sometimes

if you click, it's enough for the publisher to monetize that content.

Yeah.

And I mean, that sounds harmless enough, right?

I can imagine that would have been very useful for BuzzFeed if they had that technology when they did the dress article.

You know, is it blue and gold or whatever?

Everybody's trying to

buy that dress.

That being said, this technology is obviously from this year.

2024 and it's been applied to articles that were written a lot earlier, right?

Like it's not just new stuff that's coming out, it's applied to articles that have been on the website for some time.

Is that right?

Yeah.

Yeah.

So,

you know, in the past couple of years,

a bunch of new media companies have totally collapsed.

Vice, that we have survived is one of them.

BuzzFeed is another one.

I used to read BuzzFeed all the time.

They had like a very good, vibrant newsroom that breaking news, investigative features just like really well-written award-winning articles and the way that i found out about this story the fact that they even implemented this trendy technology is a 4-4 media reader was researching this uh condition i've never heard of called empty nose syndrome um and basically

This is a condition where you feel like your airways are obstructed, even though medically

they are not.

It just feels that way.

It kind of feels like you're drowning.

It's this really awful condition, which in some rare cases have caused people to take their own lives because they like couldn't deal

with the symptoms.

And he was researching this, and he landed on a really well-written BuzzFeed article about empty nose syndrome.

And that article opens with this really sad anecdote about one of these people

that took their own life because of this condition.

And the article includes

a very, you know, sad image of this guy with his young nephew, I think it is.

And the shop this image

button appeared on that photograph and suggested that he buy a beanie or something that looked like the beanie that he was wearing in that photograph.

And he flagged that to me.

And I went poking around, learned more about this trendy company,

checked out some other sites that they work with, but really digging into BuzzFeed because it has

so many articles and such like a

huge back catalog of articles and to see how it was implemented.

And

the short version is that it was implemented basically everywhere, which resulted in some like really inappropriate monetization of

horrible images.

Yeah, I don't think this is what trendy intended.

And I mean, we'll get to their statement in a minute, right?

But I guess it's a well, to be charitable, it's an unforeseen consequence, right?

So when you were going through the BuzzFeed archive and seeing how else Trendy had sort of been, you know, implemented on some of these articles or what Trendy was doing, what were some of the other examples?

I think there was one from the Challenger team, right?

And what was that one one and what were some of the other ones?

Yeah, so the

I would say like least appropriate implementation here is like a classic

type of BuzzFeed article.

It's titled 17 Creepy, Disturbing, and Terrifying Things I Learn about this, learned about this month that I really, really, really, really cannot keep to myself.

Classic BuzzFeed.

A great BuzzFeed article.

And this is actually from like the post-BuzzFeed News Collapse.

Right.

And it's just like a listicle with a bunch of

disturbing

factoids that are like ripped from the news or Wikipedia articles and stuff like this.

And yeah, there were some really unfortunate attempts to monetize images of, there was the famous 1986 Challenger disaster where the space shuttle exploded shortly after launch and all the astronauts died.

So there was an image of that crew and the shop this image button tried to monetize

their

blue uniform and match it to like blue puffer jackets that people can buy.

My favorite one, which is, I would say, less tragic and more funny, is this really early

medical illustration of

some of the worst symptoms of syphilis that can cause like this rot in your face.

And the trendy this image button matched that

color of the faces to like a shade of MAC lipstick.

So it's like if you want to look like you're about to die from syphilis, shop this lipstick.

Yeah, a lot of like

it's only $63.25 as well, according to the picture, you know, and it was Australian, actually, which is another thing I want to highlight here: is the company is Australian, and I contacted BuzzFeed,

and

BuzzFeed was

I would say like apologetic

and maybe horrified but also

they were like actually this is BuzzFeed Australia which has spun out into its own company which is something

that happens in the media I don't know why actually but it's we even had that with Vice right yeah it happened to Vice

I think Gawker has Moto also runs yeah Gizmodo has its own like Australian thing Some of the gaming sites that I used to work at had the same arrangement.

And that happened to Vice not to

BuzzFeed not too long ago.

So they were like, we're actually not on top of this.

It's its own company.

They implemented it in Australia.

The ads are geo-fenced to Australia, which is why I had trouble

finding them when I was looking around.

Well, what did you do?

Did you have to use a VPN or something?

We used a VPN and also the original tipster who had the ads active when he was browsing just like started sending me more and more articles and then we verified them by sending them directly to BuzzFeed and Trendy which confirmed that yeah they were implemented kind of indiscriminately across the site yeah

obviously the 404 media reader saw it and sent it to you.

You've obviously seen it.

Have any of the like normal BuzzFeed readers spotted this?

I think some left some comments, right?

Yeah, so this is interesting because I wasn't able to see the ads in the US, but what I was able to see is comments on those articles from Australian readers, which is how I was able to tell that the ads appeared in some other inappropriate places.

So BuzzFeed had this article, for example, on how

different celebrities were

reacting or not to the war in Gaza.

And one of the commenters was like, wow, it's really inappropriate that I'm looking at an image of

this completely bombed out street and a kid walking through it.

And the shop this image button is like, how would you like to cop this look of this, you know, Palestinian refugee?

So yeah, that's a,

in some cases, I didn't see the ads themselves, but I saw commenters as far back as a year ago being like, this is a fucked up ad.

This is a little bit speculative or more more of an open question and i think this would just be more of our opinion really but like

did this happen potentially because trendy doesn't see buzzfeed as sort of a news outlet anymore even though i don't think that's entirely fair and same as you emmanuel i i thought they actually had the best investigations team in the business for actually quite a while before it got gutted but Again, a little bit speculative, but do you think Trendy sees this as just like a content platform rather than a website that's, as you say, going to have coverage about like the war on Gaza or something or something like that?

Or even if we don't know if that's how trendy feels, is that is what is happening here?

It's like a tool for content, not a tool for news.

Do you see what I mean?

Totally.

Yeah.

I think

that's a good question.

I think

it says two things.

One is it is not clear.

And I asked specifically, I asked both BuzzFeed and Trendy, like, as the publisher, if you choose to have a relationship with Trendy, how are you choosing?

Like, how do you manage where does this appear or not?

And neither one of them wanted to comment on it, which

I would take along with the fact that it was kind of appearing everywhere, that they really weren't controlling for it at all.

That, but that's speculation.

But I think it also says something about like what BuzzFeed is at this point.

It's like this weird artifact of a once great newsroom.

And now, like, I'm sorry, I know that there's people work there, but it's just like lowest common denominator content factory that just like publishes everything and like a ton of celebrity news.

So, when I was searching the internet for other sites that work with trendy, I came upon this,

I don't know how to pronounce this.

It's a the site is DMARGE, maybe D-M-A-R-G-E.

And it's like a bunch of celebrity news, and it's what people are wearing on the red carpet and stuff like this.

And in that context, the trendy implementation, I mean, say what you will, but it's like inoffensive.

It's sort of like synergistic, right?

It's like you're reading an article about what celebrities are wearing, and then the AI tells you, like, hey, do you want to buy something like this?

Like, click on that.

And BuzzFeed has a ton of articles like that, where that implementation makes sense, but then it also has like this back catalog

of very serious, sometimes dark, sometimes tragic journalism where it doesn't fit at all.

And at this point, you know, BuzzFeed is just something that they're trying to like squeeze every dollar out of.

And they threw this AI product on it.

And this is what we get.

Yeah, I mean, that's what I was going to say is like,

it doesn't do news anymore at all, to my knowledge.

And it's like, there's zero.

respect there for the work that people did or respect for the archives or the stories that they told.

Like, this is a publication that won a Pulitzer and did really, really incredible work.

And it's like squeezing every penny out of every corner of that website is like what they're doing now.

Like, I,

this seems to me like a

not even a side effect of what they're trying to do, but like,

surely someone either forgot to turn this off on news articles or there's no way of turning it off on news articles.

But like,

the archives are like something to be ransacked for this company.

It's not something to be like respected in any way.

Yeah.

I mean, like,

not trying to do Trendy's or BuzzFeed's job for them, but theoretically, you know, when we go and publish an article, we can tag it a certain way, right?

As news, or maybe it's a subject, like AI or whatever.

Presumably, you could tag all of your news articles as news and tell Trendy, hey, please don't run fucking close efforts on this very horrible news story.

Let me just read out Trendy CEO Aaron Wolfe's statement, just so we get that up there as well.

Quote, unfortunately, this was an oversight, an accident, and obviously not what Trendy is intended to do.

We have accidentally appeared on images which are clearly not right and our intention is to continue to evolve our product so we may avoid circumstances like this happening in the future.

We truly hope we have not caused any offense to the audience of BuzzFeed.

And I am sure that you believe Trendy is all about positive, happy experiences for consumers consumers and better advertising without commoditizing consumer personal data.

End quote.

Kind of an interesting thing at the end, where it's like, well, we're not using your data from browsing.

We're just lifting

from somebody who has syphilis and recommending makeup that way.

I guess just the last question in Emmanuel is you mentioned one site that you saw as like celebrity news.

Have you seen it anywhere else?

And

do you see other companies other media companies trying to do something like this i just mean do could you see that happening yeah it has a bunch of very notable partners and i would say most of those partners make a lot more sense so you have vogue and marie claire and other fashion brands i believe pop sugar was in there i'm not sure all of those are active but they did work with them at some point and that seems i think fine.

I just want to add one more thing.

And that is, because we are talking about an AI product, I want to make clear that, like, it basically doesn't work.

Like, it will recommend,

like, okay, so I'm looking at an image.

I'm on this DMarge

website right now where

the shop this image button is implemented.

And it's a picture of Ryan Gosling from, I don't know, this looks like early 2000s.

And he's wearing a t-shirt that has

like the tuxedo

look like printed on it.

He's not wearing a tuxedo.

he's wearing a tuxedo t-shirt.

And the shop this image button is recommending that I buy a black Allberds t-shirt.

And what I mean by it doesn't work is that it's like, and I did the same thing.

I was looking at like an image of Kanye, who is wearing always like these really crazy designer striking clothes.

And it recommends that you buy stuff in the image, but it's not what he's actually wearing.

It's just doing its best to match something from a participating participating retailer, right?

Because the reason I'm seeing an Allberds t-shirt is because Allbergs decided to make a deal with Trendy and advertise its t-shirts this way.

So it's not showing you the actual product.

It's showing you something that looks like the product.

And it's like, if you want to dress like Kanye, you're not going to be able to do it by following whatever Trendy recommends.

It's just like sort of...

putting something in front of you that looks like it.

It's not, you're not actually shopping the image.

You know what I mean?

Yeah, which I think makes it

again.

I know you said it's not clear if it's like active with Vogue or whatever, but they say it was.

And it's like, oh, you can get like, you know, a runway look or something.

That might not be readily available.

And like, then it's not going to work then either, necessarily.

I mean, again, I don't know if that's a use case or not, but yeah, that makes completely.

Yeah.

All right, let's leave that there.

And then when we come back, we're going to talk about an unprecedented leak out of the phone phone forensics tech Grakey.

We'll be right back after

this.

We're heading into the best time for deals, that most joyous time of year.

But I love it most when the deals come directly to me.

That's why I'm so excited to tell you about Mint Mobile's 15 bucks a month deal with the purchase of a three-month month plan.

Turns out the deal really does just come to you.

The longest part of this whole process is the time you'll spend waiting to break up with your old provider.

And Mint Mobile's website makes it super easy for you to port your device and your phone number over to Mint Mobile's network without changing your wireless experience.

To get started, go to mintmobile.com slash 404media.

There you'll see that right now, all three-month plans are only 15 bucks a month, including the unlimited plan.

All plans come with high-speed data and unlimited talk and text delivered on the nation's largest 5G network.

You can use your own phone with any Mint Mobile plan and bring your phone number along with all your existing contacts.

Find out how easy it is to switch at Mintmobile and get three months of premium wireless service for $15 a month.

To get this new customer offer and your new three-month premium wireless plan for just $15 a month, go to mintmobile.com slash 404 Media.

That's mintmobile.com/slash slash 404 media cut your wireless bill to 15 bucks a month at mintmobile.com slash 404 media 45 upfront payment required equivalent to 15 a month new customers on first three month plan only speed slower above 40 gigabytes on unlimited plan additional taxes fees and restrictions apply see mint mobile for details

Black Friday and the holiday season is coming up.

It's a big time for any online store, ours included.

And it's a good time to make sure that yours is set up in the right way.

404 Media uses Shopify to sell our merch, and it's one decision we made that has simplified everything for us.

Whenever I need to restock items, offer a new item for sale, which, by the way, lots of new items for sale on our Shopify, or manage our inventory.

Everything I need is just a click or two away in Shopify's simple but really powerful backend.

It gives me everything I need to start and manage our store so that I can spend less time researching and more time selling.

I can't stress enough how easy it is to use Shopify.

You can upgrade your business and get the same checkout that we use with Shopify.

Sign up for your $1 per month trial period at shopify.com slash media, all lowercase.

Go to shopify.com slash media to upgrade your selling today.

Shopify.com slash media.

This show is sponsored by BetterHelp.

It's Thanksgiving, Thanksgiving, so I wanted to take a moment to thank all of our subscribers and listeners.

We couldn't do this without you.

This month is all about gratitude, and sometimes I think that we're not patient or grateful for ourselves and what we deal with every day.

It's important to remind ourselves that we're trying our best to navigate an increasingly complicated and difficult world.

Therapy can help.

I found that it's been really helpful to talk with a licensed therapist about my feelings, which has made me a more patient, less anxious, and more balanced person.

Therapy has taught me coping skills, how to set boundaries, and how to care about myself, empowering me to be the best version of myself.

If you're thinking of starting therapy, give BetterHelp a try.

It's entirely online, designed to be convenient, flexible, and suited to your schedule.

Just fill out a brief questionnaire to get matched with a licensed therapist and switch therapists at any time for no additional charge.

Let the gratitude flow with BetterHelp.

Visit betterhelp.com/slash 404media today to get 10% off your first month.

That's betterhelp h-e-l-p.com slash 404 media.

Hackers and cyber criminals have always held this kind of special fascination.

Obviously, I can't tell you too much about what I do.

It's a game.

Who's the best hacker?

And I was like, well, this is child's play.

I'm Dina Temple Reston.

And on the Click Here podcast, you'll meet them and the people trying to stop them.

We're not afraid of the attack.

we're afraid of the creativity and the intelligence of the human being behind it.

Click here: stories about the people making and breaking our digital world.

AI machines, satellites, and telegraph.

Click here, and listen.

Click here every Tuesday and Friday, wherever you get your podcasts.

All right, and we are back.

This is one I wrote called Leaked Documents Show What Phones Secretive Tech Grey Key Can Unlock.

And before Jason asks me a few questions, I do just want to stress

this is really complicated.

It's really, really difficult.

It was really hard for me to get my head around.

Jason and Emmanuel very carefully edited it,

caught stuff that I missed, and there are a lot of questions remaining

because this is a super secretive company, Greykey and Magnet, Magnet, the company that now owns it.

But there's some pretty interesting stuff.

So, what we got

is two spreadsheets, and they are a granular list of what iPhone and Android devices Greykey is able to retrieve

data from.

And before I throw it to Jason, I'll say that the top line is basically that Grey Key is only able to retrieve quote, partial end quote data from all modern iPhones, that's the iPhone 12 up to the 16, that run iOS 18 or 18.0.1.

We don't quite know about 18.1, which is the current, most recent version of iOS that was released on October 28th.

The documents look like they're from October, but just before October 28th.

So we don't have that bit.

Okay.

So, Joseph, what is the Grey Key?

Grey Key is a very small device that can sit on a law enforcement officer's desk.

Or I think there's a mobile version, or maybe they've integrated that in there as well.

But it really came on the scene in around 2016, 2017, 2018, like around then, post-San Bernardino.

And everybody will remember that it was really, really hard for the FBI to get into the San Bernardino iPhone, big court case, asthma security eventually hacked the device.

We actually touched on that last week.

In the wake of that, this company called Grey Shift launched this tiny little product called the Grey Key, and it was something like 15 to 30,000.

The price has actually changed a little bit over the years, and there's sort of an annual subscription as well with a number of unlocks, that sort of thing.

But Forbes, Tom Brewster over at Forbes, he first revealed the existence of it.

And it basically sent shockwaves through the law enforcement and the forensic.

communities, right?

After all these years of iPhones being uncrackable, it now appeared that, hey, here's a box that if you give them tens of thousands of dollars, cops will be able to get into there.

And it has a little USB-C cable on the front or a lightning, depending on what you're trying to do.

You plug it in and it does two things, right?

The first is that it will try to get the passcode.

And maybe you'll do that through brute forcing or maybe it will extract a keychain and maybe there'll be clues in there.

I've seen some other documents where it'll extract information like messages, and it will then try to find clues on other passwords or other pins, maybe because, oh, I found something that looks like a birthday, and now maybe that could be a pin code or something like that.

So, you have the trying to break into the phone, which is one of the most important parts.

And then you have, well, it's also extracting, or I think very fair, as Emmanuel said when he edited it, it retrieves the data from the device and then makes it, um,

it presents it to law enforcement officer.

It's not just a big file.

You go.

It's like an interface that'll be like, here is messages from a specific app or here, here are photos, like stuff like that, right?

Like it's a, it's a back end that you can kind of like browse through.

Yeah, it makes it much, much, much easier to dig through iPhone and now Android

images of devices.

And yeah, as I said, it started with iPhones, but then a few years ago, they branched into Android because of course its main competitor is Celebrite, which I'm sure everybody's familiar with.

I was going to ask about that, actually.

I don't even know the answer or if you know the answer, but do like by and large, are Celebrite and Grey Key like more or less the same thing?

As in, like,

do the one offer things that the other does not?

to our knowledge or are they both just are they like direct competitors offering like essentially overlapping products yeah i would say they're basically direct competitors you then have other ones that are a bit smaller like elkomsoft i think a russian company and they do look into mobile forensics as well so there's that sort of thing you then have these other companies that are more just focused sort of on the visualization side like oh you already have the data now we'll interpret it for you but grey key and celebrate it's supposed to be an all-in-one solution, right?

You buy the box or you buy the service, you plug the phone in, you unlock it or get what data you can and then interpret it.

I think a slight difference of Celebrate is that they have this advanced program where, at least this was the case a few years ago, and the leaks Celebrate documents we got touch on this a little bit.

But in some cases, you send the phone to Celebrate and then they do it.

And I think that's in part to look after their capabilities.

You know, hey, if it's on a box, even if that's phoning home, there's a world in which someone could get hold of that and try to reverse engineer it, right?

That could be one reason for it.

The other is just that when it comes to mobile phone forensics, there are so many variables that it could be better for someone to do it internally rather than a tool of the cop's forensics lab or whatever.

And by that, I mean more stuff like the screen is broken or the battery got hot and expanded and like completely screwed up the phone or something like that.

And that's when you send it to Celebrite or someone to look over.

Yeah, okay.

So

as far as so I remember Grey Key came on the scene like a few years after Celebrite and it was this pretty mysterious start like upstart in the industry.

As far as I know, there have been like very few leaks about Grey Key.

Like there, we've learned about them through like FOIA documents and sometimes court cases and things like that.

But in terms of like big leaks about how it works and its capabilities and what phones it can unlock, so on and so forth, I'm not aware of any others.

There may be a few at some point, but this is one of the biggest ones I think

that has ever happened.

So what did you get and what do the documents show?

Yeah, I think it's, as I said, unprecedented.

We've had similar leaks from Celebrate, the ones we've reported on, the ones that other people have obtained.

And then even way back at Motherboard, you know, we covered the hack of Celebrite as well, where I think I got like 500 gigabytes of data from Celebrite and did what we could there.

But yes, Greykey, it doesn't leak very often.

They treat their material very, very carefully, where if you do a freedom of information request for emails, they don't send this sort of material,

at least ordinarily, as like an attachment to an email, you know, and I foyered tons of material material over Greykey, and I've never seen something like this.

And this was a leak that somebody gave to me.

It wasn't through a FOIA.

But as for what they actually show,

basically,

if you update your iPhone, you're probably pretty good.

Again, I'm looking at the table now, which shows Greykey's capabilities against iOS 18 and 18.0.1.

And everything from the iPhone 12 through to the 16 Pro Max says if you're running either 18 or 0.0.1, it can only get partial data.

We don't know whether that is after first unlock or before first unlock.

AFU, BFU.

AFU being that the owner has already unlocked the device at least once since it was powered on, and that can make it a little bit easier, or BFU is obviously the opposite of that, and that hasn't been the case.

We don't know.

But I think it's still very, a massive takeaway is that simply the spreadsheet does not say full.

It's a fact that Greykey just cannot get full data from a modern iPhone.

I think that's the main sort of takeaway.

When you look at Android, it is obviously way more varied.

There are, I don't know, a squillion different Android phones.

Squillion.

Squillion.

I mean, I don't think I've heard that one before.

Maybe fact-check me on that one.

But, you know, they're all made by different OEMs, different manufacturers,

all these different forks of Androids.

Maybe you have a Samsung, maybe you have a Google

some phone made from somewhere else in the world as well.

And

although the Google Pixel devices, according to the spreadsheet, can have data extracted if they're a partial AFU status and they get a bit of data in AFU state, the rest is a massive mix of all data, no data.

It's a hoshbosh.

I feel we talked about AFU, BFU

last week, but I think we should do a very quick reminder of what before first unlock and after first unlock is for people just joining us.

Yeah.

So

I touched on it, but to spell it out a little bit more, BFU before first unlock, that would be if, let's say, the phone is off, the iPhone is off for whatever reason, the police officer turns it on to forensically extract it.

And that obviously means that the actual owner of the device has not entered the passcode, which would

decrypt a lot of the information on there.

That's a BFU state before first unlock.

AFU, the opposite of that, and that's going to be when the user has unlocked the device at some point in time.

That is especially important for a number of different reasons.

I mean, let's say police officers

raid somebody's apartment.

I'm just going to say a drug trafficker for sake of example, and they're on their phone and they want to preserve evidence, the police will probably try to grab that phone while it's on

and so it hasn't been turned off by the user because that would probably be in an AFU state and then easier to unlock.

Now, let's say,

I don't know, tragically, a child goes missing and they had a phone on them and it runs that battery and it powers down that would then be a BFU state and then that could be more difficult there are sort of like real world consequences to how and when the phone is seized which will dictate whether it can be unlocked or not essentially I want to hear you go through like increasingly tragic hypotheticals in your mind

okay so There's been kind of a lot of leaks lately, and you've gotten, I think, pretty much all of them in this world where, where, you know, last week you had the new iOS feature about the sort of like reboot after a phone's been idle for a while.

A few months ago, you had a Celebrite leak.

Now you have this gray key leak.

What is sort of like the current state of play for iPhone hacking by law enforcement?

And

I guess what is sort of like the status quo here?

Like it seems to me like it's a super uneven

uh like playing field more or less i don't know if playing field is the right word but it's not it's an uneven situation where some phones they can break into like really quickly really easily with these tools others not so much

yeah i think that's right and it's always going to be messy and i think many members of law enforcement wouldn't want that they would want a more permanent solution that's of course what we had with apple versus fbi where really they weren't trying to get access to one phone.

They were trying to develop a capability that would ensure access for future cases as well.

Right.

And then Azimuth hacks the phone, and then Graiki comes along.

And it seems to be like there's this cycle where Apple will do some sort of security upgrade.

You know, I mentioned USB restricted mode, which a few years back, that meant that you couldn't plug the phone

into a computer and get data from it, essentially, because the port would just turn into a a charging port rather than a data one.

That comes along.

There's all of this, you know, it feels like the sky is falling down for forensic investigators.

And then Greykey and/or Celebrite find workarounds, and then it continues.

And then we get, as you say, this really interesting iOS 18 reboot, where if the phone has been left idle for three full days or, you know, turning onto the fourth day, it will reboot and go to a BFU state.

Now investigators have to find a way to deal with that as well.

That is just how this goes.

It's a constant cycle.

They find exploits.

There are workarounds, that sort of thing.

That's not to say it'll be like this forever.

In the same way that custom encrypted phones of criminals became such a massive headache for cops that the FBI decided to run its own encrypted phone company,

it came to a head there.

I think it's absolutely possible that if it becomes too hard to get data out of iPhones or Androids or any devices, and there's a really, really, really important case, of course, it could come up again where the FBI is like, we need a more permanent solution.

And it's not just a US thing, right?

The UK has demanded sort of technical capability access as well.

Australia does some things as well.

Europe is part of the discussion too.

But at least right now, it looks like Greykey and Celebrite, they're a little bit behind, and then a couple of months later, they catch up, at least in some way.

It seems to me, speaking only about the iPhone, it seems to me like for a few years now, basically the takeaway from all of these leaks is

if you keep updating your phone as soon as the security updates drop, you're probably okay.

And if that is the case, I am wondering, what do you think the value of a Grey key is to law enforcement?

Is it that they

know

that

enough phones that they're trying to get into are not updated?

Are they paying for

those short points in the cycle where Grey Key is ahead of Apple?

I think they're paying for those windows.

And we don't know like the 18 adoption rate or the 18.1 adoption rate, or we know that Tim Tim Cook, Tim Apple, said that it is going very, very quickly and people are moving up to it.

So there are those windows.

I do think that, yes, even though they can only get partial data from iPhones, that's not no data.

So there is something there.

And it's kind of what we were talking about earlier, where it can be visualized, it can be mapped with other data,

they can still perform investigations.

And obviously, I don't know if this is fully fair because I'm not a police officer, but I would say probably the value proposition has probably gone down if it's not unlocking the phones, which doesn't say it's not worthless, but maybe the value has gone down a little bit.

You know what?

That raises something that we didn't talk about last week, but kind of plays with your story last week about the new iOS update and the phone rebooting, which is

like cops sometimes confiscate phones and

they might not not break into it right away or they might not try to break into it right away.

And I wonder if these are often sitting in evidence, like storage lockers, for quite some time until Grey Key or Celebrite is able to make a new exploit and then, or is able to update whatever they're doing.

And then there's like a frenzy of, you know, unlocking a bunch of phones.

And I wonder if

that is,

I guess, like when we talked about this last week, I was like, oh, well, they're just going to do it right away now.

But in some cases, they might not be able to unlock these phones right away.

They might be waiting for that window where

there is a period where they're able to unlock these phones before Apple gets a new update.

And I don't know.

Have you thought about that?

Do you even understand what I'm saying?

I feel like I'm rambling a little bit.

No, no, no.

Yeah.

I get it.

Because, yeah, I've spoken to people, even for my book, when I was talking to people who like had to get data from PGP Blackberries that were used by criminals, you would sometimes open a device and you would see a certain sticker and you go, well, that's a phantom secure device.

I'm not getting anything out of that.

You basically throw it in the trash because they're, well, what's the point?

I can't get anything from it.

But if it was another sort of phone.

you would leave it there and it would be like on the conveyor belt or in storage and you would come back to it later and cops absolutely do that they're just waiting for oh okay well Grey Key just needs to update to the latest version.

When we get that, we'll be able to get into that device and they'll be great.

And I think that is why the iOS 18 reboot timer is so, such a big deal for law enforcement or, you know, other people trying to get into the data like fees potentially.

But I do think the main context in which it's introduced is law enforcement.

No longer can they just have a phone waiting there for Grey Key to hurry up and push an update.

It's like, we have four days and then we're screwed, basically.

So I imagine Greykey is going to try to find a way somehow

and celebrate to keep the phone in that non-reboot stage.

Maybe there's a way in which the timer going down, there's a way to fuck with that or something.

I mean, I have no idea, but that's going to be what they're going to try to do, I imagine.

Just need an artificial finger touching the screen sometimes and moving it around.

Yeah, like

a mouse jiggler.

Yeah, exactly.

Or just a guy, you know?

Just a guy touching all the phones.

The phone toucher.

Yeah.

All right.

We will leave that there.

If you are listening to the free version of the podcast, I'll now play us out.

But if you are a paying 404 media subscriber, we're going to talk a ton about AI and the publishing industry and books.

Sam has a couple of really interesting stories about that.

You can subscribe and gain access to that content at 404media.co.

As a reminder, 404 Media is journalist-founded and supported by subscribers.

If you wish to subscribe to 404 Media and directly support our work, please go to 404media.co.

You'll get unlimited access to our articles and an ad-free version of this podcast.

You'll also get to listen to the subscribers only section where we talk about a bonus story each week.

This podcast is made in partnership with Kaleidoscope.

Another way to support us is by leaving a five-star rating and review for the podcast.

That stuff really helps us out.

This has been 404 Media.

We will see you again next week.