Proton and Signal are no longer secure platforms…or at least that’s been the message shared by multiple media outlets and social media accounts. Proton Privacy complied with a request to hand over a recovery email address to Spanish police, and a new hit piece is making the rounds claiming that Signal is just a front for the US government. What are we supposed to do with this kind of information? I want to explain what’s really happening here, but more importantly, this highlights one critical part of personal security and privacy that we need to address and that often gets ignored for the sake of sensational news. Most of us are already skeptical of government surveillance and big tech companies. So when we read that a privacy company just handed over user data or is in bed with government agencies, there’s a confirmation bias that I think tends to happen. Instead of asking questions and figuring out what’s really going on, some people just throw up their hands and say “See, I knew it. There simply is no such thing as privacy and security anymore. We’re screwed.” I’ve seen this happen multiple times over the years, and the story is usually the same thing whether you’re watching this right now in May of 2024 or whether it’s years later. So let’s look at these cases specifically - and please do me a favor and watch to the end, because I also want to explain exactly how this affects YOU directly.

Let’s start with the case of Proton. Spanish law enforcement made a request to Swiss authorities to identify somebody they claimed to be a terrorist. Now whether or not a government abuses this authority to label somebody as a terrorist doesn’t matter here. Companies like Proton do have a legal remedy to fight these requests, and sometimes they do. Sometimes they don’t. But at the end of the day, every single company is required to operate within the legal frameworks of the country in which they are based. If you’re a US company and the US government makes a legal, court-approved request for you to hand over data, you have to do it, whether you agree with it or not. The same goes for Switzerland and every other country in the world. Just because a company says they protect your privacy does not mean they can just go and ignore these requests. That’s really important to understand and one of the things that media outlets seem to overlook each time they cover these news events. But what’s also important to know is that companies can only give over the data that they actually have. All of the data that’s end-to-end encrypted can be handed over, but it’s of no use without the encryption keys that, in the case of Proton and Signal, only you hold. And when it comes to email, you also have to realize that in order for an email to be sent - like any mail - it needs to have sender and recipient information. That can’t be encrypted or else it could never be delivered. The same goes for a recovery email address on any online account you create. If that were encrypted, the company wouldn’t be able to see the email address in order to help you recover the account. In other words, in order to function, certain information can’t be hidden.

“Oh, but you’re just trying to defend a company that you like and that has sponsored your channel in the past!” No, I’m not. I’m trying to be realistic here. In this Spanish terrorist case, Proton didn’t hand over the name of the user or any of his email. They couldn’t, because they didn’t have that information to give. They were compelled by Swiss authorities to hand over the recovery email address, which they did. In this case, it was an Apple email address, and it was Apple who then handed over the name of the person associated with the recovery email address. At worst, you could maybe accuse Proton of not doing a good enough job letting users know that this recovery address isn’t private. But we’ll get to that in a moment.

Switching gears to Signal, we’ve got an entirely different situation happening, but one that I’ve seen countless times as well. The founder of Telegram, a competitor of Signal, shared a message questioning Signal’s encryption. I wonder what his motivation is? Well, in this message he states that “an alarming number of important people I’ve spoken to remarked that their private Signal messages had been exploited against them in US courts or media.” Notice that there’s no source to back up this claim, and the numerous people who reshared this conveniently ignored the fact that these are competitors. In other words, there’s undeniable bias here. Here’s the thing: anybody can claim that encryption can be or has been broken. But the burden of proof is not on you, it’s on the one who makes the claim. So if the Telegram CEO is going to claim that their competitor Signal has had their encryption broken - and I don’t know, that could be true - you’re going to have to provide more than hearsay evidence in order for me to take you seriously. The other part of the complaint against Signal has to do with their board of directors. Apparently the current chairman has a history of promoting censorship and has concerning connections with the intelligence community. And I get it - that’s a bad look for Signal and one that should probably be addressed. But Signal, like Proton, is open source, which means that over the past 10-plus years, security researchers have had access to the code base of these apps. Leadership certainly matters, but the code is the code. The board chair’s opinion doesn’t change that.

Ok, here’s the primary message I want you to take away from all of this. It’s not that you should ignore FUD, and it’s not that you should blindly trust me to use Proton and Signal. The primary message is this: privacy apps and services are only as strong as the user who uses them. You can purchase and install the strongest lock on the front door of your house, but if you leave the window unlocked, that’s not the door’s fault, it’s yours. This is something called personal OPSEC, or operational security. This is everything that you do that includes the usage of apps like Proton and Signal. So, for example, did you know that you can remove or change the recovery email address in Proton Mail? In the settings of your Proton account, click on “Recovery” and then right here under Account Recovery you can either turn off the “Allow recovery by email” option or you can change it to a burner email address that you’ve created. Mind you, if you turn it off, you won’t be able to recover your account if you lose your password, but that’s on you. That’s part of your operational security. At the very least, you should turn on data recovery via a recovery phrase and keep that stored somewhere safe. And if you don’t want Proton to have access to, let’s say, your IP address, which is the identifier assigned to your device on the internet, simply use a VPN or Tor when you’re logging on, which hides your IP address. Honestly, most of this only applies to those who have reason to be highly concerned about their privacy or security, but even if you’re just the average internet user, you can’t rely solely on software to protect you. It’s your responsibility to build strong privacy habits.

And one final thought: be careful what you share, even within the walls of end-to-end encryption. Sometimes we get lulled into this false sense of security, and that’s when the mistakes happen. If you don’t want compromising pictures of you shared online, then here’s a wild idea for you - don’t take compromising pictures and send them to your boyfriend! I know it’s not always as black and white as that, but sometimes the best and easiest way to hide information is to not share it digitally in the first place.

Should you stop using Proton and Signal? That’s up to you. This kind of news doesn’t change the fact that I still use and recommend them, but no matter what software or app you end up using, you need to recognize that your operational security - how you use these apps, how you store your personal information, how you share data, etc. - is just as important, if not more important, than the tools you use to do it. Thanks for watching, and if you want to see the privacy and security tools I use every day, watch this video next.
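As an added example that is not from the video or from Proton or Signal, the Go program below models the point made above about what an end-to-end encrypted provider can actually hand over: sender, recipient and recovery address sit in the clear because the service needs them to deliver mail and run account recovery, the body is AES-GCM ciphertext under a key only the user holds, and turning off recovery by email (the OPSEC step described above) removes that field from any disclosure. The provider record, its field names and the Disclose function are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredMessage is what a hypothetical E2EE mail provider holds: routing and
// recovery fields in the clear, the body only as AES-GCM ciphertext.
type StoredMessage struct {
	From, To      string
	RecoveryEmail string // "" when the user has turned off recovery by email
	Nonce, Body   []byte
}

// gcmFor builds AES-256-GCM; with a 32-byte key neither constructor can fail.
func gcmFor(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealBody runs on the user's device; the provider never sees key.
func SealBody(key [32]byte, plaintext []byte) (nonce, ciphertext []byte) {
	gcm := gcmFor(key)
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy; there is nothing safe to do
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

// OpenBody is all a party holding the record can try; GCM rejects any other key.
func OpenBody(key [32]byte, nonce, ciphertext []byte) ([]byte, error) {
	return gcmFor(key).Open(nil, nonce, ciphertext, nil)
}

// Disclose models compliance with a lawful request: exactly the stored fields,
// body still encrypted. Turning off recovery by email removes that field entirely.
func Disclose(m StoredMessage) map[string]string {
	out := map[string]string{"from": m.From, "to": m.To,
		"body": fmt.Sprintf("%d bytes of AES-GCM ciphertext", len(m.Body))}
	if m.RecoveryEmail != "" {
		out["recovery_email"] = m.RecoveryEmail
	}
	return out
}
```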