STOP Using Proton & Signal? Here’s the TRUTH

00:00

Proton and Signal are no longer secure  platforms…or at least that’s been the  

00:04

message shared by multiple media outlets and  social media accounts. Proton Privacy complied  

00:09

with a request to hand over a recovery  email address to Spanish police and a new  

00:14

hit piece is making the rounds claiming that  Signal is just a front for the US government.

00:19

What are we supposed to do with this kind  of information? I want to explain what’s  

00:24

really happening here, but more importantly, this  highlights one critical part of personal security  

00:28

and privacy that we need to address and that often  gets ignored for the sake of sensational news.

00:36

Most of us are already skeptical of government  surveillance and big tech companies. So when  

00:41

we read that a privacy company just handed over  user data or is in bed with government agencies,  

00:46

there’s a confirmation bias that I think  tends to happen. Instead of asking questions  

00:51

and figuring out what’s really going on, some  people just throw up their hands and say “See,  

00:55

I knew it. There simply is no such thing as  privacy and security anymore. We’re screwed.”

01:01

I’ve seen this happen multiple times over the  years, and the story is usually the same thing  

01:06

whether you’re watching this right now in  May of 2024 or whether it’s years later.  

01:11

So let’s look at these cases specifically  - and please do me a favor and watch to  

01:16

the end, because I also want to explain  exactly how this affects YOU directly.

01:20

Let’s start with the case of Proton. Spanish law  enforcement made a request to Swiss authorities  

01:24

to identify somebody they claimed to be a  terrorist. Now whether or not a government  

01:30

abuses this authority to label somebody as a  terrorist doesn’t matter here. Companies like  

01:35

Proton do have a legal remedy to fight  these requests, and sometimes they do.  

01:41

Sometimes they don’t. But at the end of  the day, every single company is required  

01:45

to operate within the legal frameworks  of the country in which they are based.

01:50

If you’re a US company and the US government makes  a legal, court approved request for you to hand  

01:55

over data, you have to do it, whether you agree  with it or not. The same goes for Switzerland and  

02:00

every other country in the world. Just because a  company says they protect your privacy does not  

02:05

mean they can just go and ignore these requests.  That’s really important to understand and one of  

02:10

things that media outlets seem to overlook  each time they cover these news events.

02:15

But what’s also important to know is that  companies can only give over the data that  

02:19

they actually have. All of the data that’s  end-to-end encrypted can be handed over, but  

02:24

it’s of no use without the encryption keys that,  in the case of Proton and Signal, only you hold.

02:31

And when it comes to email, you also  have to realize that in order for  

02:34

an email to be sent - like any mail -  it needs to have sender and recipient  

02:39

information. That can’t be encrypted or  else the it could never be delivered.

02:45

The same goes for a recovery email address on any  online account you create. If that were encrypted,  

02:50

the company wouldn’t be able to see the email  address in order to help you recover the account.

02:54

In other words, in order to function,  certain information can’t be hidden.

03:00

“Oh, but you’re just trying to  defend a company that you like  

03:02

and that has sponsored your channel in the past!”

03:05

No, I’m not. I’m trying to be realistic  here. In this Spanish terrorist case,  

03:10

Proton didn’t hand over the name of the user  or any of his email. They couldn’t because  

03:16

they didn’t have that information to give. They  were compelled by Swiss authorities to hand over  

03:21

the recovery email address, which they did. In  this case, it was an Apple email address and  

03:26

it was Apple who then handed over the name of the  person associated with the recovery email address.

03:31

At worst, you could maybe accuse Proton  of not doing a good enough job letting  

03:36

users know that this recovery address isn’t  private. But we’ll get to that in a moment.

03:41

Switching gears to Signal, we’ve got an  entirely different situation happening  

03:45

but one that I’ve seen countless times as well.  The founder of Telegram, a competitor of Signal,  

03:50

shared a message questioning Signal’s encryption.  I wonder what his motivation is? Well in this  

03:56

message he states that “an alarming number  of important people I’ve spoken to remarked  

04:00

that their private signal messages had been  exploited against them in US courts or media.”

04:07

Notice that there’s no  source to back up this claim,  

04:09

and the numerous people who reshared  this conveniently ignored the fact  

04:12

that these are competitors. In other  words, there’s undeniable bias here.

04:17

Here’s the thing: anybody can claim that  encryption can be or has been broken. But  

04:22

the burden of proof is not on you, it’s  on the one who makes the claim. So if the  

04:27

Telegram CEO is going to claim that their  competitor Signal has had their encryption  

04:31

broken - and I don’t know, that could  be true - but you’re going to have to  

04:34

provide more than hearsay evidence in  order for me to take you seriously.

04:38

The other part of the complaint against  Signal has to do with their board of  

04:42

directors. Apparently the current  chairman has a history of promoting  

04:46

censorship and has concerning connections  with the intelligence community. And I get  

04:50

it - that’s a bad look for Signal and  one that should probably be addressed.

04:55

But Signal, like Proton, is open source,  which means that over the past 10 plus years,  

05:01

security researches have had access to the code  base of these apps. Leadership certainly matters,  

05:08

but the code is the code. The board  chair’s opinion doesn’t change that.

05:12

Ok, here’s the primary message I want you to  take away from all of this. It’s not that you  

05:16

should ignore FUD, it’s not that you should  blindly trust me to use Proton and Signal.

05:22

The primary message is this:  

05:25

privacy apps and services are only  as strong as the user who uses them.

05:31

You can purchase and install the strongest  lock on the front door of your house,  

05:35

but if you leave the window unlocked,  that’s not the door’s fault, it’s yours.

05:40

This is something called personal  OPSEC, or operational security. This  

05:45

is everything that you do that includes  the usage of apps like Proton and Signal.

05:49

So, for example, did you know that you can  remove or change the recovery email address  

05:54

in Proton Mail? In the settings of your  Proton account, click on “Recovery” and  

05:58

then right here under Account Recovery you  can either turn off the allow recovery by  

06:03

email option or you can change it to a burner  email address that you’ve created. Mind you,  

06:09

if you turn it off, you won’t be able to  recover your account if you lose your password,  

06:13

but that’s on you. That’s part  of your operational security.

06:17

At the very least, you should turn on data  

06:19

recovery via a recovery phrase and  keep that stored somewhere safe.

06:23

And if you don’t want Proton to have  access to, let’s say, your IP address,  

06:27

which is the identifier assigned  to your device on the internet,  

06:31

simply use a VPN or TOR when you’re  logging on, which hides your IP address.

06:36

Honestly, most of this only applies to those  who have reason to be highly concerned about  

06:41

their privacy or security, but even if you’re  just the average internet user, you can’t  

06:45

rely solely on software to protect you. It’s your  responsibility to build strong privacy habits.

06:51

And one final thought: be careful what you  share, even within the walls of end-to-end  

06:56

encryption. Sometimes we get lulled into  this false sense of security and that’s  

07:01

when the mistakes happen. If you don’t  want compromising pictures of you shared  

07:05

online, then here’s a wild idea for you -  don’t take compromising pictures and send  

07:11

them to your boyfriend! I know it’s not always  as black and white as that, but sometimes the  

07:15

best and easiest way to hide information is  to not share it digitally in the first place.

07:20

Should you stop using Proton and  Signal? That’s up to you. This kind  

07:25

of news doesn’t change the fact that  I still use and recommend them, but  

07:29

no matter what software or app you end up using,  you need to recognize that your operational  

07:35

security - how you use these apps, how you store  your personal information, how you share data,  

07:40

etc. - is just as important, if not more  important, than the tools you use to do it.

07:47

Thanks for watching, and if you want to see the  

07:48

privacy and security tools I use  every day, watch this video next.