STOP Using Proton & Signal? Here’s the TRUTH
Summary
TLDR: The video discusses recent claims questioning the security of Proton and Signal, highlighting the importance of understanding legal frameworks and operational security. It clarifies that while companies must comply with legal requests, end-to-end encryption protects user data. The video emphasizes the need for users to take personal responsibility for their privacy by using tools like VPNs and being cautious with shared information.
Takeaways
- 🔒 Proton and Signal, once considered secure platforms, are now under scrutiny due to recent events and media coverage.
- 📜 Proton complied with a legal request from Spanish authorities, highlighting the legal obligations companies have to comply with government requests.
- 🔗 The importance of understanding that companies can only provide data they possess, and end-to-end encryption limits what can be handed over.
- 📧 Email and recovery email addresses are inherently not encrypted to ensure delivery, which is a necessary compromise for functionality.
- 🏛️ Companies like Proton must operate within the legal frameworks of their host countries, even if they prioritize user privacy.
- 🧐 The founder of Telegram questioned Signal's encryption, suggesting potential bias and a need for concrete evidence to support such claims.
- 💼 Concerns about Signal's board chairman's history and connections, though the open-source nature of Signal's code provides some reassurance.
- 🛡️ The strength of privacy apps and services depends on the user's operational security (OPSEC) and how they use these tools.
- 🔄 Users can take steps like changing recovery email addresses or using VPNs to enhance their privacy, demonstrating personal responsibility in security.
- 🚫 Even within end-to-end encryption, users must be cautious about what they share, as digital sharing can lead to unintended consequences.
Q & A
What is the main concern raised by the media about Proton and Signal?
- The media claims that Proton and Signal are no longer secure platforms. Proton was reported to have complied with a request to hand over a recovery email address to Spanish police, and there are allegations that Signal is a front for the US government.
Why do some people react negatively to news about privacy companies cooperating with government requests?
- People often have a confirmation bias, believing that privacy and security are illusions. When they hear about privacy companies complying with government requests, they tend to dismiss the idea of privacy altogether without examining the details.
What is the legal framework that companies like Proton have to operate within?
- Companies must operate within the legal frameworks of their respective countries. If a government makes a legal, court-approved request for data, companies are required to comply, regardless of their privacy policies.
What limitations do companies have in terms of the data they can provide to authorities?
- Companies can only provide data that they actually have. Data that is end-to-end encrypted is useless to authorities without the encryption keys, which are held by the users themselves.
Why is it necessary for email sender and recipient information to be unencrypted?
- Sender and recipient information must be unencrypted for the email to be delivered. If this information were encrypted, the email could never be delivered, as it would not be recognizable by the email system.
What was Proton's response to the Spanish law enforcement request?
- Proton complied with the request from Swiss authorities to provide a recovery email address. However, they did not provide the user's name or any of their emails because they did not have that information.
What is the controversy surrounding Signal's encryption and its board of directors?
- There are claims that Signal's encryption has been exploited in US courts or media, and concerns about the chairman's history of promoting censorship and connections with the intelligence community. However, Signal is open source, and its code has been scrutinized by security researchers.
What is the primary message the speaker wants the audience to take away from the discussion?
- The speaker emphasizes that privacy apps and services are only as strong as the user who uses them. Users need to practice good operational security (OPSEC) and be responsible for their own privacy and security.
How can users enhance their operational security with Proton Mail?
- Users can remove or change their recovery email address in Proton Mail settings, use a burner email address, or turn off the allow recovery by email option. They can also use a VPN or TOR to hide their IP address when logging on.
What is the speaker's advice on sharing sensitive information within end-to-end encrypted platforms?
- The speaker advises caution, suggesting that the best way to keep information private is not to share it digitally in the first place. Users should be mindful of what they share, even within secure platforms.
Outlines
🔒 Privacy Concerns Over Proton and Signal
This paragraph discusses the recent allegations against Proton and Signal, two privacy-focused platforms. Media outlets and social media have claimed that these platforms are no longer secure. Proton was reportedly compelled to provide a recovery email address to Spanish police, while Signal is accused of being a front for the US government. The speaker emphasizes the importance of understanding the legal frameworks within which these companies operate and the limitations they face in protecting user data. The paragraph also highlights the role of end-to-end encryption and the fact that companies can only provide data they possess, which in the case of Proton and Signal, excludes encrypted data without the user's encryption keys. The speaker challenges the sensationalism in the media and encourages viewers to look beyond the headlines to understand the true nature of these incidents.
🛡️ Personal Security and the Importance of Operational Security
The second paragraph focuses on the concept of personal operational security (OPSEC) and the responsibility of users in maintaining their privacy. The speaker argues that privacy apps and services are only as strong as the users who use them, using the analogy of a lock on a door. They explain that users can take steps to enhance their security, such as changing or removing recovery email addresses in Proton Mail, using a VPN or TOR to hide their IP address, and being cautious about what they share even within encrypted platforms. The speaker also addresses the criticism against Signal's board of directors and the need for users to be aware of the potential biases in claims about encryption vulnerabilities. The paragraph concludes with a reminder that no matter what tools are used, it is the user's responsibility to build strong privacy habits and practice good OPSEC.
Keywords
💡Proton
💡Signal
💡End-to-End Encryption
💡Recovery Email Address
💡Legal Frameworks
💡Confirmation Bias
💡Operational Security (OPSEC)
💡VPN
💡TOR
💡Recovery Phrase
💡FUD
Highlights
Media outlets and social media accounts claim that Proton and Signal are no longer secure platforms.
Proton Privacy complied with a request to hand over a recovery email address to Spanish police.
Media often overlooks the legal frameworks within which companies operate when reporting on privacy breaches.
End-to-end encrypted data can be handed over, but without encryption keys, it is useless.
Email sender and recipient information cannot be encrypted for delivery purposes.
Recovery email addresses on online accounts are not private and can be compelled to be handed over.
Proton handed over a recovery email address under compulsion from Swiss authorities, not user data.
Signal's encryption has been questioned by the founder of a competing app, Telegram, without substantial evidence.
The burden of proof lies with those who claim encryption has been broken, not the users.
Signal's board chairman has a history that could raise concerns, but the app remains open source.
Privacy apps and services are only as strong as the user who uses them.
Users can change or remove their recovery email address in Proton Mail settings.
Using a VPN or TOR can help hide your IP address when logging on to privacy services.
Operational security is crucial and involves more than just using privacy apps.
Users should be cautious about what they share, even within end-to-end encrypted platforms.
Operational security is as important as the tools used for privacy protection.
Transcripts
Proton and Signal are no longer secure platforms…or at least that’s been the
message shared by multiple media outlets and social media accounts. Proton Privacy complied
with a request to hand over a recovery email address to Spanish police and a new
hit piece is making the rounds claiming that Signal is just a front for the US government.
What are we supposed to do with this kind of information? I want to explain what’s
really happening here, but more importantly, this highlights one critical part of personal security
and privacy that we need to address and that often gets ignored for the sake of sensational news.
Most of us are already skeptical of government surveillance and big tech companies. So when
we read that a privacy company just handed over user data or is in bed with government agencies,
there’s a confirmation bias that I think tends to happen. Instead of asking questions
and figuring out what’s really going on, some people just throw up their hands and say “See,
I knew it. There simply is no such thing as privacy and security anymore. We’re screwed.”
I’ve seen this happen multiple times over the years, and the story is usually the same thing
whether you’re watching this right now in May of 2024 or whether it’s years later.
So let’s look at these cases specifically - and please do me a favor and watch to
the end, because I also want to explain exactly how this affects YOU directly.
Let’s start with the case of Proton. Spanish law enforcement made a request to Swiss authorities
to identify somebody they claimed to be a terrorist. Now whether or not a government
abuses this authority to label somebody as a terrorist doesn’t matter here. Companies like
Proton do have a legal remedy to fight these requests, and sometimes they do.
Sometimes they don’t. But at the end of the day, every single company is required
to operate within the legal frameworks of the country in which they are based.
If you’re a US company and the US government makes a legal, court approved request for you to hand
over data, you have to do it, whether you agree with it or not. The same goes for Switzerland and
every other country in the world. Just because a company says they protect your privacy does not
mean they can just go and ignore these requests. That’s really important to understand and one of
the things that media outlets seem to overlook each time they cover these news events.
But what’s also important to know is that companies can only give over the data that
they actually have. All of the data that’s end-to-end encrypted can be handed over, but
it’s of no use without the encryption keys that, in the case of Proton and Signal, only you hold.
And when it comes to email, you also have to realize that in order for
an email to be sent - like any mail - it needs to have sender and recipient
information. That can’t be encrypted or else it could never be delivered.
The same goes for a recovery email address on any online account you create. If that were encrypted,
the company wouldn’t be able to see the email address in order to help you recover the account.
In other words, in order to function, certain information can’t be hidden.
“Oh, but you’re just trying to defend a company that you like
and that has sponsored your channel in the past!”
No, I’m not. I’m trying to be realistic here. In this Spanish terrorist case,
Proton didn’t hand over the name of the user or any of his email. They couldn’t because
they didn’t have that information to give. They were compelled by Swiss authorities to hand over
the recovery email address, which they did. In this case, it was an Apple email address and
it was Apple who then handed over the name of the person associated with the recovery email address.
At worst, you could maybe accuse Proton of not doing a good enough job letting
users know that this recovery address isn’t private. But we’ll get to that in a moment.
Switching gears to Signal, we’ve got an entirely different situation happening
but one that I’ve seen countless times as well. The founder of Telegram, a competitor of Signal,
shared a message questioning Signal’s encryption. I wonder what his motivation is? Well in this
message he states that “an alarming number of important people I’ve spoken to remarked
that their private signal messages had been exploited against them in US courts or media.”
Notice that there’s no source to back up this claim,
and the numerous people who reshared this conveniently ignored the fact
that these are competitors. In other words, there’s undeniable bias here.
Here’s the thing: anybody can claim that encryption can be or has been broken. But
the burden of proof is not on you, it’s on the one who makes the claim. So if the
Telegram CEO is going to claim that their competitor Signal has had their encryption
broken - and I don’t know, that could be true - but you’re going to have to
provide more than hearsay evidence in order for me to take you seriously.
The other part of the complaint against Signal has to do with their board of
directors. Apparently the current chairman has a history of promoting
censorship and has concerning connections with the intelligence community. And I get
it - that’s a bad look for Signal and one that should probably be addressed.
But Signal, like Proton, is open source, which means that over the past 10 plus years,
security researchers have had access to the code base of these apps. Leadership certainly matters,
but the code is the code. The board chair’s opinion doesn’t change that.
Ok, here’s the primary message I want you to take away from all of this. It’s not that you
should ignore FUD, it’s not that you should blindly trust me to use Proton and Signal.
The primary message is this:
privacy apps and services are only as strong as the user who uses them.
You can purchase and install the strongest lock on the front door of your house,
but if you leave the window unlocked, that’s not the door’s fault, it’s yours.
This is something called personal OPSEC, or operational security. This
is everything that you do that includes the usage of apps like Proton and Signal.
So, for example, did you know that you can remove or change the recovery email address
in Proton Mail? In the settings of your Proton account, click on “Recovery” and
then right here under Account Recovery you can either turn off the allow recovery by
email option or you can change it to a burner email address that you’ve created. Mind you,
if you turn it off, you won’t be able to recover your account if you lose your password,
but that’s on you. That’s part of your operational security.
At the very least, you should turn on data
recovery via a recovery phrase and keep that stored somewhere safe.
And if you don’t want Proton to have access to, let’s say, your IP address,
which is the identifier assigned to your device on the internet,
simply use a VPN or TOR when you’re logging on, which hides your IP address.
Honestly, most of this only applies to those who have reason to be highly concerned about
their privacy or security, but even if you’re just the average internet user, you can’t
rely solely on software to protect you. It’s your responsibility to build strong privacy habits.
And one final thought: be careful what you share, even within the walls of end-to-end
encryption. Sometimes we get lulled into this false sense of security and that’s
when the mistakes happen. If you don’t want compromising pictures of you shared
online, then here’s a wild idea for you - don’t take compromising pictures and send
them to your boyfriend! I know it’s not always as black and white as that, but sometimes the
best and easiest way to hide information is to not share it digitally in the first place.
Should you stop using Proton and Signal? That’s up to you. This kind
of news doesn’t change the fact that I still use and recommend them, but
no matter what software or app you end up using, you need to recognize that your operational
security - how you use these apps, how you store your personal information, how you share data,
etc. - is just as important, if not more important, than the tools you use to do it.
Thanks for watching, and if you want to see the
privacy and security tools I use every day, watch this video next.