IE like Crypto AG:
In 2020, it was revealed that the Swiss company, Crypto AG, which provided secure communications services to ~120 governments throughout the 20th century, was secretly ran by the CIA and West German Intelligence. The CIA and later NSA were able to read encrypted communications for many countries such as Saudi Arabia, Iran, Italy, Indonesia, Iraq, Libya, Jordan and South Korea.
Proxies and VPNs seem like the most obvious targets. They mostly prey on people who don’t understand the technical workings thereof (had my mom ask if she needed to get a VPN bc firefox opened on ad for theirs, claiming it enhanced privacy), and serve little benefit to people who are doing the kind of illegal activities that make governments take notice. They serve as a single point of compromise for anyone, and they work worldwide so that all your traffic can be monitored even when you’re on a different ISP/in a different country. It’s like the perfect MITM, and people are even willing to pay to have themselves monitored.
The truth is that at best they benefit people who only don’t want their network-provider watching, but don’t care who else may be. It’s the perfect setup for a 3-letter agency to just sit and monitor everything anyone does, waiting for someone who’s just a little too careless to access illegal content thinking they’re anonymous.
All of the “delete my information from data brokers” services IMO, especially the ones that advertise on YouTube. Always smelled fishy to me.
Either that or they’re just more data brokers trying to get exclusivity.
Reject Convenience did a pretty thorough rundown on what they’re doing: https://www.youtube.com/watch?v=iX3JT6q3AxA
It’s been a minute since I watched, but my key takeaways were that they just reach out to one type of broker which barely scratches the surface of the Data Economy iceberg, and since there’s no legal precedent outside of California and the EU, it’s purely up to the brokers to decide whether or not they want to comply.
So I think it’s probably more likely they really are just private companies preying on people’s anxieties about privacy and relative ignorance about the topic, rather than some kind of governmental conspiracy
Of course, nobody is going to have evidence here, if there was any the cover would be lifted. But one can guess chances here:
Proton: “Unlikely”… but there is a but. They never cater for the ultimate privacy and they make typical blunders of a company wanted to growth really fast. Now, that they want to be a behemoth in Privacy makes it more vulnerable to requests from law enforcement. Also, law enforcement and intelligence agencies have it easier to penetrate within Proton massive headcount growth.
Tuta: “Very Unlikely”. The people behind started very young and had a sustainable growth. The people are very visible (unlike Crypto AG) so least likely to be working for an “agency”.
Mullvad: “Very Unlikely”. I think their story is similar to Tuta (haven´t followed it that much though).
GrapheneOS: “Very Unlikely”. But in the last year I have raised some minor concerns, but I haven change my rating yet…
/e/: “Very Unlikely”. I know the dude behind for 2 decades, he wouldn´t. However, /e/ never claimed full privacy and from the beginning says he would comply 100% with “lawful” requests, but it is not a honeypot, not that would make much difference to an intelligence agency if they wanted it.
Signal: “Potentially”… yes, yes… audited, solid privacy code… but still does not make sense to me many aspects; financially solvent from day one, the extreme unquestioned massive and vast support from launching till today… if i have to bet in all of these providers, this platform would have been my take as potential compromised one. I still use it to communicate with family since I trust better than WhatsApp, but I would not use it for critical journalistic info.
Mullvad: “Very Unlikely”. I think their story is similar to Tuta (haven´t followed it that much though).
https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprinting-vector/
Thanks so much, this looks worth a deep look! Iĺl need time to interpret this properly.
Unpopular takes incoming.
Signal.
Way too many red flags.
- Why ask for mandatory phone numbers? You could at least make it opt in.
- Why we can’t inspect the latest server code?
- Why not make it easy for people to run their own servers?
Do you truly believe that a company that wants to preserve your privacy would take this direction?
And i don’t care how secure the protocol is, how well the code is audited. They can still map your social graph.
Anyways, because of my threat model, i still use Signal. But if i were an activist i wouldnt touch it.
More unpopular takes:
Tor and Mullvad probably compromised too. If a service gets too mainstream, I dont believe for a second that they would let it run without care. They would take it down, or control it.
Now, these services are still usefull. For example mt threat model is to deny my shit to the big tech. So they are useful if you want to escape data collection for adversiment purposes.
I don’t think they would burn the reputation of these services for low hanging fruit like selling data for ads.
Signal, I agree… it has flags for me in so many ways.
Tor. Unlikely though. For sure many nodes are controlled and now they are using massive power to unlock the traffic, but was not set up as a honeypot per se, it is now, probably, technologically quite compromised though.
Mullvad. Funny, your suspicions probably got enhanced when Mullvad makes a browser based on Tor’s. But I still not highly suspect of Mullvad. Quite steady organic growth, profitable, no much pronouncements or catering to certain “targeted” groups… No mayor red flags for me.
The Crypto AG story shows that the location of a company doesn’t matter that much. The US simply made legal what they were already doing behind the scenes. Intelligence services have always been and still are above the law.
Absolutely! Location does not guaranteed anything. The only case against US, four eyes… etc is that they have the power to shut it down easily so they can use it as a threat. Switzerland has, for years now, showed the same drive as any other country to do just that.
Now, I have seen very principled individuals in the US, I would say even more than in the Europe! It is not surprise that we see cases like Lavabit where a right owner chooses to close shop rather than compromise its customers. I hope GrapheneOS will do the same.
If you’re online then you’re cooked.
The Proton CEO did make suspicious US political statements despite being Swiss. That combined with their misleading marketing on social media.
This thread basically illustrates the challenges for a beginner, such as myself.
I’ve been locked into the Google ecosystem for nearly two decades and am now trying to free myself.
I’d like to migrate to a hybrid solution that involves self-hosted NextCloud synchronized with a cloud provider that I can trust more than Google.
However:
Proton apparently makes false, or at least misleading, marketing claims and doesn’t fight a vast majority of its inbound government requests.
Tuta has been publicly accused by a member of the intelligence community of being a honeypot.
The rest of the email providers seem to implement even fewer protections, relative to these two.
So, what’s a guy to do?
Now, to be clear, I’m not saying that either of these companies are bad or that I believe that they’re actually honeypots. I’m just trying to illustrate the challenges faced by newcomers (and probably all of us).
While I’d prefer to absolutely maximize privacy and security on all fronts, given that my first goal is de-googling, I will probably start with Proton and NextCloud and re-evaluate from there, but I’m open to suggestions.
Thank you all – I really appreciate this community.
Email is a really tough one especially, because it wasn’t designed with security in mind, and of course even if you’re on a secure email service, 99% of the emails you send and receive are going to be with non-secure services hoovered up by google or AWS.
Anything is better than google at least.
Tbh for email I’d say don’t bother with privacy as it wasn’t meant to be private, as Dessalines said. If you care about data sovereignty (which is different to privacy, though often hand-in-hand), you can self-host email—it’s not as hard as it’s reputed to be. I’ve self-hosted my main email address for a couple years now and not had major hiccups. For the most part, after initial setup, it just runs. And if you’re daunted by configuring it, there are out-of-the-box solutions like Mailcow you can use. I’d only really recommend it if you already have a VPS/home lab/etc where you already self-host things.
I intend to do that but basically wanted to have an off site copy, for both backup and deliverability purposes.
I don’t have much in the way of privacy expectations for email, but I figure that Proton or Tuta are probably still safer than Google.
I self-host on a VPS, so my off-site copy is the VPS, and my on-site copy is the emails downloaded to my email clients.
I figure that Proton or Tuta are probably still safer than Google.
Define “safer”. If you are receiving unencrypted emails (which is the case in the vast majority of cases), there is nothing stopping Proton or Tuta from reading them. Fundamentally, if something arrives at a server unencrypted, the server can read it—nothing can be done about that.
If you’re exchanging e2ee emails, then it doesn’t matter if you use Google, because the body of the email can’t be read by Google. A lot of metadata is required to be unencrypted though (this is the case for Proton and Tuta too).
I don’t really see the benefit to using an email service like Proton or Tuta from a perspective of meaningful data privacy. If it were between e.g. Proton and Google I’d probably pick Proton to avoid my emails being used to serve me ads from Google, but I wouldn’t have any illusions about Proton being able to read unencrypted incoming mail.
Yes, I know and agree that the mail providers can read unencrypted email. I’d just rather use a provider that probably isn’t intentionally using it to build profiles about myself and others.
VPS/home lab
VPS is probably fine, hosting something this important on your own hardware sounds like a recipe for disaster though
the worse part is that; by the time security professionals’ tribal knowledge is known to the general public; it’s already outdated enough to keep you ensnared.
they say that you have to become your own lawyer to protect yourself and you have to become your own dentist/doctor to heal yourself; now you have to be your own secops to guard your information.
No company is in a position to resist lawful orders from government (not good orders, lawful).
It’s why every company that sells security makes a big show about planning to leave some western country when they say they’re gonna do mass surveillance. It’s all they can do.
Email is not secure and cannot be made secure.
Do not ever send anything through email that you rely on being private.
I’m certainly not suggesting that email providers should resist lawful orders, but if Proton complies with 89% of requests while Tuta complies with 25%, it suggests a difference in methodology, no?
It could, of course, be the case that the Swiss are just much more skilled at sending lawful requests relative to the Germans, but that seems unlikely.
So you have two different countries, two different sets of laws, and two different services with wildly different offerings.
You can’t really compare a drilled down percentage of compliance and reach the conclusion that there’s a difference in methodology under those conditions.
Just the much broader spectrum of services that proton offers makes it more likely that they will be in a position where they are required to comply with a larger portion of requests than tuta.
This is not intended to be a defense of proton, just a recognition that metrics are hard to take seriously in a comparison.
Often ignored, online games. Non of the VPN which logs the history, TOR also isn’t the panacea (network made by US secret service). Mandatory monitoring the traffic with Portmaster, PiHole or similar. FOSS from GitHub with a grain of salt. Good to have analytic tools in the bookmarks, eg Blacklight, Webbkoll, Exodus Privacy, Browserleaks, etc., preferable to use european alternatives. Using decentralized or /and selfhosted services. Common sense and always read TOS and PP before using the app or service.
Any VPN that isn’t actively being sued by world gov/agencies to try and get their data is suspicious.
Alternatively any VPN company with the ability to store data is untrustworthy.
Also every cryptocurrency that exsts.
How do you feel about Tailscale?
they were talking about proxy VPNs, whereas tailscale is for building actual virtual networks to connect your devices, which is a completely different thing (besides sharing the same approval foundation).
If you were to distrust tailscale (and you’re not simply self hosting headscale), an attacker might be able to access for otherwise non-public devices(’ ports), reroute/MitM your traffic and monitor which device connects to which.
Most likely all free vpns
Israeli actually, like express VPN
Signal for one.
Not a privacy app, but you should definitely not think anything said on discord is private in any sense whatsoever
Tor comes to mind.
Technologically it’s private, but if you’re America and have the resources to create and control sufficiently many nodes you can undermine the protections.
The tor rabbit hole goes pretty deep, but ya based on the evidence I’d have to say its more a US developed counter-insurgency tool, rather than a privacy tool.
Wait 'til you hear who invented it…
That said, considering how many illegal services continue to run on it, I don’t think it’s as porous as some make it out. Definitely has well-documented weaknesses but the project maintainers tend to address them fairly straightforward.
Of course, you’re also just as likely to be buying drugs off an Onion market that the FBI seized and kept running just to catch more bad guys, despite it also hosting illegal content itself.
Maybe not a honeypot, but definitely too large for my taste by now: Proton. With Mail, VPN, password manager, file storage, AI and whatnot, it’s one ginormous basket to put all of your eggs into, hopping it’ll hold.
the owner is fine with fascism because fascism makes his product more lucrative
Did he say that? :o
not exactly. the more nuanced inspection of what he said was that donald trump’s plans to deregulate the tech industry he expected to benefit his company. however, that deregulation is in service of allowing more surveillance capitalism, environmental degredation, and worker mistreatment. the wording i provided is what that ultimately means as an analysis of how and why proton would make more money in that type of environment
