STOP Using Proton & Signal? Here’s the TRUTH

What's your take? Do you think I'm letting Proton and Signal off the hook here? Leave your opinion here and let's discuss. Then make sure to watch my video on the 12 Privacy & Security tools I use EVERY DAY: th-cam.com/video/XNOAOQktG6U/w-d-xo.html

There have been multiple* court cases where law enforcement agencies submitted a subpeona to signal. And signal replied "Sorry, we have no data" If it were a front for the US govt the result SHOULD be different. HOWEVER if enough people were made to believe that Signal was insecure, they might abandon an actual secure platform.

I've been using Proton services for a while now and I must say this is the only company which provides both anonymity and convenience at there highest levels.

This is what so many people don't seem to understand, a company HAS to hand over data asked of them by law otherwise they will get shut down and possibly get employees jailed. You have to minimise what data you give to ANY service.

Proton yeah, but Signal is open source I've looked at the code myself, your data is 100% safe, because Signal by design is made so that the company (even if it wanted) can't access any of your data except for your number (which the person requesting your data already needs) and account creation date.

I appreciate you talking about the big picture instead of being emotional and reactive like so many tend to be. I'm still going to use Proton. I'd also like to have people ask themselves one thing. If you're abandoning Proton due to fear of security, who exactly are you switching to? Proton is still the best available without making your own email server and making sure everything is encrypted with nothing overlooked in terms of security.
Instead of freaking out and shooting yourself in the foot, think through what you're going to do, be reasonable and rational and then make your decisions.

Thank you so much, many people need to hear this and use their minds before making judgements!

Given the open source nature of Signal I have a feeling that IF somebody's Signal messages were compromised and used against them in court, it wasn't because of a flaw in Signal, but because they made some other mistake with their OPSEC. Perhaps their device, or the device of the person they were talking to, was infected with some sort of malware that could read the messages after they arrived on the device. End-to-end encryption only means from one end to the other, but the messages have to be decrypted once they arrive on a device or else they couldn't be read, so malware running locally on the device could potentially read them. It's also possible, though less likely that they managed to add a device to somebody's Signal account and they didn't notice it because they don't regularly check which devices are authorized to send/receive messages for that account. With how modern encryption works, it's much easier to trick somebody into installing a piece of malware than it is to break the encryption.

Signal is open source and has gone through several law suits. Proton is very similar in that the law suits it is gone though proves that they will only give over what they keep, which is nothing. This is very similar to Private internet access.

Great video! Especially the last part where you state the obvious fact - something that most people in this always online world fail to realise - don't share every damn part of your life with the rest of the world.

Thanks Josh. I’m glad you speak with a voice of reason!

Thank you for thorough clarification.
Keep up the good work, you just earned a new subscriber for the amazing content!

Thank you for this! I was just thinking along those lines, you confirmed them for me!

Thank you for making this video. The message here isn't letting these vendors off the hook; it's a reality check for the digital frontier as a whole. More specifically "due process". It's the only 'real' sense of security we need to focus on, "did an agency use due process?" But also (and more importantly) are software vendors 'only' providing information under circumstances of due process? As a systems administrator, I applaud the message of User responsibilities and as a personal privacy advocate, I salute the message of due process.
Fear mongering and baseless accusations run rampant over social media outlets as it is. Thank you for providing a voice of reason and a means of laying a basic framework of the legal challenges.

Personally I still use Proton and have for over a year now. In my case it is because I wanted a service with a good reputation and does not have any notable security issues.
I also take into account that the level of security of my account is truly on me not Proton. Proton provides the service and Proton is a Swiss owned company.
If you want something secure, it is YOUR job to make it secure over the provider.

Do people not read the TOS and Privacy Policy? I recently read Proton's, and this is not new information to me.

Well reporeted, Josh! I can’t count on my fingers, toes, and other appendages how many people I have to educate that software is not a cure-all. It takes human intervention and understanding for it to work 99.9999% of the time.

I keep seeing not only news but messages from friends and other acquaintances in Linux and privacy communities that keep propagating a lot of these conspiracies. I agree most of the time that people are not just doing their jobs in the security field right.
Thanks for going over them in such a manner! 🤩

Couldn’t agree with you more.
There are a lot false information on the internet creating FUD. Be smart, question everything and do the research if you have to!

7:03 Excellent video! I'm glad you included that second part, _don't _*_send_*_ comprising pictures,_ because people shouldn't be shamed for taking compromising pictures of themselves. Don't get me wrong, I advise my friends and family against it, especially women, but I wouldn't shame them for it. On a related note, I have personally always wanted to journal. I've always wanted to have a place where I could write my most intimate thoughts. Preferably on a secure digital journal, because I've had bad experiences as a kid with the security of physical journals. But most journaling apps don't have end-to-end encryption, which is why I have never done it. I don't want to keep everything in my head because writing can be really cathartic. It can help people heal.

Well said, and thank you for your rational explanation

Never have illusions about the tools you use. It's a lesson I've learned (sometimes in hard ways) over the years.

Unless I suddenly need to run from the law, these particular things don't really worry me too much. Yes, if Proton was hacked, they could see my recovery email, but I have a strong password and use security keys to sign in to my account. I am still learning how to become better at cyber security (my anxiety suddnely made me hyper aware of it).
While I am very concerned about privacy, I would want law enforcement to be able to find a dangerous criminal.

Good job on this video! You eliminated all the diagrams or explanations for HOW these 2 companies encrypt your data, reducing or eliminating unnecessary confusion in order to make your larger points. You made the whole video accessible to a consumer level audience, The exact group who do not know how to evaluate the accusatory assaults made by telegram or by privacy advocates objecting to there being any form of legal compliance with the country you're operating in.
Good choices, resulting in very easy to understand video about something very important and critical.

How do I verify that the Signal application that I downloaded from the apple app store was built from the open source code that is published?

Thanks- Good content presented in a reasonable amount of time.

The title is a bit clickbait, but i think you videos are still very imparcial and informative.

Thank you. will you do a review on TeleGuard by SwissCows?

No surprise for me, for privacy I have my own ejabberd server and also a matrix server. Both work like a charm if you know how to proper configure them. Cheers!

One thing that I feel like people never mention is the extensive list of terms and conditions for iOS & Android, considering that’s where proton and signal appear to be used the most. Although signal and proton themselves may never store any information, how are we suppose to feel secure in the fact that the operating system we’re running these apps off of aren’t spying on us equally as bad as people would fear one of these messaging apps would? I’m curious for your take on that

So I have a question: Is there any reason to keep recovery email on if you know you won't lose the password? As in, are there other cases where you could get locked out of your account unless you use a recovery email?

Does this fact that they give over the data they have also apply for their VPN service? Proton VPN has the encryption keys would they had that over too? i have always praised Proton VPN for being the best free VPN

Can you register without an email or mobile number over tor? if the answer is no they dont care about your privacy.

Best security related advice on TH-cam, period. Nothing is black and white, you should build threat models based on what your concerns are and be aware of what you are sharing and who potentially can see it. All this commotion about "proton bad" "telegram bad" "mullvad bad" only has meaning if you understand the weaknesses of each tool and how they apply to your situation. Thank you and have a sub

WOW you really hit the nail on this. Things I overlooked myself, especially with legal stuff. Hey, great video sir!

Great video! Subscribed to your channel.

very well explained.

Shoot. So what services to use ? What VPN service use for anonimity and no logs policy ?? Because I am protons user for a while...

Do you have personal reco? If signal is not safe anymore.

Hi there there first thank you for the amazing content I learn a lot by watching your content
I would add that you have to understand the core of the technology you are using.
You have to know exactly what happens when you send an email. You have to know how does encryption work. And it’s always evolving so you have to update your knowledge as well. Only there it make sense to choose proton or signal or whatever so it would have been cherry on the cake if you link in the description videos where you talk about the technical aspect of it.
I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realises it ?

How many people review the open source code, and then compile it themselves? If not, how do you know the installed code matches the open source version?

@AllThingsSecured Hi there! Have you utilised or noticed Spark, myMail, and Airmail? Are they safe in terms of privacy and what are the best ways to use them?

I understand very lil lol but was questioning proton.

Enjoyed your take on this matter.

There are 2 majors problem, the error 18 aka between keyboard and chair, and the platform used to access websites or run applications. And in case of anything related to messaging, the same problems on the other counterparts of these exchanges.
Put differently one might be the problem, no end-to-end encryption tools.

Hey Josh, I can't afford a security key, however i have a usb flash drive.
Is there's any way I can turn my usb flash drive into a security key? If you can then please make a video on that.

Why and How should always be asked. It's just part of critical thinking. Thanks Josh for being a critical thinker!

Good information!

Thank you for sharing and breaking this down for the average users so many misconceptions and myths floating around out there.

Hi I keep getting this message in my Google authenticator "Syncing will continue when your device is online and you refresh your Authenticator codes"
I just can't figure out what is the issue. It would be great if you make a video addressing this issue.

And this will always be the case with centralised systems. If there is somebody to call, they can pressure/bully them into giving up the information.

Great video. People now days react with the first thing they hear without looking at all aspects. Is mind boggling how the truth can be misconstructed these days.

Great video and you bring up a lot of good points. FWIW, Tucker Carlson said the US gov found out about his trip to Russia via Signal...

Pavel criticising Signal is pretty ironic when he's turning his own platform into a Facebook-like nightmare

thanks for clarifying that, good point.

Well explained. The biggest security vulnerability of all time is the user.

In the video, you brought up the point about being careful of what recovery email you specify. If the recovery email is from iCloud or Microsoft or Google, then I understand the point that the authorities will have to hand any email id to the authorities. What if it was another Proton email account itself?

About encryption, there are sometimes backdoors built-in, so even if the software itself open-source the choice of some parameters that are supposed to be random on the site where the software is running can heavily jeopardize the encryption strength. So in here we have to trust that Signal and Proton have not allowed external agents to push them to leave some holes that we may not even know about (Crypto AG being the most iconic example, Tetra is another one).

2 Things:
1. The people who had their "Private Signal Messages" compromised probably had it all on their phone and either the phone was compromised and swiped or the authorities gained physical access to the phone when they arrested the person in question, none of which are signals fault - good OPSEC here would be to not leave signal logged in on your phone.
2. FUD is interesting, I treat FUD as a means and reason to look deeper into claims - false or not, and learn more about the issues they have. FUD has such negative connotations, but really is a great means of criticism and a good reason to improve something - yours or not. Ignoring FUD just proves that a person is both Arrogant and Ignorant.

I think there's a difference between privacy and anonymity....you can use this services for privacy and not for anonymity

Searching for privacy while using third-party networks, devices, or operating systems is essentially wishful thinking.
Consider three neighbors living side by side. The first and third neighbors want to have a conversation in their backyards. As they start talking from their respective gardens, the second neighbor, situated in the middle, can always hear their conversation. This analogy illustrates the basic principle: you can build a temporary communication channel (like a pipe) for the neighbors to talk privately, but this pipe must be entirely your own construction, not provided by services like NordVPN or OpenVPN.
Once people grasp this concept, the issue becomes clearer. As long as you rely on third-party systems, true privacy is unattainable, which is the case for 99% of users. Genuine privacy is nearly impossible in these scenarios.
If you truly desire privacy, consider having face-to-face conversations, perhaps during a walk in nature or while swimming.

@AllThingsSecured What are your thoughts on Next DNS? I been using it for a while and it served me well so far AUD$3/mth worth it.

Looks like some people here in the comments think privacy and anonymity are same banana.
Unfortunately Josh even with the great clarification you gave there are people that are stubborn with their beliefs where no one can change them

great take

There are 2 fundamental points on Proton: (1) Even if you use a VPN or TOR whenever you access Proton's website to configure or read emails ... as soon as you run one of their apps, e.g. ProtonVPN or Proton Drive as local app on your machine ... Proton will automatically get your IP address (unless you additionally use TOR or onion service) Isn't it? (2) Most people think, that Proton or Signal have no possibility to get your private key, which is used for their end-to-end encryption, but it could be easily sent encrypted... and whether this actually is done or not... fully relies on how well their Open Source code is audited in this regard, isn't it?

Nice analogy there❤❤

The primary message you should be taking away from this is if have something private to say, do it face to face, in an appropriate place.

You could do a one way encryption or hash on a recovery e-mail address and then only 'check' when supplied rather than have the recovery e-mail in plain text. Could be enumerated obviously so a bit more complex but can be fixed if someone wanted to.

what do you think about telegram?

The same people complaining about companies legally being required to hand over data they have are here in a TH-cam channels comment section… a Google app.

Stories like these just let me know what I should avoid, and help me keep in the loop. It also lets me know the lengths authorities have to go if they need your recovery address and and a 3rd party to help them get your data. If anything that's ensuring, and just lets me know that recovery email is flawed to begin with, just like email is flawed and I should use E2EE messaging apps instead of email for sensitive data.

so how do you prove the open source code is the code that is actually being implemented

It's absolutely silly that people have this notion that private email services will provide you with total anonymity. In my opinion people fear monger when these companies get subpoenaed for information as if Google would not hand over every bit of data they have when asked. If your goal is complete and total anonymity then a subscription based email service clearly isn't going to be a part of your threat model. Or they fundamentally misunderstand what exactly a service like this is supposed to do for you.
It's like some of these content creators forget who exactly these products are marketed toward and that's average everyday users who are simply looking for a slightly better alternative to the all seeing eye that is Google and it's web of tech. When you look at these services through that lens Protonmail is fantastic. I appreciate your level headed take about this. Too many fear mongers

Zero metadata messaging, is it possible? I sat down and thought about exactly what is gathered in messages and how to remove it from the equation.
I believe it is possible but it's a little complex and involves individual and different 'mx' servers for each 'contact pairing' - messages are sent to hashes of unique id pubkeys only known to the users in the contact pairing.
You would need to independently conduct a key exchange with a contact through some kind of centralized server and assign an external messageing exchange server to each contact - at these individual 'mx' servers only hahses of pubkeys that are not quite so public would be used. I did not develop the idea any further, just a thought experiment. Storing initial id and encryption keys on a blockchain type system would allow initial id keys to be distributed through registered 'services' which could be on Tor for example.
It's a rabbit hole for sure

Seems like pidgeons will be the secure protocol of the future.

What protects the phone from hackers Norton?

Well done! Thank you!

Proton; yup. - Heard about that.
*But Signal?* -
When did I miss that? O.o

Open source won't help for the masses in this case as you can't check if the app from the store is running that code or a slightly modified version. Unless you compile it yourself of course.

Thanx for the Video, I'm fine with Proton but after what happened with Tucker Carlson i just can't trust Signal anymore...🤷‍♂

Thanks Josh!

Yeah, still gonna use Proton. Love what they do. True heros.

Never create text of any compromising information. Share that info in person without your phones around for maximum privacy.

Do you have GAPPS or anything FB on your phone with Signal? Then no app is secure.

A frustratingly number of times people miss the fact that someone ... nefarious, shall we say, may not *need* to have the encryption key if the endpoint is compromised.

Being open source doesn’t mean anything without a guarantee that the code submitted by signal or protonmail to the Apple App Store or Google Play Store is the same exact code that they show the sources code for.

In this case. If the user always used a VPN when signing into Proton and created an account with no identifying "records", as recovery email and name etc. The Proton email account name would exist but if you call it "Gibberish@ proton.. Then nothing would come of it. The IP would just lead to some VPN server. The data is encrypted and Proton say they cannot decrypt it. So it would be Gibberish. This coupled with Proton only as to abide by Swiss government that has good privacy laws. Then there is not much to worry about.

I suggest that the next episode be about the best artificial intelligence services (such as GPT chat and...) that respect user privacy (alternatives to Google Bard)

If you know you are going into nefarious activities, you must already understand your communications pathways are already compromised to various degrees thus you have to practice opsec, comsec and offline encryption one time pads. Nature of the old school operative game, tradecraft.

The biggest problem with Signal is that you need a real phone number to register. A phone number is registered to a person.
Use Session. This gets around this problem.

The reality is this: If you are online, there is no way to be completely secure from online threats.
Proton and Signal give you better tools to safeguard your privacy than others, by a significant margin. They are still however online.
It took a multi-national government order with proof of terrorism to just get the recovery email address. If that isn't secure, then what is?
Well created video, thanks for sharing.

Simple. Just make your proton account through the tor network on an unrelated device than your main at a local crowded hot spot.

The problem with proton is that they are based in the USA, which means there are cases we have not or will not hear about, through the use of gag orders. Once upon a time people that owned companies had integrity, but the last company that decided to shit its company down that to betray them over a gag order was 20 years. The other problem is that proton mail, just like whats app can retrieve your messages if they are ordered bu a court to so. How? Because they have a copy of your private key. The only way to be 100 percent sure nobody can read your email is to create your public/private key , encrypt the message yourself, and never give anyone your private key. A beginner could do this all in about 10 minutes.And yes there is a lot of evidence that proton is a honeypot.

i use those not because i need to be absolutely anonymous from the gov, but because i dont want to deal and be spied on by the big tech
also privacy and security isnt supposed to shield you for doing illegal stuff

I AGREE COMPLETELY

yea, none this effects the platforms for me. all I care about is my messages being read by companies workers/ad targeting, my IP is public, and ect. all this hysteria over nothing.

It amazes me how many ‘experts’ jump on the lack of metadata encryption when using Proton Mail….email simply doesn’t exist without it.
If privacy is that important to you, why are you using a method of communication that is - by design - not private?

It amuses me how people seem to be worried that Proton provided an email address in response to a court order and yet didn't seem to care about the subsequent apprehension of a terrorist 🤔 I also saw a TH-camr recently bemoaning the fact that Proton do NOT mine and analyse your emails so that they can serve targetted ads 🤦🏻‍♂ Thank you Josh for being a voice of reason in an increasingly crazy world!

law is law and they must comply
full privacy is impossible, i recommend you if you want to send private messages, to encrypt it with the public pgp key of the receiver

Proton isn't quite transparent in more than one thing. I hoped to get 1GB data on the free plan just by signing up. That I had to fulfil 4 more conditions within 15 days, that wasn't obvious on the sign up website and anywhere. Without that I only have half of it.