Proxies and VPNs seem like the most obvious targets. They mostly prey on people who don't understand the technical workings thereof (had my mom ask if she needed to get a VPN bc firefox opened on ad for theirs, claiming it enhanced privacy), and serve little benefit to people who are doing the kind of illegal activities that make governments take notice. They serve as a single point of compromise for anyone, and they work worldwide so that all your traffic can be monitored even when you're on a different ISP/in a different country. It's like the perfect MITM, and people are even willing to pay to have themselves monitored.

The truth is that at best they benefit people who only don't want their network-provider watching, but don't care who else may be. It's the perfect setup for a 3-letter agency to just sit and monitor everything anyone does, waiting for someone who's just a little too careless to access illegal content thinking they're anonymous.

All of the "delete my information from data brokers" services IMO, especially the ones that advertise on YouTube. Always smelled fishy to me.

Either that or they're just more data brokers trying to get exclusivity.

Of course, nobody is going to have evidence here, if there was any the cover would be lifted. But one can guess chances here:

Proton: "Unlikely"... but there is a but. They never cater for the ultimate privacy and they make typical blunders of a company wanted to growth really fast. Now, that they want to be a behemoth in Privacy makes it more vulnerable to requests from law enforcement. Also, law enforcement and intelligence agencies have it easier to penetrate within Proton massive headcount growth.

Tuta: "Very Unlikely". The people behind started very young and had a sustainable growth. The people are very visible (unlike Crypto AG) so least likely to be working for an "agency".

Mullvad: "Very Unlikely". I think their story is similar to Tuta (haven´t followed it that much though).

GrapheneOS: "Very Unlikely". But in the last year I have raised some minor concerns, but I haven change my rating yet....

/e/: "Very Unlikely". I know the dude behind for 2 decades, he wouldn´t. However, /e/ never claimed full privacy and from the beginning says he would comply 100% with "lawful" requests, but it is not a honeypot, not that would make much difference to an intelligence agency if they wanted it.

Signal: "Potentially"... yes, yes... audited, solid privacy code... but still does not make sense to me many aspects; financially solvent from day one, the extreme unquestioned massive and vast support from launching till today... if i have to bet in all of these providers, this platform would have been my take as potential compromised one. I still use it to communicate with family since I trust better than WhatsApp, but I would not use it for critical journalistic info.

Unpopular takes incoming.

Signal.

Way too many red flags.

• Why ask for mandatory phone numbers? You could at least make it opt in.
• Why we can't inspect the latest server code?
• Why not make it easy for people to run their own servers?

Do you truly believe that a company that wants to preserve your privacy would take this direction?

And i don't care how secure the protocol is, how well the code is audited. They can still map your social graph.

Anyways, because of my threat model, i still use Signal. But if i were an activist i wouldnt touch it.

More unpopular takes:

Tor and Mullvad probably compromised too. If a service gets too mainstream, I dont believe for a second that they would let it run without care. They would take it down, or control it.

Now, these services are still usefull. For example mt threat model is to deny my shit to the big tech. So they are useful if you want to escape data collection for adversiment purposes.

I don't think they would burn the reputation of these services for low hanging fruit like selling data for ads.

If you're online then you're cooked.

The Crypto AG story shows that the location of a company doesn't matter that much. The US simply made legal what they were already doing behind the scenes. Intelligence services have always been and still are above the law.

This thread basically illustrates the challenges for a beginner, such as myself.

I've been locked into the Google ecosystem for nearly two decades and am now trying to free myself.

I'd like to migrate to a hybrid solution that involves self-hosted NextCloud synchronized with a cloud provider that I can trust more than Google.

However:

Proton apparently makes false, or at least misleading, marketing claims and doesn't fight a vast majority of its inbound government requests.

Tuta has been publicly accused by a member of the intelligence community of being a honeypot.

The rest of the email providers seem to implement even fewer protections, relative to these two.

So, what's a guy to do?

Now, to be clear, I'm not saying that either of these companies are bad or that I believe that they're actually honeypots. I'm just trying to illustrate the challenges faced by newcomers (and probably all of us).

While I'd prefer to absolutely maximize privacy and security on all fronts, given that my first goal is de-googling, I will probably start with Proton and NextCloud and re-evaluate from there, but I'm open to suggestions.

Thank you all -- I really appreciate this community.

The Proton CEO did make suspicious US political statements despite being Swiss. That combined with their misleading marketing on social media.

Most likely all free vpns

Any VPN that isn't actively being sued by world gov/agencies to try and get their data is suspicious.

Alternatively any VPN company with the ability to store data is untrustworthy.

Also every cryptocurrency that exsts.

Not a privacy app, but you should definitely not think anything said on discord is private in any sense whatsoever

Maybe not a honeypot, but definitely too large for my taste by now: Proton. With Mail, VPN, password manager, file storage, AI and whatnot, it's one ginormous basket to put all of your eggs into, hopping it'll hold.

Often ignored, online games. Non of the VPN which logs the history, TOR also isn't the panacea (network made by US secret service). Mandatory monitoring the traffic with Portmaster, PiHole or similar. FOSS from GitHub with a grain of salt. Good to have analytic tools in the bookmarks, eg Blacklight, Webbkoll, Exodus Privacy, Browserleaks, etc., preferable to use european alternatives. Using decentralized or /and selfhosted services. Common sense and always read TOS and PP before using the app or service.

Be careful of accepting some of the criticism of Signal in this thread. For most of us, we have to make choices about secure comms from subject matter experts. Almost all the criticism I see of Signal comes from anonymous or otherwise random users online. If you believe in such a thing as expertise, please seek it out when evaluating something like this.

Tor comes to mind.

Technologically it's private, but if you're America and have the resources to create and control sufficiently many nodes you can undermine the protections.

I know your example is the opposite, but any service that is run and hosted in the US.

It's one of the major issues with Signal.

Probably various VPNs on the market

Signal I think. I don't mean that the end2end algorithm or messaging itself are itself unsafe, the algo has been shown to be secure. This is what people usually rebuke this with, with the reminder of Signal's OSS nature.

The issue the servers and the social networking data that can be harvested. The server code only partially exists in public and we just have to trust that that is actually what is running on whatever AWS server without tampering and self hosting is nearly impossible in practice if technically possible and nobody does it. The social network data (who talks to who) is more valuable than the actual messages logs, which give a massive, but mainly useless datasets. Until LLMs, like 10-15 years ago they were basically impossible to parse for any useful info without using large quantities of eye pairs. Basically if you are an organizer, criminal, government, part of a hunted opposition, you will leak the whole core group structure of your org with attached phone numbers. Whoever with that data can then target their devices and persons with other means. Plus it's literally built on top of CIA money. I think signal is totally safe and adequate for friends and family type of use, but not much else, but then all in all so is whatsapp, mostly since signal and Whattsapp share the same end to end algorithm.