Why I don't trust so called "privacy" services

Privacy is a fad of the last decade. I call it a fad — somewhat condescending term considering that privacy concerns are more than real. Actually, you might say that privacy concerns start from the very moment your ISP leased you an IP. Once you're connected to the Internet, it's a constant uphill battle for your privacy.

Accordingly, now every web service in existence brags how private it is. Reality, of course, is merciless.

Facebook faces $101 million fine for storing passwords in plaintext. In 2023 hackers stole Microsoft Azure Active Directory certificate which basically gave them access to all Microsoft cloud services: Outlook, Office, SharePoint, Teams, etc. etc. You can say that the whole Microsoft has been compromised. They don't even disclose the details — this might tell you how bad things are.

Trusting Microsoft, Facebook, Google and any other «well-meaning» corporation with all your data is, of course, not for the faint of heart. But there are privacy-conscious services, you might say. For example, Protonmail (and all its different services: Calendar, Drive, VPN, even AI chatbot), Tutanota, Signal, Telegram (really?) and so on. They are protected by the pinky promise and local laws.

That's basically what we got in terms of guarantees of privacy: pinky promises and local laws (of Switzerland, Germany and some other European countries).

Pinky promises

What's the difference between promises of corposhell of a human being from Microsoft and CERN physicists that build Proton services? I think there is none. You can't peruse the code, you can't be sure that servers run EXACTLY THAT code, and more importantly, you can't do anything against bugs and vulnerabilities.

Qubes OS has a very good principle: «distrust infrastructure». When you apply it everywhere, life gets easier. You don't have to trust anyone, you know every system you do not control is compromised by default. My own desktop is my fortress, it well might be compromised too, but I trust it somewhat more than anything else. If I encrypt data on my own desktop with my own key, I deem them somewhat protected. Everything that went to the Internet I consider compromised and untrustworthy.

It means I can use any service I want, I just have to know which data I want to share with the whole world. I don't need your privacy measures, I have no way to ascertain they are real. Hasn't Facebook undergone strict security audits that found nothing wrong?

Local laws

Local laws that protect user data is a great thing. The problem with laws is that they aren't Twelve Tables of Rome, they aren't set in stone. They may change any time. And they actually change.

Proton was protected by strict laws of Switzerland but now it moves its services from Switzerland, and their chatbot Lumo is the first to move. They move to Germany for now.

But when ChatControl proposal will pass (not if, but when) — well, they'll have to move somewhere else or it's a Game Over situation. Check their canary often — but I think they don't have one, only Transparency Report.

Privacy services are targets

Services that brag about their privacy (real or fake, it doesn't matter) quickly become targets for governments that aren't interested in losing control over people's lives, so they quickly become banned or restricted.

We have many examples like that: VPN technology that was misused to death so that most VPN services are now banned in many countries (and turned into huge data mining machines), «private» email services like Protonmail (6378 legal orders in 2023, 11023 in 2024), Telegram that was first banned in Russia, then unbanned, and now it's on a verge of ban in the West (you gotta keep up with who's the enemy of which state, but Oceania had always been at war with Eurasia).

What should be the conclusion of this quite chaotic line of thought? I think we should look at the things simpler.

Let's not upload to the Internet things we wouldn't show to any random stranger.

Let's create, not encrypt.

And let us take care of our garden.