Communications
One of the most important digital sections for you to secure is your communications. This covers everything from email, to messaging, and to calls. In order to fix these issues, you have to vet everything you use and cut out anything (within reason for your use case) that violates your privacy. Generally speaking, the amount of time a service has been around and the amount of verifiable user feedback is a good way to gauge whether or not a service or app is good for use.
Let's start with a case study on the topic first by covering EncroChat. This was a European based network that offered phones with a customized OS based on Android. It was meant for people with a higher level of risk such as celebrities, but was also used by criminals. Police from multiple EU countries were able to infiltrate the service and figure out who many of the criminals were who used the service, which lead to several thousand arrests. The people who started it are still unknown after almost 10 years.
The above example is the one reason why I said the time a project has been around and the userbase it has are important to determining whether it is a good idea to use. Phones for example are hard to properly make due to the numerous security and privacy issues that have to be addressed. If you saw a new player in the field offering an amazing option for privacy, but you couldn't find out who they were and the OS wasn't open source, it would be a hazard to trust it. To put it another way, CalyxOS and GrapheneOS are two of the best mobile OS options for privacy and security and both have large communities that are actively involved in development. They also provide no hardware whatsoever, and recommend buying from a known player already; the Pixel devices being what works for both OS's.
If you're new to the topic of privacy and security and are wondering why any of this is necessary - some people have a mindset of these topics that if a person isn't doing anything wrong, they shouldn't have anything to hide and they successfully brainwash a percentage of others into the same beliefs. Let's use this classic example - a person with that mindset should show all their texts, emails, and other private moments to someone upon request. When that example is given, it's clear how ridiculous the concept is to not want privacy. This is a fundamental human right that nosy people (usually from governments and corporations) think they have the ability to take away.
Generally speaking, there's a handful of requirements that need to be met to have secure communications. The basics of security apply - if you have malware on your device for example, then everything on there is automatically compromised, even if the app itself is secure. Understand what metadata is and what apps will collect, either for farming data or for the service to function at all (e.g. Signal stores when messages were sent, Big Tech email providers know everything from the "to" and "from" and contents of the email itself, and so on). All comms apps should have E2EE. You'll also need to plan your threat model to determine what apps to use and how to communicate with people you know. Also, apps and the OS need to have security updates applied to fix zero day vulnerabilities (research the WebP vulnerability as an example of a high threat zero day).
Email¶
It's important to know what email is and isn't good for from a privacy perspective. As with all forms of communicating, it's not a good idea to share anything with a person you can't trust due to the risk of leaks. Email isn't the greatest choice due to the level of data collection that's possible with many providers. Here's some examples of issues with email - metadata is a great way to collect info, even if the email itself is encrypted (e.g. to and from email addresses, what time the email was sent, the subject line, and so on). If you send an email from a privacy provider such as Proton to an Outlook inbox, the benefits of privacy are almost completely stripped, since a Big Tech provider can see the message contents. This isn't to say you shouldn't use email - rather that you need to know the pitfalls of it.
Your strategy for using email will be determined by your threat model. For example, a small business owner might have 10 software subscriptions and get emails from all of them to an inbox. In a case like that, having a business email account through a provider such as Microsoft or Google would be fine, because many platforms have KYC (know your customer) laws and trying to obfuscate that info with a private email would be pointless. You could then use a Proton account for any online activity you don't want tracked and use an alias you haven't used with any other service as the address, which is enhanced further on a paid plan, since you can use alias emails that funnel to your mail email address. There's no one size fits all approach, and for you to determine what'll work best will require some planning on your part.
When choosing a provider, I recommend one who's been in the game for a while and has been shown to not violate the standards of what's expected from a privacy service. An example of an issue that came up was from the email provider, Skiff, who sold to Notion. They had a userbase who trusted them to provide private email and the sale was seen as a violation of that. I try to give the benefit of the doubt to new players entering the market, but due to the sensitivity of privacy and security, it requires a great deal of caution. If I were to consider a new provider in the privacy niche, I'd want one that wasn't taking VC backing (since the VCs are the bosses of the company, not the owner), the owners publicly known, and no shady connections to other companies. There could be some great products from companies who don't match that, but it becomes a bigger risk. If a business takes VC money, they could be forced to sell their company eventually to someone who doesn't respect privacy and security, among other issues.
There's some great options for those looking for privacy focused email providers. My top recommendations are Proton and Tutanota.
Proton: They've been in the game for years and have an excellent stack of services they offer (email, VPN, cloud storage, etc). They offer portions of their service for free as a tasting of the paid offers. Their email for example comes with all the privacy benefits of a paid plan, but paying will get you access to aliases, custom domains, and more storage.
If you've never used a private email service before, you have the option of setting up a recovery email address. If you don't use that option and you forget your password, you permanently lose access to your email. Keep in mind that if a recovery email address is set to a Big Tech email, they'll associate your real identity to your private email. For a real life example of this happening, refer to the FBI's investigation into threats made against an election official, Claire Woodall-Vogg. If you read through the entire search warrant sent to Proton, you'll see how it's easy for a nation state actor to tie your real identity to aliases. Proton does not allow illegal activity on their platform and anyone who tries to do anything like this will get themselves caught.
One critique I've seen from a handful of people is that Proton can't be trusted for a number of reasons - one being that they collect some metadata (which is required for services to operate properly) to instances like the FBI investigation (this had nothing to do with Proton doing anything wrong). I've never seen legitimate criticism of Proton in a way that suggests they can't be trusted, and unless anything happens to suggest that, I'll continue recommending their services.
Tutanota: This is another longstanding player in the private email field. Similar to Proton, you can use email for free, or upgrade for more storage and alias abilities. As of the time of me writing this, there's a big difference between Tutanota and Proton, which is that Tutanota accepts Monero (although it's not direct, it still works with a couple extra steps through the Proxystore). If you have not yet done so, add the cryptocurrency section to your reading list to understand why I'm bullish on Monero as a privacy focused payment method. Proton GM, David Peterson, said he'll get Monero added to the Proton roadmap if the Change.org petition reaches 1k signatures, so it's likely it could happen by 2026.
For those wondering why this wasn't done already, it's due to the apprehension of some companies to embrace Monero. It's seen as a murky way to do business with people due to the private nature of it and because some criminals use it. I find the reason to be ridiculous but I'm not a corpo either. Many centralized exchanges don't even allow Monero to be traded on their platforms because of the scrutiny it gets. You can find more info about this in the crypto section.
Messaging/Calls¶
There's not many great options for apps that can do messaging and calls. Most of the big options are not good for privacy, such as Discord, where all activity is recorded and there's no E2EE option. What I said about emails also applies here, in that you need to use discretion in your messages being sent to other people. Just because something is encrypted doesn't mean the receiver of the message can't leak it to others.
Signal: This is the #1 go-to I recommend to people. It's E2EE by default, supports one-on-one, group chats, and voice/video calls. I'll address some criticisms then go to recommended changes to the settings. Some people have an issue with Signal requiring a phone number. Since it's intended as an SMS replacement, I don't have an issue with it personally. There are other apps to use if the phone number requirement is a problem. The second issue commonly mentioned is the associations Signal has to the government and the fact that agencies in the past have recommended Signal (e.g. in reference to the Salt Typhoon hack). This is a non issue, since they've proven themselves in court, which Signal has also publicly talked about. Third, user adoption. This is a legitimate criticism, but it comes down to people having a better understanding why they should use apps like this to begin with - it's not an issue with Signal themselves.
If you're going to use Signal, it needs some changes to the default settings to make it better:
Username: Set up a username and make sure it doesn't identify you by your real identity. Once this is done, go to the phone number section in the privacy menu and change it so that no one can see your number or find you by your number.
Typing: If you don't want people to know when you're active in a chat, turn off read receipts (this works both ways) and the typing indicator.
Disappearing messages: You can set messages to delete after a certain period of time once they've been read. You can select a preset or make your own timer.
Safety numbers: If you're going to use Signal, I strongly recommend reading all their technical documents to understand the mechanics of how the app works. Safety numbers are one of the most important features to understand. Each person you message will have their own safety number and you can verify the numbers for one another and mark them verified. If your contact ever reinstalls the app or if they change phones, Signal will let you know the safety number changed. One case where this can be helpful is if someone you knew had their phone number get taken over by a SIM swap; it could allow an attacker to install Signal on the new phone and impersonate the victim. If you see the safety number change, you should verify the contact before resuming communications.
Wire: If you're running a business and want to switch away from Zoom/Teams/other video apps, Wire is a solid choice. If you're a home user, Signal would suit video call functionality well, but this could work if you wanted something more robust for the video aspect. There's not much else to say about the app - if you've used Zoom, this is going to feel familiar.