For the purposes of the average person the tech guy in your op is absolutely 100% correct.
All the platforms listed use transport encryption and that’s enough to avoid mitm surveillance which is enough for most people.
Most people’s “threat model” is the police or a pi. All the apps listed including signal have to comply with orders from American police and have “sidechain attacks” that involve stuff like getting some member of the groupchat’s device and scrolling up or tricking someone into giving up sensitive information.
Privacy from whom?
I ask because the easiest way to do what you’re asking is to have your local record store sell you shit and pay in cash (that you’ve laundered so the serial numbers don’t match the atm). You can even be like “I’m trying to get away from computers man, can you order me this off eBay?” And guaranteed if you spent a hundred bucks or so on used releases they’ll say “absolutely!”
Of course, you’ll stick out like a sore thumb and have a lie to keep up with, so you’ll not have any real measure of anonymity.
There’s a lot of arguments for one solution or the other based on security or privacy, but let me present a different scenario:
Imagine you’re in a natural disaster. Your home based self hosted server is down because of a general rolling network outage or just irrecoverably destroyed. Your offsite on the other side of the county is in a similar state. Can your cloud hosted backup be accessed at generic, public computer in a shelter or public building?
Bitwarden can. It has specific instructions for doing so as safely as possible.
If the op has their information in emails and doesn’t want to move it somewhere else then pgp is a good way to at least secure those emails a little.
I don’t think it’s a panacea, but as methods of encrypting email go it’s widely supported enough that a person whose private information is stored in email will be able to figure something out.
Yeah people affected by this would have to turn on adp (iCloud recovery key) and be vigilant about how precisely Apple chooses to remove that feature assuming the uk government doesn’t back down.
Worst case scenario you’d need to be doing local backups and have iCloud turned off.
Metadata is a bigger worry at that point though.
SMTP is only encrypted if the second server responds correctly to the first servers starttls.
The striptls type of attack, which prevents the servers from getting a valid starttls exchange, was in use over a decade ago by some telcom against its own customers.
Even if you know the person you’re emailing has a correctly configured client you can’t control a man in the middle attack between servers which has been in widespread use for years.
Here’s hoping Apple sticks to their guns and pulls adp instead of caving.
In case you didn’t see it a few weeks ago, 3.3 million servers are doing unencrypted transport.
The way email delivery is handled also means you’re not safe just because you aren’t talking to those servers.
Set an iCloud recovery passcode. It removes the ability to recover your iCloud account by verifying that you’re the owner but it also removes the ability of Apple to be compelled to access it.
Op: read about pgp/gpg. Do it now. When you don’t understand something ask questions about it instead of giving up.
Email was never intended to be private. It was never designed with privacy in mind and your use of a client employing an encrypted connection to your mail server does not solve the problem because tens of thousands of mail servers use unencrypted connections.
No one needs your iCloud to read your email, they can just look at the plaintext mail coming to and from the server.
Go get involved and you’ll see pretty quick how people generally handle organizing. They’ll be some kind of low stakes event like a reading or art gallery or concert or something and people will say “come out to this protest tomorrow”.
If there’s a signal or something it’s not usually a necessary link.
All that is to say: don’t use computers to organize. If you want to use social media to raise awareness of an event that’s a different thing altogether.
It’s not p2p but at least many years ago:
SMS.
If the Internet outage is local then the towers would still work and you’d be able to get texts. I went through a few storms where wired home internet was down, the towers weren’t giving me a data connection (no mobile web browsing or anything), but I was able to send and receive texts.
If you really care about what you’re asking after, do what someone else said and get a radio license. It’s 150 year old technology and every time something happens radio operators pop up some kind of emergency communications or bridge to the internet through repeaters or something.
It’s just as well, rcs in America only has guarantees of features if you’re on the same servers as the other people, so there’s a big split between the Samsung and google rcses with all kinds of weird mixed media stuff if you’re both on gchat or the Samsung fork and nothing but maybe higher resolution pictures if you’re not.
It’s part of why I’m so willing to recommend imessage because for better or worse in America it’s the defacto standard.
Yeah per text charges are really uncommon in the anglosphere, although the pay as you go carriers and plans have data limits.
If you’re on contract or renewing contract with an American carrier they’ll usually take literally any phone you have in trade for their lowest cost ios or android device, your choice. I took them up on it several years ago because the gimmie device was the only physically small iphone at the time. Sometimes it adds a couple of bucks to your monthly bill if you pick one with a little more storage or whatever but that amounts to them selling you the phone for fifty bucks or so over two years.
Hell, usually if you’re signing up for a new account they’ll offer some android and ios phones for free to get you on contract.
Half of each person is getting them to use encrypted chat with you one on one and half is getting the group chats to use it. If you can knock out half the battle most of the time then you should do it.
In my experience ios and android users are equally open/resistant to using some new thing.
I recognize that for a particular type of threat model or ideology all proprietary software amounts to the same level of vulnerability. The op only asked about encrypted chat. The implication that I picked up on and responded to was that the op is in America or concerned about American cell network compromises and wanted to address that.
That’s a real simple threat to get past, just go to whatever is encrypted that the most people use.
Most people use imessage, so that’s what I suggested.
It seems like I’m not being clear. The goal is to get 100% on to encrypted chat.
Right now in America, about sixty percent of the phones are running ios. ios has imessage by default. The application which those people use to do imessage is called messages (very unconfusing!) and also does texts. When you’re using imessage in messages the text bubbles are blue, rcs and sms are green. Imessage is an encrypted chat.
If a person running android wants to use imessage they need to bridge it to their phone from a mac (messages and imessage are available on mac) using the bluebubbles application.
So three out of five of the people you know are already using encrypted chat. If you, the op, can get on their level then you only have to convince the other two to use some other chat thing that they can do. Maybe signal or something.
So the cost of running a mac computer as a bridge so you can use imessage through the bluebubbles android app is for you, the op, to get on the encrypted chat application those three out of five people are already on. You’d still need to use xmpp or something for everyone else but now you only need to worry about two out of five people.
I’m pretty poor and a hundred bucks isn’t a terrible price to pay for being sixty percent there. If I could have done that with pgp back in the day (when a hundred bucks was worth something!) I would have jumped at the chance.
Just avoiding having to explain to people that email was transmitted in plaintext and what that meant and not either have to talk them down from taking a pickaxe to their computer or convince them that it doesn’t matter that they have nothing to hide would have been worth it back then.
It’s also a completely hypothetical cost that assumes you don’t just stumble into an old mac and won’t trade your phone in for one running ios to save that cash.
As I said, use signal for everything else.
If immediately getting sixty percent of your chats encrypted isn’t worth a hundred bucks to you I don’t know what to say. We’re looking at this from fundamentally different perspectives. I’m trying to meet a goal to solve a problem and you’re trying to find the fair solution.
It’s good to try to find the fair solution.
If you’re in america almost sixty percent of phones are ios.
If you’re choosing an encrypted chat and sixty percent of people are already using it then that’s the one you choose. The hardest thing is compliance and you’re almost two thirds of the way there if you just pay a hundred bucks (or scrounge up an old mac) and run the bridge app. Then you use signal for everything else.
I think we’re looking at this from fundamentally different perspectives. I’m not worried about a universal solution because I know I’m not getting to 100% compliance with any solution so I suggested the one that immediately fixes the majority of the problem. Having had to convince people to exchange pgp keys twenty five years ago, I’d pay a hundred bucks to not have to deal with that for two thirds of the people I know.
Think about it this way: if you were starting from scratch would you rather have to convince all your contacts to move their chats with you to signal or matrix or whatever or would you rather have to convince four out of ten to do that?
Obviously you’d pick the easier thing because no matter how committed you may be to not using proprietary software or big corporate apps or fragmented ecosystems you actually have to accomplish the goal of chatting with people using encryption and all the process compliance and wheedling and convincing and tech support for family members is time you could be spending talking about gardening, sharing baby pictures, plotting to overthrow the government or whatever you would normally be doing.
The barrier to entry was intended to refer to others since it’s already installed on over half their phones to start with and most people are gonna be using a messaging program on their phone.
When there’s above a 50% chance the person you’re talking to is already using a particular encrypted messaging program that’s the lowest barrier to entry.
The barrier to entry always refers to other people because the hardest part of establishing private communications has always been convincing other people to actually do it.
If you really wanted to get on imessage for the least amount of cash out of pocket possible, the bluebubble bridge application random letters person mentioned is ~$100 for an old mac, and tbh that’s a high estimate in my experience. People are just giving those things away nowadays.
People will dislike this:
The most basic one with little barrier to entry is imessage. Theres a good chance your friends and family already have it and with a few setting changes (no sms fallback, set icloud recovery key, probably some stuff I forgot) you’re damn near at parity with signal.
All without dad having to download a new app onto his phone and make a new identity!
Of course you’ll need signal or something for people who don’t use it.
I use that combination and it’s excellent. If you can be on imessage with someone you’re good and everything works, if not you do signal.
There will be people you gotta use sms with. They just won’t be able or willing to do something new. Sometimes there’s an equipment problem, their super old provider version of android can’t get an app you both agree on. Sometimes they’re using a Nokia.
Interacting with sms often may help keep you on your toes about it. I know I’m more careful over text now.
That combination, imessage and signal, also has a benefit of reducing the chances that you’ll broadcast an awareness of and desire for privacy and security to the whole world all the time.
In the us, there’s a 50% chance you just look like a normal person and that’s nothing to sneeze at.
Make sure it meets your needs of course
As of the time I’m writing this comment literally none of the suggestions made actually matter for the ambiguous goal of “general security and privacy” more than building in a neighborhood or community that meets the occupants desires.
Pick a place with people you want to be around who you trust to look out for you.
If you’re mechanically inclined and can work with small parts, the old Sony branded walkmans are generally good quality and have a decent supply of replacement parts. Some of the new portables have awful wow and flutter that will make it seem like that two step is a polyrhythm!
I listen on my phone in the world, cd and tape when I’m driving and on whatever at home. Today it was goat and escape-ism.