Last updated: March 2026. Originally published February 2017. Skype references removed (shut down May 2025), LastPass replaced with Bitwarden, Signal desktop updated to standalone app.
Last week, a friend emailed me with a simple request for input: “Some friends of mine and I were talking about different options for encrypted emails and/or chat options. Social media is so public and easily accessed by anyone who knows how to hack, same with gmail or other email options. Since this is your area of expertise, I thought I would ask you for some recommendations.”
It was an interesting question. Now, I know where this friend was coming from, as I suspect you do. A lot of people are worried or even scared about current events. There’s a lot of misinformation, FUD, manipulation, and assumptions. Fortunately, I’m not going to talk about any of that! You’re welcome. Instead, I want to discuss steps that anyone can and should be taking to protect themselves from their worst-case scenario in this digital age.
Here is my response, edited slightly for posting:
Wait! Let’s back up a second. It’s important to point out that social media, Gmail, chat services, etc. are not actually “easily accessed”. To be more accurate: people are consistently the weakest link, and mistakes by users are usually what makes those services easy to access. In practice, this means an attacker usually doesn’t need to pull off some amazing technical wizardry to gain access to your info. Here are a couple of scenarios:
First approach: an attacker goes through a Forgot Password flow and tries to answer the security questions. Unfortunately, people tend to select easy questions like “What is your favorite flavor of ice cream?” — trivial to guess. Or they’ll use publicly available “private” information, like a pet’s name posted all over Instagram.
Solution: use specific nonsense answers. Mother’s maiden name? “Rick And Morty!” Favorite ice cream flavor? “Motor oil.” Model of first car? “General George Washington.” Treat security questions as a second password field — the answer doesn’t have to be true, it just has to be something only you know (and have stored somewhere safe).
Second approach: an attacker tries passwords leaked in a previous breach on another site. Lists of credentials from breaches like Adobe, LinkedIn, and others are readily available. If you use the same email and password everywhere, getting into your account is trivial. Wonder if your credentials have been stolen? Check at Have I Been Pwned — you can even sign up for alerts.
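The credential-stuffing risk described above can be checked for a specific password without sending that password anywhere. Have I Been Pwned's "Pwned Passwords" range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix for that prefix, so the match happens on your own machine. The following is an added example (not code from the original post or from HIBP) showing that k-anonymity lookup; the response body embedded in it is constructed so the script runs offline, and the `fetch` parameter is an assumption of this example, not part of the API.

```python
# Added example: checking a password against the HIBP Pwned Passwords range
# API using k-anonymity. Only the 5-char SHA-1 prefix leaves the machine; the
# 35-char suffix is compared locally against the returned list.
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the prefix that
    is sent to the API and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times this password appeared in breaches, or 0 if it is not listed."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch=None) -> int:
    """Breach count for a password. `fetch(prefix)` (hypothetical hook for
    this example) returns the response body; the default does a live HTTPS
    lookup, a caller can pass a cached or constructed body instead."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p):
            req = urllib.request.Request(
                HIBP_RANGE_URL + p, headers={"User-Agent": "hibp-k-anon-example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response for the prefix of "password123" so the example
# runs offline. A real response holds several hundred suffixes per prefix.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # unrelated suffix (constructed)
    f"{SAMPLE_SUFFIX}:123456",               # constructed hit for password123
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",  # unrelated suffix (constructed)
])

if __name__ == "__main__":
    offline = lambda _prefix: SAMPLE_RESPONSE
    print("password123 seen", pwned_count("password123", fetch=offline), "times")
    print("passphrase seen", pwned_count("correct horse battery staple", fetch=offline), "times")
```

Drop the `fetch` argument to query the live service; the request still carries only the five-character prefix, which is the whole point of the design.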
Solution: use a password manager. 1Password and Bitwarden are both solid choices — Bitwarden is open source and free, 1Password is polished and worth the subscription. They generate strong unique passwords for every site. If a password manager is truly not an option, use a passphrase — four random words beats one complex short password every time.
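Both solutions above (nonsense security answers and a random multi-word passphrase) come down to picking from a large pool with a proper random source. The script below is an added example, not code from the original post or from any password manager: it generates passphrases and nonsense answers with Python's `secrets` module and computes the entropy of each choice so the comparison with a short random password is explicit. The 32-word list is constructed for illustration; a real generator should draw from a large published list such as the EFF long wordlist (7776 words), and the entropy function takes the list size as input for that reason.

```python
# Added example: random passphrases and security-question answers with
# `secrets` (never `random`), plus entropy figures for comparison.
import math
import secrets
import string

# Constructed 32-word sample list (5 bits per word). Replace with a large
# published list (e.g. EFF long wordlist, 7776 words, ~12.9 bits per word).
SAMPLE_WORDS = [
    "motor", "oil", "garnet", "kayak", "lantern", "nimbus", "oyster", "pillow",
    "quartz", "rocket", "saddle", "tundra", "umbrella", "velvet", "walnut",
    "xenon", "yarrow", "zipper", "anchor", "basil", "cobalt", "dune", "ember",
    "falcon", "glacier", "harbor", "igloo", "juniper", "kestrel", "lichen",
    "marble", "nectar",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def passphrase(words: list[str], count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly at random from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def nonsense_answer(words: list[str], count: int = 2) -> str:
    """A random answer for a security question ('favorite ice cream?' ->
    'Quartz Falcon 4821'). Treat it as a second password and store it in
    the password manager next to the real one."""
    picked = [secrets.choice(words).capitalize() for _ in range(count)]
    return " ".join(picked) + " " + str(secrets.randbelow(10000)).zfill(4)


def random_password(length: int = 8) -> str:
    """Fully random printable-ASCII password, for comparison only."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def compare(word_count: int = 4, list_size: int = 7776, pw_len: int = 8) -> dict:
    """Entropy of a word passphrase versus a fully random character password."""
    return {
        "passphrase_bits": entropy_bits(list_size, word_count),
        "password_bits": entropy_bits(len(PRINTABLE), pw_len),
    }


if __name__ == "__main__":
    print("passphrase:      ", passphrase(SAMPLE_WORDS))
    print("security answer: ", nonsense_answer(SAMPLE_WORDS))
    print("random 8-char:   ", random_password())
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f}")
```

With the EFF list, four words give about 51.7 bits, roughly the same as a fully random 8-character password (about 52.4 bits) and far easier to memorise; each extra word adds another 12.9 bits. Human-chosen "complex" passwords are nowhere near uniformly random, which is why the generated passphrase is the better choice in practice.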
Secure from whom?
This is the most important question. Who do you want to keep your information from?
- Corporations (e.g., ad targeting based on your conversations)
- Law Enforcement (investigation into your activities)
- Government (surveillance, especially relevant outside the US)
Most people are primarily concerned with corporations and casual snooping. True operational security against a nation-state is a different conversation entirely and beyond the scope of this post.
Email options
- GPG encrypted email. Using GPG or OpenPGP, you create a public/private key pair. Anyone can encrypt a message to you using your public key; only your private key decrypts it. Integrates with most desktop mail clients. Caveat: the key is associated with your email address, so it’s not anonymous. Mobile support exists but friction is high.
- Proton Mail (formerly ProtonMail). End-to-end encrypted, hosted in Switzerland, requires no personal info to register. Has a solid mobile app. If you need a private email address with no strings attached, this is the go-to. Free tier is functional; paid tiers add features.
- Gmail. Not anonymous — Google logs everything and uses it for ad targeting. That said, Google’s security practices are strong and all Gmail-to-Gmail traffic is encrypted. If you’re not doing anything sensitive, Gmail is fine. Just don’t use it if you need genuine privacy.
Secure chat options
- Signal. Still the gold standard. Available for iOS, Android, and as a standalone desktop app for Windows, Mac, and Linux — no Chrome required anymore. End-to-end encrypted messages and voice calls, open source, audited, and consistently recommended by security researchers including Bruce Schneier. Disappearing messages are built in. If you only install one thing from this list, make it Signal.
A note I made in 2017 that I’ll repeat: even if you don’t think you need Signal, download it anyway and use it occasionally. Every additional user makes it harder for authoritarian governments to identify and target the activists and dissidents who genuinely depend on it for their safety.
- Proton Mail also offers Proton Chat (via SimpleLogin integration and their broader suite). Worth looking at if you’re already in the Proton ecosystem.
- Apple Messages (iMessage). Fine for Apple-to-Apple communication — end-to-end encrypted and seamless. Falls back to unencrypted SMS when messaging non-Apple users, which is a meaningful caveat. Not cross-platform.
What do I actually use?
For everyday communication I’m mostly on iMessage (Apple-to-Apple) and Signal. For anything that should be genuinely private, Signal exclusively. For email, I use Gmail for most things and have a Proton Mail address for anything I want kept separate from Google. I have a GPG public key published if you need it.
One principle that overrides all of this: if there would be serious fallout from something being revealed, do not write it down or type it out at all. No app is perfectly secure. The best security is not creating the record in the first place.
Want more? The EFF’s Surveillance Self-Defense guide is excellent and kept up to date.
Full disclosure: I have no financial interest in any of the products mentioned here.