ADVISORY
DOC-ID: HD-2025-0112

Secure Communications Guide: Encrypted Messaging and Email for the Privacy-Conscious

A practical guide to secure messaging and email. Covers Signal, ProtonMail, PGP, and operational security principles for protecting your communications from surveillance and interception.

FILED BY: HD Staff
DATE: 2025-02-15

Your communications reveal more about you than almost any other data. Who you talk to, when, and what you say paints a detailed picture of your life. This guide covers how to communicate securely in an age of mass surveillance and data breaches.

Threat Modeling: Who Are You Protecting Against?

Before choosing tools, understand your threat model:

  • Casual privacy: Protecting against data brokers, advertisers, hackers
  • Professional security: Protecting sources, clients, business communications
  • High-risk activism: Protecting against state-level surveillance

Your threat model determines your tooling. Overkill creates friction that leads to abandoning security measures entirely.

Encrypted Messaging Apps

Signal

  • End-to-end encrypted by default
  • Open source and audited
  • Minimal metadata collection
  • Disappearing messages feature
  • Available on iOS, Android, and Desktop
  • Limitation: Requires phone number to register

Best for: Most users who want secure messaging without complexity

Tier 2: Enhanced Privacy

Session

  • No phone number or email required
  • Decentralized network (no central server)
  • Based on Signal protocol
  • Anonymous account creation
  • Limitation: Smaller user base, less polished UX

Briar

  • Works over Tor, Wi-Fi, or Bluetooth
  • Functions without internet connection
  • Designed for activists and journalists
  • Limitation: Android only, battery intensive

What to Avoid

  • SMS/MMS: Unencrypted, stored by carriers, easily intercepted
  • WhatsApp: E2E encrypted but owned by Meta, collects extensive metadata
  • Telegram: Not E2E encrypted by default (only "Secret Chats"), Russian origin raises concerns
  • iMessage: E2E encrypted but tied to Apple ecosystem, iCloud backups can expose messages

Secure Email

The Email Problem

Email was never designed for security. Even "encrypted" email has significant limitations:

  • Metadata (who you email, when, subject lines) is not encrypted
  • Both sender and recipient must use encryption for it to work
  • Key management is complex for average users

ProtonMail

  • End-to-end encrypted between ProtonMail users
  • Based in Switzerland (strong privacy laws)
  • Zero-knowledge encryption (they can't read your mail)
  • Free tier available
  • Encrypted email to non-ProtonMail users via password-protected links

Tutanota

  • End-to-end encrypted
  • Based in Germany
  • Open source
  • Encrypted calendar included
  • More affordable than ProtonMail

Mailfence

  • Based in Belgium
  • OpenPGP integration
  • Documents and calendar included

PGP/GPG for Existing Email

For users who need to use existing email providers:

  • Mailvelope: Browser extension for webmail
  • GPG4Win: Windows desktop client
  • GPGTools: macOS integration

Note: PGP has a steep learning curve and is easy to misconfigure. Consider whether a secure email provider might be simpler.

Voice and Video Calls

  • Signal: Encrypted voice and video calls
  • Jitsi Meet: Open source video conferencing, no account required
  • Wire: Encrypted calls, EU-based

Avoid

  • Regular phone calls (unencrypted, logged by carriers)
  • Zoom (history of security issues, not E2E by default)
  • Skype (Microsoft-owned, known cooperation with surveillance)

Operational Security (OPSEC) Principles

1. Compartmentalization

Separate your identities:

  • Different email addresses for different purposes
  • Don't link personal and professional communications
  • Use different devices for high-risk activities if possible

2. Metadata Matters

Even if message content is encrypted, metadata reveals:

  • Who you communicate with
  • When and how often
  • Your location (IP address)
  • Device information

Use Tor or a VPN to mask IP addresses when metadata matters.
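
What stays readable when an email is PGP-encrypted, illustrating the metadata points made here and under "The Email Problem". This is an added example, not part of the original guide; the message, addresses, IP address and client name are constructed sample values.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME message as a mail server or network observer
# stores it. Example domains and a documentation-range IP, placeholder ciphertext.
RAW = """\
Received: from [203.0.113.45] (helo=laptop.local) by mx.example.org; Sat, 15 Feb 2025 09:12:03 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Sat, 15 Feb 2025 09:12:01 +0000
Subject: Meeting the source on Tuesday
User-Agent: ExampleMail 1.0 (Linux)
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def exposed_metadata(raw: str) -> dict:
    """Return everything readable without the recipient's private key."""
    msg = message_from_string(raw)
    received = " ".join(msg.get_all("Received", []))
    return {
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))],
        "when": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],          # PGP encrypts the body, not this header
        "client": msg["User-Agent"],        # device/software information
        "ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received),
    }

if __name__ == "__main__":
    for field, value in exposed_metadata(RAW).items():
        print(f"{field:15} {value}")
```

Running it on your own exported `.eml` file shows which headers your provider and client leave in the clear.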

3. Verify Identity

  • Compare Signal safety numbers in person when possible
  • Verify PGP key fingerprints through a separate channel
  • Be wary of contacts who suddenly change keys without explanation
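
How a PGP fingerprint check works under the hood, as an added example that is not part of the original guide: it computes the OpenPGP version 4 fingerprint of a received key and compares it with the value obtained through the separate channel. The function names and the toy key are constructed for illustration, and only v4 keys are handled.

```python
import hashlib
import re
import struct

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over the octet
    0x99, the two-octet big-endian body length, then the public-key packet body."""
    if packet_body[:1] != b"\x04":
        raise ValueError("only version 4 public-key packets are handled here")
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(fingerprint_text: str) -> str:
    """Strip the spaces/colons used when a fingerprint is printed or read aloud,
    and insist on all 160 bits: 8- or 16-digit key IDs are not accepted."""
    fp = re.sub(r"[\s:]", "", fingerprint_text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return fp

def key_matches(packet_body: bytes, fingerprint_from_other_channel: str) -> bool:
    """True only if the key you actually received hashes to the fingerprint
    your contact gave you in person, by phone, or on paper."""
    return v4_fingerprint(packet_body) == normalize(fingerprint_from_other_channel)

def toy_rsa_packet(n: int, e: int = 65537, created: int = 1739577600) -> bytes:
    """Constructed sample input: a v4 RSA public-key packet body with a tiny,
    unusable modulus. Real bodies come from an exported key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)

if __name__ == "__main__":
    received = toy_rsa_packet(0xC0FFEE1234567891)
    read_aloud = " ".join(re.findall("....", v4_fingerprint(received))).lower()
    print(key_matches(received, read_aloud))                             # same key
    print(key_matches(toy_rsa_packet(0xC0FFEE1234567893), read_aloud))  # swapped key
```

Because the fingerprint covers the whole key packet, a key that has been replaced in transit produces a different value, which is what the out-of-band comparison catches.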

4. Disappearing Messages

Enable disappearing messages for sensitive conversations:

  • Signal: Customizable timers from 30 seconds to 4 weeks
  • Reduces risk if device is compromised later
  • Not foolproof (recipient can screenshot)

5. Device Security

Encrypted communications mean nothing on a compromised device:

  • Keep operating system and apps updated
  • Use strong device encryption and PIN/password
  • Be cautious about app permissions
  • Consider separate devices for sensitive communications

Quick Reference: Communication Security Levels

Need                      | Solution             | Notes
--------------------------|----------------------|------------------------------------------
Casual private messaging  | Signal               | Best balance of security and usability
Anonymous messaging       | Session              | No phone number required
Secure email (daily use)  | ProtonMail           | E2E encrypted, user-friendly
Encrypted email to anyone | ProtonMail + password | Recipient gets secure link
Video conferencing        | Jitsi Meet           | No account needed, open source
High-risk activism        | Briar + Tor          | Maximum anonymity, steeper learning curve

Getting Started

Don't try to implement everything at once. Start with:

  1. Install Signal and convince your regular contacts to use it
  2. Create a ProtonMail account for sensitive correspondence
  3. Enable disappearing messages by default in Signal
  4. Review your existing accounts for unnecessary data retention