u/V3R1F13D0NLY

▲ 6 r/vpnet

Ex-FBI agent Mike German is our Hide & Speak Hero of the Week

Mike German spent 16 years as a decorated FBI special agent working deep undercover inside domestic terrorist groups. In 2002 he caught colleagues running an illegal wiretap and altering records on a counterterrorism case in Florida. He reported it up the chain, got ignored, escalated to the Inspector General and Congress. The Bureau retaliated and he walked in 2004. A later DOJ investigation substantiated everything.

He's now a fellow at the Brennan Center and co-authored "Ending Fusion Center Abuses" in 2022. Six weeks ago California voted to audit three of its fusion centers and cited his findings. He testified before the committee that ordered it.

Watch the full livestream: https://www.youtube.com/watch?v=x6owEbQZ10Q

Read the breakdown: https://s.vp.net/zVjjH

u/V3R1F13D0NLY — 11 hours ago
▲ 1 r/vpnet

Dyson launches Find+Follow Purifier Cool with camera

They laughed when we said they would put AI-enabled cameras in everything.

Well, here we are.

Buying an air purifier with an AI-powered camera is wild. Are we really so lazy that we can't turn it on ourselves with a remote control? 🤦‍♂️

letsdatascience.com
u/V3R1F13D0NLY — 15 hours ago
▲ 1 r/bmail_official+1 crossposts

Trust isn't a guarantee of privacy. It's the absence of one.

Trust is not a guarantee of privacy. It's the absence of one.

Every VPN, every encrypted email service, every "we don't log" pitch eventually boils down to: "trust me bro."

If your privacy is "protected" by a sentence on a website that can be deleted... you aren't really protected.

vp.net is the ONLY VPN that made it impossible to log & you can verify it yourself. We run WireGuard inside Intel SGX enclaves, in CPU-encrypted memory that even we cannot access.

Our no-logs policy isn't "we won't." It's "we can't." And that is a HUGE difference when faced with a subpoena. "Won't" doesn't hold up in court. "Can't" does.

We don't want your trust. We want you to verify your privacy for yourself. Trust isn't enough in 2026.

Get the ONLY verifiable zero-trust VPN at https://vp.net

u/V3R1F13D0NLY — 15 hours ago
▲ 1 r/vpnet

The Hated One Returns: Inside Palantir's Surveillance Empire | Hide & Speak livestream, Saturday 5/16 @ 4pm ET

This is going to be good!!!! The Hated One is coming back on Hide & Speak to dig into Palantir's creepy surveillance empire.

Live Saturday May 16 at 4pm ET on Hide & Speak we're going deep on Palantir's federal contract empire with returning guest The Hated One. He produces some of the most rigorously sourced privacy and surveillance content on YouTube, and his last appearance on the show drew the largest live audience in our history.

Click through and set a reminder: https://www.youtube.com/live/u2iZuSsnJYk

🔥 KEY TOPICS IN THIS EPISODE

  • The Tipping Point: How The Hated One moved from "this is bad" to where his Palantir analysis lands today, and the specific evidence that got him there.
  • Karp's Distinction, In Practice: Why the difference between "building surveillance" and "storing surveillance data" collapses once you look at how Foundry actually operates.
  • Executive Order 14243: What "unfettered access" to unclassified federal records actually looks like once the lawyers stop reading and the engineers start building.
  • Foundry Across the Government: DHS, HHS, FDA, CDC, NIH, and the IRS, and which deployment is the most alarming once you understand the data flows.
  • ImmigrationOS and ELITE: How ICE's deportation targeting pipeline reportedly pulls from HHS data, and what "near real-time visibility into self-deportation" is actually for.
  • The Worldview Shipping the Product: Karp's "Technological Republic" thesis, Peter Thiel's Antichrist lectures, and Stephen Miller's six-figure Palantir stake.
  • Crypto Under the New Regime: Whether Monero, Bitcoin, and Zcash recommendations hold up now that Palantir's tools reportedly extend into IRS cryptocurrency transaction analysis.
  • Going After the Contractor: Whether divestment campaigns like Purge Palantir get further than going after the law that hired them.

The hook for this one is Executive Order 14243, signed March 2025, which authorized federal officials to take "unfettered access" to unclassified records across agencies. The New York Times has reported on a government-wide master list. Palantir denies it. ICE has been a Palantir customer through four consecutive administrations. Q3 2025 federal revenue up 52% year over year.

We're going through the executive order, the contract trail, ImmigrationOS, and what divestment campaigns like Purge Palantir actually accomplish.

Click through and set a reminder: https://www.youtube.com/live/u2iZuSsnJYk

u/V3R1F13D0NLY — 16 hours ago
▲ 4 r/bmail_official+1 crossposts

Proton's no-IP-logging policy was one line on their website. The Swiss courts asked them to log a French activist. They deleted the line.

The 2021 Proton case is the best example of why policy-based privacy (aka "trust me bro") fails under pressure.

Proton Mail promised not to log IP addresses. But that promise existed as editable text on a website. When a court order arrived demanding they log a user's IP address, they simply deleted that line of text. The logging got turned on, and a climate activist got arrested. The login metadata wasn't protected by encryption at all, just by a sentence Proton could change at any time.

This week on Hide & Speak the conversation gets into the architectural difference that makes this scenario unrepeatable on bmail:

  • TLS terminates inside an Intel SGX enclave, not in front of it
  • The client IP exists only in enclave memory during request processing
  • The IP is stripped before any backend service sees the request
  • Adding a logger would change the enclave's MRENCLAVE measurement, which anyone running attestation would catch immediately
  • The response to an FBI request to start logging isn't "we'll update our policy," it's "we can't, and you can verify that we can't"

The contrast that's worth talking through: Proton's encryption was fine, the failure was architectural. The metadata was protected by a promise instead of by the hardware.

If you are "protected" by a line of text that can be deleted at any time without even telling you... then are you really protected?

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

Get the only TRULY private email for free: https://bmail.ag

u/V3R1F13D0NLY — 18 hours ago
▲ 2 r/bmail_official+1 crossposts

Your email provider is lying to you about encryption. Not in a legal sense. In a physics sense.

"Encrypted email" almost always means encrypted at rest, your messages sit on disk in a locked box. But the moment you search your inbox, sort by sender, or open a thread, the server decrypts that data into live memory to process your request. In that window your data is visible. Readable. Copyable. By anyone with access to server memory: a rogue employee, a government with a warrant, or an attacker who found a way in.

That is the Glass Box. It looks secure from the outside. It is transparent at the moments that matter most.

bmail processes every message inside an Intel SGX enclave — a physically isolated region of the CPU whose contents are encrypted by the processor itself, not by software that can be bypassed. The host operating system cannot read it. Our engineers cannot read it. A hacker with full root access to the server cannot read it.

That is the Black Box. The processing happens. The content never leaves the sealed space.

Get started free at https://bmail.ag

u/V3R1F13D0NLY — 20 hours ago
▲ 1 r/vpnet+1 crossposts

Iran's internet use below 1% of normal. The IRGC's solution: sell access back. 28 million toman just to activate.

Cloudflare Radar has Iranian internet traffic at under 1% of pre-war levels since the February 28th blackout. CNN is now reporting that pre-approved Iranians can buy a tier called "Internet Pro" through MCI, a carrier linked to the IRGC.

The pricing breakdown from CNN and Iran International:

  • 50 GB per year: 2 million toman
  • Activation fee: 28 million toman
  • Average monthly wage in Iran: 20 to 35 million toman
  • Black market VPN: roughly half a day's wages per 2 GB

Human rights activists inside Iran estimate the blackout has cost the economy $1.8 billion in two months. The math suggests this isn't accidental damage. It's a system where access becomes a loyalty reward and the price filter does the political work.

Shutting off the internet is evil, but then selling it back to people at a price the average citizen can't afford is just diabolical.

Full breakdown and source list here: https://s.vp.net/r9b8X

u/V3R1F13D0NLY — 21 hours ago
▲ 15 r/vpnet

Connecticut SB 4 passes House 141 to 6: data broker registry, one-request deletion, ban on sale of precise geolocation data, named federal agencies as a threat category

Connecticut's SB 4 cleared the House 141 to 6 and the Senate 31 to 4 back on April 23rd. Governor Lamont is expected to sign. It's being described as the strongest state privacy bill in years, and the specifics back that up.

Key provisions:

  • State-run registry of data brokers operating in Connecticut
  • A single deletion request mechanism that wipes a resident's data from every registered broker at once
  • Ban on the sale of precise geolocation data
  • Restrictions on the sharing of automated license plate reader information
  • Mandatory disclosure of facial recognition use in public spaces
  • Mandatory disclosure of algorithmic surveillance pricing

The unusual part is the sponsor's framing. Senator James Maroney, the lead sponsor, said the bill protects residents from data brokers, surveillance technology companies, and federal agencies. Naming federal agencies as a threat category in a state privacy bill is not standard. Most state laws stop at private-sector data handling.

The interesting question is whether the deletion mechanism actually works at scale once brokers are registered. California's Delete Act has a similar concept and the implementation has been slow. Connecticut's bill borrows from that playbook but adds the federal-agency language on top.

Full Write-Up & Source list here: https://s.vp.net/3Cfh9

u/V3R1F13D0NLY — 2 days ago
▲ 3 r/bmail_official+1 crossposts

Yahoo lost 3 BILLION email accounts to a password database breach. bmail made that impossible.

This came up on last week's Hide & Speak. The framing was the steady drumbeat of password database breaches (Yahoo's 3 billion was the example, but these happen every week, multiple times) and the architectural choice that takes the whole attack class off the table for bmail.

Standard email providers store your password in some form, usually a hash. That's what gets stolen when their database leaks, and it's what fuels credential stuffing against every other site you use the same password on. The industry response has mostly been "use a stronger hash" and "rotate when breached." Both are mitigations on a fundamentally exposed surface.

bmail uses OPAQUE, a zero-knowledge password authenticated key exchange. The properties that matter here:

  • The server never receives the password. Not plaintext, not hashed, not derived. The authentication happens via an exchange where the server proves nothing it learns can recover the password.
  • A full server compromise yields no password material. There is no database to dump.
  • Credential stuffing has no target on the server side, because the server doesn't have stuffable credentials in the first place.
  • The interesting part of the discussion was framing this as a design philosophy: don't promise to guard the database better, remove the database that needs guarding.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

Get bmail for free at: https://bmail.ag

u/V3R1F13D0NLY — 2 days ago
▲ 4 r/bmail_official+1 crossposts

Cryptographic warrant canary for email: the system shuts down automatically if the code on the server doesn't match the code that's supposed to be running

This week on Hide & Speak, we discussed how bmail's warrant canary works versus the model every other private email provider uses. The traditional version is a signed document a provider takes down when they're served with something they can't disclose. The whole concept depends on a human being able and willing to act, which is exactly the pressure point the rest of the episode (seven email providers, case by case) shows getting exploited over and over again.

The architecture flips the model. The CPU constantly measures the code running in the enclaves and signs those measurements. If the running code doesn't match what's expected, the system stops connecting. There's no statement being made and no person communicating anything, so there's nothing for a court to compel or forbid. The shutdown is a property of the hardware behavior, not a human decision.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

[Disclosure: I'm on the vp.net / bmail.ag team]

u/V3R1F13D0NLY — 3 days ago
▲ 3 r/bmail_official+1 crossposts

Your recovery email is basically the master key to your digital life

The "Forgot Password" button is the most dangerous link on the internet, and nobody talks about why.

It exists because your provider holds a copy of your account key. Without that copy, they can't reset your access. With it, they can be social-engineered, subpoenaed, or breached by anyone who's read enough internal docs to impersonate you. One phished helpdesk agent is all it takes. From there, every account that uses your email for recovery falls too.

bmail is built on OPAQUE, an asymmetric password protocol standardized as RFC 9807. Your password generates encryption keys locally on your device. It never crosses a network. Not at signup, not at login, not ever. Our servers hold a registration record that proves you know the password without revealing it, and from which the password cannot be reconstructed by anyone, including us.

There's no reset button because no key exists to reset. Lose your password, and your 24-word recovery phrase is the only path back. Not us, not a hacker, not a court.

Get the only TRULY private email service for FREE at https://bmail.ag

u/V3R1F13D0NLY — 3 days ago
▲ 7 r/vpnet

EU Commission VP says addressing VPN circumvention is part of "next steps" after age verification app launched April 29

The EU's new age verification app went live on April 29th. When an Italian journalist asked European Commission Executive Vice President Henna Virkkunen how the system would handle kids using a VPN to get around it, her on-the-record response was that "addressing circumvention is an important part of next steps." A Belgian cryptographer described that as the slippery slope experts have been flagging. The European Parliament's own think tank has reportedly already prepared briefing material on a VPN crackdown for MEPs, which suggests the policy work predates Virkkunen's comment.

Background reading with the full quote in context, sourced reporting, and the Utah and France timing: https://s.vp.net/OOFR7

u/V3R1F13D0NLY — 3 days ago
▲ 4 r/bmail_official+1 crossposts

In 2020 a German court ordered Tuta to build a wiretap into their own service. They fought, appealed, won the legal argument, and still lost.

This came up on Hide & Speak this week and the timeline is worth laying out, because it gets cited a lot but rarely with the actual details.

In 2020, the Cologne Regional Court ordered Tuta (then Tutanota) to build a function that copied one user's unencrypted incoming and outgoing emails, before encryption, and handed them to the state criminal police. A blackmail email triggered the case. Tuta fought the order. They appealed. They argued under EU Court of Justice rulings that they were not a telecom provider, which under EU case law was correct. The regional appeal went against them anyway. The co-founder publicly called the ruling absurd. By year end, the wiretap was built.

  • The operator was willing to fight. Willingness wasn't the bottleneck.
  • The legal argument was correct under existing case law. Being right wasn't enough.
  • The user never saw it coming. There is no client-side signal when server code changes.
  • E2E encryption protected stored mail. The plaintext gap on inbound SMTP was the attack surface.

If an operator with a correct legal argument can be forced to compromise one specific user silently, then I don't know how anyone could consider an email service private if it isn't zero-knowledge / zero-trust. If the data exists and the operator can access it, it can be compelled. It's really that simple.

bmail.ag runs the SMTP pipeline inside secure enclaves in memory encrypted by the CPU, making it impossible for us to see your IP address, subject lines, metadata or email messages. If we can't access the data, a legal court order produces nothing of value.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 3 days ago
▲ 2 r/bmail_official+1 crossposts

The FBI identified a Stop Cop City activist in 2024 by subpoenaing ProtonMail's billing data, not by breaking encryption

The FBI obtained ProtonMail payment data through a Mutual Legal Assistance Treaty with Swiss authorities. The request went US to Switzerland, Swiss authorities to Proton, and Proton complied with Swiss law. What came back: the bank card used to pay for the account, the name attached to that card, and flight records. Atlanta arrest followed.

The mechanics worth understanding here:

  • The encryption was never the target. The billing relationship was.
  • "Swiss jurisdiction" stops being a shield once an MLAT is in play, because MLAT is the mechanism for jurisdictions to share exactly this kind of data.
  • This is not the first time the pattern has run. ProtonMail logging the IP of a French climate activist in 2021 followed the same shape: legal order, compliance, identification.
  • Encrypted message bodies do nothing for you if the company holding your account can be ordered to identify the human behind it.

The activist in question was part of the Stop Cop City protest movement in Atlanta, so the political stakes are real and recent.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 4 days ago
▲ 32 r/vpnet

Utah's SB 73, the first state law restricting VPN use, was frozen pending a lawsuit on the same day it took effect

Utah's SB 73 took effect Wednesday, May 6th. By the end of that same day, the Salt Lake Tribune was reporting that enforcement was already on hold pending a lawsuit. The bill makes websites liable for users who access age-gated content through a VPN, and it also bans those same sites from publishing how a VPN works. Civil liberties groups spent months warning Utah lawmakers that the First Amendment was going to eat the publishing-ban half before it ever got enforced.

Key points:

  • SB 73 took effect May 6, 2026, frozen the same day pending suit
  • Makes websites liable when users reach age-gated content via VPN
  • Bans those sites from publishing explainers on how a VPN works
  • Fight for the Future called the statute language "AI slop" and pre-endorsed any lawsuit filed
  • Passed 22-2 in the Senate, 66-1 in the House, three Republican dissents total

The publishing-ban portion is the obviously dead piece on First Amendment grounds. The liability-for-user-VPN-use portion is the more interesting question because it pushes legal exposure onto websites for what's happening on the network layer.

Additional reading with the full statute walkthrough and what comes next: https://s.vp.net/zbckd

u/V3R1F13D0NLY — 4 days ago
▲ 1 r/bmail_official+1 crossposts

Hushmail handed the DEA 12 CDs of decrypted emails in 2007. The architecture made the marketing copy false.

In September 2007, federal court documents from a US prosecution of alleged steroid dealers revealed that Hushmail had complied with a Canadian court order issued via the US-Canada mutual legal assistance treaty. The company turned over 12 CDs of plaintext emails from three targeted accounts.

Hushmail's site at the time read: "not even a Hushmail employee with access to our servers can read your encrypted e-mail." The technical reality contradicted that. Hushmail's popular web client performed private-key and passphrase operations on the server side. The user's passphrase landed briefly in server memory each session. Under court order, Hushmail was compelled to retain that passphrase, decrypt the targeted mailboxes, and hand over the contents.

Hushmail's CTO Brian Smith confirmed the mechanism in interviews with Wired and The Register. He also acknowledged that the alternative Java applet mode could in principle be backdoored by serving the targeted user a modified applet, which most users would not detect.

The point is not that Hushmail was uniquely careless. The point is structural. Any encrypted email architecture that handles plaintext on a normal server, even briefly, can be compelled to capture it. The architecture defines the upper bound on what the operator can refuse to do.

bmail's Paper I closes this gap. Inbound mail terminates TLS inside an Intel SGX enclave. The pipeline (TLS decryption, SPF/DKIM/DMARC, spam filtering, encryption to the recipient's key) runs entirely inside hardware-isolated memory the host operating system cannot read. There is no point in the lifecycle at which an operator could retain a passphrase or copy plaintext, because plaintext never exists outside SGX-encrypted memory.

Authentication uses OPAQUE (RFC 9807). The user's password is never sent to the server in any form. There is no server-side passphrase to capture under court order.

Any modification to the enclave changes its MRENCLAVE measurement. A modified "logging" build is detected cryptographically by every client on every connection. A compelled operator has three options: refuse the order, ship modified code and be immediately caught, or shut down. Silent compliance is not on the menu.

This is what verifiable privacy means. The claim is not "we promise we won't decrypt your mail." The claim is "we cannot, and you can verify it yourself."

Source: https://www.theregister.com/2007/11/08/hushmail_court_orders/

Verifiably Private Email. → bmail.ag

u/V3R1F13D0NLY — 4 days ago
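An added illustration of the attestation gate described in this post and in the warrant-canary post above (the client refuses to connect when the measured code differs from the pinned build). This is constructed example code, not bmail's or vp.net's, and not a real SGX quote verifier: the attestation key, enclave images and nonce handling are assumptions, and an HMAC stands in for the hardware signature so it runs with the standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the CPU's attestation signing key. A real SGX quote is
# signed with a key the operator never holds, chained to Intel; HMAC with a shared
# secret is used here only so the example runs offline.
ATTESTATION_KEY = b"constructed-attestation-key-not-real"


def measure(enclave_image: bytes) -> str:
    """Stand-in for MRENCLAVE: a hash over the enclave's code and initial data."""
    return hashlib.sha256(enclave_image).hexdigest()


def cpu_issue_report(enclave_image: bytes, nonce: bytes) -> dict:
    """What the hardware does: measure whatever is actually loaded and sign the
    measurement together with the verifier's nonce (freshness)."""
    body = {"mrenclave": measure(enclave_image), "nonce": nonce.hex()}
    encoded = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ATTESTATION_KEY, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def client_verify(report: dict, pinned_mrenclave: str, nonce: bytes) -> str:
    """What the client does before opening a session. Returns "connect" only if
    the report is authentic, fresh and matches the pinned measurement; otherwise
    a refusal reason. A real verifier also checks MRSIGNER, the ISV SVN, the
    debug flag and TCB status; those checks are omitted here."""
    body = report["body"]
    encoded = json.dumps(body, sort_keys=True).encode()
    expected_sig = hmac.new(ATTESTATION_KEY, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["sig"], expected_sig):
        return "refuse: report signature invalid"
    if body["nonce"] != nonce.hex():
        return "refuse: report is stale or replayed"
    if body["mrenclave"] != pinned_mrenclave:
        return "refuse: measurement mismatch (code differs from pinned build)"
    return "connect"


# Constructed enclave images. The "logging" build is the audited build plus one
# extra component; any change to the loaded code changes the measurement.
AUDITED_BUILD = b"mail-pipeline-in-enclave v1.0 (audited)"
LOGGING_BUILD = AUDITED_BUILD + b" + ip-logger"
PINNED_MRENCLAVE = measure(AUDITED_BUILD)  # what clients pin after auditing


def session_outcome(enclave_image: bytes, nonce: bytes = b"\x01" * 16) -> str:
    """Handshake for a given server build: the hardware measures what is loaded,
    the client compares it against its pin."""
    report = cpu_issue_report(enclave_image, nonce)
    return client_verify(report, PINNED_MRENCLAVE, nonce)


def forged_report_outcome() -> str:
    """Server runs the logging build but edits the report body to claim the
    audited measurement; the signature no longer covers the altered body."""
    nonce = b"\x02" * 16
    report = cpu_issue_report(LOGGING_BUILD, nonce)
    report["body"]["mrenclave"] = PINNED_MRENCLAVE  # tampered claim
    return client_verify(report, PINNED_MRENCLAVE, nonce)


if __name__ == "__main__":
    print("audited build:", session_outcome(AUDITED_BUILD))
    print("logging build:", session_outcome(LOGGING_BUILD))
    print("forged report:", forged_report_outcome())
```

The refusal is produced by the client's comparison alone, which is the "no human decision" property the posts describe; nothing in the server's policy text is consulted.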
▲ 4 r/bmail_official+1 crossposts

Proton CEO Andy Yen: unless you live 15 miles offshore in international waters, it's "not possible to ignore court orders"

This week's Hide & Speak walks through a direct quote from ProtonMail's CEO that reframes how the company's "Swiss privacy" pitch should be read. Under Swiss law, Proton can be legally compelled to log a user's ID and hand the data over. Yen's own framing of the loophole: you would have to be based 15 miles offshore in international waters for the company to be able to refuse a court order. That's the privacy guarantee, in his words.

Worth noting in context:

  • ProtonMail logged a French climate activist's IP in 2021 after a Swiss court order. End-to-end encryption protected the message contents. The login metadata didn't.
  • Encryption at rest does not protect inbound mail. When email arrives from Gmail or Outlook, it lands as plaintext on the provider's server before any encryption happens.
  • "Best privacy laws in the country" is still a policy promise, not an architectural guarantee. Policy can be overridden by court order. Architecture can't.

The argument from the show: if your privacy depends on jurisdiction, you have already lost. The question worth asking of any privacy provider is whether they have the *technical ability* to comply with a logging order, not whether they promise they won't.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 5 days ago

When did you first become concerned with email privacy?

Was it the Snowden leaks? The 3 billion breached Yahoo accounts?

What was the moment that made you realize the importance of protecting your inbox?

I always knew there was a chance email was being watched, but Snowden confirmed it for me.

u/V3R1F13D0NLY — 5 days ago
▲ 10 r/bmail_official+1 crossposts

'Swiss Privacy' has more holes than Swiss cheese

A Swiss flag is not a firewall.

If a provider can log your IP address to 'monitor for abuse,' they can log it for a court order. If they can monitor a mailbox for 'safety,' they can monitor it for a government. They are not villains. They are administrators operating under whichever set of laws applies this week.

In 2021, Swiss authorities ordered ProtonMail to log a user's IP. ProtonMail complied. The architecture permitted it. Switzerland, it turned out, was a jurisdiction, not a guarantee.

bmail's API gateway runs inside an Intel SGX enclave. Client IP addresses are processed in hardware-isolated memory and never written to any storage. There is nothing to log because the architecture never permitted it.

Physically protected by hardware, not imaginary lines.

u/V3R1F13D0NLY — 6 days ago

Independent Institute just made the architectural case for bmail without naming us

Sharing this one because Jonathan Hofer at the Independent Institute walks through the case carefully and arrives at the structural conclusion most others skipped past.

Quick recap of what happened:

  • the FBI wanted to identify an anonymous protester linked to the Defend the Atlanta Forest / Stop Cop City group
  • they submitted a request under the U.S.-Switzerland Mutual Legal Assistance treaty
  • Swiss authorities compelled Proton to hand over billing information for the account
  • Email contents stayed encrypted, billing data didn't

The part of the article worth chewing on is where Hofer quotes Benn Jordan proposing the architectural fix: fully separate payment processing from the core platform, so the provider can't link a payment to an inbox in the first place. If the link doesn't exist on the provider's side, no legal order can compel them to produce it.

That's the design constraint bmail was built around from day one. Specifically:

  • Chaum blind signatures for payment unlinkability. The provider can verify that a payment is valid without knowing which account it's for.
  • OPAQUE (RFC 9807) for password handling. The server never sees a password-derived secret, so password hashes can't be compelled or breached into anything useful.
  • SGX enclaves with remote attestation for the runtime itself. The architecture is independently verifiable, not taken on trust.

The broader point Hofer makes is the one this sub already gets: the issue isn't whether a given provider has good intentions or a good track record. The issue is what the provider technically holds. Once an order is valid, intentions quickly become irrelevant.

The legal system isn't going to stop issuing orders. The point of the design is to make compliance produce nothing useful.

Article: https://www.independent.org/article/2026/05/07/proton-mail-law/

u/V3R1F13D0NLY — 7 days ago