r/DigitalPrivacy

Today the US made encryption illegal in slow motion, and nobody noticed

Eleven days ago, on a Friday, Meta turned off end-to-end encryption on Instagram DMs. They posted a short blog about it. Almost nobody covered the story. Most users have no idea it happened.

Today, May 19, the reason became obvious.

A federal law called the Take It Down Act takes effect today. It says platforms have to remove non-consensual nudes and deepfakes within 48 hours of a takedown notice. Sounds reasonable. Reads great on the floor of the Senate. Got bipartisan support, signed by Trump exactly a year ago.

The catch: it contains no exception for encryption. If you can't read your users' messages, you can't scan them, you can't comply, and the FTC bills you $53,088 per violation.

For Instagram, which has about a billion users, that math gets ugly fast. So Meta did the only thing a publicly traded company can do: they killed the encryption.

They picked the most honest of the four available options. Here are all four, because every encrypted app on Earth is about to pick one of them:

  1. Crack the lock. Read messages on your server. Tell users encryption is "evolving."

  2. Install a snitch on the user's phone. Scan the message BEFORE encrypting it. Tell users the encryption "still works."

  3. Eat the fines. Bleed out one quarter at a time.

  4. Pull out of the country.

Meta took door 1.

TikTok took door 4 by simply never building encryption in the first place.

WhatsApp is about to walk through door 2 with a big PR smile and call it a "trust and safety update."

Door 2 is the one that should terrify you, because it sounds harmless.

Picture a safe. You put a letter inside, close the lid, only the recipient has the key. That's end-to-end encryption. The dream cypherpunks fought for in the nineties.

Now imagine a small security camera mounted on the INSIDE of the safe. Pointed at you. It photographs every letter before the lid closes and ships those photos to a server you don't control, run by people you've never met, under the authority of a government you might not have voted for.

The lock still works. The math still checks out. Your safe is technically "still secure." You can put that on the marketing site.

But the camera is in the room before you ever lock the door.

Apple proposed exactly this in 2021. They called it CSAM scanning. The public lost its mind. Edward Snowden, Matt Green, the EFF, 90 organizations signed an open letter. Apple paused.

That was the last time the public stopped it. The Take It Down Act, the EU's Chat Control 2.0, the UK Online Safety Act, India's traceability mandate, and roughly six other laws in motion right now have all decided that pausing is no longer an option. The fines make pausing irrational. The PR makes pausing impossible. The cameras are coming back online. Quietly. One platform at a time.

Here's the part nobody wants to say out loud:

If you use Instagram DMs today, your messages are no longer private.

If you use TikTok DMs, they never were.

If you use iMessage, the camera is already shipped, just not switched on yet.

If you use WhatsApp, you have maybe twelve months before the same announcement.

The only apps that survive this aren't the ones with better marketing. They're the ones with worse architecture for compliance.

A messenger that wants to genuinely survive the next ten years of legal pressure has to refuse to have three things:

A headquarters where subpoenas can land.

A signed binary the platform can update with whatever code a government asks for.

A user identity tied to your real name, phone, or email.

Signal still flies the privacy flag from inside the corporate jungle, but they survive on Brian Acton's money and Moxie's philosophical stubbornness. They're an exception, not a strategy.

The structural future lives somewhere weirder.

SimpleX has no user identifiers at all. Matrix is federated. There's a small but growing set of wallet-native messengers (I work on one called ANO, full disclosure) where your "account" is just a cryptographic keypair you own. No email. No phone. No central server that can be forced to flip a switch.

They're clunkier. They look intimidating. The addresses are long strings instead of phone numbers. You have to back up a key file. None of them have a Super Bowl ad.

But they have one thing every centralized messenger is losing today: nobody can force them to put a camera in the safe. There's no platform to compel. The protocol runs between users' devices. The clients are open source. If a scanner ever gets added, the community sees it, forks the code, and routes around it inside a day.

That isn't a feature. That's the architecture refusing to be capturable.

The mainstream era of "encrypted by default" ends today. Not loudly. Not with a single news story. With a slow drift, a sequence of small compliance moves, and a generation of users who will never quite figure out when the privacy they thought they had quietly stopped existing.

Five years from now, "private messaging" won't mean the encrypted feature on a centralized app. It will mean the apps that can't be scanned, can't be pressured, and can't be shut down without taking down the network itself.

The camera goes in the house when the house belongs to someone else.

Start building your own. Or at least pick a messenger built by someone who already did.

u/rvwvb — 14 hours ago

Proof of work challenges are quite effective against bot swarms. Some data of my experiments:

You may know about Anubis by Techaro, the PoW challenge thing that protects websites from bots. It's used on several major sites, including FFmpeg, Arch, and the Linux Foundation. This experiment is specifically about Anubis.

Note that Anubis does not use up all CPU cores for its challenge to not overheat devices and for a better UX. Some PoW challenge systems do all cores, making them more effective. However, it appears as if Anubis gets the job done just fine.

gladeart.com
u/Glade_Art — 13 hours ago
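To make the mechanism in the post concrete, here is an added, self-contained illustration of a hashcash-style proof-of-work challenge. It is not Anubis's code and does not reproduce Anubis's exact challenge format; it assumes a SHA-256 puzzle whose difficulty is counted in leading zero bits, a challenge string bound to the server with an HMAC so a client cannot forge a cheaper one, and a deliberately single-threaded solver, matching the post's observation that a challenge need not burn every core to do its job. The client identifiers and key are constructed for the example.

```python
"""Hashcash-style proof-of-work challenge: stateless issue, client solve, server verify.

Added illustration of a PoW bot challenge; not Anubis's own implementation.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-process secret that binds challenges to this server (constructed for the
# example; a real deployment would rotate it and share it across instances).
SERVER_KEY = secrets.token_bytes(32)

# Solutions already accepted, so a bot cannot replay one good answer many times.
_accepted = set()


def issue_challenge(client_id: str, difficulty_bits: int, ttl_seconds: int = 60,
                    now: Optional[int] = None) -> str:
    """Build a challenge the server can verify later without storing it.

    The HMAC tag stops a client from forging a challenge with a lower
    difficulty or a later expiry than the server actually issued.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    body = f"{client_id}|{difficulty_bits}|{now + ttl_seconds}|{nonce}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; difficulty is measured in bits."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge: str, max_iterations: int = 50_000_000) -> Optional[int]:
    """Single-threaded brute force for a counter whose hash meets the difficulty.

    Expected work is about 2**difficulty_bits hashes; the verifier does one.
    """
    difficulty_bits = int(challenge.split("|")[1])
    for counter in range(max_iterations):
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
    return None


def verify(challenge: str, counter: int, client_id: str,
           now: Optional[int] = None) -> bool:
    """Check tag, client binding, expiry, difficulty and replay with one hash of work."""
    now = int(time.time()) if now is None else now
    parts = challenge.split("|")
    if len(parts) != 5:
        return False
    cid, diff_s, exp_s, nonce, tag = parts
    body = "|".join((cid, diff_s, exp_s, nonce))
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or tampered challenge
    if cid != client_id or now > int(exp_s):
        return False  # solved for someone else, or expired
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(diff_s):
        return False  # not enough work
    if (challenge, counter) in _accepted:
        return False  # replayed solution
    _accepted.add((challenge, counter))
    return True


if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7", difficulty_bits=16)  # constructed client id
    t0 = time.perf_counter()
    answer = solve(ch)
    print(f"solved after {answer + 1} hashes in {time.perf_counter() - t0:.2f}s")
    print("verify:", verify(ch, answer, "203.0.113.7"))
    print("replay:", verify(ch, answer, "203.0.113.7"))
```

The asymmetry is the whole point: a legitimate browser pays a few thousand hashes once per TTL, while a swarm has to pay that per client per window, and every shortcut a bot might try (forging an easier challenge, reusing a friend's answer, replaying its own) is caught by a single hash plus an HMAC on the server. Difficulty is a tuning knob: raise it when an attack is under way, lower it when the only cost is to real users' battery.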

The Know Your Labor Rights Act was introduced on Apr 21, 2026, which "Makes employers display posters and tell new hires about their rights to organize and bargain for better working conditions under federal law".

I'm well aware legislation like this is unlikely to become law, especially given the current majority in Congress. But I thought it was rare and interesting to see a bill sponsored and cosponsored by Republicans that is in favor of unions and workers' rights.

And it's not like adding posters in workspaces is going to make any radical difference overnight. But I imagine there are thousands of workers that are completely unaware of their rights, and maybe something as simple as a poster is enough to spark something bigger?

u/DryEraseBoard — 22 hours ago

Woman’s Talkspace Therapy App Sessions Exposed in Court— Talkspace has amassed “one of the largest mental health data banks in the world,” according to reports to investors, containing 140 million message exchanges.

proofnews.org

Anyone else creeped out by the FBI remotely resetting thousands of routers? What’s your plan for EoL hardware?

Just read the TechRadar article about the FBI getting court orders to remotely wipe/reset thousands of compromised TP-Link routers because of Russian GRU malware (APT28)

On one hand, these old SOHO routers (Archer C5/C7, WR841N, etc.) are End-of-Life, have no security patches, and are basically being weaponized into botnets. But on the other hand, the fact that the government can just drop commands into consumer hardware at scale is a huge reminder of how vulnerable our home networks actually are.

Once a router stops getting firmware updates, it’s a ticking time bomb. What is everyone’s strategy here? Do you just buy a new consumer router every 3-4 years, flash OpenWrt, or move to hardware-level firewalls/gateways?

u/Easy_Letterhead8928 — 18 hours ago

Browsers: Security Versus Privacy

A long time ago we separated from the monkeys. We've come a long way since then. We're now clever. We use iPhones. We send men to the moon. And we all stuff our fat faces with Big Macs and Cheezey Fries.

IMO, we've reached one of the most pivotal times in our entire evolution. Anthropic have just rolled out Mythos. It's the most intelligent AI ever created.

Experts predict that two years from now, AIs like Mythos will be able to give birth. Yes, you read that correctly. AIs will be able to generate next-generation AIs.

So Mythos #3 will have a baby. It'll be called Mythos #4. A year later, Mythos #4 will give birth to Mythos #5. And so on.

I'm a published designer. My company makes websites. We have a client that not so long ago sold a multi-million dollar superyacht.

On the PC, I use Google Chrome. I will now be massively downvoted. But one year from now, I will be massively UPVOTED.

Security will be significantly more important than privacy.

Imagine what might happen if Mythos #6 ends up in the hands of scammers, or the type of people that inject malware into websites and/or browser extensions.

Every week, at least two people on this sub start threads asking about privacy browsers. Next year, these people will be asking about security browsers.

What do you guys think about this? Some of you are a lot more knowledgeable about this topic than me, so I'll be interested to see what you think.

u/WelderOk2829 — 21 hours ago

How I stopped leaking my identity online after 8 months of trial and error

Managing multiple online identities for work taught me one thing fast: your IP, your phone number, and your SIM are three separate attack surfaces and most people only think about one of them.

Here's what worked for me:

  1. Mobile proxies over residential and datacenter every time. Residential success rates dropped hard, the big pools are burned and platforms have the ASN ranges flagged. Mobile carrier IPs are the hardest to separate from normal traffic because that's what they are. VPNs are fine for privacy but poor for platform trust, most ranges are already blocked.
  2. Stop using your real number for verification. Every time you hand over your real number for a 2FA or account verification, you're creating a permanent link between that account and your identity. Non-VoIP carrier numbers fix this cleanly, virtual/VoIP numbers get rejected on anything serious.
  3. eSIM for secondary connectivity and travel. Physical SIMs are tied to your identity at the carrier level (most countries require ID for activation now). eSIMs from a privacy-focused provider give you a clear layer of separation, especially useful when moving between countries.
  4. Keep everything under one platform. Switching between three different providers for proxies, SMS and eSIM is where most people leak. Inconsistent setups, overlapping accounts, payment trails. I moved everything to Voidmob and the operational overhead dropped significantly.
  5. Pay with crypto where possible. A privacy stack paid for with a card tied to your name is not a privacy stack.

The biggest mistake people make is treating these as separate problems. They're not, they're one problem with three surfaces.

u/4Everasking007 — 1 day ago

Google declaring boldly that it can see your feed and what you are watching

I was going through my Play Store when I saw this. Anybody can access my feed even if I lock my app access.

This raises my concern.

u/Yug_20 — 2 days ago

Best way to securely share confidential documents without cloud storage?

A few weeks ago I needed a secure way to share confidential documents with a client, so I started researching encrypted file sharing tools and secure document transfer services.

The problem is that most secure platforms still feel like regular cloud storage services with basic password protection added on top. Some file sharing links could still be forwarded easily, which kind of defeats the purpose of private document sharing.

What I was actually looking for was a secure file sharing solution with features like password protected links, one-time downloads, temporary file access, auto expiring links, and end-to-end encryption for sensitive documents.

I also didn’t want another bloated cloud storage platform or something that forces clients to create accounts just to open confidential files.

I’ve tested a few encrypted file transfer services already, but it’s surprising how many are missing basic privacy and security features.

What secure file sharing service are you guys using these days for confidential client files or sensitive documents?

u/Newuser2357 — 2 days ago

Proton Ecosystem Audit 2026

This is not an attack on Proton. This is not personal. I'm a paid user -- Proton Unlimited. I am super happy I moved from the Google to the Proton ecosystem. But, I think Proton needs to do better.

I hope I don't get downvoted by the community or banned from this sub. This slide deck is meant to highlight user grievances (free and paid).

It's not perfect. I'm sure I have missed highlighting some issues. I just hope the community largely agrees with the broad takeaways and more importantly, I hope the Proton team takes this as constructive feedback.

u/shk2096 — 2 days ago

Please be aware and always take the time to opt out!!! These cookies collect FAR TOO MUCH.

And we all know they default to "yes" and you have to manually unselect them. This is a news site. If you don't realize, you are consenting to them using all this info just to stay up to date on current events. This is pretty scary!

u/itsokbirdie — 4 days ago

Looking for VPN Partnership

Hello everyone.

I have a new VPN company and I'm looking for someone to help me run it and promotion.

I have a website and full infrastructure. If anyone is interested please get in touch with me.

vpnsafe . net

u/vpnsafenet — 3 days ago

I built HugMyPDF: 35 free PDF tools where files never leave your browser

I'm Hitesh, a solo developer. After months of building, I just launched HugMyPDF.com, a collection of 35 free PDF tools.

Why I built it:

I was frustrated with PDF tools that:

- Force you to create an account just to merge two files

- Upload your sensitive documents to servers you don't control

- Charge $20/mo for basic features that should be free

So I built something better.

What HugMyPDF does:

35 free PDF tools — merge, split, compress, rotate, watermark, protect, sign, PDF to Word, PDF to JPG, JPG to PDF and more.

What makes it genuinely different:

- Most tools run entirely in your browser using JavaScript — files never reach my server

- PDF to Word is completely free and unlimited — no credits, no account

- No account needed for any free tool — ever

- Pro plan adds AI features (Chat with PDF, Summarize, OCR) for $5.99/mo

Tech stack:

- Vanilla JS frontend on Cloudflare Pages

- FastAPI backend on DigitalOcean $6/mo

- pdf-lib and PDF.js for browser-side processing

- OpenAI for AI features

- Stripe for payments

Current status:

- Just launched

- First paying subscribers already

- Working on OCR speed improvements

I'd love honest feedback from this community: what tools are you missing? What would make you actually use this over iLovePDF or Smallpdf?

Use code **EARLYBIRD** for 50% off Pro for your first 3 months!

🔗 hugmypdf.com

u/Famous-Machine-9325 — 4 days ago

Instead of building laws and ecosystems around age verification, why not try something simpler to enforce that reduces addictive patterns. One possibility would be to make a law that restricts social app access to X hours per day per user?

u/Hoohm — 3 days ago