Do encrypted services actually offer a meaningful privacy boost?

I’m struggling to see the “value add” of paid services like Proton or Tuta when I feel I can achieve 90% of my privacy goals for free. Am I missing a piece of the puzzle here, or is the threat model for the average user being overblown?

I’m curious about the collective goal here: are we trying to hide from global intelligence agencies, Google’s data mining, or just the average hacker?

To me, it feels like achieving “true” privacy requires an almost impossible checklist:

Network-wide VPNs: Encrypting every single IoT device in your home.

Custom ROMs: Running GrapheneOS or similar on all mobile devices.

Search Neutrality: Hard-blocking Google and other data-heavy search engines.

Air-gapping Vehicles: Never syncing a phone to a car’s infotainment system.

Physical OpSec: Avoiding public surveillance and facial recognition.

Financial Privacy: Preventing banks or utility providers from sending digital footprints via email.

Closed Ecosystems: Only communicating with other encrypted-mail users.

I understand the desire to stop Big Tech from tracking our every move (or “every morning dump”), but help me understand this realm better. Is the jump to paid, encrypted services a silver bullet, or just one small gear in a much larger machine?

1 Like

For me it’s all of the above as much as possible without extreme inconvenience. For example, I will use Linux, and harden my OS, browsers, use the right privacy-forward apps, and ensure I’m not the product for the big tech. But I also won’t go so far as to move to TailsOS or Whonix full time, nor am I going to stop accessing non-private necessary tools like YouTube or Google Maps (though I will be logged out since no Google account).

To me, this can only be achieved when you stay offline and live life as if in the 70s or the 80s (CCTV everywhere notwithstanding).

So, I don’t think there is anything like it but we should do what we can when we can in the right way to optimize a freer digital life that’s as private and independent from big tech and surveillance capitalism as one can be today.

No. It’s not a silver bullet if you ask me. But it’s as close to said optimization as one can get like I said above.

For the average person wanting to become more private, secure, and adopt healthier digital and internet practices, 75% of the journey can be made for free. The next 20% is through all the paid services and products that do add value for what you get and can do with it. The last 5% is akin to living with TailsOS only, having no real online accounts, and spending the majority of your 24 hours every day offline (if 100% is considered to be true privacy).

I hope this clarifies some things.

It is an impossible checklist. This is why people threat model. There are very few people on the planet that need anything close to true privacy.

1 Like

E2EE services provide protection from the service provider itself, even if they aren’t malicious they might have rogue employees that try to access user data. They might be compelled by law enforcement to hand over whatever data they have, so E2EE protects you in that case as well. It’s also very common for companies to use third-party companies to store your data, so you have to be able to trust them as well. Even if you don’t care about any of that, there’s still data breaches that happen all the time where users’ sensitive data is leaked.

E2EE covers a lot of threats but it’s definitely not a catch all solution. The thing you described about it feeling impossible to protect against everything is exactly why threat modeling is so important: you need to define what threats you’re worried about so you don’t get bogged down with things that don’t help you achieve those goals.

If you feel like you achieve what you want with free services, then that’s perfectly fine. What you want to defend against is up to you. But E2EE services have demonstrated real value in protecting against certain threats.

Also I will point out that “free” and “encrypted” is a false dichotomy: there’s plenty of free E2EE services.

6 Likes

Not being clear on what “threat models” were, I went as far as possible with my privacy, sacrificing convenience in the process. When, after a year, I stopped to think about whether it was necessary to use a VPN on all my devices, I came to the conclusion that, while it helps, the inconvenience is too high and what I get out of it is very little. At the end of the day, I’m interested in protecting my most private and personal data and distancing myself as much as possible from big American companies. In my “book”, the most important things are E2EE services (Standard Notes, Tuta, Proton Drive, Ente, Signal, etc.), so I don’t care whether Google is able to track my browsing habits. If some conversations I have with other people on WhatsApp are not truly private, I don’t mind — the really sensitive data I keep in Signal.

2 Likes

Network-wide VPNs: Encrypting every single IoT device in your home.

Some routers allow you to set a network wide VPN. This mostly works fine.

Not everyone necessarily needs a VPN. In the US we tend to have ISPs that sell data with no opt out, so network wide can be nice to have in that case. For hiding personal browsing data you obviously don’t need network wide.

Custom ROMs: Running GrapheneOS or similar on all mobile devices.

Not necessarily hard, you just buy a device that supports Graphene (or next year you can buy one preinstalled through Motorola), but I’d recommend iPhone to most people. It asks the least of them.

Search Neutrality: Hard-blocking Google and other data-heavy search engines.

There’s also startpage and SearXNG.

Air-gapping Vehicles: Never syncing a phone to a car’s infotainment system.

become a peasant and ride the bus with me, but yeah you should trust the device you connect via usb and send data to

Financial Privacy: Preventing banks or utility providers from sending digital footprints via email.

I guess tuta/proton were worth it after all

Closed Ecosystems: Only communicating with other encrypted-mail users.

even better, don’t talk to anyone and go hang out in the woods with some squirrels and deer. they will not leak any info. otherwise just be mindful of what you put in emails.

I’m struggling to see the “value add” of paid services like Proton or Tuta when I feel I can achieve 90% of my privacy goals for free.

They do have good free tiers that give you the full security and encryption benefits. If you want full features + encrypted email message bodies or local storage you can potentially do that through Thunderbird or extensions for free or with a low cost (e.g. mailbox.org $12 per year) provider.

A provider like Yahoo or Gmail will harvest metadata. However you could still do POP3 + PGP or store on encrypted hard drive if money is limited and you aren’t satisfied with Proton or Tuta apps. I think free Proton is pretty good though and can be combined with Duck aliasing.

1 Like

Hey everyone, just wanted to share my plan for moving over to a more private setup. Thanks for all the great info!

Since I basically live in the terminal anyway, I’ll jump to Fedora. My browser setup will stay lean: Firefox ESR + uBlock Origin (with my usual custom filter sauce).

For the network side:

  • Mullvad will be my daily driver.

  • Quad9 for the DNS fallback when the VPN isn’t active.

  • Sticking with my current email workflow since I’m already using AES-256 for anything I upload.

I’ll put GrapheneOS on my Pixel. Plan to use the Aurora Store to grab Tidal, which seems like a pretty painless transition.

Let me know if I’m missing any low-hanging fruit, but I’m stoked to finally get this sorted!

1 Like

I would say you’ve taken care of even the mid hanging fruit. That is pretty thorough as these things go, barring more specific threats you haven’t mentioned.

In my opinion you can use LibreWolf on your PC.

It’s a fork of Firefox without Firefox telemetry.

On Android it is the IronFox browser