Trust Nothing But Your Own Analysis

Nowadays, nearly all privacy service recommendations are compromised. Review sites earn commissions from services they recommend, "independent" audits are commissioned and controlled by the services themselves, and even technical forums are flooded with sophisticated marketing campaigns disguised as authentic discussions.

This guide teaches you to identify contradictions within a privacy service's own materials—their only reliable measure. It also challenges some widely held outdated beliefs. We will begin with a little history, because this history provides us with perhaps the most relevant instructive example of why some claims simply can not be trusted on their own...

The Crypto AG Deception

For decades, Crypto AG marketed itself as the gold standard for secure communications. They emphasized three key selling points:

  • Their Swiss jurisdiction, claiming neutrality and strong protections
  • Independent security audits that certified their encryption as unbreakable
  • Recommendations from seemingly neutral technical experts and organizations

In reality, Crypto AG was secretly owned and operated by the CIA and German intelligence (BND). Their encryption devices—sold to more than 120 countries worldwide—contained deliberate backdoors allowing Western intelligence agencies to easily decrypt supposedly secure communications. This operation ran undetected from the 1970s through the 2000s, all while receiving third party certifications, recommendations from technical sources, and marketing their Swiss jurisdiction as providing neutrality and strong protections.

This demonstrates that:

  • Jurisdictional claims ("Trust us because we're based in privacy-friendly fantasyland") are meaningless
  • Independent audits can be manipulated or conducted by compromised parties
  • External recommendations, even from seemingly authoritative sources, can be part of the deception

The most telling indicators of a privacy service's true nature aren't found in what others say about them, but in the contradictions within their own statements.

Common Contradictions in Privacy Services

The bottom line is that privacy services are trust based, regardless of their claims to the contrary. You must trust that they are acting and functioning in an ethical manner. A true zero-trust model would not, by design, require the use of any privacy service.

So how do you determine trust? By looking for contradictions in their marketing vs reality. Below you'll find some things to help you understand what to look for that are indications that the service is not ethically marketing itself. If they are not marketing themselves ethically, then they likely are not handling your data in an ethcal or trustworthy fashion.

The "Zero Access" Contradiction

The Claim:

"Your data is end-to-end encrypted in a way that makes it inaccessible to us. Data is only decrypted on your device, using keys that we don't have access to."

Yet their terms of service says:

"Accounts may be suspended or terminated if used for sending unsolicited bulk messages or signing up for too many third-party services in a short timeframe."

The Contradiction: How can they determine you're signing up for "too many services" without monitoring the content or patterns of your incoming mail? True zero-access would make this technically impossible.

While spam detection for outgoing mail might be achievable without accessing content (through recipient server responses), detecting when you've registered for multiple services would require content analysis or traffic pattern monitoring of your incoming messages—directly contradicting zero-access claims.

Critical Question: Ask yourself exactly how a service could know you're signing up for other services through their system without monitoring the content of your incoming messages? Apply this same critical thinking to their entire terms of service and acceptable use policies. You may find that the realities of what they will termiante accounts for doing completely contradicts their marketing claims, especially regarding "zero access" claims.

The service may claim it is only reviewing metadata when metadata does not necessarily show this information at all (and don't look past the fact that they just admitted to monitoring your incoming mail by saying this, especially if their claims are end-to-end encryption and zero access). Regarding metadata, while it may be true that some big-name services have automated signup emails that may be somewhat identifiable based on subject and machine sending them, there are no standard headers for new accounts. Signup confirmation emails come in various formats, and there is no universal metadata indicator that can reliably identify them. This means any provider claiming to detect excessive signups must either be analyzing and recording the content of the incoming messages or tracking user behavior in ways that contradict their stated privacy policies.

The Encryption Misrepresentation

The Claim: "We use end-to-end encryption. No one except you can read your encrypted emails."

The Nuance: True end-to-end encryption is possible in email, but requires specific conditions:

  • All participants must use compatible encryption tools (like PGP or S/MIME)
  • Encryption keys must be securely generated using your choice of compatible sofware
  • All participants must properly exchange encryption keys
  • The encryption must be performed using the recipient's public key, on the senders device, with their choice of standalone software, ensuring that the sender is the only party to the encryption
  • The encrypted content must remain intact throughout transmission
  • Decryption must only be possible by the recipient using their private key, which remains exclusively on their own device, using their choice of standalone software, to ensure that the recipient is the only party to the decryption
  • Anyone who is a common party to either the encryption, decryption, or creation and/or management of private keys, should be considered a party to the unencrypted content

When services make blanket claims about "end-to-end encryption" without specifying these requirements, they're typically referring to encrypted storage of your emails on their servers or the fact that you connect to them or their mail servers connect to others via ssl. This is not true end-to-end encryption across the entire email journey and it's deceptive marketing. If a service is deceptively marketing itself then they are showing you that they can not be trusted.

Some services do offer genuine end-to-end encryption, but only when communicating with users of the same service or with individuals who have properly configured compatible encryption tools. Other services might offer methods like password-protected attachments or password protected temporary web links, when sending to external addresses, which provide some security but with different characteristics than true E2EE.

The key issue is that email as a protocol was not designed with built-in encryption. Any encryption is added on top of the basic protocol, which means it's optional and requires active implementation by all parties involved. If a service is not making this clear, yet is claiming end-to-end encryption, you should think twice and not just blindly trust because they used the term E2EE.

Key Control Contradiction

The Claim: "Your messages are encrypted with keys only you control."

The Nuance: If your encryption keys are generated, stored, or processed inside their proprietary software or on their servers, you don't truly control them. Unless you're personally generating keys, decrypting on your own device using your own choice of compatible software, and only importing the public key to the service, there's no technical way to verify they don't have access to your keys. The service could easily be:

  • Creating a copy of your private key during generation
  • Using a predictable generation algorithm they can reproduce
  • Capturing your passphrase when you enter it
  • Implementing a backdoored encryption algorithm
  • Accessing the decrypted content as you decrypt it

True key control requires key generation and management to happen on hardware you control, using non-proprietary software. Using proprietary software labeled as "open source" provides little zero-trust protection if you're installing pre-compiled versions, as you have no way to verify whether the actual installed code matches the published source code. Most people will not compile the source themselves, companies know this, making this "openness" largely a marketing tactic rather than a meaningful security measure. You really don't know what they are currently running on their servers and you don't know what is actually in their compiled code.

Key Change Contradiction

The Claim: "We've upgraded our encryption to a more secure algorithm. All your existing data has been automatically re-encrypted for better protection."

Reality Check: If a service can change or upgrade their encryption system without requiring your action or access to your private keys, this is a definitive indication that they can decrypt your data. The process of changing encryption algorithms or keys necessarily requires:

  • Decrypting the data using the old system
  • Re-encrypting the data using the new system

If a service can perform this operation seamlessly without requiring you to provide your private key or decrypt the data yourself, they must have access to either:

  • A copy of your private key
  • The data in an unencrypted form
  • A master key that can decrypt all user data

This capability directly contradicts any claims of "zero access" or "end-to-end encryption." Any service that announces encryption upgrades or changes with "no action required from users" is acknowledging (whether explicitly or not) that they have the technical capability to access your supposedly encrypted data.

Password Recovery Contradiction

The Claim: "Your messages are encrypted with keys only you control."

The Contradiction: If you forget your password and lost access to your key and they can help you recover your account and all your previous emails.

Reality Check: These two things cannot both be true. If you exclusively control the encryption keys, and there are no master key backdoors, the service cannot recover your past encrypted data. If they can change your password to get you access to your mail, they can change your password to give themselves access to your email.

The "No Tracking" Contradiction

The Claim: "We believe in absolute privacy. We never track our users' activities."

Yet their website includes:

  • Google Analytics or similar third-party analytics
  • Social media sharing buttons that track visitors even without clicking
  • Advertising pixels that build user profiles
  • Session recording scripts that capture user behavior

How to Verify:

Use Blacklight for a report or use browser developer tools to examine network requests when visiting their site. If you see connections to analytics services, advertising networks, or social media platforms, the service is allowing third parties to track visitors—directly contradicting their "no tracking" claims.

Why This Matters:

A privacy service that allows tracking on their own website demonstrates either:

  • A fundamental misunderstanding of privacy (unlikely for a privacy service)
  • Willingness to compromise user privacy when convenient
  • Deceptive marketing practices

If they allow tracking on their most public-facing asset (their website), how can you trust their claims about not tracking in their actual service?

The Jurisdictional Privacy Myth

The Claim: "We're based in [privacy-friendly country], with no mandatory data retention laws."

The Contradiction: The digital world doesn't respect borders. Your data traverses numerous countries and is intercepted at internet exchange points before reaching the service. The reality of modern surveillance includes:

  • Global data interception occurs at major internet exchange points, regardless of where your final destination is located
  • Commercial data broker networks allow agencies to simply purchase data they can't legally collect directly
  • Undersea cable taps and transit country monitoring capture data regardless of endpoint jurisdiction
  • International intelligence agreements extend far and wide, with documented sharing between supposedly adversarial nations
  • Manipulation of BGP. Border Gateway Protocol (BGP) is the backbone of internet routing, allowing autonomous systems (AS) to exchange routes. However, its trust-based nature makes it vulnerable to manipulation, leading to traffic rerouting, interception, and disruption.

Jurisdictional privacy is an outdated concept and those that cling to it have either remained ignorant to the realities of the current state of global surveillance, or they seek to use the belief that jurisdiction matters for their own benefit. Crypto AG is not the first, nor the last, to capitalize on this false belief. For a comprehensive analysis of why jurisdiction offers minimal protection in today's interconnected world, see "The Myth Of Jurisdictional Privacy" which documents how surveillance capabilities have evolved beyond traditional legal frameworks. This in-depth research reveals how international cooperation, commercial data sales, and technical interception make jurisdictional claims largely meaningless.

The jurisdictional marketing approach is itself a red flag. A privacy-focused service should understand that today's technical realities do not see borders. Everything is just another node on the network and that network is tapped everywhere. If a service does not acknowledge this reality, then they are being deceptive.

The "No Logs" Fallacy

The Claim: "We do not keep any logs, of any kind, period."

The Contradiction: Running any secure service requires some form of logging. System logs are essential for a number of critical things:

  • Security monitoring and intrusion detection
  • Preventing fraud and account abuse
  • Troubleshooting technical issues
  • Maintaining service reliability

A service claiming to keep absolutely no logs is either lying or dangerously unsecure. The more honest approach acknowledges what minimal logs are kept and for how long.

The industry is littered with cases of "absolutely no-logs" services that were later found to have extensive logging capabilities. This pattern has been consistent for over a decade, with multiple providers exposed for contradicting their own logging claims.

Global Server Network Claims

The Claim: "We have thousands of servers in 100+ countries."

While also claiming:

"We own and operate all our servers for maximum security."

Reality Check:

Maintaining thousands of physically owned and operated servers across even dozens of countries would be prohibitively expensive for most VPN providers. What many services don't disclose is that these "global networks" are often:

  • White-label services - Many VPN providers are simply reselling access to the same underlying network infrastructure, operated by a handful of companies that don't advertise directly to consumers. This was exposed in a major security breach that revealed multiple supposedly "independent" VPN services were actually the same white-box service with different branding. The most revealing part of the breach? The white box service was logging and selling absolutely everything, including detailed IP logs and browsing histories while the services using them were claiming "absolutely no logs".

  • Virtual server locations - A server physically located in one country (often a cheaper data center location) may be configured to appear as if it's in another country entirely. When a service claims to have servers in countries with restrictive internet policies, they're often using virtual locations.

  • Rented infrastructure with minimal oversight - Rather than owning and operating hardware, many providers simply rent generic virtual private servers from standard hosting companies, install VPN software, and add them to their network with minimal security hardening or physical control.

The overall reality is that a truly global network of properly secured, dedicated, physically owned servers in hundreds of physically owned datacenters would cost hundreds of millions into billions of dollars to build and maintain. This directly contradicts the low subscription prices many services offer - and completely negates the possibility of providing such infrastructure "for free."

So ask yourself, do you see how this service could be earning hundreds of millions to billions of dollars to be able to justify this expenditure in a world where people will give up their privacy to save 25 cents on a bottle of soda? If if you can't see them earning enough to cover such expense, then you have your answer to their trustworthiness.

Important: If a privacy service maintains reliable VPN servers claimed to be in China, this should be a red flag. China requires access to encrypted transmissions and those that do not comply are blocked by their highly responsive and intelligent firewall (the great firewall of China). This AI driven firewall will automatically block encrypted streams that it cannot access, regardless of what port or ports traffic is spread across or whether or not that traffic looks like a VPN.

If the traffic is regular and cannot be accessed, it first sends forged fin packets to both ends, attempting to disrupt the connection, and if that doesn't work, it's outright blocked. There are many discussions within the privacy community regarding how to obsfucate traffic and circumvent this firewall, with little long term success. So if someone is operating a reliable public VPN within China, then they have likely given access to, or it has some kind of backdoor for, the Chinese government or that server is not physically located in China.

Practical Evaluation Approach

Conduct a Cross-Document Contradiction Analysis

The most revealing information about a privacy service comes from comparing statements across their various documents:

  • Marketing pages vs. technical documentation
  • Homepage claims vs. privacy policy details
  • Blog posts vs. terms of service
  • Support documents vs. legal disclosures

The larger the gap between marketing claims and technical or legal documentation, the greater the likelihood of deception.

Evaluate Fundamental Technical Limitations

For Email Services:

  • Email is fundamentally not designed for secure communication. Any service claiming to have "solved" email privacy without limitations is likely being deceptive.
  • True end-to-end encryption in email requires all participants to use compatible encryption, securely self-generated keys, and properly exchange keys.
  • True end-to-end email encryption is not proprietary.
  • True end-to-end email encryption means that it does not matter if you use a privacy service or not, your data is protected by design, no matter what email service you use.

For VPN Services:

  • VPNs can only protect the connection between you and their servers; they cannot protect you from what you voluntarily share after that point.
  • Perfect anonymity is impossible for a commercial service that processes payments and manages user accounts.
    - If you offer it, it will be abused. If you can't address abuse, you will be cut off from the Internet. If you can terminate accounts for abuse, it is not anonymous.
  • Properly operating VPN servers is extremely cost intensive.

If a service's marketing appears to contradict these truths, they should be considered untrustworthy.

Analyze Business Model Alignment

"Free accounts with premium privacy features. We don't collect or sell your data."

Reality Check:

Privacy infrastructure is expensive to build and maintain. Servers, bandwidth, development, security audits, and support staff all represent significant costs. Companies must generate revenue somehow. When a service offers "free" premium privacy features, ask yourself:

  • How are they covering operational costs?
  • Why would they invest millions in infrastructure without a revenue model?
  • What's the actual product if you're not paying with money?

The adage "if you're not paying for the product, you are the product" applies strongly to privacy services. Free VPNs have repeatedly been caught selling user data, injecting ads, or sharing browsing habits with third parties despite privacy promises. Free email providers typically scan message content for advertising purposes or to build user profiles.

Finally - The Honesty Check

The most important skill in evaluating privacy services is identifying contradictions in their own statements. No external validation, audit, or recommendation can replace this analysis. If a service is not ethical in it's marketing, it is not going to be ethical and trustworthy with your data.

Perhaps the most telling indicator of a trustworthy privacy service is whether they acknowledge the inherent limitations of their technology:

  • Do they openly discuss the limitations of jurisdictional protection in a globally connected world?
  • Do they clearly explain when and how their encryption works (and doesn't work)?
  • Do they admit the trade-offs between convenience and security?
  • Are they transparent about what data they must collect for the service to function properly?
  • Do they talk about the realities, or do they just claim to be the solution?

Services making absolutist claims like "100% anonymity guaranteed" or "completely untraceable" without acknowledging real-world limitations are displaying clear red flags. Privacy has inherent trade-offs and technical constraints that cannot be eliminated—only managed and mitigated.

A truly honest service will not position itself as the ultimate solution but will instead help users understand the complexities and potential weaknesses of online privacy. Transparency about what can and cannot be protected is a strong sign that a provider is acting in good faith.

Any privacy service that claims absolute security, anonymity, or "no logs" without caveats is either misleading or incompetent. Privacy is about risk reduction, not absolute guarantees, and a service that acknowledges this reality is more likely to be trustworthy.

Published: March 23, 2025