From the Rubble | Natural Series Extensions | Part 1


TLDR: Your phone calls, texts, and emails are not private by default. Every major communications platform - SMS, Gmail, WhatsApp, Facebook Messenger - is either surveilled by design or trivially accessible to law enforcement and intelligence agencies. This article covers the sovereign communications stack: Signal for messaging, ProtonMail for email, Element for group communications, Mullvad for VPN, and when Tor is the right tool. The friction is real. The alternative is having every conversation you’ve ever had indexed in someone else’s database.


The Default Is Surveillance

Your SMS messages are stored by your carrier. Federal law requires carriers to retain them for a minimum period. Law enforcement can access them with a subpoena - a legal request that doesn’t require a judge’s approval in the way a warrant does.

Your Gmail is indexed by Google. The contents of your emails inform the ad targeting profile Google has built on you. Google has complied with tens of thousands of law enforcement data requests annually. Your emails are accessible to Google employees under various internal policies. And Google’s privacy statement reserves rights to your data that most people have never read.

WhatsApp is owned by Meta. It uses the Signal protocol for message encryption - which sounds reassuring until you remember that metadata isn’t encrypted. Meta knows who you message, when, how often, and from where. That metadata is extraordinarily valuable for behavioral profiling and has been shared with law enforcement.

Facebook Messenger, by default, doesn’t use end-to-end encryption at all. Your messages are readable by Meta.

iMessage encrypts messages between Apple devices. Apple holds keys that can decrypt iCloud backups, which include your messages if you have iCloud backup enabled. Law enforcement requests to Apple succeed at a high rate.

None of this is conspiracy theory. All of it is documented in company transparency reports, legal filings, and journalism based on those sources. The surveillance architecture of mainstream communications is not hidden - it’s just not prominently disclosed.

The question isn’t whether you have something to hide. The question is whether your conversations belong to you.


Signal - The Non-Negotiable Starting Point

If you do one thing after reading this article, install Signal and get the people you communicate with most to do the same.

Signal is end-to-end encrypted by default for all messages and calls. The encryption is open source and has been audited by independent security researchers. The Signal Protocol - the cryptographic foundation - is considered the gold standard in the field. It’s so good that WhatsApp, Google Messages, and other mainstream apps have adopted it while surrounding it with their own surveillance infrastructure.

What Signal doesn’t collect: message contents, who you message, call logs, group memberships, profile information, or location data. The Signal Foundation - a nonprofit - is structured so that even if compelled by law enforcement, they have almost nothing to hand over. Subpoenas to Signal have returned: account registration date and last connection date. That’s it.

Installing Signal:

Available on iOS, Android, and desktop (Windows, Mac, Linux). Download only from signal.org or your device’s official app store.

On desktop, use the Signal Desktop app linked to your phone. It’s a companion app - your phone is the primary device.

Settings worth enabling immediately:

  • Note to Self: test encryption with yourself before using it for sensitive conversations
  • Disappearing messages: set a default timer (1 week is reasonable for most conversations, shorter for sensitive ones)
  • Screen security (Android): prevents screenshots - including from Windows Recall
  • Registration lock: requires your PIN to re-register your number, prevents SIM swap attacks

The network effect problem:

Signal is only useful if the people you communicate with use it. This is the real friction. Your sovereign communications stack is limited by the least sovereign person in your contact list.

The practical approach: install Signal, then invite the five people you communicate with most. Don’t lecture them about surveillance. Just say it’s what you use now and it works well. Most people will install it when asked by someone they already trust.


ProtonMail - Email You Actually Own

Email is architecturally difficult to secure. The protocol was designed without encryption in mind, and retrofitting end-to-end encryption onto a decades-old infrastructure is genuinely hard. ProtonMail does it better than anyone.

ProtonMail is based in Switzerland, under Swiss jurisdiction - which has stronger privacy protections than the US and is not party to the same intelligence-sharing arrangements. End-to-end encryption is applied to emails between ProtonMail users. For emails to external addresses (Gmail, Outlook, etc.), ProtonMail encrypts at rest on their servers and offers optional password-protected links for sensitive messages.

Zero-knowledge architecture: ProtonMail cannot read your emails. Their servers store encrypted content they can’t decrypt.

Migrating to ProtonMail:

The free tier is functional. Paid tiers add custom domains (important for professional use), more storage, and additional aliases.

Don’t try to migrate everything at once. Start by using ProtonMail for new accounts and sensitive correspondence. Forward important contacts to your new address. Let the old Gmail address die slowly - it takes months, but it happens.

For the Sovereign Self Health practice: a custom domain ProtonMail address (kyle@sovereignselfhealth.com) routes through Proton’s infrastructure while maintaining professional appearance. The sovereignty alignment is part of the brand story.

ProtonMail + SimpleLogin:

SimpleLogin (owned by Proton, fully integrated) lets you create email aliases - unique addresses that forward to your ProtonMail inbox. Use a different alias for every service you sign up for. When a service gets breached or sells your data and you start getting spam, you know exactly which service was the source. Delete the alias. Problem solved.

This is the practical implementation of email sovereignty: your real address is never exposed, your inbox is yours, and you have surgical control over who can reach you.


Element / Matrix - Sovereign Group Communications

Signal is excellent for one-to-one and small group conversations. For larger communities, persistent chat history, or situations where you need to run your own server, Matrix is the answer.

Matrix is an open, federated protocol for real-time communications. Element is the most polished Matrix client. The key difference from Signal: Matrix is decentralized. You can run your own Matrix homeserver, meaning your conversations live on infrastructure you control - not a third-party server.

The use case for FTR and Sovereign Self Health: a community space for subscribers and clients where conversations aren’t subject to Discord’s moderation policies, Slack’s surveillance, or any platform’s deplatforming risk.

Matrix federation means you can host your own server and users on other Matrix servers can still communicate with you. It’s the email model applied to real-time chat - interoperable across servers, no single point of control.

Running a Matrix homeserver requires some technical setup - it’s more involved than installing Signal. For the immediate term, creating an account on matrix.org (the flagship public server) and using Element gives you the privacy benefits without the server management overhead. When you’re ready to go deeper, matrix.org has solid documentation for self-hosting.


VPN - The Right Tool for the Right Job

VPNs are one of the most misunderstood tools in the privacy space. They’re oversold as privacy solutions when they’re actually traffic routing tools - and the distinction matters.

What a VPN does:

  • Encrypts traffic between your device and the VPN server
  • Hides your traffic from your ISP
  • Masks your IP address from websites you visit
  • Changes your apparent geographic location

What a VPN doesn’t do:

  • Protect you from surveillance by the VPN provider itself
  • Prevent tracking via cookies, browser fingerprinting, or login state
  • Secure your device from malware
  • Provide meaningful anonymity if you’re logged into accounts

The critical variable is trusting your VPN provider. You’re shifting your traffic from your ISP (who can see it) to your VPN provider (who can also see it). This is only an improvement if your VPN provider is more trustworthy than your ISP - which requires choosing carefully.

Mullvad is the recommendation that consistently clears the sovereignty filter:

  • Based in Sweden, under EU jurisdiction
  • No-logs policy, independently audited
  • Accepts cash and Monero - genuinely anonymous payment
  • No account required (uses account numbers, not email addresses)
  • Open source client
  • Has been raided by Swedish police and produced nothing because there was nothing to produce - the no-logs policy is real

When to use a VPN:

  • On public or untrusted networks (coffee shops, airports, hotels)
  • When you don’t want your ISP logging your browsing
  • When you need to change apparent location for access reasons
  • When you want an additional layer between your IP and services you use

When a VPN isn’t enough:

  • When genuine anonymity is required (see: Tor)
  • When you’re logged into accounts that identify you regardless of IP
  • When your browser is fingerprinted regardless of IP

The DNS privacy setup from Episode 2 (Quad9 at the router level) handles the ISP-level DNS logging that a VPN also addresses. For home use on a hardened system, the combination of Quad9 + Mullvad when leaving home covers the main threat vectors without over-engineering.


Tor - When You Actually Need Anonymity

Tor is not a VPN. It’s a different tool solving a different problem, and conflating them leads to using the wrong tool in the wrong situation.

Tor routes your traffic through a series of volunteer-operated relays - typically three - encrypting it at each hop such that no single relay knows both who you are and what you’re accessing. The entry node knows your IP but not your destination. The exit node knows your destination but not your IP. The middle relay knows neither.

The result: meaningful anonymity, not just privacy. Your ISP sees you connected to Tor. They don’t see what you’re doing. The destination sees traffic coming from a Tor exit node. They don’t know who you are.
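An added illustration of the three-hop layering described above (not code from the Tor Project or from this article): the client wraps a request in one encryption layer per relay, and each relay peels only its own layer. The relay names, keys, addresses and the toy cipher are all constructed for the example; real Tor negotiates keys per circuit and uses different cryptography.

```python
import hashlib
import json

RELAYS = ["entry", "middle", "exit"]  # hypothetical relay names
# Constructed per-hop keys; real Tor negotiates one with each relay in turn.
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in RELAYS}

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Same call encrypts and decrypts.
    Illustration only: not Tor's cipher and not safe for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(destination: str, request: bytes) -> bytes:
    """Client side: build the innermost (exit) layer first, the entry layer last."""
    blob, next_hop = request, destination
    for name in reversed(RELAYS):
        cell = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = xor_layer(KEYS[name], cell)
        next_hop = name
    return blob

def route(client_ip: str, blob: bytes):
    """Pass the onion through each relay, recording what that relay can observe."""
    seen, sender = {}, client_ip
    for name in RELAYS:
        cell = json.loads(xor_layer(KEYS[name], blob))  # peel exactly one layer
        blob = bytes.fromhex(cell["data"])
        seen[name] = {"from": sender, "to": cell["next"]}
        sender = name
    return seen, blob

if __name__ == "__main__":
    # Constructed sample values (documentation IP range and example domain).
    onion = wrap("example.org:443", b"GET / HTTP/1.1")
    views, delivered = route("203.0.113.7", onion)
    for relay, view in views.items():
        print(relay, view)
    print("delivered:", delivered)
```

The per-relay views show the split of knowledge: only the entry relay's view contains the client IP, and only the exit relay's view contains the destination.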

When Tor is the right tool:

  • When you need to access something without your IP being logged
  • When you’re researching sensitive topics and don’t want a browsing trail
  • When you’re in a high-risk situation (journalist, activist, someone in a country with active internet censorship)
  • When you’re accessing .onion services (Tor hidden services)

The tradeoffs:

  • Tor is slow - routing through three relays adds latency
  • Some sites block Tor exit nodes
  • Tor anonymity can be degraded if you log into accounts while using it
  • The Tor Browser (the standard client) has specific usage requirements - don’t resize the window, don’t install extensions, don’t log into identifying accounts

Practical Tor usage: Download the Tor Browser from torproject.org. Use it for specific high-value sessions where anonymity matters, not as a daily driver. Tails OS - a live operating system that routes all traffic through Tor and leaves no trace on the machine - is the deeper implementation for situations that warrant it.


The Communications Stack Summary

Tool | Use Case | Why It Made the Cut
Signal | Daily messaging and calls | Gold standard E2EE, open source, minimal metadata, nonprofit
ProtonMail | Email | Swiss jurisdiction, zero-knowledge E2EE, audited
SimpleLogin | Email aliases | Masks real address, surgical control over who can reach you
Element / Matrix | Community and group chat | Federated, self-hostable, no platform dependency
Mullvad | VPN for untrusted networks | No logs (proven), anonymous payment, audited
Tor Browser | Anonymity when it matters | Genuine anonymity, not just privacy

The Network Effect Is the Work

The hardest part of sovereign communications isn’t the technical setup. It’s convincing the people in your life to join you on better infrastructure.

Every Signal convert in your contact list makes your sovereign communications stack more useful. Every person who switches to ProtonMail is one less person whose correspondence with you is indexed in Google’s servers.

You’re not going to convert everyone. You’re not trying to. You’re building the infrastructure for the conversations that matter - with the people who get it, or who will get it once you make it easy for them.

Start with Signal. It takes three minutes to install and the ask is small. Everything else follows from there.


Resources

  • Signal: signal.org - messaging and calls
  • ProtonMail: proton.me - email, VPN, calendar, drive (full sovereign suite)
  • SimpleLogin: simplelogin.io - email aliases, integrated with Proton
  • Element: element.io - Matrix client
  • Matrix: matrix.org - federated communications protocol
  • Mullvad VPN: mullvad.net - accepts Monero, no account required
  • Tor Project: torproject.org - Tor Browser and documentation
  • Tails OS: tails.boum.org - live OS, all traffic through Tor, no traces left

From the Rubble is written by Kala - veteran, 30-year conspiracy realist. Digital sovereignty, health sovereignty, and the overlap between them. No corporate funding. No ads. No permission required.