Teachable Moment: John McAfee's Gmail Rant
Responding to arguments from a late veteran computer expert
I’ve seen this video making the rounds and feel compelled to use it as a teachable moment. This is a great example that can be used to go deeper into a couple of important points about privacy & security. It’s always important to consider why a particular short, oversimplified video is making the rounds right now. Often it’s not too hard to speculate why nefarious interests would be interested in promoting particularly simplified views. Important ideas take time to understand, so always take the time to reflect on the details when you can, or at least embrace some uncertainty.
Who was John McAfee?
That’s a complicated question to answer. Allegedly John McAfee died of suicide in 2021. John had a compelling technical resume. Besides being known for selling anti-virus software, he also worked for Booz Allen Hamilton, Lockheed, and even NASA. Despite being well credentialed, he was quite a controversial figure with a very dramatic life. What’s specifically relevant to his statements here is that he was somebody who got to learn computers very well just as they were getting off the ground. There is no doubt that he was a very skilled technical mind. In addition to this, he would bring important issues like Cyberwar into the forefront of the 2016 US presidential election.
He made some excellent statements regarding online privacy and security. It’s obvious that McAfee had a very clear understanding of not only the technological details, but also the broader social implications. During some of his more lucid comments he discusses the important details with a clarity that I hope to achieve someday myself. In some ways, I would argue this clip doesn’t represent him at his best. So much so, that I am convinced the wide dissemination of this particular clip is a mindwar operation aimed not only at disarming people from taking their own privacy seriously, but also at discrediting some of McAfee’s more salient points.
One final disclaimer is that I am uncertain when this video was recorded, but of all people John would still know better regardless.
Rebuttals & Refinement
Overall message
Before addressing the content of the message, there is a lot about the framing that needs to be addressed. The most important factor is that privacy and security are not a simple binary of “safe/unsafe”. Safe from who? Unsafe how? There are always finer details that matter. Given McAfee’s complicated history, he has a particular (well-funded and well-staffed) adversary in mind and is predominantly concerned with a single threat (the US government).
You’re probably (hopefully) not in the same situation that John McAfee was, therefore your particular risks and circumstances will vary. Not only is this specific advice not particularly applicable to most individuals, many more concerns have become more pervasive threats to individuals and organizations alike. In short, cyberwar is no longer a sci-fi, or state-vs-state affair. Instead governments and corporations are wrestling over control of not just the public conversation, but our technological future as a whole.
Thus your average individual (even more for a high-value target!) needs to be cognizant of a wide variety of threats: stalkers, scammers, online mobs, gangs of cyber criminals, and even tech companies themselves. While McAfee makes some factual points in the video, the overall video leaves a counter-productive impression. It’s the opposite of informative, and requires fine correction. In today’s environment, things have only gotten much more complicated in the last few years, and certainly the last decade.
Yes, it is almost certain that a capable, motivated adversary can absolutely seize data from almost anyone no matter how cautious. The question is at what cost? Can every adversary seize everyone’s data all the time? That would get quite expensive rather fast, and it would become even more expensive if those people were taking strategic measures to enhance their privacy and security. Ultimately, if we wish to de-fang the surveillance and censorship apparatus, getting more people involved to take action to raise the cost of mass surveillance is a highly effective tactic.
In addition to new adversaries, the game has gotten a lot more complicated with the advancement of new threats to people’s digital lives. Various governments are cracking down on various forms of dissent and online speech. Highly sophisticated online scams are on the rise. The sum total of data collection on people is weaponized to manipulate the public. Even employers are getting in on the mass surveillance game. State and private propaganda influence operations wage cyberwar both covert and overt. And if all that wasn’t bad enough, machine learning algorithms are quite capable of making all of the above a lot worse.
As always, the only constant is change. One can’t expect to clip two minutes from somebody with a very unique situation and an incredible depth of knowledge and necessarily expect to fairly represent their sum total expertise. I am certain that if John McAfee was still alive today and didn’t have the adversaries he did, he would state things very differently.
Point by point
Email
I am dissed constantly for using Gmail as my email system
…
if you think you have any privacy whatsoever with an encrypted system whether it’s an email system like Proton mail or an encrypted messaging system like signal you have no fucking privacy
The problems with email are pervasive. Even tools like Pretty Good Privacy (PGP) have their limitations. While McAfee is correct to point out that encryption is no ‘silver bullet’ for privacy with email, he’s completely wrong when it comes to the choice of provider. As he points out later in the video, encryption was designed to thwart man-in-the-middle attacks. He’s likely not at all concerned about somebody (other than the govt) compromising Google’s infrastructure to get at him. The problem is that in his situation, the vast array of concerns from Google itself are still worth considering.
It would be better if McAfee explained that in his situation, abstract concerns like data-mining and data sovereignty are a much lower priority to him when he has to worry about imprisonment (and potentially assassination). But when an email provider (even one such as Proton) has the capability of snooping on emails, there are many reasons why an individual would want to take precautions. This is where the condemnation of Gmail makes perfect sense. From a standpoint of protecting emails from prying eyes of the provider, Google is obviously the worst one to choose.
That said, Signal and Proton Mail are worlds apart in terms of the risks involved. It’s not a reasonable comparison to make. Signal was originally designed to protect SMS messages, and eventually this was dropped in favor of becoming a pure messaging app. It’s pretty cool these days to dunk on Signal for its board’s membership, but when governments come knocking they repeatedly show, as recently as last month, that they have (almost) nothing to hand over. On the other hand, Proton has repeatedly handed over user data.
Notably, there is a “secure by design” email client that does offer similar protection. It seems surprisingly absent in many discussions around secure messengers, but Delta Chat is a fascinating Telegram competitor that I believe is vastly underestimated in this space. Recently Delta Chat was able to respond to Russian authorities that they have no user data to give away.
Encryption
encryption was designed 35 years ago to prevent a man in the middle attack meaning someone between your transmission and your receipt
…
encryption is a worthless piece of shit old technology that is being marketed as a safe system. There is no safety anymore, there is no privacy.
…
you are being sold a fucking bill of goods which is worthless with encryption
As explained earlier, this is all relative. Cryptography (encryption) is a tool, and tools need to be applied and understood in their proper context. McAfee is absolutely correct that “encrypted” has become somewhat of a marketing buzzword that loses meaning rather quickly. Encryption is a very useful tool in a wide variety of contexts. It’s quite ironic that many sharing this particular rant would also argue Signal is “worthless” because it didn’t encrypt the local messages database in the desktop client.
There are different ways to use encryption to protect information. You can protect information in transit (which is what McAfee refers to here), you can encrypt it at “rest” (which is what Signal was criticized for not doing), and apparently while in use. Depending on your situation, these different techniques all have very important effects on what is protected and how. Of course, the details matter. Encrypting too little is often just as damaging as not encrypting at all.
This is where my charitable interpretation of what McAfee is expressing is that in his situation, he feels that encryption will not protect him against the particular adversary he’s concerned about. That’s certainly a defensible position, but it’s far from saying encryption is worthless for everyone, everywhere, all the time.
Smartphones
there’s no man in the middle anymore! we don’t need them
your fucking smartphone is the surveillance device preferred by every government on the fucking planet
This is the strongest point in the entire video, since many individuals will also have a smartphone. It is important to have reasonable expectations about what protections you can have from un-trusted devices you use. Arguably, this is the biggest ‘Achilles Heel’ of various privacy software: if it only works on a smartphone, your expectations have to be reduced dramatically. This also applies to any system running an atrocious AI data-miner such as Microsoft Recall (or even antivirus software…?)
How much you can trust a particular device or system is a complicated question. A great deal has gone into protecting consumer devices, and for various Android devices there are ways to have them “De-Google’d” that may provide some benefits. But! McAfee’s strongest point is also a fairly weak point against encryption in general. Because serious risks to savvy smartphone users are really only presented by governments and tech companies. For those concerned with protecting their data sovereignty, there are significant benefits to encryption even on these devices. At any rate, people always have the choice to perform private tasks on more secure devices.
Malware
Do you know how easy it is to plant malware?
Go on pornhub, if you’ve been on pornhub someone is now listen[ing] to you.
All you have to do is do a drive-by of a website and it sets the “download unauthorized applications flag”, the first click and you now have malware that is doing two things:
Watching your inputs before they’re encrypted and transmitting them
And reading the outputs after they are fucking [de]crypted people
This is another very solid point in general. It’s not just state-level actors leveraging malware to collect people’s information or seize control over people’s devices. As always, this is a greater concern for high-value targets, but even just the technologically naive can fall for opportunistic traps. Again, this doesn’t feel like a strong argument against encryption, but rather raises the amount of effort one has to put in managing their digital affairs. Nobody would seriously suggest that just because a thief can throw a brick through your window that you should never lock your doors.
One could always avoid porn sites and hostile cyberspace altogether. It’s possible to build more secure systems that protect regular users better. There’s always a great deal that you can do to measurably reduce your risk from malware. Just being careful and running an ad-blocker takes you a great deal of the way there.
Legal
I use Gmail for one reason
the last company that requires a fucking subpoena from a government in order to give them your information, and their lawyers have 30 fucking days to review the subpoena
30 days is enough for me, I change my email every 15 days
I think relying on a legal strategy to protect your data is more flawed than relying on encryption. Just ask anyone who wants to be forgotten online. I don’t think anyone can be certain that Google can’t figure out which of their users keeps changing accounts every two weeks. The best argument McAfee would have for using Gmail is that he is so attached to the Google ecosystem that it would be pointless for him to try to withhold information from them. Even simple things like using an Android phone and various cloud services are enough to cross that threshold. But that represents an entirely new problem.
Not discussed, but still relevant
Interacting with others.
Let’s take everything McAfee said at face value for a moment. He claims that in his situation, there’s no benefit to him in switching from Gmail to any other nominally secure provider for email. This breaks down the moment somebody else wants to contact him via email or he contacts a person through email. Suddenly he’s impacted someone else’s ability to protect information from Google just to communicate with him. This is exactly why, even if switching would bring him no benefit, others would benefit from him switching to a different provider. For example, if he was using Proton for mail, any Proton user could send him an email that would be encrypted in transit and at rest, and be at least a fair bit safer than in plain text on Google’s servers.
Conclusion
While John McAfee was a very knowledgeable person, his particular situation leads him to make judgement calls that aren’t necessarily right for everyone, especially as the situation evolves. At best, it’s an important reminder that your privacy and security are never entirely up to a single technology choice. It is the sum total of all your digital decisions that makes up your overall situation. Systems that handle personal information need to embody the spirit of “secure by design”. As always, the best way to protect information is not to record it, but the next best thing is to not store it. If it must be stored, then encryption is one tool to protect it from prying eyes.
If you see somebody sharing that video to make a snide point that protecting privacy is worthless, please consider sharing this post to explain why the reality is much more nuanced than that short clip presents.
Rest in peace John McAfee.
I pray that God has mercy on his soul, and for comfort to his loved ones.
You have a gift Gabriel! Outstanding work!!
Regarding Signal, beyond the (very warranted in my opinion) concerns about the composition of their board and funding by entities affiliated with the US government, the sign-up process and the use of phone numbers is an easily exploitable attack vector, especially due to their reliance on a third party for that (Twilio):
https://thehackernews.com/2022/08/nearly-1900-signal-messenger-accounts.html
This is obviously not an issue unique to Signal but there are other IMs where said attack vector is simply not present (by design!). Session is one such example but there are others.
Does Delta Chat use phone numbers as unique identifiers for user accounts similar to what Telegram itself does?
There are some brilliant flawed people. McAfee may have been one of those.
One thing I tell people is that even if Langley has a way to watch every communication, most of it is impersonal and if they encrypt, then at least the neighbor's bored fourteen-year-old isn't listening. That's not nothing.