Digital Detox: You Think Your Thoughts Are Free – But Who Controls the Key?

24. May 2025

You have saved the chats from the last 10 years on your cell phone and all WhatsApp backups on Google or Apple?

You think there is no problematic content on your cell phone or PC? Do you know what content is on your phone? Have you checked each piece of content individually? Have you checked the browser cache? Do you still know what content was displayed to you involuntarily on Facebook, for example, or what content was involuntarily uploaded to your device (and stored on it) as part of advertising, for example? No, certainly not – and this is exactly where the problem lies.

Planned chat control

In this context, the planned introduction of so-called chat control by the EU represents a massive planned encroachment on our fundamental rights. It is supposedly intended to combat crime – in reality, it would enable general and unprovoked surveillance of private communication.

Private messages via messenger services would be just as affected as emails or cloud content. Content could be automatically analyzed by upload filters and transmitted to authorities in the event of suspicion – and not just new messages, but also all messages that have already been stored. This means that even years-old, confidential chats could suddenly be searched and evaluated.

In Germany, the recording of words not spoken in public is a criminal offense (§ 201 StGB), and the secrecy of correspondence is protected by constitutional law. Digital messages are nothing more than modern letters – why should they be any less worthy of protection?

The interplay between these surveillance plans and advanced artificial intelligence is particularly alarming. AI can not only analyze content, but also interpret it, recognize patterns and create profiles – fully automatically, across the board and around the clock. In combination with chat control, this creates an Orwellian horror scenario: a surveillance apparatus that places every citizen under general suspicion and can evaluate their most intimate communications in real time – without any specific reason.

Other constitutional principles are also massively violated by the introduction of chat control. The intrusion into the so-called private core area of human life, which, according to the established case law of the Federal Constitutional Court (in Germany), is protected by human dignity (Art. 1 Para. 1 GG) and the general right of personality (Art. 2 Para. 1 in conjunction with Art. 1 Para. 1 GG), is particularly serious. Even in the case of court-ordered telephone surveillance, conversations concerning this inviolable core area – such as deeply personal, intimate or emotionally distressing content – may not be exploited or even listened to (Section 100d (5) StPO). This protection is de facto removed with chat control: private and intimate content, including communication with a partner, personal health information or psychological crisis conversations, is to be scanned by automated systems and possibly forwarded to government agencies. This opens up a particularly protected area of privacy that even the state was previously only allowed to enter with the utmost restraint and under the strictest conditions. This is a blatant violation of the principles of proportionality, informational self-determination and human dignity.

A further problem with the planned chat control concerns the admissibility of the measure under international law in a cross-border context and arises in particular when accessing data residing in a third country. As the unprovoked screening of digital communications is not regularly limited to the EU area – for example in the case of conversations with persons in third countries or persons with a temporary or habitual residence abroad – there is an acute risk that the technical implementation of sovereign surveillance measures will also result in access to communication content outside EU territory. Such action without a prior request for mutual legal assistance or agreement under international law constitutes an impermissible extraterritorial exercise of state sovereignty and thus violates the principle of state sovereignty enshrined in Art. 2(1) of the UN Charter. Automatic content analysis, in particular using AI, could de facto lead to widespread, unauthorized digital surveillance, including of citizens of other states – with massive diplomatic and legal implications. In addition, the extent to which the EU is authorized to introduce measures with a potentially extraterritorial effect without recourse to existing instruments of international legal assistance or agreements under international law must be questioned. Such a practice not only undermines the existing international legal framework, but also represents an erosion of fundamental principles of the rule of law in the international context.

Such a preventive surveillance approach therefore fundamentally contradicts the principles of the rule of law. Those who accept chat controls and upload filters today will allow permanent eavesdropping on all private communications tomorrow.

Reading cell phones

As things stand at present, any cell phone (yes, even the iPhone) can be read using UFED, for example, especially if it has already been unlocked after being restarted. The only reasonably secure option is to use a Google Pixel with GrapheneOS. The settings on GrapheneOS should be adjusted accordingly (USB only for charging, exploit protection, etc.). Biometric factors should also not be used, as in some countries a finger is often used by force to unlock a cell phone.

UFED from Cellebrite is a tool for the forensic analysis of mobile devices that can be used to read even deleted data such as messages, photos or location histories. It is used by law enforcement agencies, but has been criticized because it has also been used in authoritarian states to monitor and persecute journalists, activists and regime critics. Despite export restrictions, the technology has sometimes reached such countries via detours.

GrapheneOS is a secure, privacy-oriented Android system for Pixel devices that can even work without Google services. It was recommended by Edward Snowden and offers significantly more security than standard Android thanks to strong hardening, sandbox isolation and protection against zero-day exploits.

Encryption is all well and good, but haven’t you ever wondered if you really need all the chats from the last 10 years? Most of us won’t need this data, especially not for such long periods of time. You should therefore make it a habit to regularly carry out a kind of “digital detox”. This means deleting all unnecessary chats and data.

For companies, compliance with retention periods is an obligation under the GDPR anyway.

You should also overwrite the free storage space on your cell phone after such a deletion. There are apps for this or you can simply copy data to the cell phone until the storage space is full. This makes it extremely difficult to recover such data, even if the cell phone is unlocked.

What about WhatsApp and Google backups?

This really is another problem, because even though WhatsApp data is encrypted end-to-end, I personally have strong concerns about the WhatsApp web client. Also, WhatsApp backups are not end-to-end encrypted by default (be sure to activate this in the settings). It is best not to use WhatsApp for sensitive communication and to deactivate the backup in the cloud. 2FA protection should also always be activated so that the account cannot be taken over by other parties.

An alternative here could be Threema or Signal, for example.

Threema and Signal are secure messengers with end-to-end encryption. Threema comes from Switzerland, does not require a phone number and does not store any metadata. Signal is open source, free, ad-free and known for the highest security standards – ideal for confidential communication.

Digital detox on the PC

On other devices, such as a PC, the same question arises: Do you really need all your data? If not, simply delete superfluous data, the browser cache, history and many other sensitive areas.

Use strong encryption on other devices too and go one step further. Encrypt rarely used data again separately with a different password, e.g. with VeraCrypt within a different container.

VeraCrypt is a free encryption program that securely protects files, containers or entire operating system drives. It uses strong algorithms and is ideal for protecting sensitive data – both on external media and on the entire system drive.

Don’t forget to use a password manager for accounts on the Internet with a strong password. If possible, increase the number of iterations to make brute force attacks more difficult and also use other options such as key files.

Use 2FA correctly, i.e. only save and generate 2FA codes on a second device and not out of laziness in a password manager on the PC.

Cipher under Windows, for example, can be used to delete the free memory space. Simply open the command prompt and execute for :

cipher /W:C:

The cipher /W command in Windows overwrites the free space on a drive to permanently and securely remove previously deleted data. But be careful: Some data such as small text files could still remain in the file system, so always encrypt the entire device and only run cipher additionally.

The be-all and end-all: deleting data

Always ask yourself the question: Do I need this data on my cell phone or PC?

Always delete as much data as possible, especially if third parties send you borderline memes, for example. A supposedly funny picture from the Internet can very quickly lead to serious problems, because in many cases the content is not “funny” after all. Unfortunately, a lot of unwanted content, e.g. from the Facebook feed or X/Twitter feed, ends up in the browser cache.

The thought police

And what can happen in practice? Here are some examples:

You travel to the USA, for example, and your phone is read when you enter the country. The border official finds memes critical of Trump from X on your phone and you are denied entry.

The cell phone is confiscated for another reason and memes are found that may be criminally relevant. In the end, you exonerate yourself and all is well, but you had a lot of stress and also lost a lot of time and money. Also, the cell phone was in “evaluation” for several years.

You are traveling in transit through a questionable country and are arrested because of a Facebook comment. The cell phone is read and other allegedly state-critical content is found. As a result, you spend several years in custody – on the other side of the world – while hoping in vain for consular protection.

Emails

Use an email provider with full data encryption and zero-knowledge architecture. Despite everything, in many cases incoming and outgoing emails can be intercepted and forwarded – right outside the mailbox, so to speak. Communication with PGP keys is therefore recommended.

PGP works with two keys that belong together – a public and a private key. You give your public key to others so that they can send you encrypted messages. Only you have the private key, which you can use to decrypt and read the messages. This ensures that only you can open the encrypted messages.

Tutanota, Proton Mail, Mailfence and StartMail are email providers with full encryption and zero-knowledge architecture. Tutanota impresses with automatic end-to-end encryption, which also protects subject lines and contacts, which is unique. Proton Mail scores with its ease of use and servers in privacy-friendly Switzerland. Mailfence combines OpenPGP encryption with integrated calendar and document functions, while StartMail stands out with its connection to StartPage and strong data protection with OpenPGP support.

Backups

Create regular backups with a very strong password and very strong encryption. If necessary, store the backups in other European countries with a high level of data protection.

Make sure that you have a way to gradually restore all data in the event of a total loss of all devices. The process need not and should not be convenient, but should be designed for maximum security. Remember: you must have the appropriate strong passwords in your head.

If necessary, use a hash generator with HMAC to derive a strong password from a simpler one. You can also find a hash generator with client-side generation, HMAC and even iterations here: https://www.lautenbacher.io/hashgenerator/

For example, the input “apple” with the HMAC “potatoes” and 100 iterations returns the following SHA-512 hash:

7ffae305f78a1b6b8c43c5a7c0e18ff47ad60aa14eb9436cd7ffdde083ecd05ae347763478dd831910399e1afa5a856031a38f748a58e66d5cfc8af4bbba155b

Which could be used as a password replacement, for example.

Iterations (= repetitions) of a hash value mean that the calculated hash value is not only hashed once, but repeatedly with itself. The result of one hashing process becomes the input for the next. This intentionally makes the calculation of the final hash value very slow in order to increase security – especially for passwords, which are extremely difficult for attackers to “guess”.

Do you need help?

I will be happy to assist you with IT security at reasonable hourly rates. Contact me today using my contact form.