The Arrogance of Convenience
I've struggled deciding if I should post something about this for many months now. Mostly, I haven't had the time or the gumption to even attempt to start something like this. I know it will take a lot out of me to even try to speak or write from here. But someone recently shared a conversation they had regarding their GrapheneOS phone and Signal Messenger. What they told me alarmed me, and it feels essential at this point to speak something of this.
Since this conversation shared with me specifically mentioned GrapheneOS and Signal Messenger, I will focus on those two tools for this post.
I wasn't there for the conversation, but I know very well how these conversations tend to go because I live them regularly. For some reason, I don’t know why—maybe because I'm a woman in tech, maybe because most don't realize when they are explaining something they don't understand to someone who does—I am regularly faced with the lack of understanding of encryption, specifically.
I don't mean that to be critical; it's quite simply the place I find myself standing in a lot of conversations these days. People come to me for help, information or advice, I give it transparently, but inevitably, there is a point where the methods I recommend or the information I give are met with skepticism that sounds like objection. It’s confusing because they almost always still want my help and decide to move forward. Often this seems fueled by something they have heard from someone somewhere rather than anything I’ve already shared with them or research, so then we seem to stay in a sort of circular conversation about what it is they are asking me to help them with. And I am not here to push anything on anyone.
Most of that I genuinely welcome as part of the process, and to an extent I enjoy being in that conversation, but the volume of the push/pull has been more exhausting than I could’ve imagined. I’ve needed to spend a lot more time than anticipated figuring out ways to navigate that and how to actually be helpful. What can I offer there? What does help or support or “my service” look like considering this? I still don’t fully know. Of course, I could quit doing this, but that doesn't really match something in me.
Where My Knowledge “Comes From”
When I began to speak of some of the untruths around this conversation being shared with me, I was asked where I learn these things. Basically, where do I get my information? Well, as someone who holds a degree in Cybersecurity Administration, I learned a lot of it while earning a degree in it! Now, I’m not one to think a degree means everything, and that is certainly not where I learned a lot of what I know, but it’s where I learned the theory around what I had already learned on my own, which seems essential to true understanding. And, I truly hope it will always mean something to have a degree in something. Not for myself, but for all of us. For each of us who has been passionate enough about a subject to take the time to earn a degree in it. There is so much respect in that to me.
That being said, I don't necessarily "get my information" from anywhere specifically. I have a certain level of knowledge I’ve absorbed over the years. I’ve been entrenched in this field for almost 30 years, learning how the internet works—which is now fundamentally built on encryption protocols. I might not derive the math like a programmer does, but I possess a deep understanding of layered architectures for digital security.
Because of that, I don't need to chase the latest trends or tabloids to know what to believe. The core principles here are tried and true; they actually do not change with the news cycles. If they did, this would be very big news! Essentially, I know exactly where to go when I have questions, but for the most part, I don't have to go looking. Not about this.
I rely on the foundational truths established by the researchers, cryptographers, and engineers who build these tools. I read the papers they read and the verification of the proofs they publish. My knowledge isn't just absorbed; it's rooted in the bedrock of the industry, not the shifting sands of social media trends or the fear around those. I pay attention to that, but with discernment.
I try my very best to be respectful of what most people don't know about the technology they use every day, and my goal is always to be supportive when someone wants to learn more. But it most definitely has become exhausting in this time, specifically.
When I have questions, I go to the sources the creators use: NIST, OWASP, academic journals like the Journal of Cryptology, and other professional resources. These aren't quick reads or convenient soundbites, reviews or op-eds. They are in-depth studies that impact the world. They can be dry, even boring. But they are proof, not speculation.
Now, I'm not saying people lack the inherent intelligence to form solid opinions for themselves; I don't think that way at all. But here is the problem: the arrogance of convenience. Someone hears a strong opinion on the internet or at the dinner table, and because they lack a deeper understanding, it sounds convincing even if it's false. They don't know where to look for the facts to disprove it, so they form an uninformed opinion based on another uninformed opinion. It spreads like wildfire, masquerading as fact.
That cycle is dangerous. In technology, specifically, the answers aren't (can’t be!) found in opinions; they're found in proof.
Computers are based in mathematics. Mathematics is based on proof. If a claim cannot be proven, it is nothing more than speculation. If it can be proven and withstands rigorous testing, it becomes a theorem—a fundamental truth that cannot be disproven. That is the very nature of mathematics (and it is also how math works in nature). When we talk about encryption, we aren't guessing; we are relying on mathematical truths that have been verified. Otherwise, we would have none of what we have today at our fingertips!
So, I'm writing from within a rather uncomfortable truth today: I would speculate strongly that more than half of the issues we are facing in technology in this time are because of this sort of “convenience-minded” arrogance around technology, let alone security and encryption. It is absolutely mind-boggling to me to imagine telling someone who has studied in a field for years things like “‘they’ will figure out a way to get through Signal.” These are people who have no clue what is meant if I were to reference symmetric and asymmetric encryption, let alone the Double Ratchet Protocol Signal uses. Therefore, I can't really even begin to explain encryption to them.
So, let me address this directly:
NO. "They" won't figure out a way to get through Signal’s encryption protocols. I put "they" in quotes because there is no "they" in this equation. There is no shadowy entity sitting in a room somewhere that can override the laws of these mathematics. I don't mean math on a chalkboard, I mean the kind of math that can't be computed in a lifetime. And that is not an exaggeration. I mean math that is bound by the same physical laws as nature itself — the universe as we know it literally does not contain enough matter and energy to brute-force AES-256 (the standard encryption algorithm today), even if you converted every atom into a computer. Humans cannot override this physics. Humans cannot override this math.
I want to say this to right-size this conversation as soon as possible.
There is no human agency, no government, no intelligence service, no hacker collective that possesses some magical ability to bypass cryptographic proofs. "They" implies some omnipotent force that can simply decide to break what cannot be broken. That force does not exist within the realm of human capability and cryptography. What does exist is the mathematics of AES-256 and the Signal Protocol which make it functionally impossible to "figure out a way" to break through this kind of math.
AES stands for Advanced Encryption Standard. To put the sheer scale of AES-256 in perspective: even if you built a supercomputer the size of the Earth and ran it at the speed of light, it would still take longer than the current known age of the universe to try every single key possible in AES-256 in order to break it.
But here is the nuance that the skeptics usually miss, and it's the most important part of this post: in a certain sense, 'they' already have gotten around it—but it has nothing to do with the encryption or security of the app itself. That remains unbroken and impenetrable by anyone. Governments and hackers are bound by the same physical and mathematical laws as everyone else. They are not gods; they are limited by energy, time, and computational complexity.
In fact, our reliance on this system highlights how fragile our control really is. If the internet were 'unplugged' tomorrow, none of this would matter because the world would descend into chaos. The same would happen if encryption were broken or removed. The entire global infrastructure—from finance to communication—rests on these mathematical foundations. If they crumble, everything collapses.
When governments, intelligence agencies, or hackers access Signal messages without the user's knowledge, they do it through the device. Through poor device security. Through user error. Through spyware that exploits the operating system, not Signal itself. No one has broken through Signal's protocol, and no one ever will, because they can't.
Even if we entertain the enormous hypothetical that such a supercomputer could be built in our lifetime, the reality is that most would shut it off before it was ever used. Breaking encryption would ruin everything for everyone, regardless of their unconscionable behavior currently. Whether it's Palantir, dime store hackers, or governments using something like Pegasus on innocent bystanders and civilians—or even the Googles and Apples of the world—they all know how dangerous it would be to break encryption. It would affect everyone entirely, including them. The moment that math is broken, no one is safe to do anything on the internet.
This is precisely why strong encryption was fiercely fought for during the Crypto Wars of the 1990s. Governments tried to restrict it, classify it as munitions, and implement backdoors. But security researchers, civil liberties advocates, and technologists fought back. They understood that if the math was broken, no one would be safe—not even the powerful. That's why encryption is now public, open, and available to everyone. It's not a privilege; it's a necessity for a functioning digital society.
Financially speaking, which is almost always the most important driving factor in our world, the money in most banks would be at risk because the entire online financial infrastructure—TLS/SSL encryption protecting every transfer, every login, every account balance—relies on the same mathematical foundations. Credit card transactions, wire transfers, stock markets, cryptocurrency exchanges—all of it depends on encryption that would suddenly be worthless. They all know this. That's why even the entities with the most to gain from breaking encryption have a vested interest in keeping it intact.
The encryption is never the problem when implemented correctly. The device is the problem. The user is the problem. Attackers almost always bypass the math through social engineering, malware, or by seizing an unlocked device. They don't break the encryption (they can’t!); they go around it.
And that is exactly why GrapheneOS exists—to fix the device side of the equation that Signal alone cannot. But you'd have to actually understand the architecture of both to grasp that, which usually I am unable to bridge in one conversation when someone is asking me what I know about encrypted applications.
This level of understanding doesn't come from TL;DR summaries or quick videos. It comes from deep study, testing, reading and writing research papers, verifying proofs, and learning from professors who have dedicated their lives to this work, as well as the professionals currently living in it. It also comes from knowing the Open Source community—understanding how hard and fast these engineers work, often for very little in return, to patch the vulnerabilities created by the poor decisions most of us are making out of convenience.
Once you reach a certain level of understanding, clickbait becomes obvious noise. AI-generated videos on YouTube that falsely portray how things work—relying on overly strong opinions and scare tactics—become transparent traps the moment you grasp the underlying mechanics.
Today, you don't need to know anything about the underlying mechanics of these devices to use them. While that isn't inherently a bad thing, it has created serious issues: convenience has nearly become the only option, mostly because we don’t know any better as The User. The result? A flood of opinions from people who don't have enough understanding to hold them. And when they encounter someone who does know enough, they still choose their opinion, usually out of convenience. That is what I mean by arrogance in this post.
The "It's Already Broken" Myth
There is a dangerous trend right now. And it is particularly dangerous right now in 2026 to be thinking this way. It's a chorus of voices, often loud, often confident, and often completely wrong, claiming that "encryption is broken," "the government can read everything," or that "no app is truly safe." No app is truly safe, I will give ya that, but not for the reasons people usually begin speaking about.
Now, the government can read and track a lot if they want to. But mostly, that's through cellular triangulation using your SIM card and phone number, telephony protocols for voice calls, and SMS (text) messaging.
Thus, I'm legitimately exhausted by voices that are derailing this critical conversation while having little idea what they're talking about. They are scaring people away from the very tools that offer the highest level of consumer protection available today against modern surveillance. Two of those tools are GrapheneOS and Signal.
If you're worried about state-level surveillance, you want GrapheneOS. You want Signal. Or something equally robust. There is no middle ground here.
If you do not understand the mathematics of AES-256, the architecture of the Double Ratchet protocol, or the mechanics of memory safety, you are not qualified to tell people anything about GrapheneOS or Signal.
This isn't me encouraging censorship; it's about accuracy. When uninformed fear-mongering spreads, it pushes people toward "convenience" over security, leaving them vulnerable to the very threats they fear.
Let's be clear about the state of modern cryptography.
AES-256, the standard used by Signal and countless other secure systems, has a key space of (you are not ready for this, I promise!) one hundred fifteen undecillion, five hundred seventy-nine decillion, nine hundred eighty-two nonillion, eight hundred forty-six octillion, seven hundred thirty-seven septillion, three hundred sixty-eight sextillion, three hundred twenty-four quintillion, six hundred twenty-six quadrillion, seven hundred ninety-three trillion, eight hundred forty-five billion, nine hundred five million, eight hundred forty thousand, eight hundred ninety-six.
If you do not understand what I just said, you have no business in a conversation about the efficacy of Signal Messenger. No government, no supercomputer, and no quantum computer on the horizon can brute-force AES-256 encryption. And if you don't know what brute-force is, either... Well, I’ll let you Google that one (but don't use Google, use something like DuckDuckGo—it matters!).
Furthermore, the Signal Protocol isn't just 'encrypted.' It has been formally verified. Open Source Software like Signal was not accidentally built by rebels without a cause working in their basements; it was built by exceptional engineers. In 2020, researchers Katriel Cohn-Gordon, Cas Cremers, and others published a rigorous mathematical proof in the Journal of Cryptology confirming that Signal's X3DH key exchange and Double Ratchet mechanism provide forward secrecy and post-compromise security.
This means that even if a hacker steals your encryption key today, they cannot decrypt your past messages (because the keys were deleted) nor your future messages (because the protocol "ratchets" to new keys).
This isn't speculation or opinion. It's proven and verified. And that’s actually a really big deal.
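How the ratchet produces the two properties described above, shown as an added example that is not Signal's code and not part of the original post. It uses the KDF constructions recommended in the published Double Ratchet specification (an HMAC-SHA256 chain and an HKDF root step); the byte strings standing in for the X3DH and Diffie-Hellman outputs, the info label, and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def kdf_chain_step(chain_key):
    """Symmetric ratchet: one-way step giving (next chain key, message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def kdf_root_step(root_key, dh_output):
    """DH ratchet: mix a fresh shared secret into the root key.

    Returns (new root key, new chain key). The info label is hypothetical.
    """
    okm = hkdf_sha256(root_key, dh_output, b"example-double-ratchet", 2 * HASH_LEN)
    return okm[:HASH_LEN], okm[HASH_LEN:]


def derive_message_keys(chain_key, count):
    """Advance a chain `count` times, discarding each old chain key."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_chain_step(chain_key)
        keys.append(message_key)
    return chain_key, keys


def demo():
    # Constructed inputs. In a real session the root key comes from X3DH
    # and each DH output from a fresh X25519 exchange.
    root_key = hashlib.sha256(b"constructed initial root key").digest()
    dh_out_1 = hashlib.sha256(b"constructed DH output #1").digest()
    dh_out_2 = hashlib.sha256(b"constructed DH output #2").digest()

    # Honest sender: start a chain and send messages 1 to 3.
    root_key, chain_key = kdf_root_step(root_key, dh_out_1)
    chain_key, sent_before = derive_message_keys(chain_key, 3)

    # Compromise: only the *current* chain key exists to be copied;
    # earlier chain and message keys were overwritten.
    stolen_chain = chain_key

    # Message 4 is sent on the same chain, before any DH ratchet step.
    chain_key, (mk4,) = derive_message_keys(chain_key, 1)

    # A DH ratchet step mixes in dh_out_2, which was never on the device
    # at the time of compromise. Message 5 uses the new chain.
    root_key, chain_key = kdf_root_step(root_key, dh_out_2)
    chain_key, (mk5,) = derive_message_keys(chain_key, 1)

    # The stolen chain key can only be walked forward; going backward
    # would require inverting HMAC-SHA256.
    _, reachable = derive_message_keys(stolen_chain, 1000)
    reachable = set(reachable)
    return {
        "past_keys_recoverable": any(k in reachable for k in sent_before),
        "same_chain_future_key_recoverable": mk4 in reachable,
        "post_ratchet_key_recoverable": mk5 in reachable,
    }


if __name__ == "__main__":
    print(demo())
```

The middle result is the caveat worth noticing: a stolen chain key still yields later keys on that same chain, and the protection for future messages begins only once the next Diffie-Hellman ratchet step has mixed in a secret the thief never saw.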
The Real Weak Points: The Device, The User and Privacy Policy
So, if the math is unbreakable, why do people still get hacked?
Because attacks don't go through the math; they go around it. The most effective form of hacking has always been, and remains today, social engineering.
The weakest link in the chain is never the encryption algorithm when properly implemented. It is the device. But it's not just about the code; it's about the business model behind the device.
If your phone is running stock Android or iOS, it is a porous vessel wrapped in a fortress. Whether it's the aggressive data harvesting of Google's services or the closed-source 'walled garden' of Apple, both create massive attack surfaces (ways around the math!) filled with legacy vulnerabilities and proprietary code you can't audit. But more importantly, you are not the customer; you are the product.
Google monetizes your data directly, while Apple monetizes your lock-in and the illusion of privacy. In both cases, you trade your sovereignty for convenience, believing the door is locked when, in reality, the company holding the master key is the one watching.
We, the users of the devices, have failed to pay closer attention to their privacy policies and consumer antitrust laws. We have blindly trusted the likes of Google and Apple to "take care of this for us," assuming that their interest in security aligns with our interest in privacy. It does not.
Google's Business Model: Google generates the vast majority of its revenue (over 95%) from advertising. Their entire ecosystem is designed to harvest data to build user profiles for ad targeting. A secure, private user is a bad customer for Google because they cannot be tracked or monetized.
Apple's Business Model: While Apple sells hardware, their services revenue (App Store, iCloud, Apple Pay) relies on a walled garden. They have a financial incentive to keep you in their ecosystem, but they also have a history of resisting true user control (like sideloading apps or full file system access) to maintain that control and revenue stream.
Consumer Antitrust Laws: We have allowed these companies to become monopolies with unchecked power because of convenience. Antitrust laws were designed to prevent exactly this kind of market dominance where a few players control the infrastructure of our digital lives. Yet, we accept their terms of service without reading them, trusting them to protect us while they profit from our data and our continued ignorance. I am not saying that to be rude—it’s THEIR business model, not my opinion.
This is where GrapheneOS changes the game. It is not just a 'custom ROM'—and if you don't know what a 'custom ROM' might mean, you can go ahead and take yet another knee in the penalty box of 'not knowing enough about something to talk about it.' I'm quite serious.
GrapheneOS is a fundamental re-architecting of the Android operating system to prioritize security and privacy, and it's extremely effective. We are incredibly lucky to have it. I find it incredibly hubristic that people treat these tools with such irresponsible cynicism and disrespect. And I say this as someone who is, by nature, a cynic!
How GrapheneOS Stops State-Level Spyware (Like Pegasus)
Spyware like Pegasus (developed by NSO Group, primarily targeting mobile devices but capable of infecting nearly any connected system) doesn't break encryption. It exploits memory corruption vulnerabilities in the operating system to gain root access to the device. Once it has root access, without you knowing, it can read your screen, record your microphone, and steal your keys before apps like Signal encrypt them. (Google and Apple have similar permissions built into their systems and devices, just in case you didn't know that.)
GrapheneOS drastically reduces this risk through:
Hardened Memory Allocator (hardened_malloc): This custom memory manager detects and blocks the exact types of heap corruption bugs that spyware uses to execute code.
Strict Sandboxing: Every app runs in an isolated container. Even if an app is compromised, it cannot access the memory of other apps or the OS kernel.
Control Flow Integrity (CFI): This prevents attackers from hijacking the execution flow of the OS, a common technique in zero-day exploits.
Verified Boot: The device cryptographically verifies the OS integrity at every boot. If the OS has been tampered with, it won't boot!
As noted in a 2026 forensic analysis, GrapheneOS represents one of the most secure mobile platforms available, offering "substantial resistance to state-level surveillance capabilities" by making the cost of exploitation prohibitively high.
The Result: By moving to GrapheneOS, you aren't just "hiding" your data; you are removing the foothold that surveillance spyware needs to exist on your device in the first place. You are opting out of the surveillance economy that Google and Apple have built.
The Convenience Trap: Why We Keep Losing Our Digital Sovereignty
So, as uncomfortable as it is, here is the truth about our current digital landscape: we chose convenience over security, and now we're going to start paying the price. That is definitely not because only faulty tools are available or because encryption protocols fail.
Most people won't install GrapheneOS. Most people won't use Signal. Most people won't disable permissions, use a VPN, or limit their phone number exposure. Why? Because it's inconvenient.
And then when they get compromised, they turn to people who don't understand cryptography and say, "See? Security doesn't work."
No. Convenience didn't work. Convenience is not secure. Security works perfectly when implemented correctly, but it demands a little more effort than our culture's addiction to immediacy is willing to give.
This is the cycle:
Choose convenience over security
Get compromised through the device, not the encrypted app
Blame the encryption tools instead of the choices
Listen to uninformed voices who validate this
Repeat
We need to break this cycle.
When you combine GrapheneOS (device integrity) with Signal (message integrity), you create what is called "defense in depth" architecture:
Signal ensures that even if the network is tapped, the message is unreadable.
GrapheneOS ensures that even if the network is tapped, the device cannot be compromised to read the message before encryption.
Responsible Use (disabling unnecessary permissions, using a VPN for metadata obfuscation, avoiding SMS 2FA) closes remaining gaps.
Limited Phone Number Use (using a burner number or a privacy-focused VoIP service) prevents your real identity from being the anchor for tracking.
This combination makes you a "hard target." Governments and intelligence agencies operate on efficiency. They look for the path of least resistance. If you are running GrapheneOS, they have to spend millions of dollars and months of time to develop a custom, likely non-reusable exploit for your specific device. Most of the time, they will simply move on to the guy using a stock iPhone with no passcode.
Unless you are seriously a person of interest, which most of us are not.
What if we stopped letting uninformed opinions dictate our security posture?
When someone says something like "'they' will get through Signal eventually," ask them: Which part? The math? The protocol? Or the implementation? Who is "they"? If they can't answer, they are spreading fear, not facts.
The experts—the cryptographers, the security researchers, the developers who have spent decades refining these tools—agree: The tools work. The problem is that people resist using them, mostly because they don't want to let go of convenience, and, to be fair, because most don't understand how to use them correctly.
It's not necessarily even difficult to use things like GrapheneOS; it's just that ecosystems like Apple's are so tightly controlled that they falsely lead people to believe they are in control of their technology and actually know how to use it. But the illusion of control is a byproduct of their design.
Most modern-day users have no idea what they are really using when they pick up these computers and phones. Furthermore, most of us need less than half of what Apple's machines can do for our regular daily functions, yet they convince us, hook, line, and sinker, to pay thousands of dollars for resources most have no idea how to use. This is a problem that Google and Apple continuously make worse, because they massively profit from the very insecurity they claim to fight.
Switching to GrapheneOS and/or Signal Messenger (or similar) is not a guarantee of invisibility. Nothing is. But it is one of the most effective steps an individual can take to reclaim their digital sovereignty. It shifts the balance of power from the surveillance state back to the user.
Don't let the noise of the uninformed convince you to stay vulnerable. Don't let convenience thinking create a digital nightmare you can’t get out of. The math is on our side. The code is open. The choice is ours. At least for now.
Sources & Further Reading
Signal Protocol Security: Cohn-Gordon, K., et al. "A Formal Security Analysis of the Signal Messaging Protocol." Journal of Cryptology, 2020. DOI: 10.1007/s00145-020-09360-1. Available at: https://dl.acm.org/doi/abs/10.1007/s00145-020-09360-1 and Oxford University Repository
GrapheneOS Architecture: GrapheneOS Official Documentation on Security Features, including hardened_malloc and sandboxing. Available at: https://grapheneos.org/features
Forensic Analysis: "The investigator's friend and foe: A forensic analysis of GrapheneOS." Digital Investigation, ScienceDirect, 2026. Available at: https://www.sciencedirect.com/science/article/pii/S2666281726000053
Post-Quantum Resistance: Signal Blog: "Quantum Resistance and the Signal Protocol" (PQXDH update). Available at: https://signal.org/blog/pqxdh/
AES-256 Feasibility: NIST FIPS 197 — Advanced Encryption Standard (AES). Available at: https://csrc.nist.gov/publications/detail/fips/197/final
PQXDH Formal Security Analysis: "Security Analysis of Signal's PQXDH Handshake." IACR ePrint, 2024. Available at: https://eprint.iacr.org/2024/702.pdf