Header image source: https://unsplash.com/@alvaroserrano
This is part of a wider series on taking back my data, to see the introduction to these posts click here.
So messaging was number 1 for me in terms of sensitivity, conversations form a big part of who we are and they should default to private/secure.
Before my research I was using FB messenger and whatsapp for more than 99% of my personal comms, with a tiny bit of email (gmail), but I think that's another topic.
So let's look at those tools, and categorise them using the system I defined before:
🙁 WhatsApp - e2e encrypted but closed source so not publically auditable.
💩 FB Messenger - Currently messages are not e2e encrypted by default (they are in "secret conversations"), the messages are stored on FB servers. If FB are to be believed they are moving towards e2e encryption but currently every message just sits on their servers readable by Facebook's software. And in the future if they do encrypt messages best case scenario messenger gets as secure as WhatsApp (closed source not publically auditable).
💩 Gmail - I'll tackle email seperately but needless to say Gmail emails are not end to end encrypted and are readble by Google's Software.
Ok so the glaring vulnerability in terms of a potential data leak is FB messenger. I'm never happy when the cloud can read my messages. I'm also not happy trusting closed source WhatsApp as their encryption can't be publically verified but I'm more comfortable with this than FB messenger.
Messaging is one of the hardest areas to go secure/private on as it's a communication tool that requires you to use the same protocol as the person/people you're communicating with. Which makes binning off a tool incredibly hard.
😃 Signal The Darling of the private messaging world at the moment. Signal is open source and uses e2e encryption for messages, Signal implements the Signal protocol which was invented by it's parent organisation. This protocol has become the defacto choice for encrypted messaging apps and is used by many proprietary solutions such as WhatsApp, FB for secret messages and Android Messaging. This protocol generates a new key for each message it sends, this allows for disapearing messages where keys for old messages are deleted after a set amount of time. Meaning if signal's db and you current keys leaked your old messages would be safe (as long as you have auto delete on). Personally I like signal a lot it is created by a foundation who's mission is to create best in class secure open source communication technologies without having to dilute this to please shareholders.
💩 (Although, it's complicated) Telegram Telegram is also often held up as a great alternative to the main brand messaging apps. There are positive to telegram, its apps are open source and e2e encryption is available through secret conversations. So why the 💩? Well the answer comes from the top of the article on secret chats: "Secret chats are meant for people who want more secrecy than the average fella". For me security should be the default not the exception, I don't think that privacy is a luxury of people who have the time, the knowledge and the will to look into the details of an app, privacy is the right of all. So this is why I put Telegram in the 💩 category. However it is worth saying that their encyption mechanism for secret chats does re-key every 100 messages meaning somone who stole your phone and gained access to the telegram db could not access deleted messages.
💩 Discord This one is in here because of popularity not security credentials. Discord has become incredibly popular and is a messaging app targeted at gamers and boasts 300 million users as of June 2020. Howevever put simply there isn't even as little as a nod to privacy/security, it's closed source and doesn't use e2e encryption.
I downloaded signal, I also spoke with people in my most frequent group chat about the possibility of switching platforms. To my surpise people were onboard. In time people did complain that they only had this app for one chat but this is changing with Signal's recent popularity. I still have a couple of threads on FB messenger which I plan to ask to move to Signal or WhatsApp but once these are moved I can delete FB messenger for good.
"Signal where I can WhatsApp where I must."
WhatsApp is basically unavoidable in a lot of countries and has overtaken SMS as the default means of text based messaging. It seems unlikely that I will get to ditch it all together any time soon but at least if we trust them the messages as e2e encrypted.
I will continue to talk to people about the virtues of Signal and where a friend/friends have both I will choose to message them on signal every time and plan to take the attitude Signal where I can WhatsApp where I must.