It may have taken massive hacks of popular platforms like Apple’s iCloud and messaging app Snapchat to generate mainstream awareness around the fact that any content stored online is vulnerable to attack and exposure. Meanwhile, thanks to revelations from Edward Snowden about the nature of the surveillance state we now live in, more mobile users are aware that steps need to be taken to ensure communications remain private as intended.
But which messaging technologies are really safe and secure? According to a new study put out this week by the Electronic Frontier Foundation (EFF), very few meet the most minimal standards for security.
Many of the largest and most popular messaging tools, including products from Google, Facebook, Yahoo and Apple (its email client, though not iMessage), lack end-to-end encryption that would protect communications against disclosure by the service provider itself, the study found. Several other major messaging platforms, among them QQ, Mxit and the desktop version of Yahoo Messenger, offer no encryption at all, not even between the user and the service.
EFF studied over three dozen tools in its analysis, including chat clients, text messaging apps, email applications and technologies for voice and video calls. It then rated each tool on seven factors: whether traffic is encrypted in transit, whether it is encrypted so the provider cannot read it (end-to-end), whether users can verify contacts’ identities even if the service provider is compromised, whether past communications stay secure if your keys are stolen (forward secrecy), whether the code is open to independent review, whether the security design is properly documented, and whether there has been a recent independent code audit.
The study, part of EFF’s “Campaign for Secure and Usable Cryptography,” also examined whether the cryptography of the app in question overall has been well-documented, detailing which algorithms and parameters were used; how keys were generated, stored and exchanged between users; the life cycle of the keys and how revocation would occur; and other items. The organization says it’s working in collaboration with Julia Angwin at ProPublica and Joseph Bonneau at the Princeton Center for Information Technology Policy to advance its agenda around making messaging more secure.
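The scorecard’s forward-secrecy question (“are past communications secure if your keys are stolen?”) is easier to see in code than in prose. The toy below is added here and is not EFF’s code or the protocol of any app the scorecard rated; it contrasts a design that derives every session key from the two parties’ long-term keys with one that uses fresh ephemeral Diffie-Hellman keys per session, then lets an attacker who later steals a long-term private key replay recorded traffic against both. The tiny DH group, the HMAC-based toy cipher and the sample message are all constructed for the demo and are not fit for real use.

```python
"""Forward secrecy demo (added example, stdlib only, not production crypto)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters: the Mersenne prime 2**127 - 1 and base 5.
# Big enough for the arithmetic to behave, far too small to be secure.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private, public) for a DH exchange over (P, G)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)            # fits in 16 bytes since P < 2**127
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def _subkeys(key):
    """Split one session key into independent encryption and MAC keys."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (toy; no real cipher used)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; return the plaintext, or None if the key is wrong."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def session_static(alice_static, bob_static, message):
    """No forward secrecy: the session key depends only on long-term keys.
    Returns the wire view: (public values sent this session, ciphertext)."""
    a_priv, _a_pub = alice_static
    _b_priv, b_pub = bob_static
    key = dh_shared(a_priv, b_pub)             # Bob computes the same key from (b_priv, a_pub)
    return (), seal(key, message)


def session_ephemeral(message):
    """Forward secrecy: a fresh DH key pair per side per session. In a real
    protocol the long-term identity keys would sign these ephemeral publics;
    here only the key agreement is shown. The ephemeral privates are dropped
    as soon as the session key exists, so they cannot be stolen later."""
    ea_priv, ea_pub = dh_keypair()
    eb_priv, eb_pub = dh_keypair()
    key = dh_shared(ea_priv, eb_pub)
    del ea_priv, eb_priv
    return (ea_pub, eb_pub), seal(key, message)


def attacker_recovers(stolen_alice_priv, bob_pub, wire):
    """Attacker steals Alice's long-term private key after the fact and replays
    recorded traffic, trying every key derivable from the stolen secret and
    the public values that were visible on the wire."""
    public_values, ct = wire
    for pub in (bob_pub, *public_values):
        pt = unseal(dh_shared(stolen_alice_priv, pub), ct)
        if pt is not None:
            return pt
    return None


def demo(message=b"constructed sample message: call me at 9"):
    """Run both designs against the same later key theft."""
    alice, bob = dh_keypair(), dh_keypair()
    static_wire = session_static(alice, bob, message)
    ephemeral_wire = session_ephemeral(message)
    return {
        "static": attacker_recovers(alice[0], bob[1], static_wire),       # plaintext exposed
        "ephemeral": attacker_recovers(alice[0], bob[1], ephemeral_wire), # None
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two `attacker_recovers` calls is the scorecard criterion in miniature: with the static design, a key stolen a year later unlocks every recorded conversation; with per-session ephemeral keys, the stolen long-term key authenticates future sessions but decrypts nothing from the past, because the values the attacker needs were never written down.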
Even if the technical details about the nature of the study go over the heads of the general populace, the larger conclusion should not: The apps you trust to keep your messages private are not as secure as they should be. Just because you’re not posting text or photos publicly on social media, like through a tweet or a status update to Facebook, that doesn’t mean they’re “secure.”
The recent hacks have shown the world that no one is safe from having their private digital activity exposed. Not celebrities. Not our children.
Some of those watching the fallout from the recent hacks shamed the victims for their actions. Tsk, tsk, tsk. Shouldn’t have taken those naughty pictures in the first place! People love to think this way when bad things happen to others: that they brought it on themselves by acting foolishly.
Telling people to stop being human is a cop-out, though. People do and say things that aren’t always logical or well thought through. You have, too. Everyone has recorded something on their phone — text, video, photos — that they wouldn’t want exposed to the world. Some things are private. Not even because they’re X-rated or illegal. Just because they’re private.
But privacy is not a given. Security is not a right or a law. And the major messaging providers aren’t offering the best apps from a cryptography perspective. Instead, they’re focused more on their feature sets, with support for things like emoji and stickers and voice recordings and video.
So which apps are you to use?
Among the mass-market tools available, Apple’s iMessage and FaceTime stood out as the best options, the EFF said, though neither offers protection from sophisticated, targeted intelligence gathering. Most of the others lack end-to-end encryption, including Google Hangouts, Facebook Messenger, Apple email, Yahoo web and mobile chat, Secret and WhatsApp.
Only a half-dozen apps scored well across all seven fronts, and none of them are household names: ChatSecure (paired with Orbot), CryptoCat, Signal/RedPhone, Silent Phone, Silent Text and TextSecure.
They’re the kind of apps a cryptographer would love and recommend, but they tend to be designed only with security in mind, not with “delighting” the end user with the bells and whistles that make mobile messaging fun.
EFF says it hopes that the new scorecard will encourage a “race to the top” among competitors in digital communications. In the meantime, I suppose, users should mind their 1’s and 0’s.
The full scorecard is here.