There are many messaging, voice call and video call apps available that claim to use the latest end-to-end encryption to keep your messages and conversations safe. These apps include Facebook Messenger, WhatsApp, Viber and Telegram.
However, as I will explain in this article, not all encrypted messaging apps are made equal, and currently, if you really value your privacy (which you should), Signal is the app you should be using.
Why do I even need to encrypt communications? #
This is a fair question.
Are you ok with someone opening your letters? #
The best analogy I can think of is that of your post. Would you be ok with someone opening your post in transit? I know I wouldn't want someone opening my letters without permission. In the UK it is actually illegal to open mail that is not addressed to you.
Your online communications should be treated exactly the same. Unfortunately, digital content sent through wires is not as easy to police as physical mail.
Bad people and data collection #
If the post analogy is a little weak for you then consider the fact that your data, however bland and unimportant to you, is worth a lot to big companies and criminals.
It is not a secret that large revenues are made from harvesting and processing people's personal data. Using encryption means they don't have access to your data, so it can't be used by them or stored on their servers.
Which brings us on to the bad people (criminals, even some governments). They could monitor your communications to gather information about you to clone your identity, or get enough info to access your bank accounts. With controlling governments it might mean persecution for political, religious or sexual preferences.
However, do not assume that you are not affected because you don't do anything bad so you have nothing to hide! There is much more to it than that.
The solution... #
One of the best solutions to this problem is end-to-end encryption.
What this basically means is that you write a message, then once you hit the send button, it is encrypted. The only person able to decrypt the message is the intended recipient.
This stops the message being read in transit, by a hacker, your internet service provider, the phone company, the government, the police or anybody else for that matter.
The above can also be applied to voice calls and video calls.
What makes Signal so special? #
It is open source #
It cannot be overstated how important it is that software that involves encryption and communications is open source.
What open source basically means is that the computer code that has been written to make the app is available for anybody to review. It is therefore close to impossible for any backdoors or other dodgy code to go unnoticed. Someone would spot it.
It also has the added benefit of allowing experts from around the world to review and suggest improvements to the code, which can only make the overall product stronger.
As they say, many hands make light work...
It does not store metadata #
What is metadata? #
Metadata: a word used, and heard, very often.
However, I suspect that people don't really know what metadata is exactly, and it is really important to know if you value your privacy.
Edward Snowden leaked an NSA document which stated that metadata collection is one of the agency's "most useful tools".
The easiest way to think about metadata is that it is all the data not contained within the message, phone call or video call. For example it may include:
- What device is being used?
- Where is the device (i.e. a geographic location) that sent the message or started the call?
- How long did the call last for?
- What date and time did the message get sent or the call start?
- Who was the message / call to?
The data above may not seem more important than the content of the message, but it can build a very detailed picture of a user over time.
Where you are, who you communicate with, who you talk to the most etc.
This can have many implications. For example, the government could monitor who you are talking to because of your political affiliation, or the police could establish your whereabouts at a particular time.
Maybe the above are too abstract for someone in a western society who is law abiding? How about these:
- they know you were calling / texting a particular helpline, and for how long (alcoholics anonymous etc.)
- do you phone sex lines or use sex messaging services? They can monitor how long and how often.
- having an affair? calling your co-worker out of work hours regularly? ooops!
I think you get the idea. . .it's not just the content that matters.
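To make the last two sections concrete, here is an added example (not from Signal or any app discussed here) of what a relay server can log about an end-to-end encrypted message. It uses a deliberately simplified scheme, a static X25519 key agreement plus AES-256-GCM from Node.js's built-in crypto module, not the Signal Protocol; the user names, message text and field names are constructed.

```javascript
const crypto = require('crypto');

// Both ends derive the same 256-bit key from their own private key and the
// other side's public key. (Simplified: no ratchet, no identity verification.)
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo', 32));
}

// Sender: the body is encrypted, but the envelope stays readable so the
// relay knows where to deliver the message.
function seal(sender, recipient, text, sentAt) {
  const iv = crypto.randomBytes(12);
  const key = sharedKey(sender.keys.privateKey, recipient.keys.publicKey);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { from: sender.name, to: recipient.name, sentAt, iv, tag: cipher.getAuthTag(), body };
}

// Recipient: only someone holding the matching private key recovers the text.
function unseal(reader, sender, msg) {
  const key = sharedKey(reader.keys.privateKey, sender.keys.publicKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Everything a relay can record without holding any key: pure metadata.
function relayView(msg) {
  return { from: msg.from, to: msg.to, sentAt: msg.sentAt, bytes: msg.body.length };
}

// Constructed users and message.
const makeUser = (name) => ({ name, keys: crypto.generateKeyPairSync('x25519') });
const alice = makeUser('alice'), helpline = makeUser('helpline'), eve = makeUser('eve');
const msg = seal(alice, helpline, 'I need to talk to someone', '2024-01-05T23:40:00Z');

console.log(unseal(helpline, alice, msg)); // the intended recipient reads the text
let eveCanRead = true;
try { unseal(eve, alice, msg); } catch { eveCanRead = false; } // wrong key: tag check fails
console.log({ eveCanRead });
console.log(relayView(msg)); // who, to whom, when, how much: no content needed
```

The relay never sees the words, yet its log line already says that alice contacted a helpline late at night, which is why a service that does not retain this envelope matters as much as the encryption itself.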
Have a read of this Business Insider article for more insight...
Does Signal store any data? #
Best heard from the horse's mouth, in reference to a request for information on a user by the Eastern District of Virginia:
We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.
Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.
All message contents are end-to-end encrypted, so we don’t have that information either.
The quotes above are taken from a page provided by Signal on their website (appropriately called "Big Brother") that details the types of requests for data they receive and how they deal with them. Take a look if you want a better understanding of how your data *should* be handled.
It uses a tried and tested encryption standard #
The encryption used in Signal is based on the Signal Protocol (formerly known as the TextSecure Protocol).
Again, it is open source, and as such has been thoroughly tested.
An official academic paper written in collaboration across three different universities (Oxford University - UK, Royal Holloway University of London, UK and McMaster University - Canada) published in 2017 stated that:
we have found no major flaws in its design, which is very encouraging
I would say the above statement represents a typically cautious academic statement. Essentially this means that as far as they are capable of testing the encryption method, it doesn't have any flaws that would compromise its safe use.
The Signal Protocol is also generally accepted as being trustworthy and secure within the cryptographic community.
It is available on many platforms #
You can use it on:
- Linux (Debian-based), but I understand that with Flatpak it can also be used on RPM-based Linux systems
It can also be your SMS app #
Signal can replace the standard SMS application on your phone.
This is a great feature as it means you don't need a separate SMS app and all messages can be consolidated in one place.
However, you also need to be a little bit careful. . .
You need to remember that you can only send encrypted messages to other people who also use Signal.
If you send an SMS message to someone not using Signal, then it won't be encrypted and will just be a standard text message.
. . .so it pays to encourage other people to use the app too, as it ensures the conversations you have will always be encrypted and secure. Not to forget free, as you won't pay for an SMS message!
What do the others lack? #
As I alluded to at the beginning of this article - Not all encrypted messaging apps are made equal.
I thought it only fair to go through some of the big names and point out exactly what they lack. In this section I will mention Facebook Messenger, WhatsApp, Telegram and Viber, which I think just about cover the most used messaging and phone apps currently available.
Encryption is not on by default #
Although all the apps generally feature end-to-end encryption, it is not typically enabled by default; you have to opt in.
This may not seem like a big thing. I mean having a choice is good right?
The thing is that there is no reason not to use encryption. The only feasible argument is speed of communication, as the encryption-decryption takes additional time. However, it is a weak argument, and you will likely not even notice a difference.
The problem is that people who are not tech savvy won't even notice the option is there, and won't use it. Which is not fair on those users, as they could also benefit.
Quite frankly a stance like this stinks. It doesn't instil trust in any way.
Facebook Messenger and Telegram both do not encrypt by default. You must either turn it on or use a specific feature of the app.
Metadata and Stored Data #
You will find that one of the biggest downfalls of a lot of "secure" messenger apps is the *other* data that they collect and / or store.
Facebook Messenger, Telegram, Viber and WhatsApp (owned by Facebook) all collect some form of metadata that I would consider unnecessary. Remember to check out their privacy policies for specifics.
Unique Encryption Methods #
Actually, most of the apps use an industry-standard end-to-end encryption protocol such as the Signal Protocol. However, there is one exception:
Telegram uses its own encryption method: MTProto
There is of course nothing wrong with Telegram having its own encryption protocol, but it does not benefit from the wide user participation that an open source protocol would benefit from.
It is also not time tested as many of the widely used encryption protocols are. I don't think anybody would argue with the fact that if a method is exposed to, and tested by, as many people as possible for the greatest length of time feasible, and without failure, then that method is at the very least solid and secure for the present day.
It has also been the subject of not so glowing research papers from places like MIT, and general user scepticism. Telegram have done their best to refute any claims of weakness or failure in their implementation, but it is fair to say that some people are still sceptical. Including me.
The point of this article was to convince you that Signal represents your best bet when it comes to a free, accessible, secure and trustworthy messaging app when compared to the main competition that you have likely heard of before.
I hope I have managed that; if not, let me know why in the comments.
The final thing I wanted to point out is that potentially there may be other apps out there that are better than Signal. I hope there will be plenty of competition in this field. The more the better, because I think it should be an industry standard, and right, that you can call, and message anybody without having to worry about being snooped on.
If you wish to look at alternatives to Signal then I have listed some other apps that you could take a look at below. I have briefly highlighted any concerns or positives to give you a head start...
For now my recommendation stands: Signal represents (currently) the example of what a secure messaging and call app should be - give it a try...
Potential Alternatives #
Threema - Possibly the best alternative to Signal. It is a paid option, but we aren't talking big bucks. The only downside is that it isn't completely open source. However, it has been audited by at least two separate auditors, and passed with flying colours. If you take privacy seriously this is really worth a look.
Wire - some of it is open source, not all. They keep metadata...
Wickr - as far as I can tell it keeps metadata such as date of last use and device type...but take a look if you like
There are probably more, be sure to ping me a message if you have any other interesting suggestions.