In March 2020, at the beginning of the COVID-19 pandemic, downloads of messaging apps increased significantly as users found themselves yearning to maintain some semblance of connection with family and friends around the world during a time of fear and uncertainty. There was plenty of online discussion and concern about which messaging app was the best choice for secure communication in real-time. The concern was certainly understandable given past reports of cybercriminals viewing and using their victim's personal data, surveillance and tracking, and society’s overall heightened awareness of data privacy and information security.
Choosing a messaging app requires consideration of the user’s risk tolerance for data privacy and security. The choice may ultimately boil down to personal preference. In light of the increased use of messaging apps, the general consensus appears to be that the communication tool is not a nice-to-have, but instead, a must-have. They keep us globally connected and offer many communication conveniences. To accomplish the goal of communicating privately and securely, however, messaging apps that use end-to-end encryption are the only choice.
What is end-to-end encryption
End-to-End Encryption (E2EE) is a type of public key cryptography, also known as asymmetric cryptography, that protects data by making it available to only the intended recipient. E2EE ensures that if a third party intercepts your text messages, the message will be unreadable to the third party. Third parties include the app owner, for example, in the case of WhatsApp, Facebook should be unable to view the content of text messages sent between two WhatsApp users. Third parties also include law enforcement and any other authority that may have an interest in reading your text messages. It’s worth noting that, obviously, if the third party has physical access to your device, they can read all the contents of your messages.
Messaging apps such as Apple’s iMessage, Facebook’s WhatsApp and Google’s Messages, Signal and Telegram all use E2EE. The leading messaging apps, based on downloads, are Signal, Telegram and WhatsApp, and while they all use E2EE for texts, voice and video calls, the apps differ from one another (as we will discuss below).
The Signal Protocol
The most promising development in the E2EE space is the development of the Signal Protocol. E2EE that uses the open-source Signal Protocol is unique because of Perfect Forward Secrecy, which essentially describes the idea that if data is encrypted and secret now, it should also be encrypted and secret in the future. The Signal Protocol is becoming the de facto standard for E2EE for messaging apps.
The Signal app, funded by the Signal Foundation, uses the Signal E2EE Protocol and is best known for its privacy features and secure messaging, as well as several high-profile endorsements from individuals like Jack Dorsey, CEO of Twitter, and Elon Musk, CEO of Tesla, Inc. In addition to winning over privacy advocates, information security experts, lawyers, cryptographers, and journalists, the popular app also leverages the following notable features offered by the underlying protocol:
- Default security controls (e.g., disappearing messages)
- Perfect Forward Secrecy
- Open-source software
- No ads or affiliation with Big Tech
Anyone has the option to audit the code and check the application’s security because it is free and open software. One reason Signal may be a messaging app favorite, compared to Apple’s iMessage, is because both Android and Apple users can download Signal, whereas only Apple users can use iMessage. When you send an iMessage to a user who is not using IMessage, the message is sent as a Short Message Service (SMS) message. SMS has its own security risks and sending financial or sensitive information using SMS is not recommended.
Another positive Signal app feature is that, unlike Telegram and WhatsApp, Signal does not store user data. Telegram requests your personal data (e.g., your name and phone number), while WhatsApp collects data that may identify you and may share some of your data with other Facebook companies
Encryption backdoor requests and implications
The primary argument against E2EE is messaging service providers should create an encryption backdoor to permit government access to encrypted data to address the potential consequences E2EE may have on law enforcement. The problem with the backdoor argument is that, while the backdoor would be open to law enforcement, it would allow authoritarian governments and cybercriminals to walk through the backdoor too.
In February 2016, Apple responded to the United States (U.S.) Federal Bureau of Investigation (FBI) request for data in their possession following the tragic San Bernardino shooting. Apple challenged the FBI’s demand and characterized it as an overreach by the U.S. government.
In March 2020, Senate Judiciary Committee Chairman Lindsey Graham (R-South Carolina), U.S. Senators Richard Blumenthal (D-Connecticut), Josh Hawley (R-Missouri) and Ranking Member Dianne Feinstein (D-California) introduced the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), bipartisan legislation to encourage the tech industry to take online child sexual exploitation seriously. Critics of the EARN IT Act held that the law would jeopardize privacy and free expression rights, without effectively tackling child sexual exploitation. Officials who propose bills like the EARN IT Act focus solely on tech companies to solve child exploitation online and ignore the need for multiple actors and solutions to contribute to an effective response to child online sexual exploitation. The provisions of the bill threaten privacy for those who may need it most (e.g., children learning online, journalists, marginalized communities and peaceful protesters).
Messaging app users desire data privacy and security. They expect to be able to speak freely with friends, family, community members, journalists, peaceful protesters and colleagues without their messages being intercepted and read by a third party, including the government. This is especially true during times of social unrest or political uncertainty.
Currently, the Signal Protocol is the leader in E2EE and by all accounts the Signal app provides the highest level of privacy and the most secure messaging for its users. It is also true that cybercriminals will exploit this level of advanced E2EE. The argument, however, that encryption backdoors are necessary to assist law enforcement bodies in their efforts to prevent criminal activity is overcome by the fact that weak encryption results in privacy and security risks to all law-abiding citizens, our civil liberties and democratic values.
This is yet another example of how machine identities, such as those used for E2EE, will continue to play a greater and more important role in our everyday business and personal lives.
- The EARN IT Act, the Latest Legal Threat to Encryption
- Battle of the Backdoors in Networking Infrastructure: Intentional vs. Incidental
- Venafi Survey: The Negative Impact of Government Mandated Encryption Backdoors
- Why are Government Officials Who Know Next to Nothing About Encryption So Eager to Mandate Encryption Backdoors?