Instant Messengers, Encryption and Privacy
In this article I will try to explain, with regard to privacy, the differences between various instant messengers (SMS, Facebook Messenger, WhatsApp, Signal, Telegram, Threema, Tox, Briar etc.) and how their use of encryption (or lack of it) can affect your privacy.
Why is encryption important?
Generally we don’t like others to read our messages. You might say that is not important to you, because you have nothing to hide. While this is a valid opinion, it disregards that corporations and other third parties could be interested in what you have to say, how often you say it, how much you say and so on, basically analysing your behaviour. They can use that knowledge to derive a profit or to influence you (and others, if they have a significant number of people’s behaviour on file). I personally also don’t do anything illegal, but I think my personal business is nobody’s business but my own. So I choose to keep my private things private as much as possible and use encryption wherever viable.
Many people don’t know that when we send messages without encryption (as with Facebook Messenger, Telegram when not using secure messages, and SMS), anyone through whose infrastructure the message is transported (network operators, service providers and in turn their managements and governments) could read it. If it is encrypted they cannot read it unless they have the encryption keys.
So the encryption keys are important. In order to assess who might possibly have access to the keys and thus could read your messages we need to look at how those keys are handled, where the messages are transported and who is in charge of the messenger platform in use.
Not all messenger services are equal
SMS – Your phone network provider supplies you with the ability to send and receive SMS. They may apply weak encryption along the way, but it is too weak to be considered secure. So SMS is insecure, which doesn’t mean it is unusable, but being aware of this suggests you shouldn’t send credit card details or any other sensitive personal data via SMS.
Facebook Messenger – Not encrypted and Facebook’s T&C even say they will read and have the right to assess and use your messages for their purposes.
WhatsApp – While it is one of the largest and most widely used services, has an excellent set of functions and is end-to-end encrypted, I have some concerns about its security. WhatsApp is not open source, so the code cannot be independently assessed. We have to believe that they are not doing anything untoward with our messages.
In addition, although they say the encryption keys are only on your own phone and that of the person you communicate with, the keys and all messages are still going via their servers. Also Facebook (now Meta, owner of WhatsApp) is based in the USA and could be obligated to give its legal system access to your messages. So they must be able to do this. The easiest way is to keep your keys somewhere on their systems. We like to believe them, but they certainly have the technical ability to do otherwise. And they require your phone number, thus making you identifiable.
Signal – A competing messenger service to WhatsApp, but it is open source and indeed run by a non-profit organisation. That might instil somewhat more trust that they will do the right thing, but they are also based in the USA. Thus the same obligation to their legal system is present. All keys and messages are also going via their servers. They also require your phone number, thus making you identifiable.
Telegram – Another open source messenger service. They are based in Dubai, a kingdom where the non-elected king takes an active role in governing the country. Telegram offers encryption, but you need to choose to send secure messages. The default is to send NOT secure (like SMS and Facebook Messenger). All keys and messages are also sent via their servers and a phone number is also required to sign up.
Threema – A messenger service based in Switzerland. So you would be covered by Switzerland’s stringent privacy laws. It is not free, but the one-off cost of US$3.00 is small. It is open source and no phone number is required for sign up. They say they are not keeping your messages, but all keys and messages are going via their servers until they are delivered to your device.
Briar – A messenger service using the Tox protocol and harnessing the Tor network, not relying on a central server or needing a phone number. It can also utilise Wi-Fi without an internet connection and Bluetooth to transmit messages. “…designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate…”. This is possibly a more convenient solution, but more convenience usually comes with less security.
Tox – A messenger service that is open source and free; no phone number is required for sign up, so it can be totally anonymous. Keys are truly only kept locally on your phone or computer, and indeed if you want to connect with someone else on this service you have to find your own way to give them your key so they can communicate with you. So the keys are not going through their servers. The messages are also not going via their servers, but directly from your device to the device of the person you communicate with. Therefore they and you have to be online at the same time in order for messages to be delivered between you. You could have the messenger software running in the background (much like all the other messenger services) and messages will be delivered and received (if your communication partner also has it running in the background). In addition you can use the Tor network with the messenger, which is another layer of protection to keep your location anonymous.
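Because Tox leaves the key handover to you, it helps to check an ID you were given before adding it. The following is an added example, not part of the original article or of any Tox client; it assumes the Tox ID layout from the Tox protocol specification (32-byte public key, 4-byte "nospam" value, 2-byte XOR checksum, written as 76 hex characters), and the function names and sample key are made up for illustration.

```python
TOX_ID_BYTES = 38  # 32-byte public key + 4-byte nospam + 2-byte checksum


def tox_checksum(body: bytes) -> bytes:
    """XOR the key+nospam bytes together, two bytes at a time."""
    check = bytearray(2)
    for i, value in enumerate(body):
        check[i % 2] ^= value
    return bytes(check)


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Build an ID string; used here only to construct sample input."""
    if len(public_key) != 32 or len(nospam) != 4:
        raise ValueError("need a 32-byte key and a 4-byte nospam value")
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


def parse_tox_id(text: str) -> dict:
    """Split a Tox ID into its parts, rejecting malformed or mistyped IDs."""
    cleaned = "".join(text.split())  # tolerate spaces and line breaks
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("Tox ID must be hexadecimal") from None
    if len(raw) != TOX_ID_BYTES:
        raise ValueError("Tox ID must be 76 hex characters")
    body, checksum = raw[:36], raw[36:]
    # The checksum only catches accidental errors (typos, truncation).
    # Anyone who swaps in their own key can compute a matching checksum.
    if tox_checksum(body) != checksum:
        raise ValueError("checksum mismatch: ID was mistyped or corrupted")
    return {"public_key": body[:32].hex().upper(),
            "nospam": body[32:].hex().upper()}


def same_contact(id_a: str, id_b: str) -> bool:
    """Compare IDs received over two channels by public key only.

    The nospam value can be changed by its owner, so two valid IDs with
    different nospam values can still belong to the same key.
    """
    return parse_tox_id(id_a)["public_key"] == parse_tox_id(id_b)["public_key"]


# Constructed sample key, not a real contact.
SAMPLE_ID = make_tox_id(bytes(range(32)), b"\x01\x02\x03\x04")
```

A matching checksum does not prove the ID came from the person you think it did, so compare the ID over a second channel (in person or by phone) when that matters.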
I will now describe how to set up a Tox client on Android and on Windows and how to add the Tor network function to the Windows installation. There are clients for Apple macOS, but unfortunately not for iPhone. The reason for this is possibly that the iPhone’s systems are too restrictive to add the secure Tox client.