To secure or not to secure? That is the question!
For the third year in a row, decentralize.today is going to take a look at the more popular privacy-based messaging services. So don't expect to see anything good about Google, Facebook or Microsoft!
This year, we will be doing things a little differently.
The whole space has grown, not only in terms of the competing service options, but also because there are so many more new and cool features on the existing providers as well as more than a few bugs being uncovered!
A year back, the question might have been what would be the best replacement for WhatsApp? And that is a tricky one, not least because so many people still believe, like some of my friends and family, that WhatsApp or Messenger are safe so I need to stick with using them. Even my son's school 'forced' him to install Messenger to facilitate better communication! Believe me, the school and I communicated and we're doing things differently now haha! So it can be done!
Remember also that WhatsApp and others are extensions of, or linked to, Big Tech and that is usually bad news. This can lead to traffic control via their servers or even message blocking, manipulation or modification. Yes, it does happen and in places you might not expect...for example on Signal which sadly relies on using Amazon Cloud servers and Telegram group messages which are not encrypted and have been proven to be blocked and compromised in the recent past.
As an additional caution on WhatsApp, unlike Signal (which uses your cell number as a Unique Identifier), WhatsApp is also using your hardware and software as an identifier as well as your contacts. Well, it is Facebook after all! Every time you use WhatsApp, it sends all the contact numbers in your address book to a server and syncs them there! Facebook, therefore, has a full backup and information on each of your contacts!
In other words, even if you don't have a Facebook or WhatsApp account but one of your friends or contacts does, your name and number is now in Facebook's hands! Knowledge is power and if this knowledge doesn't power you and your family/friends away from WhatsApp then possibly nothing will!
Whilst this is an introduction to a series of reviews about which service is the best (or better), I needed to make the point about which one not to use first.
So over the course of these reviews, we will look into the technical and privacy aspects of each service, what advantages it has, any new or improved features (if previously reviewed) plus any bugs and fixes and maybe even provide you with the information to make an informed decision about switching services for you, for your friends, family, colleagues and associates.
Everyone has their own requirements for a messenger, some even think it is important to have stickers whilst others again are looking for polls or group chats. I highly doubt you will find one that covers every single aspect or feature on that list of requirements but depending on need you'll probably be covered by 2 – 3. For example, switching to Signal is an easier sell, it's free, it's encrypted, it feels just like SMS or WhatsApp but it also has stickers! And yeah, that really is a thing people want!
So our goal this year is to explain this kinda behavior and maybe show you better alternatives! My focus will be on privacy as well as the technical aspects of each.
It is important for us to look at the encryption protocols which will hopefully be full E2EE (end-to-end-encryption) or perhaps even E2EE with peer-to-peer so bypassing the need for a server in between!
Many messengers claim end-to-end-encryption, but some hold a master key on the servers which allows MITM (man-in-the-middle) attacks. We will look at the differing aspects of E2EE and which is safer and why as, for example, the OTR (off-the-record) protocol is used by Signal whereas Threema has its own ways to ensure you talk to the right person! Some messengers even have a handy key exchange utilizing a QR code.
(Sadly, even a perfectly exchanged key and a great messenger doesn't ensure your safety, your device can still be compromised. Additional steps you can take are all covered within the Privacy Cookbook and we'll link into that as and when needed within the reviews).
We always make a big deal out of ads and, of course, metadata! Keep in mind that metadata is one of the biggest giveaways on your entire setup. It knows (and records) more about you than you could possibly imagine. From what device you use, to what time you are online, where you are online, with whom you chat and at what time and maybe even your full IP address.
For services that are centralized you need to trust that they have this data encrypted and not recorded. Some are partially or fully open-source but then there are always the servers...
So we will also look at the totally decentralized messengers, some of which don't even require an internet connection. The XMPP and the Matrix protocol are also more decentralized and on the former you can, just like with email, choose different instances. All of this will be built into the reviews.
Finally (but not exclusively) we need to look at identifiers (as for WhatsApp and Signal from earlier in this intro): whether they use your telephone number or, like Matrix, a username, whilst Threema uses a generated identifier. We'll look into each of these setups.
We are covering more messengers than ever, will go deeper into each than before and present a matrix at the end to clearly show you the pros and cons across the board, hopefully making it easier for you to make a final decision on what you could or should be using.
The matrix will also include information on servers, laws, encryption levels and embedded trackers, whether they are open source and audited, and exactly what features they incorporate, e.g. video, calls, groups, mass mailing and any other significant extras.
As a taster, please see our year end compilation from 2019 here:
Unfortunately, there is unlikely to be one messenger that covers all and corresponds with your contact network (although having more than one provides some level of redundancy in times of failure or crisis). However, given how important and significant a part of our everyday communications and social interaction our messengers have become, it is essential that your messenger of choice provides you with the security (and privacy) you deserve.
We will start our series of reviews next Thursday, March 19th with a look at Threema and follow that with a new review every 2nd Thursday of the month for the rest of the year, some new but mostly updates on old faves!
The Privacy Cookbook will return next Friday.
The Privacy Advocate