For the last 5 years or so, we at decentralize.today have been conducting a rolling review of all available messengers, but in that time we have never really looked too deeply into Wire. The name has popped up on occasion and we've now had some requests to look into it, so let's see why people believe Wire should be on our list, or why it absolutely shouldn't be!
Wire was started in Switzerland, just like Threema, which is usually a good starting point for companies with privacy in mind. Development is in Berlin and all their servers are located within the EU. However, at the end of July 2019, the Wire Swiss GmbH entity was taken over by Wire Group Holding Inc. (Dover USA), which means that it became a US-based company. Furthermore, they have accepted $8 million in funding from Morpheus Ventures, a company investing in AI, healthcare, life insurance and data collection!
The 'good news' is that you can download Wire directly from their website as an APK, so it neither depends on nor uses the Google Play Store or Google Services.
There is some more good news, as Wire does not require you to register with a telephone number, although at least an email address is required. After signing up, you can select your own username (similar to Telegram's @you). If you allow access to your address book, you can spot other Wire users. Your address book is submitted to Wire's servers in a hashed format (SHA-256), checked to see if any of your contacts are also on Wire, and then deleted from the Wire server network! That is unlike Telegram, where this all happens without the auto-deletion (there you can do it manually), and on Telegram it also happens un-hashed!
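The hashed address-book lookup described above, as an added sketch that is not Wire's code: the normalization rules, the `DirectoryServer` class, the function names and the sample contacts are all assumptions constructed for illustration.

```python
import hashlib
import re

def normalize(entry: str, default_cc: str = "+41") -> str:
    """Canonicalise an entry so client and server hash identical bytes.
    Assumed rules (not taken from Wire): e-mail addresses are lower-cased,
    phone numbers are reduced to +<country code><digits>."""
    entry = entry.strip()
    if "@" in entry:
        return entry.lower()
    digits = re.sub(r"[^\d+]", "", entry)
    if digits.startswith("00"):        # 0041... -> +41...
        return "+" + digits[2:]
    if digits.startswith("0"):         # national format -> default country
        return default_cc + digits[1:]
    return digits if digits.startswith("+") else default_cc + digits

def hash_contact(entry: str) -> str:
    return hashlib.sha256(normalize(entry).encode("utf-8")).hexdigest()

class DirectoryServer:
    """Hypothetical server: indexes registered users by the same digest."""
    def __init__(self, registered: dict):
        self._index = {hash_contact(k): handle for k, handle in registered.items()}

    def match(self, uploaded_digests: list) -> dict:
        hits = {d: self._index[d] for d in uploaded_digests if d in self._index}
        # Only the hits are returned; the uploaded list is never stored.
        return hits

def discover(address_book: list, server: DirectoryServer) -> dict:
    # Client keeps the digest -> entry map locally; only digests are sent.
    local = {hash_contact(e): e for e in address_book}
    matches = server.match(sorted(local))
    return {local[d]: handle for d, handle in matches.items()}

# Constructed sample data, not real accounts.
REGISTERED = {"+41791234567": "@alice", "bob@example.org": "@bob"}
ADDRESS_BOOK = ["079 123 45 67", "Bob@Example.org", "+49 30 1234567"]

if __name__ == "__main__":
    for entry, handle in discover(ADDRESS_BOOK, DirectoryServer(REGISTERED)).items():
        print(f"{entry!r} is on the service as {handle}")
```

In this sketch the hash is unsalted so that both sides compute the same digest, which means the privacy of the lookup rests on the server discarding the upload once matching is done.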
The app and the server end are fully open-source! Wire has been independently audited, so overall very good news.
That said, the audit is now more than 2 years old (it pre-dates the takeover) and a lot has happened since then.
Wire offers E2EE (end-to-end encryption)
Proteus is their chosen solution for this and it is totally open-source. That said, Proteus did start out as Axolotl and was part of the Signal protocol; you can read more about that here:
This noted, the E2EE part of Wire looks solid and comes with PFS (Perfect Forward Secrecy) in one-on-one as well as group chats! Just like with Signal or Threema, you can verify your chat partner with a device fingerprint. If you have done so, it shows you a blue shield next to the username of your chat partner.
The key for the encryption is generated on your device and is not saved on Wire's servers, so you retain control of the encryption key.
The server runs on AWS, so Amazon is the service provider, and it is one server, which means everyone is on that one server: no federation, no decentralization. Wire controls everything, and so also the future of the application.
Every message, regardless of whether it is sent in a private or a group chat, is deleted from the servers immediately after successful delivery. The server keeps the message for a maximum of 30 days in case of a failed delivery.
As mentioned earlier, you can download the APK on Wire's website and there is no Firebase Cloud Messaging (FCM) involved, which keeps the metadata only on Wire's servers. A point that brings us to...
...the first major difference to Signal, inasmuch as Wire collects metadata. This includes when and with whom you were communicating. Furthermore, this data is not encrypted but saved in plain sight.
“We are in Switzerland, which has the best privacy laws in the world”
— (it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws) —
“and Wire now belongs to a new group holding, but there is no change in control.”
Wire CEO Morten Brøgger
Further good news is that we detected no trackers or 3rd parties popping up in our field research, which is commendable!
Wire has you covered on iOS, Android (including via APK), Windows, Mac and in the browser. Wire offers chat, calls and video chat, with the latter accommodating up to 4 callers at the same time.
In conclusion, Wire is open-source, the encryption looks good and there is no 3rd party sniffing, BUT who knows what comes next from Morpheus Ventures, and then of course there is the 'in plain sight' metadata.
Maybe not much, but enough for us not to make it a recommended messaging service provider for you (at this stage!).
Ok, that's it for this month...we'll be back in July with our next review when we will look again at Status.