Most of us take privacy for granted. If we’re discussing something personal while sitting in our living room with a friend, we assume that our conversation is private. Our living rooms are considered a private setting, so it feels safe to assume that our conversations there are private as well.
But what happens if we’re having the same conversation with the same friend while that friend is in her living room in Hong Kong, Moscow, or Istanbul? Now, due to the distance, we’re having the conversation via phone, video chat app, social media, or text messages. While we may believe that we still have the same right to a private conversation, technology has now entered the equation and that… changes things.
When we use technology to communicate, our assumption should always be that others can see, hear, and document our conversations.
That’s scary, I know, but if secure communication is important to you, then it’s always important to think — in advance — about what you’d like to communicate. That pause allows us to choose the best possible tools to help ensure that our communications are as private as we’d prefer.
Table of contents
The Three Truths of Technology
Most communications options we use on a daily basis are readily available, cheap, and easy-to-use. Unfortunately, they’re also considered insecure for three, important reasons:
- All technology is hackable, even cellphone networks.
- Few companies can be trusted with your personal data.
- Every company can be ordered to disclose the data they’ve kept about you to law enforcement and/or government authorities.
Check out the transparency disclosures from companies like Amazon, Facebook, Twitter, Snapchat, Microsoft, Apple, and Google. You’ll notice that the number of requests from government and law enforcement for your personal data grows every year; you’ll notice that tech companies comply with these requests most of the time; and you’ll notice that the US issues more requests for user data than every other country.
End-to-end encryption (also known as “E2EE”) is used in the world’s most secure messaging systems. The technology behind it ensures that only those who wish to communicate with one another have access to their messages.
That’s a huge deal. Here’s why:
- Even if your communications are intercepted by hackers, they remain encrypted and, therefore, private.
- Even if the company who makes the software you use to communicate securely decides to spy on you, your messages remain encrypted and, therefore, private.
- Even if the CIA subpoenaed the provider of your secure messaging service and forced them to turn over your messages, your messages still remain encrypted and, therefore, private.
It’s worth noting that, as late as 2017, it’s been established that the CIA cannot crack the encryption of messages which use E2EE.
For a messaging service to truly be considered secure, it must demonstrate that it:
- uses E2EE to protect messages in transit
- activates E2EE by default (so you don’t have to)
- encrypts both messages AND attachments
- encrypts some or all metadata
- is independently funded
- never collects customer data
- has been audited (or code-checked) by third parties
- provides self-destructing messages
BONUS if the software is open source, meaning that the software’s source code is freely available online for anyone to check, improve, or challenge.
When evaluating these requirements against a list of the most popular messaging services, there are really only three choices to recommend for those seeking top-tier privacy and security: Signal, Threema and Wire. Let’s investigate each a bit more.
For most security professionals, Signal is considered the best choice for secure communications. There’s a reason that Wired magazine gave Signal a top recommendation: it’s easy to use, very secure, and — unlike most of the other messaging options — it was designed to be an entire end-to-end platform, not just an application. Signal’s technology, also known as the Signal Protocol, was adopted by WhatsApp, so it’s now become the de facto standard for billions of secure messages sent each day on the planet. Even better: Signal brings E2EE to your messages, phone calls and video chats!
On its first launch, Signal asks you to provide a phone number. Some security professionals distrust Signal for asking you to provide this, but it’s worth noting: you can enter any valid phone number you like. I’ve chosen to use a Google Voice number instead of my personal number and so can you with these directions.
There’s much to like about Signal.
- Signal’s website offers easy-to-read help pages for its basic functionality.
- Many of you won’t need help pages because Signal is intuitive and easy-to-use. It works like most messaging apps, so sending notes, including attachments, recording audio, or initiating phone or video calls are simple.
- The company is transparent about requests from the government which is fascinating to see and read.
Additionally, Signal’s apps and server are both open source: you can view the source code yourself here.
What To Consider
Signal isn’t perfect, but no app, platform, or technology is. Here are a few things to consider for those of you who will choose to use Signal.
- While Signal requires a valid phone number to set up, don’t provide your actual cell number to Signal. Instead, obtain a free, second number.
- Although it asks, you don’t have to give Signal access to your address book. Instead, you can always search for others on Signal by entering their phone numbers.
- If you delete Signal, delete all of it. If you delete the app, also ensure that you delete anything that you or Signal might have stored in the cloud regarding its app.
Some comparison websites (and famed whistle-blowers) rank Wire as being more secure than Signal. It’s easy to see why folks prefer it to Signal: it’s easy-to-use, offers open-source applications, has a pleasing interface, and is regularly vetted by outside security professionals. Even better, Wire offers key features that Signal doesn’t:
- Using an anonymous email to sign up rather than a phone number
- A security screen
The security screen is simple but powerful: if Wire is open but not in use, it locks itself down from prying eyes. Need to use the app again? You’re met with a challenge to unlock the app using Touch or Face ID. This prevents someone from grabbing your phone and having immediate access to all of my unencrypted messages.
Threema offers many of the same features as Signal and Wire, but offers a strong set of features that make it a great choice for privacy-seeking citizens:
- It allows you to enable two-factor authentication to better protect your account.
- It doesn’t require a phone number OR an email address to sign up and use.
- It was last audited in 2020 (compared to 2014 for Signal)
- It hosts and maintains all of its own servers instead of relying on Amazon, Google or other companies to do that for them.
Threema’s comparison list can be found here.
It’s also worth nothing that Threema currently costs $2.99 to purchase. Three dollars isn’t a lot of money to spend to have secure communications. And, even though Signal and Wire are free, good technology isn’t free to build. Developers need to find funding from someone, usually a wealthy financier or corporation. In this case, however, the public helps finance the technology, allowing Threema’s parent company — Threema GmbH — from needing a third party company or government to provide its funding. That independence is important and 100% worth the money you’ll pay.
On the Horizon
Lastly, it’s important to remember that a secure messaging app is only as good as the person using it. Even the most secure messaging app on the world can’t protect you if you click on unfamiliar email links or leave your phone out for others to see. So remember: achieving better privacy and security requires that we not only change the apps we use, but in the behaviors we use regarding our technology.
One smart move: switch to using iOS. Apple’s iOS is — by far — safer than either Microsoft’s Windows or Google’s Android. These results have been confirmed by others. Repeatedly. And then again.
Until next time, keep it safe!