While most people love the Internet, their smartphones, their social networks, and the apps that enable them to stay in constant contact with their friends, they don’t love how easy it’s become for apps to suffer security breaches or for companies and governments to listen in on their conversations. But a variety of apps are offering options for encrypted messaging as a way to keep users’ communications private.
Encryption is one of the most effective ways to keep data secure, and involves encoding messages or data in such a way that only authorized parties are able to read it. To read an encrypted file, you need to have access to a key that enables you to decrypt it, and without the key, there’s no way to read the file. Both tech giants and small startups are building services that put encryption to work protecting the messages that users exchange via their platforms.
According to the Secure Messaging Scorecard created by researchers at the Electronic Frontier Foundation in collaboration with Julia Angwin at ProPublica and Joseph Bonneau at the Princeton Center for Information Technology Policy, many companies offer “secure messaging” products, but most aren’t as secure as their providers would like you to believe. The scorecard evaluated messaging services on seven different criteria, such as whether messages are encrypted so that the service provider can’t read them, whether past communications are secure if the encryption keys are stolen, or if the product’s code is open to independent review.
They found that only a few messaging services offered all of the security features, but the most secure included ChatSecure, a messenger for Android and iOS; Cryptocat, an encrypted chat app for Chrome, Firefox, Safari, Opera, OS X, and iOS; Pidgin, a chat client that supports AIM, MSN, Yahoo, and other chat networks; Signal and RedPhone, apps to make encrypted phone calls; Silent Phone, an app to secure calls, texts, video, and file transfers; Silent Text, which encrypts text messages; the “secret chats” functionality of Telegram, which enables users to send encrypted messages that self-destruct; and TextSecure, which encrypts text and chat messages over the air and on your phone.
But as some of these services note, even high levels of security aren’t a perfect solution. According to Cryptocat’s website, the service “is not a magic bullet. Even though Cryptocat provides useful encryption, you should never trust any piece of software with your life, and Cryptocat is no exception.”
Writing for The New York Times last year, Molly Wood posed the question of whether you should trust the companies promoting their “secure” messaging apps. Ultimately, the answer she got from cryptographer and security expert Bruce Schneier was that you shouldn’t use them if your life is on the line — but for the average user in a more normal situation, these apps are “probably sufficiently secure.” Schneier says that evaluating the security of a messaging app necessitates examining why you need it. Some apps are much more secure than others, and ephemeral messaging apps like Snapchat are often light on encryption but offer a different promise: that the messages you send through them will disappear before they can be used against you.
But the question of whether you can trust the claims made by companies is still unresolved. Snapchat, for example, was found to have misrepresented its service to users by claiming to delete messages that it hadn’t. Schneier told The New York Times, “Let’s say they’re encrypted. That means that, assuming they did a decent job, no one can read the messages in transit. It doesn’t mean they can’t read them on your computer, and it doesn’t mean that someone can’t issue a court order to get those messages off a server somewhere.” A government could issue a court order forcing an app to circumvent its own encryption, or order an ephemeral messaging app to keep messages it told users it deleted. Schneier explains, “They’re not saying that they’re going to defy a court order, that they’re going to go to jail to protect your messages.”
The trustworthiness of service providers aside, the Electronic Frontier Foundation says that many users opt not to use tools to encrypt their communications because of the difficult relationship between security and usability. “Most of the tools that are easy for the general public to use don’t rely on security best practices–including end-to-end encryption and open source code. Messaging tools that are really secure often aren’t easy to use; everyday users may have trouble installing the technology, verifying its authenticity, setting up an account, or may accidentally use it in ways that expose their communications.”
But security and usability may come together more easily as new and improved services enable users to take control of the security of the information they input into a web service. Tom Simonite reported for MIT’s Technology Review late in 2014 that the unveiling of a prototype browser extension called ShadowCrypt followed announcements by Google and Yahoo that they were working on software that would enable users of their email services to easily exchange encrypted messages. ShadowCrypt makes it easy to send and receive encrypted text on Twitter, Facebook, or any other website. When using ShadowCrypt, a user who writes or is authorized to read a tweet or an email sees normal text, but the site operator or anyone else looking at or intercepting the message just sees a garbled string of letters and numbers.
Simonite reports that ShadowCrypt was created to demonstrate that strong encryption can be both simple to use and compatible with the popular services that millions of people use everyday. Researchers tested ShadowCrypt on 17 major web services and found that it worked more or less flawlessly on 14, including Facebook, Twitter, and Gmail. As tools like ShadowCrypt bring more secure communications to all of the social networking and webmail sites that users rely on, it will become easier for users to keep their everyday conversations safer from prying eyes.