
My Evaluation of Secure Communication Platforms

As I start to ramble on tech, and given the recent US elections, I can think of no better place to start than with secure messaging applications.

Hi there! It's been a minute since I've found some time to set aside for this blog (as well as my other one), but the political winds are changing to something concerning for a trans woman like myself. While I reside in Canada, we not only have our own struggles here, but are also in proximity to the US election.

I want to publicize my process, so that not only will others learn from my work, but I will also be able to up my game. This will involve topics of self-hosting, but also how I set up my smart home, my security, and reviews of devices I feel are worth reviewing within the purview of the tech I use.

My first stop is my options for various text/communication apps. This will be within the purview of securing them from prying government eyes, specifically around security. Let's dive in!

What Qualifies as Secure

Let's set the benchmark for considerations. First up...

Encryption Types

There are several ways the industry talks about encryption. The obvious one is unencrypted. This is similar to having a conversation in a public square. If someone in between you and your friend wants to listen to your conversation, there's nothing stopping them. Putting governmental spying concerns aside, unencrypted conversations can also be scooped by ad networks, and used to target content to you specifically. I think we can all agree this is not what we want.

Next up is encryption in transit and/or at rest. Here, in transit means the communication between you and the server is encrypted. So a passer-by can no longer read the message on its way to your friend. This typically means the message is decrypted once it reaches the server for processing. At rest refers to encrypting the data as it's stored for long periods of time. This typically means an encrypted database, so that only services or users with proper credentials can access the unencrypted data.

I want to take an aside and point out that this level of encryption is the default for the internet. The "S" in "HTTPS" means the connection between you and the server is always encrypted. It's a standard that uses in-transit encryption to ensure no one in between can read things. It does not promise, however, encryption at rest. That is up to the service provider to implement behind the scenes.

Platforms that only encrypt in transit and/or at rest include all social media messaging (Facebook, Instagram, TikTok, Snapchat, etc…). Some of these platforms offer options to encrypt your messages, but to my knowledge, they do not offer default secure settings.

End-to-end encryption (e2ee) is the most secure option for messaging platforms. This encrypts data in such a way that only the person you're sending the data to can read the message. It's important to know that not everything in e2ee will be encrypted. The server still needs to know whom to send the message to, and how to send it. This is unavoidable, but when we get to the next measure, we'll see why it's important.
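
To make the difference concrete, here is an added example (not part of the original post) showing what a relay server can read when a message is encrypted only as far as the server versus end to end. The party names, the sample message and the helper functions are hypothetical; the transport layer is modelled as a key shared between sender and server, and this is neither TLS nor the Signal Protocol.

```javascript
const crypto = require('node:crypto');

// Each party holds an X25519 key pair (constructed for this demo).
const keys = Object.fromEntries(['alice', 'bob', 'server']
  .map((name) => [name, crypto.generateKeyPairSync('x25519')]));

// 256-bit key shared by `me` and `peer` (X25519 agreement, then HKDF).
function sharedKey(me, peer) {
  const secret = crypto.diffieHellman({
    privateKey: keys[me].privateKey, publicKey: keys[peer].publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo', 32));
}

// Authenticated encryption with AES-256-GCM and a fresh random nonce.
function seal(key, text) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

// Decrypts and verifies; throws if the key is not the one used to seal.
function open(key, { nonce, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// The sender addresses an envelope; `encryptTo` is who can decrypt the payload.
function send(from, to, text, encryptTo) {
  return { from, to, payload: seal(sharedKey(from, encryptTo), text) };
}

// Everything the server can learn from one envelope passing through it.
function serverSees(envelope) {
  let content = null;
  try {
    content = open(sharedKey('server', envelope.from), envelope.payload);
  } catch { /* payload was not encrypted to the server */ }
  const { from, to, payload } = envelope;
  return { from, to, size: payload.body.length, content };
}

const transportOnly = send('alice', 'bob', 'meet at 6', 'server'); // decrypted at the server
const endToEnd = send('alice', 'bob', 'meet at 6', 'bob'); // only bob holds the key
console.log(serverSees(transportOnly)); // content is readable
console.log(serverSees(endToEnd)); // content is null; from, to and size remain
```

In both cases the server still learns who is talking to whom and how large the message is, which is the metadata the paragraph above refers to.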

Data Residency

Now that we have a better idea of what encryption standards are out there, and some idea of what data is secured in each, where the data lives is just as important. Data residency refers to where the data that gets transmitted is stored along the way. An important reminder: the "cloud" is just someone else's computer that you're renting a small part of in some way. If you don't pay monetarily, you almost always pay in some other way. These computers run on electricity, and that has to be paid for by someone. So where this happens is just as important as what is stored.

Important considerations: how much do you trust the provider to keep their communication secure, and how, and with what, will they respond to law enforcement requests? If they have to share the data, what will they be able to share?

Platforms to Avoid

Telegram

This one is to be avoided. We're not going to touch the recent arrests of the CEO, or the fact it's commonly used by Russian soldiers in Ukraine; however, we can still talk about the platform itself. They do offer e2ee options, but it's not enabled by default, leaving them with the clear text messages you send. There are also strong concerns around data residency, and being subject to foreign interests.

Discord

Next up on the list is Discord. This is a hard pass since it only offers encryption in transit/at rest. There's also the concern I have with data residency being subject to US government requests.

Social Media (Facebook Messenger, Instagram, Snapchat, etc...)

These types of apps should also be avoided for main messaging. It's probably fine to share posts back and forth. However, because they do not offer e2ee (or at least not by default), they should be avoided for anything more than funny messages. Data from these messages is almost certainly scraped for information and processed as much as the companies can.

WhatsApp

I would also strongly recommend against using WhatsApp. It does offer e2ee by default for all messages. However, being closed source, it's impossible to verify e2ee support. There's also something to be said for why Meta wants to support this app. Again, servers cost real money to operate and maintain. So why is Meta doing this if they are unable to scrape data? While I'd avoid it personally, it's certainly better than the apps above.

What platforms do I recommend?

Signal

This app is going to get my first recommended use. We'll start with e2ee support, where the Signal Protocol (named because it was developed for the app) is regarded as a gold standard in encryption and security in the industry. I'm unable to find specific sources, but in past NSA leaks about what data is collected by each platform, what they're able to get is consistently metadata only. This is, however, old information, and should be checked independently when you read this.

I want to also take a moment to follow the money for Signal. They're operated by the Signal Technology Foundation, a tech non-profit dedicated to supporting the application and network. There is a high degree of transparency that comes with Free and Open-Source Software (FOSS) being run by a non-profit.

This isn't to say there aren't some concerns. They are registered in the US, and with the incoming government being uncertain at best, caution is always recommended.

As I've mentioned before, servers cost real money to run. So all else being equal, why is Signal here compared to WhatsApp above? It's the money trail. The Signal Foundation is a non-profit that runs the application. So the money trail on how those servers get paid for isn't beholden to shareholders. So if you depend on the service, and have the means, donate.

Matrix/Element

Matrix is a decentralized chat system, meaning that instead of all messages being sent to a single provider (Facebook, Signal, Discord, etc…), they're sent to your chosen server. That server can then communicate with a network of other servers to spread your message to recipients.

This means local communities can form servers, and network those servers to enable communication between them. For example, I'm running a Matrix server, and so is my friend. They're able to host everyone for their house, and I mine. Together, we can chat like we can on any other platform, but we each communicate through our own servers.

If this all sounds very complex, it's because it is. Matrix isn't for everyone right now, but if you've heard of Docker before, I plan to create a series on how I'm hosting my Matrix server (and other related services). There are also public servers out there, like matrix.org, for example.

Matrix is secured using e2ee. Because you can host your own Matrix server anywhere you'd like, you can minimize your data trail. And even if your data were to get leaked, it's still secured in such a way that the data on the servers can't be read anyway.

What have I gone with?

Taking a step back, this was a large info dump. So I'll go with my recommendations. I strongly encourage minimal use of unencrypted chats. I, personally, use Signal with less technically inclined friends, and those that I can convince to join me on my Matrix server,

What's Next

Now that I've talked about why I'm using the apps I'm using, I want to focus next on how I host my services.

Want to hear me speak about myself and related topics like community building and resistance? Check out my personal blog!