Almost 57% of the world’s population has access to the Internet and 45% are active social media users. While social media and messaging applications are developing into some of the most prevalent communication tools, the security offered by these tools is anything but certain. With recurring data breaches from both criminals and government agencies, privacy of communication is becoming one of the most sought-after digital needs in the 21st century.
We at Bytecoin take privacy seriously and, as anonymous developers of one of the most secure payment tools, possessing a means of secure communication for ourselves is an absolute must. In this article we have decided to share our observations on secure communication workflows because we believe privacy of communication is a universal human right that should be available to everyone.
Email and OpenPGP
Despite the ubiquitous transition to the mobile domain and the multitude of messaging apps coming out every day, a lot of users still rely on e-mail communication. Encryption made its way into this technology some time ago, but messages do not always stay intact throughout their journeys from one user to another. Usually, an email is encrypted between the sender’s browser and the email servers, and then between these servers and the recipient’s browser, which still leaves the contents of the message available to the email provider on its servers. There has been some controversy regarding the fact that unethical email providers can use the information in emails for unscrupulous purposes, let alone for marketing and advertising intents.
This controversy has stimulated the adoption of end-to-end encryption in the email domain. One of the technologies that facilitates this is OpenPGP, which is gradually becoming an industry standard. OpenPGP is an open-source implementation of the PGP (which stands for Pretty Good Privacy) encryption scheme, which was developed back in 1991 by security expert Phil Zimmermann. PGP can be used to securely encrypt and verify the integrity and authenticity of an email message. It uses a combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography. With PGP an e-mail’s contents are no longer accessible to the email provider; they only serve as an intermediary in passing along the encrypted message.
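The combination described above, shown as an added example that is not part of the original article and is not code from any PGP implementation. It follows the same sequence of steps (hash and sign, compress, encrypt with a one-time symmetric key, wrap that key with the recipient's public key) using Node.js built-ins; the container layout and the names seal, open and demo are assumptions, and the output is not the OpenPGP message format.

```javascript
const crypto = require('crypto');
const zlib = require('zlib');

// Sender side. The returned object is a constructed container, not an OpenPGP packet.
function seal(message, senderPrivateKey, recipientPublicKey) {
  const body = Buffer.from(message, 'utf8');
  // Hashing + public-key crypto: sign the SHA-256 digest of the message.
  const signature = crypto.sign('sha256', body, senderPrivateKey);
  const sigLen = Buffer.alloc(2);
  sigLen.writeUInt16BE(signature.length);
  // Compression: signature and message are packed together, then deflated.
  const packed = zlib.deflateSync(Buffer.concat([sigLen, signature, body]));
  // Symmetric-key crypto: a fresh random session key encrypts the packed data.
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(packed), cipher.final()]);
  // Public-key crypto: only the recipient's private key can unwrap the session key.
  const wrappedKey = crypto.publicEncrypt(
    { key: recipientPublicKey, oaepHash: 'sha256' }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient side. Throws on a wrong key, a modified message or a bad signature.
function open(sealed, recipientPrivateKey, senderPublicKey) {
  const sessionKey = crypto.privateDecrypt(
    { key: recipientPrivateKey, oaepHash: 'sha256' }, sealed.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const packed = Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]);
  const plain = zlib.inflateSync(packed);
  const sigLen = plain.readUInt16BE(0);
  const signature = plain.subarray(2, 2 + sigLen);
  const body = plain.subarray(2 + sigLen);
  if (!crypto.verify('sha256', body, senderPublicKey, signature)) {
    throw new Error('signature does not match the claimed sender');
  }
  return body.toString('utf8');
}

// Constructed demo: throwaway key pairs stand in for the two correspondents.
function demo() {
  const sender = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sealed = seal('meet at noon', sender.privateKey, recipient.publicKey);
  return { sealed, text: open(sealed, recipient.privateKey, sender.publicKey) };
}

console.log(demo().text);
```

Everything an intermediary stores is the object returned by seal; without the recipient's private key it cannot recover the session key, and any change to the ciphertext makes open throw.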
Some email providers have their own encryption schemes, but, nevertheless, PGP is finding its way into email technology. There are a number of email providers that natively support PGP, including Mailfence, Hushmail, Startmail, CounterMail and ProtonMail. One feature that unites Mailfence, Startmail, CounterMail and ProtonMail is that their servers are deployed in countries considered “secure jurisdictions” - Belgium, Netherlands, Sweden and Switzerland respectively. These countries have much stricter data protection laws than their peers in the EU or USA, or they are located outside their jurisdiction.
It is worth keeping in mind that not all the mentioned email providers have sterling reputation records. For instance, according to The Register, Hushmail users’ emails can be turned over to law enforcement agencies on their request. ProtonMail has mentioned strong ties with US investors, despite having quite a lot of trust among its users and the professional community. Thus it is always a good idea to check an email provider’s reputation before you decide to use it.
The mobile domain
At the same time there is an ever-growing demand for mobile messaging solutions. WhatsApp alone saw 1.5 billion monthly users at the end of 2017. One universal trait of messaging apps is that, while they facilitate faster communication workflow, their technological implementation is not as universal as that of email technology. Messaging products compete for audience and there is no technical means of sending messages between different messaging apps. If you want to keep all of your mobile communication in one place, you need to make sure that your interlocutors use the same tool as you.
In addition, due to that technological incompatibility, there is no universally adopted way of facilitating end-to-end encryption in these tools. Every messaging platform has its own technological spin on end-to-end encryption. Here are the messaging apps supporting end-to-end encryption that have garnered massive audiences in recent years:
WhatsApp is one of the most popular messengers on the planet. Unlike that of other messengers, WhatsApp’s end-to-end encryption is enabled by default. WhatsApp’s end-to-end encryption system has been developed by Open Whisper Systems, who are known for having a secure communication app of their own - Signal. However, there has also been some controversy around security and privacy in the app;
Telegram’s user base of over 200 million is one of the fastest growing communities in the industry. It is praised for being noticeably more feature-rich than WhatsApp, its direct competitor. Despite its popularity it has some drawbacks that are worth considering. Telegram uses a custom encryption scheme called MTProto, which has been publicly criticized, and messages are only end-to-end protected in Secret Chat, a not-so-obvious feature;
Signal is the messaging app created by the above-mentioned Open Whisper Systems. Unlike its competitors it is fully open-source and has a remarkably clean record. It has been praised by multiple security experts.
At the same time, the things that make Signal so secure can be its downsides. First and foremost, Signal does not back up message history, even if the user backs up their entire phone. Should a user lose their phone or move to a different one, their message history is not carried over. In addition, Signal is not a commercial organisation and exists exclusively on grants and donations. While that makes it difficult to manipulate the Signal creators, there are only three full-time staff members working on it, so it does not develop as fast as its competitors.
While secure communication takes some time to get into and integrate into your daily routine, it certainly is available to everyone. Users should not neglect researching their desired communication tools and consulting the opinions of the professional community.