Why aren’t we encrypting our chats?
Lately the Feds have been making their case as to why they need backdoors into encryption schemes. This is problematic anyway you look at it; privacy, technology … philosophically. Most people I talk to seem to agree that they’d rather not have a ‘back door’ evaporating any expectation of privacy. Why then, I wonder, aren’t more people leveraging secure communication options? In theory people want private communications but in practice it seems they can’t be bothered.
That’s a good thing for the Feds, as even the ‘standard’ offerings out there have been problematic for them. It’s things like Apple’s iMessage and Facetime that forced the issue. Both iMessage and Facetime offer end-to-end encryption. End-to-End encryption means that the two end devices have the keys and no middle-man (such as Apple) does. In theory then, even Apple cannot access (or provide to others) unencrypted chat history from iMessage and Facetime sessions since Apple doesn’t have the decryption key for those historical messages. This is a problem for law enforcement which wants to be able to eavesdrop / wiretap on any and all conversations.
Apple’s use of end-to-end encryption, I think, generally gives people the level of privacy they reasonably expect/assume to have in their personal communications, but it’s not foolproof. The biggest (but not the only) issue is that Apple’s end-to-end encryption only works if all parties are using Apple’s products. If you send a standard SMS message (or use another chat service) as you would have to do for any of your contacts that use an Android phone, for example, you lose the benefit of end-to-end encryption; and that means that your wireless carrier or some other third party could have access to (and provide to others) your chat history and essentially provide a historical ‘wire-tap’ of all your communications. Even if you wanted to use only iMessage and Facetime, Apple hasn’t released apps for Android … so unless every single one of your contacts uses an iPhone … the protection remains fairly limited.
Google’s service (Hangouts) does have a cross-platform app available for each major smartphone, but (believe it or not) it is far worse from a privacy standpoint in that it does not offer end-to-end encryption. Google may not typically do ‘bad’ things with your data, but even if we grant them that … they certainly at the very least have access to the (unencrypted) data, and could easily provide it to others if compelled to do so.
Now, I have nothing to “hide”, but I personally – on principal – I don’t feel I should be giving Google or AT&T (or those they might deal with) my personal communications. I need them to be a platform/conduit, but I reject the idea that they need access to the message content in order to provide that service.
In a perfect world both Apple and Google (and Microsoft once they are a major player again – it’s coming just wait) would offer end-to-end encryption AND allow for key exchange and encryption of messages between their respective services. These companies aren’t likely to play that nicely together left to their own devices, so (surprise surprise) this is a good job for a third party like Open Whisper Systems (https://whispersystems.org/).
I’m really not sure why more people (who I know) don’t use the apps from Open Whisper Systems. They seem to work really well and offer end-to-end encryption for both messaging and voice calls while being available cross platform. (The system doesn’t secure standard SMS (anymore) but can provide secure cross platform messaging through the app.)
These apps allow for secure communications with your friends, family, etc regardless of which smart phone system they use, and the platform is ‘open’. Open in this case means it’s cross platform, developers can fork and build off of it, and its security/code is auditable. How great would it be if Apple, Google, and others decided to contribute to Open Whisper Systems, make their systems compliant – and give us all cross platform end-to-end encryption?! (Answer: very)
Until they do, at least we can use the third party Whisper System apps.
I’ve got the current apps installed but (even though I have lots of security geeks in my social circles) only one other person I know appears to be running them. Wow.
I really think Open Whisper Systems should be running a huge marketing campaign right now to capitalize on all the news we’re seeing about how the Feds want backdoor access to all our communications.
Anyway … go get yourself some secure private communications at https://whispersystems.org/. Send me a secure text once you do.