There have been many questions raised about how private our data really is. Some whistleblowers such as Edward Snowden brought to light how easily the government or even corporations can access and use our data. Apple had to apologise for its Siri grading program where its employees and contractors were listening in on samples of Siri conversations. That sparked a debate about whether or not our phones are recording us. Northeastern University’s study indicated that 17,000 of the most popular apps were recording users’ screens and sharing them with third parties without user knowledge.
While we become more dependent on our phones and get lured into providing additional data, some apps provided appealing alternatives. WhatsApp became instantly popular due to its branding as ‘encrypted’ messaging. There are many other messaging apps that flaunt their encryption capabilities such as Viber, Signal, and Wickr.
iMessage is used by 1.3 billion people today. Apple claims that iMessage provides end-to-end encryption only accessible with your passcode. While Apple cannot see the messages while in transmission between devices (sender and receiver), there are still ways to access the messages saved on the device.
Your messages hit the Apple server once you hit ‘send.’ That means that Apple is able to store the data for 30 days and thus access it during that time. End-to-end encryption does not guarantee unconditional or unlimited protection. It is encryption at the time of transmission but when the database which enables you to store the chat on your phone does not include double encryption which means that the content of the messages can easily be extracted with some light developer work.
Few legal cases have shed light on the fact that Apple, in fact, cannot access the full contents of the messages. However, they can and do collect metadata in their logs, which can provide revealing information about you and your activities. While Apple claims that it does not collect or store any location-related information, the logs collect IP addresses which often contain GPS data. The lesson here is that there are legal grey areas and a company may still unintentionally collect certain data even if it claims otherwise.
WhatsApp gained its prominence initially due to being the most secure messaging app. They added the feature to delete messages on devices. Even if only one person in the group wants to delete the messages in a group chat, the messages can be deleted off all participants’ devices. This feature solves the issue of discontinued encryption when the messages are retained on one or more devices. All in all, many of its 1.5 billion users considered WhatsApp to be the most secure third-party messaging app.
Not so fast. In February, it came to light that the WhatsApp messages could be found via Google search. It was a blunder on the app’s part. The invite link to a group chat was accidentally getting indexed by Google and thus making its existence available to the public. Over 470K WhatsApp chats were found when searching “chat.whatsapp.com” URL. Some apparently included phone numbers of the participants. This incident, along with being acquired by Facebook which was repeatedly criticised for data breaches, eroded the trust people once had in the app’s security. End-to-end encryption doesn’t guarantee that messages cannot be accessed in their entirety to whoever owns the server, who in this case will be Facebook. The European Union moved to ban WhatsApp for official use and switch to Signal.
Signal became popular in light of the security breaches of WhatsApp. Signal is similarly an open-source, end-to-end encrypted messaging app but it does not store metadata or allows cloud backup. The endorsement of European Union which switched over from WhatsApp as well as Edward Snowden, an ex-NSA whistleblower who called to attention overreaching access to personal data by the government, really elevated the status of the new messaging app. Just like SMS, iMessage, or WhatsApp, Signal offers messages, attachments, and voice/video calls.
Signal offers a feature that allows messages to be auto-deleted after some time. Once the sender opts in to use this feature, it cannot be stopped or called back. Signal also offers another privacy-enforcing feature called Screen Security which disables anyone from taking screenshots. These features ensure that the messages remain encrypted as they won’t be saved in any form on the device.
Perhaps what’s most interesting about Signal is that it also provides next-level encryption for in-app phone calls. Once the call is connected, both participants will see two words appear on their phones sequentially. Thus, the participants can verify that they are seeing the same words to ensure the encryption is working correctly. If the words do not match, they can disconnect the call and switch over to a different internet network. This protects the conversation from being intercepted or accessed in any way. Such powerful technology led to a partnership with Microsoft to bring Signal’s encryption protocol to Skype.
Wickr claims to be the most secure platform even though it only recently started making strides towards being open-source. It has a few different versions, Wickr Me, Wickr Pro, and Wickr Enterprise. Wickr Me is the most basic peer-to-peer messaging and Wickr Pro provides video calls and conferencing as well as better file-sharing capabilities. Wickr Enterprise is for corporations with services tailored to help corporations provide a secure, well-encrypted communication platform while complying with all relevant regulations.
Wickr supports ephemeral messaging where the content disappears shortly once it’s read by the recipient. When you sign up, your username is secured using one of the best cryptographic functions called SHA256. Using AES256 encryption, Wickr encrypts data not just during transmission like its competitors but also once upon delivery. The data is deleted permanently from its server once it expires. Your device is also anonymous to Wickr as it doesn’t track or store IP addresses. The FBI famously accessed WhatsApp messages during its investigations of some of President Trump’s associates such as Paul Manafort. As Wickr offers multiple layers of encryption and extremely limited storage of data on its servers, the government will not be able to obtain much data from Wickr even with a subpoena.
The platform supports compliance while preserving its commitment to multi-layered-encryption of user communications and activities. While it complies with valid legal requests from the government authorities, it will notify the users regarding any surveillance and communicate as much information as it legally can. Wickr Pro offers a bot to companies who need to retain the audit trail of conversations and the saved messages only live with the bot, not with the participants’ devices.
Vigilance Is Key in Ensuring Security
Simply having end-to-end encryption does not equate to comprehensive privacy protection. Company’s disclosure and legal disclaimers can be intentionally or unintentionally misleading as there are many other loopholes and agreements that could allow alternative entryways into your personal data. Best way to protect yourself is to aim to anonymise your internet activities as much as possible using security protocols and protection software.