You may have read numerous pieces on how online communication is hardly ever private. And since most of them are written from a purely technical standpoint, you may ask yourself “Okay, they read what I type, but so what?” Well, it ought to serve as a wake-up call when Amnesty International approaches it as a human rights issue.
In its recently published report, “For your eyes only? Ranking 11 technology companies on encryption and human rights”, the NGO states that encryption of online communication stops cybercriminals, prevents unlawful government surveillance of communications and helps create places where ideas can be expressed freely. Basically, encryption protects people’s human rights online.
When it comes to online privacy, the tech companies designing the tools we use to communicate are among the biggest stakeholders. They bear a large part of the responsibility for any holes in their apps’ security, as well as for protecting users from those willing to exploit them.
Amnesty International looked at 11 tech companies offering the world’s most popular instant messaging services – Facebook, Google, Apple, Microsoft and so on – and at what they and their apps offer in terms of encryption and human rights.
Turns out it is not much.
Encryption and human rights: How did the top IM service providers rank?
The news from the report can be summed up in two headlines:
1) Facebook tops the ranking
2) All companies’ scores (including Facebook’s) are worryingly low
Amnesty International ranked the companies (and not the separate apps they offer) according to five criteria. The bulk of those are related to how the companies in question treat the issue of online privacy from a legal and human rights standpoint – do they take a public stance on privacy, do they inform users whether government agencies are after their data, etc. The sole technical criterion is whether there is end-to-end encryption in their apps by default.
Facebook tops the ranking with a score of 73 out of 100. Which, let’s face it, is far from an A. The report assesses FB Messenger and WhatsApp – which Facebook also owns – and the high score is mostly due to the latter’s end-to-end encryption feature.
More astonishingly, eight of the 11 ranked companies score below 60, which means they basically get Fs. And one – China’s Tencent, developer of QQ and WeChat, the two of which have a combined user base of 1.5 billion people – scores zero points. You read that right.
Is WhatsApp’s encryption good enough to protect your privacy?
Amnesty International checked only whether the apps offer message encryption or not – and not if the provided security is any good. The organization notes that the overall security of the messengers wasn’t assessed in the report and that it doesn’t endorse any of the apps from the report.
And WhatsApp certainly is far from bullet-proof.
The client has the option to store unencrypted copies of all conversations in the cloud for backup purposes. That by itself defeats the purpose of encrypting communication, because the cloud could be accessed by third parties, thus compromising any privacy.
It also has a web interface for sending and receiving messages, which is convenient because you can use the app from a computer. But it is prone to attacks because the web page loads the resources for the app every time you access it – and it could be easily reconfigured to load a malicious version that sends your messages to a third party.
In WhatsApp, chats are encrypted by the sender so that they can be opened only with a specific recipient’s encryption key – and vice versa. That’s how the conversation stays between two people. However, the keys can change – for example, if your contact reinstalls the app or switches phones. WhatsApp doesn’t notify you of the change by default, leaving you oblivious to what might be a man-in-the-middle (MITM) attack.
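The key-change check described above, as an added example that is not WhatsApp's or Secure Chat's code: a trust-on-first-use pin store that flags a contact's new key and re-pins it only after the fingerprint has been confirmed over another channel. The class, its method names and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable fingerprint of a contact's public key."""
    digest = hashlib.sha256(public_key).hexdigest()[:40]
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

class PinStore:
    """Hypothetical trust-on-first-use store: one pinned key per contact."""

    def __init__(self):
        self.pins = {}  # contact -> [fingerprint, verified_out_of_band]

    def check(self, contact: str, public_key: bytes) -> str:
        """Classify the key a contact presents for this session."""
        fp = fingerprint(public_key)
        pin = self.pins.get(contact)
        if pin is None:
            self.pins[contact] = [fp, False]   # first contact: pin it
            return "new"
        if hmac.compare_digest(pin[0], fp):
            return "verified" if pin[1] else "unverified"
        return "changed"                        # pin is NOT overwritten

    def confirm(self, contact: str, public_key: bytes, read_aloud: str) -> bool:
        """Re-pin only if the fingerprint the contact read out over another
        channel (call, in person) matches the key now being presented."""
        fp = fingerprint(public_key)
        if not hmac.compare_digest(fp, read_aloud.strip().lower()):
            return False
        self.pins[contact] = [fp, True]
        return True

    def may_send(self, contact: str, public_key: bytes) -> bool:
        """Policy: block outgoing messages while a key change is unconfirmed."""
        return self.check(contact, public_key) != "changed"

# Constructed sample keys (not real key material).
KEY_OLD = bytes.fromhex("11" * 32)
KEY_NEW = bytes.fromhex("22" * 32)

if __name__ == "__main__":
    store = PinStore()
    for key in (KEY_OLD, KEY_OLD, KEY_NEW):
        print(store.check("alice", key), fingerprint(key))
```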
And, as of this summer, the app also shares user data with Facebook for better targeting of ads in the latter’s service.
So, despite WhatsApp offering encryption by default, privacy is hardly the client’s primary feature.
Where would our proprietary chat, Secure Chat, rank on the encryption and human rights scale?
Secure Group’s own IM app – Secure Chat – is designed exactly with maximum security in mind. Let’s take the liberty of running its specifics through the same criteria Amnesty International used and see where it stands.
Does the company recognize online threats to human rights?
Well, taking these threats seriously is the very reason Secure Group was founded in the first place. We believe it’s everyone’s right to enjoy the privacy and security of their communication. Not only do we recognize online threats to privacy but we offer products and services specifically designed to counter these very threats.
Does it deploy end-to-end encryption as a default?
Yes. In fact, this is only a part of the privacy protection Secure Chat offers by default. It generates new keys for each chat session, meaning that a compromised key doesn’t compromise your entire chat history. It also employs mutual authentication using a secret the two users share, cutting off the way for MITM imposters. And then, on top of that, the storage of the app is encrypted as well.
Does it inform users of privacy risks and of how it responds to them using encryption?
Yes. There’s no on/off switch for encryption in Secure Chat – it is on by default, all the time. This is how we counter the risks to your privacy.
Does it disclose government requests for user data?
All communication via Secure Chat is 100% peer to peer (P2P) – meaning that it is directly between the two parties involved and nothing is stored on our servers.
And does it publish technical details of encryption?
Yes. Secure Chat uses the Off-the-Record (OTR) encryption protocol, which is open source – meaning that it can be read and rewritten by anyone. The former gives users the transparency to know exactly how it works and what it does; the latter opens the door for anyone to contribute and fix any bugs.
No surprise – Secure Chat scores well in the job it was designed for. And that’s the point. If you’re concerned about online privacy – and common wisdom says you should be – you should look for apps that are designed specifically to protect it.
As part of our Secure Pack of encrypted communication apps, Secure Chat is available for Android and BlackBerry and is also included by default in Secure Phone, our flagship line of encrypted smartphones. It's compatible with many other OTR-protected IM apps.