Former Puerto Rico Governor Ricardo Rossello’s leaked messages this summer raised many questions for us privacy junkies, including alarm bells about secure messaging applications. We wondered, in light of such a massive breach of supposedly secure messaging, what constitutes secure messaging today? What constitutes private messaging today?
Telegram, Rossello’s messaging application of choice, supports end-to-end encryption. Its “secret chats” feature supports self-destructive messaging, deletes information from their servers and prevents messages from being forwarded or saved to the cloud. However, if you don’t turn on the “secret chats” feature, your chats are saved to the cloud, accessible from multiple devices at the same time and can remain on said devices for extended periods of time. Without the “secret chats” feature, your information is completely vulnerable.
Vulnerable? How could my information be vulnerable if it is end-to-end encrypted? Encryption is only part of the story. Does that mean security should stop there? What about the risk of people you chatting with posting your chats on Facebook, taking screenshots, keeping those chats on their devices indefinitely? How many devices are your messages stored on? Your smartphone, laptop, tablet? Are they backed up to the cloud? While encryption is good in that it protects against man-in-the-middle attacks, it does nothing once a message reaches a recipient’s phone and the sender loses all control.
One popular way to tackle this security flaw is with disappearing messages: Telegram’s “secret chat” offers that feature, as do messaging apps such as Signal and even Facebook Messenger “secret conversations.” That way you can ensure nobody keeps your messages on their devices longer than you want, but there is always a chance the messaging application you are using could be faulty and not delete your messages as promised. Even if your messages are deleted on all devices after a certain period of time, they could still remain in the cloud.
So, what should you look for in a secure messaging application?
1) Encrypt by default or only support encryption. Make sure whichever messaging application you choose does not require you to turn on a specific feature to make sure your messages are encrypted.
2) Shred on demand in addition to disappearing policies. Disappearing policies are an excellent way to protect your information from being kept indefinitely; however, it is important to be able to remove messages from all devices at any given time, too. That way you have an additional way to control how long your messages remain on other devices and can remove any messages immediately and easily.
3) Prevents messages from being shared or saved without your consent. You should always be able to control whether your messages can be forwarded to others, copied and shared, saved to a device or the cloud, or posted online by anyone.
4) Independent audit. Providers that have had an independent third-party audit their security models are more reliable and trustworthy. It’s a good litmus test for whether providers maintain the security features they promise and do not compromise their users’ information.
There are also steps you can take with whichever application you are currently using, be it iMessage, WhatsApp, Facebook Messenger, or something else. For instance, some services automatically enable cloud backups so that you can access your messages on multiple devices; that typically means you can turn off the cloud backup as well. If the application your using has extra security features, turn them on.
When all is said and done, in order to have both private and secure conversations, you need to look for the right application that goes beyond encryption and provides you with advanced controls and policies. Historically, the need to have private and secure conversations has been most relevant to political figures, regulated businesses, celebrities and other public figures, but in the messaging environment we communicate in today, it matters for all of us. We all use vulnerable communication tools, whether we realize it or not — understanding the nuances of the security and privacy of those tools is an important step to protecting your information.
Contributor: Galina Datskovsky and Paul Viollis