20 Sep 2018
Singaporeans send thousands of messages every day – to our friends, to group family chats, to our classmates and colleagues, to our partners, and a few more random people too. Chances are, we want the messages we send to someone to stay between the two (or more) of us. Given how often we all use messaging apps, it is increasingly important that we try to protect our privacy and our personal information. One way to do this is by using an encrypted messaging app.
What is encryption?
You can skip ahead to the list of apps, but you may first want to learn what end-to-end encryption means. To start, let us understand what encryption itself means. Encryption, or what was known as cryptography, has been used for centuries, from Ancient Egyptians to Alan Turing’s Enigma machine. Encryption means taking a message or some information and scrambling it so that no one else can read it.
For example, if I wanted to encrypt the message HAPPY BIRTHDAY using a simple substitution cipher, I could use the Atbash cipher. The Atbash cipher takes the alphabet and maps it to its reverse, so that the A becomes Z, B becomes Y, and so on. My encrypted message would be SZKKB YRIGSWZB and someone would need to know the cipher I was using to crack it.
On the Internet, you send a lot of private data to other computers or servers every day. Encryption takes your data and scrambles it, making it impossible for anyone who intercepts this data to read or understand it, except for the person you sent it to. When it reaches this person, the data is decrypted back to its original form so they can read and understand it. The unencrypted data is called plain text, and the encrypted data is called ciphertext. The software in your computer that takes the data and encrypts it is called an encryption algorithm. The algorithm is used with an encryption key, so that only the person with the right key can decrypt the data.
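The Atbash example and the role of the key described above can be put side by side. This is an added example, not part of the original article; the keyword cipher and the sample keys MERLION and DURIAN are constructed for illustration, and both ciphers are teaching toys rather than real protection.

```python
import string

ALPHABET = string.ascii_uppercase

def atbash(text):
    """Keyless cipher: A<->Z, B<->Y, ... Other characters pass through."""
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[::-1]))

def keyed_alphabet(key):
    """Build a substitution alphabet from a secret keyword (classical
    keyword cipher): the keyword's distinct letters, then the rest."""
    seen = []
    for ch in key.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def substitute(text, key, decrypt=False):
    """Encrypt or decrypt with the alphabet derived from `key`."""
    perm = keyed_alphabet(key)
    src, dst = (perm, ALPHABET) if decrypt else (ALPHABET, perm)
    return text.upper().translate(str.maketrans(src, dst))

if __name__ == "__main__":
    msg = "HAPPY BIRTHDAY"
    # Atbash has no key: knowing the algorithm is enough, and applying it
    # a second time gives the message back.
    print(atbash(msg))
    print(atbash(atbash(msg)))
    # With a key, the algorithm can be public while the key stays secret.
    ct = substitute(msg, "MERLION")                    # constructed sample key
    print(ct)
    print(substitute(ct, "MERLION", decrypt=True))     # right key: message
    print(substitute(ct, "DURIAN", decrypt=True))      # wrong key: gibberish
```
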
What are symmetric and asymmetric encryption?
These sound complicated, but here is an easy way to understand.
Symmetric encryption is when the same encryption key is used by both the sender and receiver. For example, Muthu sends Mohamad a private message. The message goes through an encryption algorithm and is encrypted using an encryption key. While anyone might learn the algorithm, the key is a secret between Muthu and Mohamad. If Wei Jie tries to intercept the message, he might be able to learn the ciphertext, but he cannot decrypt it to the original message without the key. The problem with symmetric encryption is that both Muthu and Mohamad need to have the key, and the key might be difficult to send over without it getting compromised.
Asymmetric encryption solves this. Each person has two keys: one public key and one private key. Muthu and Mohamad both have access to each other’s public keys, and Wei Jie has access to these too. Muthu uses Mohamad’s public key to encrypt his message. Decrypting it requires Mohamad’s public and private key. Nobody has access to this private key except Mohamad. Since nobody needs to send their private key to anyone else, there is very little risk of anyone getting it.
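The Muthu, Mohamad and Wei Jie exchange above, worked through with textbook RSA. This is an added example, not part of the original article; the primes, exponent and function names are constructed for illustration, and real keys use far larger primes together with randomised padding.

```python
# Textbook RSA with tiny constructed primes. Illustration only.
P, Q = 61, 53
N = P * Q                            # modulus, shared by both keys
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)

MOHAMAD_PUBLIC = (E, N)    # known to Muthu and also to Wei Jie
MOHAMAD_PRIVATE = (D, N)   # known only to Mohamad

def apply_key(numbers, key):
    """Raise each number to the key's exponent, modulo N."""
    exponent, modulus = key
    return [pow(x, exponent, modulus) for x in numbers]

def encrypt(message, public_key):
    """Muthu's side: one number per byte (every byte value is below N)."""
    return apply_key(list(message.encode("utf-8")), public_key)

def decrypt(ciphertext, private_key):
    """Mohamad's side: only the private exponent undoes the public one."""
    return bytes(apply_key(ciphertext, private_key)).decode("utf-8")

if __name__ == "__main__":
    ciphertext = encrypt("HAPPY BIRTHDAY", MOHAMAD_PUBLIC)
    print(ciphertext)
    print(decrypt(ciphertext, MOHAMAD_PRIVATE))
    # Wei Jie holds the ciphertext and the public key, but applying the
    # public key again does not give the message back.
    print(apply_key(ciphertext, MOHAMAD_PUBLIC))
```
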
So what is end-to-end encryption?
End-to-end encryption is a type of asymmetric encryption. As the name suggests, it protects data so that only two people can read it: the sender and the receiver. This means that no one else can read the data, like hackers, governments, companies, or the server that the data passes through. This means that when Muthu sends Mohamad a message, Wei Jie cannot hack it to read it. If the message goes through WhatsApp’s server, WhatsApp cannot read the message. If the service wanted to give this data to third parties, they would not be able to either.
You do not actually use end-to-end encryption yourself, and most likely do not realise when you are using it. For example, Transport Layer Security (TLS) is now standard for encryption on websites. If you use a site that allows you to encrypt your data, like any site where you need to enter personal information like your card details or passwords, there are signs that show that the site is secure. One sign is that the URL starts with https:// instead of http:// where the s stands for secure.
Do I need to use end-to-end encryption?
Only you can decide. In some situations, you definitely do, like when you purchase items online and enter your card details or do any other online banking. In times like this, the encryption happens without you knowing. In daily life, you can choose to use communication apps that have end-to-end encryption just to have the peace of mind that absolutely no one else can access your messages or calls – knowing that your data is private and safer from hacks. However, end-to-end encryption only means that people will not have access to your data; a lot of information can still be revealed through metadata.
What is metadata?
Metadata is essentially data about data – it does not include the content of your message, but it includes where you sent the message from, the time you sent it, and the person you sent it to. It applies to messages, phone calls, and even the time you spend online. Metadata is a security issue because it can be used to piece together information about you, like your interests, economic status, political affiliation, location, habits, and social circles. It puts together a detailed picture of your movements and daily life. Think about metadata as your digital footprints.
You might not think this is a problem, but it is when metadata that is collected by companies is outsourced to data analyst companies or leaked, sold to, or hacked by other third parties. The digital world is such a huge part of our lives that your digital footprints reveal a lot about you. With this information, companies can create individual and group profiles that can be used by advertising companies to target you. Protecting metadata is thus a large part of how we think about privacy.
Which apps should I use?
There are so many encrypted messaging apps on the market that it is difficult to definitively claim that any one is the best. Instead, we provide an assessment of seven popular encrypted messaging apps that you can consider using.
1. Signal
Signal is a leader in encrypted messaging apps because it is open source – anyone can look at the app’s code to inspect it, which does not make it easier to hack but instead improves the robustness of the encryption method.
The app is visually plain and functionally comprehensive. It supports messages, group chats, the sending of files and photos, archive functionality, voice notes, and voice and video calls. Messages can also be set to self-destruct after a set amount of time. The app can also be used on your computer with the Chrome browser plugin.
Signal also has interesting features such as blocking screenshots within the app and in the recents list, and an incognito keyboard, so that your phone’s keyboard does not learn your writing habits when you are sending messages on Signal. Although Signal can be used as a replacement for SMS, both users need to have Signal installed for the end-to-end encryption to work.
Signal is free to use and ad-free. Signal is owned by Open Whisper Systems, which is a non-profit made of software developers, whose mission is to ‘advance the state of the art for secure communication’. As such, Signal’s architecture protects and hides a lot of metadata from users of the app.
2. Telegram
Telegram was one of the first apps on the market. End-to-end encryption is not enabled by default on Telegram. You need to make sure Secret mode is activated so that no one else is able to access your messages. Its encryption methods are also not open source and thus have not been as closely inspected by third-party experts.
The app has features like group chats, the sending of files and photos (also encrypted only when in Secret mode), disappearing messages, archive functionality, and voice and video calls. However, it is more comprehensive in terms of extras, offering stickers and basic photo and video editing. Once Secret mode is turned on, messages can also self-destruct across all the devices in a chat, and there is the option of self-destructing your account within a set time.
Telegram lets users find other users by their number and user name, meaning that contacts don’t need to have or know a phone number when using it. This makes it an impressive cross between a messaging system and a social network. Telegram also syncs across multiple devices and platforms, and has unlimited broadcast groups (meaning that you can send many people messages individually at once).
Telegram is free to use and ad-free. All data is encrypted and stored on Telegram’s servers, except for the Secret Chat messages – which are not stored on their servers.
3. WhatsApp
WhatsApp was already used by a billion people around the world before the company collaborated with Open Whisper Systems (who develop Signal) and integrated the same encryption protocol into their chats.
This means that WhatsApp messages are now, by default, end-to-end encrypted. There is very little that this app cannot do. It has group chats and calls, file sharing, archive functionality, location sharing, a Broadcast feature, and more. The popularity of the app also works in its favour, since you likely do not have to convince people to get the app.
WhatsApp is free to use and ad-free. However, WhatsApp is owned by Facebook and openly admits to collecting a lot of metadata about you for marketing and other purposes. If you are very privacy-conscious, this might put you off the app.
4. Facebook Messenger
The old-school (at least to the millennials) Facebook also uses end-to-end encryption, the same Signal protocol used by WhatsApp and Signal itself. This means your messages cannot be viewed by Facebook staff. However, like Telegram, this needs to be turned on through the Secret Conversation setting in the conversation options. You also cannot encrypt conversations you have already had.
Facebook Messenger functions like most other apps, with group chats and calls, file sharing, location sharing and video calling. It is also very user-friendly, with stickers, GIFs, and even games within the app.
However, Facebook Messenger, like WhatsApp, falls under the Facebook goliath, meaning that the app still contributes to the data that Facebook collects about you and its billions of users. Be sure to read through Facebook’s data and privacy practices to check if you are comfortable with them before relying on this as your encrypted messaging app of choice.
5. Wire
Wire is an app that is, in many ways, similar to Signal. The encryption protocol is based on Signal’s and it is also open source – meaning that it has been vetted by third-party security experts.
The app includes encrypted messaging, group chats, individual video and voice calls, conference voice calls, screen sharing, and file sharing. Wire was made for consumers, so it is integrated with different content platforms, including YouTube and Spotify. One Wire account also works on up to 8 devices, allowing you to sync your content across devices. Unlike many messaging apps, Wire does not require you to provide a phone number or own a smartphone to use the app. Registration can be carried out using just an email address. However, Wire does have a paid version that may have some of the features you want, such as secure file sharing for files about 25MB and video calls for groups.
Wire Swiss, the company which owns the app, also collects several types of metadata about users. Although the company does not sell the data, it could possibly be hacked, leaked, or provided if they receive a subpoena.
6. Silence
Silence is an app that deals with SMS and MMS, instead of chats that work over the Internet. It is one of the apps that came after Signal, and uses the same open-source encryption methods that are regularly audited by security experts to test for robustness.
Since the app focuses on messages, it works without Wi-Fi and has individual messaging functions. However, it is limited in its range of features, and does not have group chats or video call functions. Instead, it makes up for that with additional security features such as disabling screenshots by the other party and having to enter a password to unlock the app.
Given that it works like texts, your phone network will also still be able to collect data about who you are texting and when, even if not what. It is recommended to use this app in tandem with another, like Signal, to enjoy both secure texts and group chats.
7. iMessage and FaceTime
Apple has introduced end-to-end encryption of all your messages in iMessage, the default messaging app on iOS devices, and all your calls and videos on FaceTime. iMessage and FaceTime are available on iOS mobile devices as well as Apple’s Mac computers.
The two apps cover a range of basic functionalities, such as messaging, location or file sharing, and voice and video calls. Third-party apps that use iMessage also do not get access to your messages or contact information. Your iMessage messages are backed up on iCloud, but this can be turned off in your settings.
However, the encryption only works if both people are using iMessage or FaceTime, which means you can’t contact any Android or Windows friends using these. It is also worth noting that Apple is another mega-company with extensive data collection practices, and the amount of metadata collected when using either of the apps would increase the amount of data they have on you.