"Elon Musk trusts Signal, so I will trust him too", "Pavel Durov claims that Telegram is not worse, or even better. I agree", "WatsApp is trying to justify itself? Well, no, I won't buy it. Delete", "iMessage and Facetime will definitely not let you down – Apple's priority for many years has been to protect the personal data of its customers", "Messenger is a primitive "child" of Facebook, what kind of privacy can we talk about there?" "Viber doesn't seem reliable to me, it's kind of old-fashioned What kind of privacy is there?" "Skype? Is it still alive?"...
These are the most common misconceptions about known communication platforms. It remains to debunk them in order to move on to something that will allow you to look at privacy from a different angle.
Signal and Telegram: messengers left the chat?
Don't idealize Signal. Despite the fact that the reputation of the messenger is cleaner than that of its opponents, there are also dark "times." For example, in October 2018, information security researcher Matthew Suiche shared information that Signal, in the process of migrating from a Chrome extension to a full-fledged desktop client, exports user messages to unencrypted text files.
In the "secure" Signal there was a "hole" through which the calling device could send a message to the receiving party without her knowledge. Attackers could listen to what was happening near the user even before he accepted an incoming call. The hole was fixed in September 2019.
A year later, in September 2020, researchers from the University of Würzburg tested several services for accessing private information together with colleagues from the Darmstadt University of Technology (Germany). During the tests, it was found that three well-known messengers, including the reference one for many Signal, reveal the personal data of users through the services of searching for contacts by phone numbers stored in the address book. So, during the experiment, using such services, researchers scanned 100% of the numbers of Signal users. They had at their disposal all the data that people post in their profiles (photos, nicknames, statuses, the last date and time of connection).
It's worth noting that the other two messengers that took part in the study were WatsApp and Telegram. The results are also disappointing.
Telegram is also far from ideal. Let's talk about encryption. The "cart", like most other modern instant messengers, uses end-to-end encryption - the message is encrypted on your phone and decrypted on the recipient's device. "In the middle" of this path, the messenger itself does not store a decrypted copy of the message. This encryption provides a high level of security. It is used for voice messages and video calls in Telegram, but not for regular chat messages.
For end-to-end encryption to work for you by default, you need to use "secret chat". But this only applies to private messages, in group chats you are still "naked".
Moreover, end-to-end encryption is not really a panacea. In 2018, a Habr user under the nickname ne555 managed to bypass two-factor authentication, gain access to secret chats (he was able to read and send messages to them). At the same time, the real owner of the account did not even see that he was hacked. Such manipulations were carried out by a hacker as an experiment, to which the developers reacted only after several more successful hacks.
You don't have to give up on WhatsApp. You will be surprised, but if you are not a businessman, not a politician and the information you transmit is not hypersensitive, WhatsApp is quite confidential for you.
The messenger may still surprise you. Another application that "got under the distribution" because of the tricks of Facebook, is Messenger – the "child" of the corporation. Yes, his linking to his Facebook account with two-factor authentication is often criticized, and it is not unreasonable - if an attacker gains access to your account, he will automatically gain access to the messenger. Its standard usage parameters also leave much to be desired - the messenger does not encrypt your messages by default. But what about "secret chat"? Chances are, you didn't even know about its existence.
The security offered by Apple messengers will not suit everyone. The fact is that messages in iMessage and Facetime are truly secure – a level higher than in some other communication applications. But data security comes at a high price in Apple's case - encryption keys are stored on the company's servers, and it can theoretically read them. Moreover, in countries such as Russia and China, it can transfer them to state servers.
Viber can compete even with the sensational Signal. Not many people know, but the application has end-to-end encryption, which is enabled by default for all chats. Also in the arsenal of the messenger, there are "secret chats", the function of automatic deletion of messages, tracking screenshots, and protection against copying and forwarding messages. Of course, this barrel of honey, like each of the messengers, has a few fly in ointment: questions about two-factor authentication and saving backups in clear form.
Use Signal— Elon Musk (@elonmusk) January 7, 2021
Skype is alive and well-fed. If the majority of young people have stopped using Skype, preferring more "fresh" messengers, this does not mean that it should be discounted. Unlike Telegram, the messenger has end-to-end encryption by default (but it's worth noting that developers can access the user's personal data, if required, for example, by law enforcement agencies).
Also, the advantage of Skype over the same Viber is that the messenger does not backup files to other servers. Of course, speaking of Skype, one cannot fail to mention the numerous scandals associated with wiretapping of conversations in the messenger by Microsoft employees (Skype was bought by the tech giant back in 2011).
Before moving on to the climax, after which you may like the idea of using carrier pigeons in your correspondence, it is important to emphasize that the developers of Signal, like the developers of any other messenger, after identifying "holes" eliminate them, improving their applications. But attackers are also improving, picking up new "keys" to data that may interest them. Moreover, in the case of Signal and the popularity that has fallen on it, the risk is really high.
But one way or another, all the controversy around the topic "Which messenger is more reliable" is a transfusion from empty to empty with a ratio of risks. Why? There is no absolute confidentiality. There is always a way to hack something. The only question is who needs it and how much it costs.
Your data no longer belongs to you
Don't panic. Yes, this is true. None of the modern instant messengers can guarantee you one hundred percent protection. But if you are an ordinary person, not a politician, not a businessman, and do not transmit sensitive information using communication platforms, breathe out.
Many instant messengers also collect other information about you - metadata (how often you correspond, what time of day, your location, etc.). Viber, for example, collects information about which sites you visit.
And these are not instant messengers themselves. Sites have a piece of code that reports to instant messengers. Modern instant messengers do not collect correspondence itself, malicious hacking is needed here, and it happens through the operating system of the phone. Within the framework of one phone, it is not so important which messenger you use.
For an ordinary subscriber, the issue of security is really not a fundamental criterion for choosing a particular messenger. As a rule, a user can think about security if he or someone close to him has already had some kind of incident (for example, information leakage).
If you have an acute question of confidentially transmitting a message to another person, then it is best to do this using Signal, Threema, Wire or Riot. IM – these messengers have high reliability according to the estimates of various analytical companies in the sector. True, first you need to persuade your interlocutors to download them.
There are also paid messengers that don't collect your metadata. But it is rather difficult for an ordinary person to use all this. In such a case, safety conflicts with convenience.
One way or another, but all popular instant messengers are not secure, because their encryption algorithms and approaches to security quickly become known to cybercriminals. And here it is only a matter of time and resources to access the data. And everything can be broken. The only question is how quickly and how much is needed.
If none of the popular messengers can guarantee complete confidentiality, then what about the users? Pay attention to other factors that can help you feel more secure:
End-to-end 256-bit encryption, which we talked about earlier – all messages are encrypted right on the gadget before being sent and decrypted already on the gadget, to which they are delivered immediately before reading.
Keys to 256-bit encryption should only be stored on users' gadgets, not on the messenger's server. If messages are encrypted, but the key is stored in the company, it can theoretically read your correspondence.
What if your device was hacked and received the key to the correspondence in the messenger? To do this, you also need to have the option to generate a key for each separate session - Perfect Forward Secrecy or PFS. Thus, even having received the encryption key, it will be impossible to open all previous correspondence stored on the device.
For secure browsing and communication, additionally use VPN services.
Wish you safe correspondence!