Facebook’s messaging apps have been ranked the best in the world for secure communication by Amnesty International - but there's a catch. Although Facebook came out on top, the charity counts WhatsApp and Messenger, with their 2 billion combined users, together in its calculations - and there are some stark differences.
While Whatsapp is “the only app where users are explicitly warned when end-to-end encryption is not applied to a particular chat”, Messenger does not use end-to-end encryption as default and does not tell users that normal conversations in Facebook use less secure forms of encryption.
WhatsApp deployed end-to-end encryption - a security system that means only the customers can see the text, not the company - earlier this year as default, and regular users may have noticed the proclamation explaining this fact at the start of every new WhatsApp chat. It uses the Signal Protocol developed by Open Whisper Systems, an open-source private messaging system supported by Edward Snowden. These facts make it incredibly attractive to Amnesty, which wants to encourage activists and journalists working in countries where their work puts them in great danger, to use the most secure communications systems possible.
There is, however, an added complication - earlier this year WhatsApp announced it would be sharing data with Facebook. The EU Competition Commissioner Margrethe Vestager is currently investigating this, since Facebook was initially allowed to buy WhatsApp in 2014 after making assurances it would not share data.
Aside from the Facebook data sharing problem, the Electronic Frontier Foundation has also published caveats about using WhatsApp for three reasons: messages backed up to the cloud are not encrypted, so it warns any user and recipients to select an option never to backup; if a recipient of your messages changes their encryption key, the fact is hidden by default; a WhatsApp web extension would be far more secure than the desktop version offered.
With Messenger, Facebook has been full steam ahead in pushing its potential on customers. After forcing Facebook members to download the separate mobile app to retrieve messages, the social network began to introduce peer-to-peer payments, location-sharing and voice calls, and has opened it up to outside developers. In the meantime, it lagged behind WhatsApp in the security stakes, and has only caught up this month with the introduction of an end-to-end encryption option.
The “Secret Conversations” option appeared after an update but customers were not alerted to this opt-in change. The service, which also uses the Signal Protocol, provides an option for messages with an expiration date. To use “Secret Conversations”, users need to select it as an option in Messenger settings, select someone to message, then select the information button in the chat to start a separate “Secret Conversation”. It’s hardly straightforward and will likely only be used by those in the know, who need to keep their communications secure for their own personal protection.
So, although Facebook was ranked number one with a score of 73, those coming a close second with 67 points offer a great deal to activists who want to work under the radar when judged by the encryption they offer, as well as their transparency around government requests for data. These are Apple, with iMessage and Facetime, and Telegram.
The former offers end-to-end encryption by default, and very publicly refused to work with the FBI to hack an iPhone belonging to one of the San Bernardino shooters - arguing that creating a backdoor to encryption would render the devices insecure for users all over the globe that might be at risk. Amnesty’s only complaint was that Apple should notify users when messages are not protected, such as those sent to non-iPhone users. This is a problem WhatsApp and Telegram do not face.
Well short of WhatsApp’s billion users, Telegram has 100 million monthly users and came to life specifically as a means to promote and protect privacy. Speaking in the March 2015 issue of WIRED, Telegram founder Pavel Durov said: "Secure messaging should be free for everyone. Displaying ads alongside your private communication seems out of place, even immoral. We're aiming to set a higher standard for messaging technologies, to raise the bar of communication in terms of speed, security and versatility."
In this highly publicised context, Amnesty points out it is “surprising” that end-to-end encryption is not set as default and users are not warned when they are using a weaker form of encryption.
Google, Line (popular in Japan and southeast Asia) and Viber follow behind, roughly on a level with one another. Microsoft scored a paltry 40 for Skype due to its weak encryption which persists (it does not have end-to-end encryption as default), despite the fact it has apparently been a target of government surveillance - the Edward Snowden leaks showed that the NSA had full access to the video calling service, a fact Microsoft denies.
Snapchat scores even lower with 26, with no end-to-end encryption and a selling point that Amnesty says “may give users a false sense of privacy”.
Amnesty put the report forward largely as a means of highlighting the services that offer the most protections to the kinds of activists and journalists it supports everyday. But it does point out that beyond these factors, there are millions of people using the services on a daily basis with no knowledge of whether their communications could be vulnerable to hackers. “Many of us trust these apps with intimate details of our personal life,” the charity said. “Companies that fail to take basic steps to protect our communications are failing that trust.”
It calls for every company to deploy end-to-end encryption as default and to be transparent with consumers about the level of security they are receiving.
This article was originally published by WIRED UK
