Who can read your messages?

In today's world we exchange data readily and reveal so much of our intimate lives over messaging platforms. These platforms know not only where we have been but also who we have talked to and what we have discussed. They have access to our address books, calendars, locations and pictures. Increasingly, external entities are gaining the ability to know and map more parts of our everyday journey through life, to the extent where they now understand us in some ways better than we understand ourselves. This may under certain circumstances be a good and desired thing, but it is not always the case.

We are not in control, and there is no guarantee that only the good use cases will occur. In this context it is desirable to occasionally take a step back and analyse the security of each medium and what measures its operators have put in place to protect us by safeguarding our privacy. This is exactly what the Electronic Frontier Foundation (EFF) is aiming to do with its Secure Messaging Scorecard.

EFF Secure Messaging Scorecard

Many systems we implicitly assume are secure turn out in the end not to be as safe as their proponents proclaim. For instance, text messages are only encrypted when transmitted over the airwaves; on the operators' internal systems they are often passed between nodes in plaintext over unencrypted connections. This doesn't mean they are accessible to everyone, as there are strict laws in place (though these differ from nation to nation), and operators additionally establish control measures for their staff to limit risk by dictating who may execute certain queries. However, what you may not have fathomed is that basic Blackberry Messenger, Facebook Chat, Skype and WhatsApp are equally exposed on the backend, and that employees, external partners, researchers, government agencies, the police and in some cases even your employer could make a request and gain access to everything you have ever shared, including that joke about the boss, the drunken night out or that risqué picture you shared with someone who was not your committed partner. The laws in these instances are often less strict and very flexible. This information is likely already being accessed where there is a direct commercial implication; outside of that, access is governed by the individual terms of use and privacy policies of the companies, which can leave great latitude for disclosure.

Vendors may claim to protect privacy, but how do we check this? Do they have enough measures in place to protect us from ourselves, from everybody else and even from the vendors themselves? Many offer privacy only on the surface while accessing our communications on the backend in ways not seen before, to generate user profiles for advertising and other yet-to-be-disclosed purposes. This is driven by a change in the business model: users no longer expect to pay to be connected to another party. Hence businesses offer the connection service for free, charging only the basic bandwidth costs, and instead make their profits by harvesting our personal information for resale to other interested parties.

Another trend is that data is becoming perpetual as the cost of storing information rapidly approaches zero. Message exchanges were previously ephemeral, which meant our exposure was usually limited in time unless calls were being tapped or otherwise recorded at that moment. Snapchat and others may be trying to bring back this temporary nature of the exchange with features that allow messages to expire, but this is unlikely to become ubiquitous, nor does it offer any added protection if the underlying infrastructure allows eavesdropping. The fact is that all communication in every form, whether calls or text messages, is now being tracked on some level everywhere, because it is inexpensive and technically feasible, as revealed by Edward Snowden and theguardian.

NSA Files Decoded

Our basic telephone services were never encrypted or secure to begin with, but at least monitoring required significant effort and was temporary; now our messages are being archived to form a de facto permanent record. Furthermore, our governments, driven by the need to ensure security and the urge to prevent terrorist atrocities and the corresponding random mass acts of violence, are joining in on the act, proposing new laws and expanding the powers of the world's spying agencies.

This is why you need to pay attention when services implement things like Perfect Forward Secrecy, when they encrypt the connections between datacentres, and when keys are generated between the devices in a manner that prevents even the company selling the service from deciphering the data. Measures like these, along with Two Factor Authentication, can reduce or even eliminate episodes like The Fappening and The Snappening.
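To make the Perfect Forward Secrecy point concrete, here is an added toy illustration in Python (not from the original post or from any of the services named): a Diffie-Hellman chat with constructed parameters, a hash-based toy stream cipher and no signatures, showing that a recorded transcript keyed from long-term keys becomes readable once one long-term key leaks, while a transcript keyed from per-session ephemeral keys does not.

```python
import hashlib
import secrets

# Constructed toy parameters: Mersenne prime modulus and generator 5.
# Far too small for real use; the point is key lifetime, not group strength.
P = (1 << 127) - 1
G = 5


def keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(my_priv, their_pub):
    """Derive a symmetric key from the DH shared secret with SHA-256."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher: keystream block i = SHA-256(key || i). Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_key_chat(alice_lt, bob_lt, msg):
    """No forward secrecy: every session reuses the long-term keys."""
    return xor_stream(session_key(alice_lt[0], bob_lt[1]), msg)


def forward_secret_chat(msg):
    """Forward secrecy: fresh ephemeral keys per session, discarded afterwards.
    A real protocol signs the ephemeral values with long-term keys; omitted here."""
    a_eph, b_eph = keypair(), keypair()
    ct = xor_stream(session_key(a_eph[0], b_eph[1]), msg)
    return ct, a_eph[1]          # only ciphertext and public values are ever observable


def later_compromise(ct, peer_pub, stolen_priv):
    """Someone who later obtains a private key tries to read a recorded session."""
    return xor_stream(session_key(stolen_priv, peer_pub), ct)


def demo(msg=b"that joke about the boss"):
    """Return (static transcript exposed?, forward-secret transcript still secret?)."""
    alice_lt, bob_lt = keypair(), keypair()
    exposed = later_compromise(static_key_chat(alice_lt, bob_lt, msg), alice_lt[1], bob_lt[0]) == msg
    ct, alice_eph_pub = forward_secret_chat(msg)
    still_secret = later_compromise(ct, alice_eph_pub, bob_lt[0]) != msg
    return exposed, still_secret
```

Running demo() returns (True, True): the static-key transcript is fully recovered from the leaked long-term key, the ephemeral-key transcript is not.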

Pay attention to projects such as Open Whisper Systems and CryptoCat. Do give apps like Telegram and TextSecure a try. Most importantly, read the full Secure Messaging Scorecard today.