Messaging apps: How safe are they?
Special counsel Robert Mueller’s team is reportedly reviewing the encrypted messaging apps of witnesses in the Russia investigation. Not all encrypted messaging apps disclose their user numbers, so it’s hard to pinpoint just how prolific they have become. But the most popular among them, WhatsApp, claims 1.5 billion users around the world. Offering people what’s known as end-to-end encryption, in which only the sender and the intended recipient can read a message, the apps are designed to help people communicate more securely. They are popular among activists, journalists, security professionals and government officials. Here’s a look at how the four apps that are reportedly being reviewed work:
Signal
Signal is considered by security experts to be the gold standard for secure messaging. Senders and their recipients can set messages to disappear after just five seconds or up to one week. (For messages to disappear, users can switch the setting on for each contact.) People can also manually delete messages or conversations. The messages are stored only on the device, and Signal can’t read its contents.
The witnesses in the Russia investigation reportedly handed over their phones willingly. If they also unlocked their phones as part of the arrangement, and used Signal but did not erase their messages, Mueller’s team could easily view the witnesses’ correspondence. With full access to the device, experts said agents would be able to view a person’s Signal message history as if they were the phone’s owner. Mueller’s team could read old messages on the phone like a normal user, or to ensure that potential evidence is preserved, they could retrieve the underlying data, back it up and then insert it into a new device.
WhatsApp, used by 1.5 billion people each month, is owned by Facebook. Users can call and text, message groups, and send pictures and video with the app. WhatsApp’s encryption was built using the same technology as Signal, and the contents of messages are stored only on the device; not even the company can read the communications. With access to a device, however, agents would be able to see a user’s WhatsApp message history. WhatsApp does not offer an auto-delete feature, but users can manually delete messages or entire conversations.
Unlike Signal, WhatsApp offers users a feature to back up their message archive. Experts say this can give users the convenience of keeping their chat history if they lose their device or get a new one, but it also introduces the added risk of an unauthorized user gaining access to the communications. WhatsApp notifies users that when they back up their chat history, the media and messages are no longer protected by end-to-end encryption while stored in the cloud.
Dust
With Dust, users can choose between automatically deleting messages after 24 hours or after they have been read, according to its website. The app claims that “no messages are permanently stored on phones or servers” and that the messages are encrypted and “not accessible to anyone.” The app alerts users when someone takes a screenshot; for Android and Windows users, Dust disables the ability to take screenshots. The app offers text, photo and video messaging.
Confide
Messages on Confide disappear after they have been seen, according to the app’s website. “After they are read once, they are gone. We delete them from our servers and wipe them from the device,” the app states. The service allows users to text and send photos, videos, documents and voice messages. Confide also claims it prevents screenshots and “ensures that only one line of the message is unveiled at a time and that the sender’s name is not simultaneously visible.”
It’s unclear if deleted messages on these apps can be retrieved. Experts say it depends on the phone, the security of the app and the thoroughness of the searches.
“Hypothetically, it’s possible,” Matthew Green, a professor at Johns Hopkins University who focuses on applied cryptography, said. “But it would be very difficult to uncover deleted messages from a well-designed app.”
Other experts noted that phones can offer a window into our lives through less obvious ways than what’s been typed in messages. “I may not be interested at all in the contents of your conversations, but I might find it interesting to see who you are in contact with,” said Daniel Kahn Gillmor, a staff technologist for the American Civil Liberties Union’s Speech, Privacy and Technology Project.
Best tool against hackers
Encryption is the best tool people have for defending against hackers, cybercriminals and government surveillance, said Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society. Still, “your communications encryption choices are only worth as much as the trustworthiness of the people you’re talking to,” she said.
“If someone in a group chat is a police informant, or your friend shows the messages you sent them to someone you didn’t want to see them, then encrypting messages in transit and encrypting your own phone doesn’t do you any good,” Pfefferkorn noted. “This has always been a privacy risk, though, well before the advent of encrypted apps and devices. If your trust turns out to have been misplaced, that’s the risk you take.”
— Hamza Shaban