It was recently revealed that the Chinese messaging app WeChat has been censoring user messages by “ghosting” ones that contained blocked words. The sender will think it sent; the recipient will never know it existed. The blocked words list is updated according to what’s in the news.
It may be tempting for some to dismiss this as a problem for China and China alone, but surveillance policy is creeping forward everywhere. Domestic procedural legislation approved by the US Supreme court earlier this month mirrors guidelines recently published by the Supreme People’s Court of China. Meanwhile, American companies like Facebook have signaled their willingness to implement censorship policies in China.
Most messaging apps are not secure by professional infosec standards because the messages you send can potentially be accessed by hackers or given over to the government upon request. There are many options for secure messaging, but one is breaking away from the pack. It’s called Signal, and it’s really easy to use, allows for group chatting, and works on Android, iOS, and desktop.
Signal uses end-to-end encryption to secure communication between users, meaning that the originating device sends off info that is scrambled, and only the receiving device knows the specific way to unscramble it. Like any social app, it depends on network effects: It works best if all the people you want to talk to use it too. What would it take to get a significant portion of the population to a secure messaging app? The Google app store says Signal has more than a million downloads. Is a million enough? Let’s say it has another million on iOS. Is 2 million enough?
Mass adoption may not be a consideration for Signal, said Pamela Clark-Dickson. Clark-Dickson is a lead analyst of consumer services at Ovum, a market research firm that specializes in IT. Since the app is open source and used by “rival” companies in the chat app market, she thinks it’s possible that Open Whisper Systems made the app to “showcase its encryption abilities, as opposed to having any serious ambitions to be a world-dominating chat app.”
The security of a chat application is clearly not the biggest draw for users. The leading chat apps in the world have monthly active users in the billions and hundreds of millions, a daunting hill for Signal to climb, considering it’s probably around .001-.005 percent of that.
“To be taken seriously on a global scale, it would need to have a subscriber base of at least 80-100 million,” said Clark-Dickson. “But in order to do that, the challenger app would need to have something quite special as a differentiator.” The Edward Snowden endorsement might not have done the trick, but according to Open Whisper Systems co-founder Moxie Marlinspike, there has been a 400 percent uptick in daily downloads since Donald Trump became US president-elect, and the spectre of a megalomaniac with unfettered surveillance power became a bit more real.
“To be taken seriously on a global scale, it would need to have a subscriber base of at least 80-100 million.”
In April, WhatsApp partnered with Open Whisper Systems to integrate Signal’s encryption protocol into its app. In that way, “Signal has already caught on with the general public,” said Matt Mitchell, an information security consultant based in New York. In other words, because Signal is open source, it’s already achieved mainstream adoption without users realizing it.
WhatsApp using Signal’s protocol means the actual content of the messages and calls between WhatsApp users are secure against outside surveillance, but the company can still track user metadata like when and between whom messages were sent. If you’re using the Signal app, its privacy policy states that transactional data “is only kept as long as necessary to place each call or transmit each message, and is not used for any other purpose.” Signal’s response to a subpoena that it received earlier this year from a federal investigation showed that it could only provide the times of creation and last login for the specified account.
For anyone who is still unconvinced that secure messaging matters, Signal’s Marlinspike has a strong argument. “If the federal government had access to every email you’ve ever written and every phone call you’ve ever made, it’s almost certain that they could find something you’ve done which violates a provision in the 27,000 pages of federal statues [sic] or 10,000 administrative regulations,” he wrote in a 2013 entry on his blog. “You probably do have something to hide, you just don’t know it yet.”
Correction: An earlier version of this story incorrectly identified Pamela Clark-Dickson as a mobile security analyst and misquoted her as saying "local scale." Her correct title is lead analyst of consumer services, and her actual words were "global scale."
