Imagine that you work in government or at an NGO – both places that want to keep their communications private.
Understandably, given that governments these days use powerful spyware to surveil political activists, NGOs, and each other, you and your colleagues use an encrypted messaging app.
There’s a good chance that you’ve gone with WhatsApp, which has been a trailblazer in end-to-end encrypted messaging. As early as 2016, The Guardian was referring to the app as a “vital tool” to conduct diplomacy – an app with which diplomats could “talk tactics, arrange huddles, tweak policy – and send Vladimir Putin emojis.”
But given recent events, you have to wonder: what happens if holes develop in that supposed cone of silence?
Like, say, the stupidly simple social engineering hack that a UN report said was used – allegedly from the WhatsApp account of the crown prince of Saudi Arabia – to infect Amazon CEO Jeff Bezos’s phone with personal-message-exfiltrating malware, via a single malicious video file?
Or the zero-day vulnerability in WhatsApp that allowed attackers to silently install spyware just by placing a video call to a target’s phone, whether or not the call was answered? Or, as happened this past weekend, the way that WhatsApp and parent company Facebook shrugged off responsibility for invite links to private groups being indexed by search engines, thereby rendering those groups easy to find and join by anybody who knew the simple search string?
What happens, at least in the case of the European Commission (EC), is that you tell your staff to move over to Signal. Last week, Politico reported that earlier this month, the EC took to internal messaging boards to recommend moving to the alternative end-to-end encrypted messaging app, which it said “has been selected as the recommended application for public instant messaging.”
The EC didn’t mention WhatsApp, per se. It didn’t have to. Security experts have been pointing out reasons why it’s a potential national security risk for a while. Besides its recent and not-so-recent security flubs, there are privacy issues that come with being swallowed up by Facebook. One of WhatsApp’s co-founders, Brian Acton, left the company after the Facebook acquisition, saying that Facebook wanted to do things with user privacy that made him squirm. In his words: “I sold my users’ privacy.”
As Politico notes, privacy activists favor Signal not just because of its end-to-end encryption. Bart Preneel, cryptography expert at the University of Leuven, told the news outlet that, unlike WhatsApp, Signal is open-source, which makes it easy to find security flaws and privacy-jeopardizing pitfalls:
It’s like Facebook’s WhatsApp and Apple’s iMessage, but it’s based on an encryption protocol that’s very innovative. Because it’s open-source, you can check what’s happening under the hood.
Signal is recommended by a who’s who list of cybersecurity pros, including Edward Snowden, Laura Poitras, Bruce Schneier, and Matthew Green. “Use anything by Open Whisper Systems,” as Snowden is quoted as saying on the app’s homepage (Open Whisper Systems is the organization that built Signal; the encryption protocol itself is called the Signal Protocol), while Poitras praises its scalability.
Cryptographer Green says he literally started to drool when he looked at the code. WhatsApp’s end-to-end encryption is built on the same Signal Protocol, but its client isn’t open-source, so it’s not as easy for outsiders to spot something that goes awry. Another plus of Signal: unlike WhatsApp, it keeps as little message metadata as it can – who talked to whom, and when – rather than storing it in data centers around the world, where it could expose users. Nor does it back messages up to the cloud, a step that takes them outside the end-to-end encrypted channel and exposes them to potential interception (WhatsApp’s optional backups to Google Drive or iCloud are not covered by its end-to-end encryption).
Sorry, WhatsApp, but you just don’t induce drooling among cryptographers.
Unlike WhatsApp, Signal is operated by a non-profit foundation – one that WhatsApp co-founder Brian Acton put $50 million into after he ditched Facebook – and is applauded for putting security above all else. Like, say, in October 2019, when Google’s Project Zero disclosed a FaceTime-style eavesdropping bug in Signal’s Android client: Signal shipped the fix on 27 September, the same day the bug was reported. (The iOS client had similar call-handling logic, but a UI error meant the call never actually connected.)
It’s not just Signal’s reputation and WhatsApp’s problems that have pushed the EC into recommending that Signal become the private messaging app of choice – also motivating the Commission are multiple high-profile security incidents that have rattled officials and diplomats.
EC officials are already required to use encrypted email when exchanging sensitive, non-classified information, an official told Politico. The recommendation to use Signal mainly pertains to communications between EC staff and people outside the organization, the news outlet reported, and is a sign that diplomats are trying to bolster security in the wake of recent breaches.
The EC isn’t the only governmental body to dump WhatsApp in favor of Signal. As The Guardian reported in December 2019, the UK’s Conservative party switched to Signal following years of leaks from WhatsApp groups.
What’s ironic, of course, is that governments have been hounding companies to put backdoors in all of these products. While law enforcement in multiple countries has been demanding an end to encrypted messaging that it can’t penetrate, governments themselves are increasingly turning to ever more reliable forms of encrypted messaging.
What’s good for the gander isn’t quite up to snuff for the goose, apparently.
But while WhatsApp suffers in comparison to Signal, and while at least two government outfits have shed it in favor of Signal, WhatsApp still matters. It’s one of the messaging apps that’s at the heart of the encryption debate. Facebook, alongside Apple, has stood up to the US Congress to defend end-to-end encryption, in the face of lawmakers telling the companies that they’d better put in backdoors – or else they’ll pass laws that force an end to end-to-end encryption.
As Politico reported, in June 2019, senior Trump administration officials met to discuss whether they should seek legislation to ban unbreakable encryption. They didn’t come to an agreement, but such laws are undeniably on the table.
That matters. Regardless of which messaging app the EC switches to, or the Tories, they’re all liable to be outlawed if the world’s superpowers get their way and legislate backdoors into existence. As go WhatsApp and Apple encryption, so go Signal, Wickr, and every other flavor of secure IP messaging.
And, of course, so goes the stronger security that some government bodies are, ironically enough, moving to embrace.
Watch it, goose and gander, before you wind up cooking both yourself and your own sensitive communications.
G. R.
Funny but true, I had signal and got hacked.
Apparently when you use signal as a pure messenger app it will be very possible for hackers to get to your contact list.
Pauloct
Can you provide technical details about how this happened, what were the symptoms?
Did you report hack to Signal?
Raylund
I think Signal’s infrastructure/servers are in the USA (who knows when the US Gov will pass a law to request information from encrypted messages or even a backdoor) and it uses your phone number.
Wire is another choice, but they’re proprietary and keep metadata. Advantages are not necessarily using a phone number (i.e. you could use an email address) and being able to access it from different devices (e.g. your Wire desktop app or even a browser).
Raylund
Correction, Wire is Open Source
Anonymous
what do you think about Threema app?
Viewer
I think people don’t use that because of the cost. I have had it for more than a year now and nobody uses it. Besides, they don’t seem to do enough publicity.
Joe
The new Crypto AG?
Anonymous
If you allow a back door for Government Agencies then that back door is a potential access point for a hacker (other Governments) to get past the encryption as well. You know that will happen!
Anonymous
I recommend ‘Wickr’ over any others. (For personal use) no phone number needed, no email, nothing personal shared; just make a name and find your other contacts. They also have enterprise options for those interested as well.
JohnL
I don’t think the Open Source argument about stuff being secure due to inspection holds much water yet, as people really aren’t poring over all that o/s code out there checking it. As better automated tools come along that may change. Then again a fair bit of o/s code looks like it never even got a run through lint, version circa 1990.
Oh and a news item from Oct 2019:
“Natalie Silvanovich, a security engineer who is part of Google’s vulnerability research team at Project Zero, has disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge.”
But this really has too many caveats to be a big issue.
Though if someone has gained control over your phone/computer then your security is hosed anyway…
John
Signal – so protective of your privacy the first thing it demands is your phone number.
I saw that and deleted.
nikk
Signal is a highly recommended encrypted messaging app for privacy-centric people. It runs on the world’s best encryption protocol, i.e. the Signal Protocol.
anon
Open Whisper Systems was the software developing project that later evolved to Signal Messenger organization. The protocol is called Signal.
rebeccaw
The main aim of Signal App is the end-to-end encryption that means no one can intercept and read your messages.