What are the best messaging apps for privacy?

2023-05-12

Though it can be easy to take for granted, your privacy online is very important and is something that should be held sacrosanct. The internet is a place for interconnectedness; for us to be able to connect with people we care about - family, friends, and to be able to do so privately when needed. But institutions continuously encroach on our right to privacy, because the data they can harvest from our personal conversations is valuable.

Data extracted from your conversations with others online can be used to sell you things. For example, if you discuss purchasing a car with somebody then you might expect to see more and more car advertisements in your 'suggested ads'. This can appear harmless at first, but could quickly become predatory and exploitative - imagine somebody being targeted by gambling or alcohol adverts for example. The data they collect can also be used against you, as when these companies suffer security breaches your personal information then falls into the hands of criminals, and with enough information they may be able to gain access to your accounts.

This begs the question: where can you still expect to be able to have a private conversation online? We do have some suggestions which could help you in finding the ideal private messaging platform. First, we'll go over some key factors that you need to consider in your decision.

Qualifying "security"

Let's go over what makes a platform secure. There are a few considerations to be made, however we will try to keep it as simple as possible by discussing three major points.

1. Encryption 

This is one you will see talked about a lot. Encryption, especially end-to-end encryption (E2EE), means that the only people who can read messages between you and another are yourselves. There is no way for that message, once sent, to be intercepted and read by anybody else. The way this works is that a token (a cryptographic key) is kept on both your device and theirs, and it is used to encrypt and decrypt any messages you exchange. Nobody else will have that token, which means that your messages are secure so long as nobody gains access to your device or reads your screen. However, message contents are not the only thing you should be interested in having encrypted, and that is something we will touch on later.

2. Open source

Following on from above, there's something else that you need to be aware of when it comes to encryption. Some companies will not disclose the exact method by which they encrypt your messages. There are various reasons to withhold this information, and many of them are valid from the point of view of a company. From a user standpoint, however, this makes it impossible for users to determine if the encryption is as secure as the company says it is, or if the company still maintains some ability to read all messages itself. So, when looking around for your platform of choice, you may like to place particular priority on an app with an "open-source" encryption model. Open-source means that the code is available to the public for anybody to verify.

3. Centralised versus federated

Ultimately, any platform you use requires you to put faith in the developer themselves, and some people have had their faith shaken a number of times already. Consider that previously WhatsApp could easily have been considered the best out of all private instant messaging services, however, when Meta (formerly Facebook) acquired the company the privacy that was previously afforded to WhatsApp users no longer seemed a guarantee. The same can be said for any 'centralised' platform - it can be bought and sold, it can close down, it can be leaked and hacked and so on. What if there were another option that meant users didn't need to rely on one individual company? Say there was a protocol like email, but for instant messaging, where you can use whatever application you want with any degree of encryption, and speak to anybody else regardless of the app they use themselves? Enter federated instant messaging. Just like how emails can be sent from iCloud to Gmail, federated IM services allow users to use whatever client they want to speak to anyone across a network that offers both local- and server-side encryption.

 

Selective review


One important factor which doesn't affect data privacy but may still affect your decision is user count. Notably, platforms such as Facebook Messenger and Twitter are not even part of the discussion when it comes to privacy, however they remain hugely popular for the simple reason that a large number of people are already on them. The same goes for Discord, which remains a popular choice for instant messaging both in private conversations and in much larger groups despite having almost no guarantee of privacy, solely due to its preexisting community. The same goes for WhatsApp: popular, even despite a decline in its privacy measures. But per the above, WhatsApp offers E2EE on messages. We said that makes your data secure, so what gives? Why is it no longer considered as secure?

It's important to consider that even when companies tout things like E2EE to inspire confidence in their privacy measures, if these platforms are owned by private companies who are able to raise millions of dollars of funding then odds are they are still monetising your data somehow. This is the case for WhatsApp - despite messages being encrypted, the parent company Meta is able to generate huge profits from other data which is not encrypted, and this data is termed "metadata". Metadata in this case describes almost everything that isn't the content of your messages: timestamps, contacts, who the messages are sent between, location and so on. Meta in particular has been scrutinised in the past for their unethical collection of personal data, and metadata is something that you should be looking to keep secure where possible regardless of which app you use.
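To make the difference between encrypted content and unencrypted metadata concrete, the following added example (not code from this article's sources or from any app named here) shows an end-to-end encrypted message passing through a relay, using Node.js's built-in crypto module. The users, the relay, the message and the `e2ee-demo` label are constructed for illustration, and the scheme is a simplified key exchange, not the protocol any particular messenger uses.

```javascript
const crypto = require('node:crypto');

// Each user generates a key pair on their own device; only public keys are shared.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Both ends derive the same 32-byte message key from their own private key
// and the other party's public key. The relay holds neither private key.
function sharedKey(me, theirPublicKey) {
  const secret = crypto.diffieHellman({ privateKey: me.privateKey, publicKey: theirPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-demo', 32));
}

function send(sender, recipient, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey(sender, recipient.publicKey), iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  // Everything outside `body` is metadata the relay needs in order to route the message.
  return { from: sender.name, to: recipient.name, sentAt: new Date().toISOString(),
           iv, tag: cipher.getAuthTag(), body };
}

function receive(recipient, senderPublicKey, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', sharedKey(recipient, senderPublicKey), env.iv);
  d.setAuthTag(env.tag); // decryption fails if the key is wrong or the body was altered
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8');
}

// What the operator of a centralised relay can log without holding any key.
function relayView(env) {
  return { from: env.from, to: env.to, sentAt: env.sentAt, bytes: env.body.length };
}

// Constructed sample: alice messages bob through a relay that has its own, unrelated key.
const alice = newDevice('alice'), bob = newDevice('bob'), relay = newDevice('relay');
const envelope = send(alice, bob, 'Thinking of buying a car');
console.log('relay sees:', relayView(envelope));
console.log('bob reads:', receive(bob, alice.publicKey, envelope));
```

The relay never learns the text, yet it still records who spoke to whom, when, and how much was said, which is exactly the metadata described above.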

Signal has seen a huge uptake of new members and is generally considered respectably secure. Some, but not all, of their code is open source, and despite some metadata still passing through unencrypted this app currently satisfies the privacy needs of many. Users must supply a mobile phone number to create an account, so anybody who objects to this may be interested in Threema which offers more or less the same functionality, and arguably more transparency since the company recently went open-source, but only requires an email address to use. Threema has a small but fair price tag.

We can also consider Session, which itself is built using the code of Signal but with some additional features and upgrades. It also does not require a phone number, is free and only stores "minimal" metadata. The metadata that they store is assigned to your user ID which the company reaffirms is anonymous, however it is worth bearing in mind that metadata itself can be used to identify individuals.

One interesting thing about Session is the way they relay messages from person to person, which is through a type of decentralized network. This can be considered an upgrade over platforms with centralised networks, as it avoids your messages and metadata passing through the main servers of the company at all. Instead, all data and messages are encrypted and then transmitted through different 'nodes', which are architectural pieces of the network that allow data to pass through. The caveat is that it is currently not possible to discern whether it is the company itself or individuals who maintain the 389 nodes presently on Session's network.

Consider this improved upon even further by the XMPP and Matrix communication standards. These are not applications, but rather represent networks or protocols over which messages can be sent. Users have freedom over which client they wish to use (think of this as the application), which can bridge to other platforms such as those aforementioned, e.g. Signal, Telegram, Discord, but also SMS and Email. This offers a huge advantage in that you don't need to convince all your friends to switch over. Users also have far more control over the privacy of their metadata, though there are some anecdotes around metadata leaks on both networks. Evidence for this is hard to come by, but may be worth further research.

Conclusion

There are many options available and we have only covered a few. Hopefully though you now have some idea of what's available to you, and what will offer you the best data privacy. Apps like Session, Signal and Telegram are easy to download and use, and have the advantage that lots of people already use them - Telegram also supports larger communities and can be considered a social media platform in addition to an instant messaging service. The trade-off for all three, variably, is that you make your metadata available to companies who will look to sell it to advertisers and/or government agencies. For those with the need, XMPP and Matrix clients can be awkward to set up exactly as you might want them, but are maybe the best in terms of maintaining your privacy.
