Encrypted Messaging

For a website designed to cater to “the average person,” it might seem odd to include encrypted messaging. Things like two-factor authentication, VPNs (especially during travel), and backups to thwart ransomware make sense, but encrypted messaging seems a little over the top. However, in my experience, that's not the case.

First, a brief reminder what encryption is: encryption is using math to encode data to make it unreadable to anyone who doesn't know the code. Think of when you were a child and made your own secret language, perhaps “A=1, B=2,” etc. An even more complex code would be “A=5, B=6.” Encryption is like this, but on crack.

Encrypted messaging is a bit of a misnomer. Technically any two iOS devices using iMessage are encrypted, but Apple knows the encryption algorithm so I don't really count that. Instead, what I'm discussing here is “End to End Encryption,” often abbreviated as “E2EE.” E2EE means that nobody except you and the person you're talking to has the key to decrypt your messages, not even the service your using. Examples of this would include Signal, Wire, or Threema. (I didn't include WhatsApp and Telegram, we'll get to that later).

So why use encrypted messaging as a normal person? First of all, trust. As of December 2018, the FCC reclassified the powers of cell phone providers in an effort to give them the powers to stop robotexts and spammers. Unfortunately, as is usually the case with these types of laws, the law was poorly written and technically it gives cell providers the legal right to alter or completely block your texts if they want. E2EE messages, however, cannot be altered because the moment they leave your device, prying eyes can't see them. This gives you a level of trust that anything you send won't be tampered with.

Second, I've found encrypted messaging to be invaluable for emergency transactions. Especially for younger readers, encrypted messaging gives you the safety and peace of mind to share sensitive information, such as credit numbers and computer passwords. Normally, of course, this would be a cardinal sin. But sometimes if I'm not home and my girlfriend needs to get into the firebox for something (the lease, emergency cash, etc), I can text her the password knowing it's safe. Or if I'm getting emergency car repairs done and I forgot the emergency card, I can have her text me the numbers and know it's safe.

“But do you really think anyone would be that eager to read my texts?” Allow me to introduce you to the Stingray. Stingrays are devices set by the police designed to capture all cell phone traffic in a small radius. Not just metadata (who you texted and when) but actual content. I take immense offense to this for a number of reasons. For starters, suppose a couple chooses to send each other dirty pictures or videos. If their messages pass through a Stingray, the police have copies of that media that was never intended for them and is not illegal in any way, and it will almost certainly stay on file somewhere. Or suppose the police intercept your message about credit card numbers. Sadly not all police are fine, ethical members of society. I wouldn't give anyone my credit card number without knowing them, so I don't feel comfortable sending that kind of information to the police for them to store who knows where where who knows who has access to it.

Encrypted messaging probably isn't the single most important thing for the average person, but in my opinion the barrier to entry is so low that it's worth it to implement it. So why didn't I include WhatsApp and Telegram? Well WhatsApp is easy: it's owned by Facebook, who has an absolutely tragic record of caring about user privacy. In fact, Facebook is one of the most aggressive companies I've ever seen in the world of data collection. It's almost downright abusive, and I wouldn't recommend you associate with them ever under any circumstance, although that's a blog for another time. Telegram is a slight improvement, although messages are not encrypted by default and group messages can't be encrypted at all. Plus it's a proprietary software, meaning we don't know what the code has hidden in it and what it's doing behind the scenes.

So do I recommend Signal, Wire, or Threema? Or something else? Personally I'm a big fan of Signal. It's almost insultingly easy to set up. Download, enter your phone number, verify it, and you're good to go. However what's important is that your circles use the same app. Wire has the advantage of not needing to hand out a phone number, and some people may find comfort in that. That's why I use Wire for this website, so people can contact me without me needing to give them a phone number. These different services are only encrypted as long as the other person is using the same service, so if you've got Signal and your friend has Wire, it's not encrypted and you're not doing yourselves any good. You need to make sure you're all on the same page, that's the most important part.