Instant Messaging Apps: How Private Are They & What Alternatives Are There?
Instant secure communication is a basic expectation in the 21st century. It’s a way of keeping in touch with friends, family, work colleagues, and casual drinking buddies — without the formality of email, and with an easily accessible record of what was said.
And because communication takes place over the internet, it is, for all intents and purposes, free — unlike SMS (Short Message Service) and MMS (Multimedia Messaging Service), which often involve expensive fees for sending and receiving messages.
Having just endured another isolated Christmas dinner (thanks, Covid), I have never been more grateful for instant messaging apps. The images of turkeys, cranberry sauce, trees, and happy, smiling faces shared between my friends and family kept us connected over the holiday season, even while hundreds of miles apart.
Granted, it was a little tricky at times. Certain people communicate only using certain platforms. Sure, there’s the normal SMS/text message, but half of our family uses WhatsApp, while the other half uses Signal. My mother and my sister use Telegram, while my brother and father use Facebook Messenger.
For my mother-in-law to send me a ‘Merry Christmas’ greeting, she needed to bounce it through my wife’s sister, who then passed it on to my wife, who then told me (because we were in the same physical space).
In short, instant messaging is a fragmented ecosystem, and it’s not getting better anytime soon.
Shouting over the Garden Walls
There are around a dozen messaging apps in common use today — each boasting similar features and differing degrees of privacy and security.
As demonstrated by my joyful Christmas Day communications, this is not an ideal situation. To keep in touch with everyone I know using instant messaging apps, I would need to have almost all of them installed on my phone, and I would be constantly forwarding chats from one app to another.
The reason behind this is that the app you install on your phone is not just an app — it’s a gateway to a walled garden, where, like delicate flowers, we’re kept deliberately isolated from users in other gardens (or apps). Walled gardens exist to keep us inside.
Communication providers usually offer extra services to encourage us to sign up and stay. Messenger comes bundled with Facebook, for instance — a vast network, which, alongside being a popular social media platform, also acquires intensely personal data that can be used or auctioned to sell advertising space. And Apple wants you to be dependent on Apple products and services by offering mirroring and interconnectivity between devices, such as having access to your iMessages on your phone, Apple Watch, and MacBook.
Walled gardens may be beautiful, but they can be difficult to escape. | Image: Anne Marie Peterson | CC BY-SA 2.0
There is no incentive to allow communication between apps — and every reason for the platforms to attempt to ensnare you and your friends ever more securely inside their virtual greenhouse.
But the problem with messaging platforms goes deeper than the lack of interoperability.
Governments Hate Encryption
Even the least privacy-sensitive messaging platforms allow us to use end-to-end encryption to keep the contents of our messages private. However, in many cases, such as with Telegram, end-to-end encryption isn’t turned on by default. To encrypt your messages, you need to change your settings manually. And let’s be honest, most of us won’t remember to do that.
Other services just make it difficult to keep things completely private — enabling end-to-end encryption with Apple’s iMessage service becomes useless if you have iCloud backups enabled.
End-to-end encryption means that messages are encrypted on your device and decrypted on the recipient’s device. Only the sender and receiver can read the contents of these messages — no third party, carrier, or hacker can decode your messages and read them.
This presents a problem for governments and police forces who have an interest in knowing what dangerous people are planning. Does a group chat consist of a plan between coworkers, or is it the beginning of a nefarious plot to overthrow the state? Are the pictures being shared on Christmas simply Insta-worthy snaps of a perfectly prepared pork loin, or are they schematics for a device that could destroy mankind?
Lawmakers want to put an end to private conversations to which they are not privy — in the name of safety and security, of course — and they are making steady progress toward getting their way.
In 2020, the US Attorney General, the UK Home Secretary, and the Australian Minister for Home Affairs, along with representatives of Japan, India, Canada, and New Zealand, issued a statement calling on tech companies to ensure end-to-end encryption is “not implemented in a way that erodes public safety”.
Citing concerns for “highly vulnerable members of our societies like sexually exploited children”, the document demands that tech companies embed back doors in their software to monitor Terms of Service violations and “enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued”.
The statement followed repeated efforts by legislators to strong-arm tech companies into compliance with bills such as 2020’s EARN-IT act in the US and an ongoing European Union effort dubbed “Security through encryption as well as security despite encryption”.
Although it appears these measures have stalled on both sides of the Atlantic, it doesn’t mean that they haven’t had an impact. Few messaging platforms have end-to-end encryption enabled by default, and all will cooperate — to some degree — with law enforcement.
Your Messaging Apps Aren’t as Private as You Think They Are
When using a messaging service, you hand over all control to the company operating that service, and you depend on them to keep your communications private and secure.
But that’s not always a good idea. Various providers are happy to hand over certain data to organizations requesting access. The best providers make sure that they don’t even have the technical ability to view your messages or say who you’ve been in contact with; the worst will spill the beans to anyone who shows up with a valid search warrant.
What Data Will Messaging Apps Give to Law Enforcement?
- Signal: Only the date and time a user registered, plus the last date of a user’s connection to the service. No message content.
- Apple iMessage: Device backups, including encryption keys if the target has iCloud backup enabled, and stored messages if the target has enabled messages in iCloud.
- LINE: The target’s registered information including profile image, display name, email address, cell phone number, LINE ID, date of registration, usage information, and up to seven days’ worth of text chats if end-to-end encryption has not been enabled.
- Telegram: IP address and cellphone number, but only in the case of terrorist investigations.
- WhatsApp: Limited message content, address book contacts, and WhatsApp users who have the target in their address book contacts. WhatsApp also keeps a record — updated every 15 minutes — of the source and destination for each message.
For a more comprehensive breakdown of what law enforcement can get from your messaging service, check out this FBI training document obtained following a Freedom of Information Act request filed by Property of the People, a US non-profit dedicated to government transparency.
Another important thing to note is that messaging services require some kind of identifying information to start using the app. Even Signal — arguably the most secure and anonymous platform — needs a phone number. A phone number can be tracked, revealing your travel habits and approximate location. It’s a clue to who you are, and police can use special equipment, electronically masquerading as cell towers, to pinpoint you further.
If only there was a messaging protocol that allowed you to overcome all of the shortcomings of instant messaging platforms. One that was so simple and intuitive that even the least tech-savvy among us could use it…
Going Old-School with Email
Email is the OG of instant messaging. It has been around in one form or another since the 1970s — and it suffers few of the problems related to closed-messaging platforms.
Email ignores the limitations imposed by walled gardens, and email spreads, like a weed, from one ecosystem to another. A Gmail user on Android can send messages to a Yandex.mail user on Apple; a ProtonMail subscriber can receive messages from a corporate email server.
But email has different issues. It’s formal and not at all suited to the chat format we’re used to in messaging apps. It isn’t secure by default, and although emails are typically encrypted while in transit, they are usually stored unencrypted on the email server. A law enforcement request to Google, for instance, could see the entirety of your Gmail account exposed to scrutiny.
With email, you can handle your own encryption. Scour the web for personal blogs belonging to security-conscious techies and you’ll occasionally come across one where the author publishes their public key — a wall of cryptographic text you can use to send messages that can only be read by the recipient.
If you’re lucky enough to receive an email from my colleague, Glyn Moody, you will note the 3,000+ character PGP public key block with which he signs off his emails. Should you choose to, you can encrypt your response using this key and be assured that only Glyn Moody will be able to decrypt the contents.
Sending email this way is secure, and even if the message ends up with the NSA, they won’t be able to read it without Glyn’s cooperation.
You can set up an email account with any provider you choose. You can run your own email server in your own home, you can set one up on a $10 per year Virtual Private Server (VPS), or if your security concerns tend toward the extreme, you can rent a no-logs, anonymous, and offshore VPS on which to host your email server.
Email has the potential for everything you need in a highly available, indestructible, end-to-end encrypted, and virtually untraceable messaging service.
The only problem is that it’s painful to use. The back and forth and constant ping-pong of email inboxes is anything but fun. Email apps themselves are clunky, long-winded, and irritating to use. Not to mention the fact that messaging via email is hardly ‘instant’.
Keep Your Messages on the Down-Low with Delta Chat
The siren call of messaging services is their convenience and user-friendly interface. It’s easy to understand what’s going on. Conversations can be grouped and messages shared, and you can record and send voice messages by holding down an icon. Even your oldest relative can understand WhatsApp, Telegram, or Signal after a few minutes of training.
It’s this convenience and intuitiveness that makes messaging apps so much more popular than the potentially more secure and private encrypted email alternatives.
But what if you could have the best of both worlds? That is, you could enjoy the function of an instant messaging app while reaping the benefits of email security and decentralization.
The screenshot above shows Delta Chat — an app that follows the traditional instant messaging formula and layout. It’s intuitive and all of the elements are instantly recognizable to anyone who has used the alternatives.
Messages are typed in the bottom input field, you take photos using the camera icon, attach photos and other files using the plus symbol, and send voice messages by holding down the microphone image. There are even colored check marks to show whether a message has been successfully sent, received, or read.
Delta Chat is, in every sense that matters to users, an instant messaging app. Its killer feature is that it’s an encrypted email client in disguise — meaning that it has the ease-of-use associated with the former but all of the security advantages of the latter.
With Delta Chat, you can exchange messages with anyone who has an email address. If they’re also using Delta Chat, the app automatically exchanges public keys between senders, using a process conveniently titled Autocrypt. The large block of cryptographic text is still sent, but you don’t need to worry about it. There is no central control and no tracking.
It does not need your phone number.
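As an added illustration (not code from Delta Chat or from the original article): Autocrypt carries the sender’s public key in an Autocrypt mail header with addr, prefer-encrypt and keydata attributes. The Python example below parses that header and applies the acceptance checks from the Autocrypt Level 1 specification before a key would be stored; the function names, addresses and key bytes are constructed for the example, and the OpenPGP key itself is not parsed.

```python
import base64
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder bytes standing in for an OpenPGP public key.
SAMPLE_KEY = b"\xc6constructed-placeholder-not-a-real-key"

def header_value(addr, extra=""):
    """Build a constructed Autocrypt header value for the given address."""
    keydata = base64.b64encode(SAMPLE_KEY).decode()
    return f"addr={addr}; {extra}prefer-encrypt=mutual; keydata={keydata}"

def build_sample(from_addr, autocrypt_values):
    """Build a constructed message carrying the given Autocrypt headers."""
    lines = [f"From: Alice <{from_addr}>", "To: bob@example.net", "Subject: hi"]
    lines += [f"Autocrypt: {v}" for v in autocrypt_values]
    return "\n".join(lines) + "\n\nHello Bob\n"

def parse_autocrypt(raw_message):
    """Return (addr, prefer_encrypt, key_bytes), or None if no usable header."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    usable = []
    for value in msg.get_all("Autocrypt") or []:
        attrs, unknown_critical = {}, False
        for part in value.split(";"):
            name, sep, val = part.strip().partition("=")
            if not sep:
                continue
            name = name.strip().lower()
            if name in ("addr", "prefer-encrypt", "keydata"):
                attrs[name] = "".join(val.split())  # drop folding whitespace
            elif not name.startswith("_"):
                unknown_critical = True  # unknown critical attribute
        if unknown_critical or "keydata" not in attrs:
            continue
        # The key is only accepted for the address in the From header.
        if not sender or attrs.get("addr", "").lower() != sender:
            continue
        try:
            key = base64.b64decode(attrs["keydata"], validate=True)
        except ValueError:
            continue  # keydata is not valid base64
        mutual = attrs.get("prefer-encrypt") == "mutual"
        usable.append((sender, "mutual" if mutual else "nopreference", key))
    # More than one usable header is treated the same as none at all.
    return usable[0] if len(usable) == 1 else None
```

The checks matter because the header is sent in the clear: a key is only stored for the address that appears in From, and ambiguous or malformed headers are dropped rather than guessed at.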
Choosing an Email Provider to Use with Delta Chat
As Delta Chat is, at heart, an email client, you need an email address to go with it. It should probably go without saying that security-conscious individuals should use an account that is separate from their main address. More importantly, you should stay away from the ‘free’ providers who will have no problem handing over your encrypted emails, complete with sender and recipient details and associated metadata.
In case you don’t know which providers I’m talking about, here are a few to be wary of: Gmail, Hotmail, Yahoo, and AOL Mail (which surprisingly still exists).
The creators of Delta Chat are currently in the process of evaluating commercial email providers with a view to compiling a list of recommendations. Until their research is completed, I’m not 100% comfortable recommending any one provider. You’ll need to do your own research and use your own judgement.
First, you should assess the ease of integration and compatibility with Delta Chat — it’s compatible with any email account that supports the open-standard IMAP protocol.
When assessing any email provider, look at their physical location and jurisdiction, logging policies, historical collaboration with governments and law enforcement, and encryption levels.
Also consider performance criteria, including speed, maximum attachment sizes, and the number of permitted recipients, among other important factors. Alternatively, running an email server on a secure, remote VPS is an excellent idea, as it allows you to keep your emails completely private and managed by your own terms of service. If you want to keep your data close to hand, it’s fairly simple to set up a complete solution on a $10 Raspberry Pi Zero in around 30 minutes.
Delta Chat Features & Functionality
No software is perfect, but as a messaging app built with security and interoperability in mind, Delta Chat comes close.
The interface mirrors that of instant messaging apps, with all the functionality you need – including read receipts, voice notes, attachments, emojis, and group chats. However, it offers more security in terms of putting you in charge of your data and information. There’s no need to provide your phone number, there’s no chat logging, and you can use your own servers for extra privacy.
Delta Chat is also compatible with all major desktop and mobile operating systems, including Android, Apple, Linux, and Windows devices.
The downside is that because Delta Chat doesn’t come attached to any central servers, your message security and storage are your own problem.
Private keys and messages are kept on your device, meaning that if anyone is able to break past your nine-digit PIN code, your communications are theirs to see. You can’t remote-wipe your message history or attachments without erasing your entire device.
A more common issue is that you can’t remotely back up or restore your messages from a central server. If you buy a new phone, you will need to export your messages from within the app and then use a file manager to copy your encryption keys to the new device.
It’s not a deal-breaker, but it’s not exactly convenient either. I’m hoping that at some point in the future, Delta Chat developers will add the functionality to automate and synchronize backups with secure, personal cloud servers such as Nextcloud.
Delta Chat is open source and free software, meaning that you can share the source code with anyone you like, and even modify it to change or add certain features, and contribute your code back to the project. You’ll need to know a thing or two about coding in order to customize it, but open software means you can add any feature you like, whether that’s larger file support, video chat integration, multiple profiles, or animated emojis.
Your Privacy is in Their Hands
Instant messaging apps allow us to stay connected with one another — whether that’s someone in the room next door, or a family member on the other side of the world.
While these apps enable us to engage in consistent communication with our loved ones, we often hand over more to these companies than we realize, from data about ourselves, to the contents of our private conversations.
Emails offer a more secure and private solution, but lack the functionality and features of instant messaging apps that so many of us love. And even some email providers are guilty of handing over data they hold about you to the government.
With Delta Chat, there is no need to compromise — you can have the best of both worlds.