Secure and Private Messengers

Many "encrypted" messengers collect/share a lot of data

Despite implementing their versions of end-to-end encryption (E2EE), many "encrypted" messengers out there collect a surprising amount of data, which can include:

  • Account creation with the messenger may require a valid email address or a phone number. In some cases, the messenger may only accept a phone number attached to a SIM card as opposed to a VoIP number.
  • The messenger may require direct access to your contacts and continually “scan” your contacts for additions. In some cases, the messenger may utilize connected Wi-Fi networks and location data to “guess” who may be a viable contact.
  • Some messengers may aggregate data attained from third parties.
  • Some messengers display ads, which often come with their own trackers and invasive practices.
  • Some messenger servers collect and store metadata, such as to whom and when a message was sent or received.
  • The messaging service may collect telemetry and usage data, such as setting preferences and the frequency and duration of interaction.

This list depends on the messenger and its corresponding privacy policies and is not intended to be all-inclusive.

These “encrypted” messaging apps may also share your data. Depending on the messenger, your data may be shared with advertisers, third parties needed to carry out the service (ex: cloud providers), or third parties not necessary for carrying out the service (ex: data brokers).

Generally, people may feel that as long as the messaging service isn’t reading the contents of their messages, their privacy is not at risk. This assumption is troublesome because in many cases the real “juice” is in the metadata - any data attached to the message but ultimately existing outside the message contents itself. In some cases, metadata can be just as sensitive as the contents of the message.

Metadata is crucial and often includes (but is not limited to) who a message was sent to and when the message was sent. These two data points may seem insignificant, but a large part of the “story” can be told using these two pieces of information.

For rather obvious reasons, who a message was sent to can be significant enough on its own, especially if the users have been identified with rather unique identifiers, such as a phone number attached to a SIM card. Knowing when a message was sent to a user can establish a pattern, especially if the central servers relaying your messages are logging and storing these particular data points – as many do.

Over time, by tracking these two metadata points alone, we can start establishing clear patterns - for example, User A may message User B every Thursday at 5:00pm for approximately an hour.

Combine this metadata with other data messengers may collect and store on their servers – like location data, saved contacts, and device information – and users will find that a lot can be “told,” all without ever reading the contents of their messages!
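To make the point concrete, here is an added example (not code from the original article) that runs the "who and when" inference described above over a constructed metadata log that contains no message contents at all. The records, user labels and the `find_recurring_sessions` helper are all hypothetical; the code groups messages by conversation pair and day, then reports which (pair, weekday, start hour) combinations recur week after week.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample metadata as a relaying server might log it: sender,
# recipient and ISO timestamp only. No message contents are present.
METADATA_LOG = [
    ("A", "B", "2024-05-02T17:02:00"),  # Thursday
    ("B", "A", "2024-05-02T17:05:00"),
    ("A", "B", "2024-05-02T17:58:00"),
    ("A", "B", "2024-05-09T17:01:00"),  # Thursday
    ("B", "A", "2024-05-09T17:30:00"),
    ("A", "B", "2024-05-09T18:01:00"),
    ("A", "B", "2024-05-16T17:00:00"),  # Thursday
    ("B", "A", "2024-05-16T17:45:00"),
    ("A", "C", "2024-05-10T09:15:00"),  # Friday, a one-off contact
]


def conversation_pair(sender, recipient):
    """Direction-agnostic key so A->B and B->A land in the same conversation."""
    return tuple(sorted((sender, recipient)))


def find_recurring_sessions(log, min_weeks=3):
    """Return {(pair, weekday, start_hour): {"weeks", "avg_minutes"}} for
    conversations that recur at the same weekday and hour at least min_weeks times."""
    # Step 1: collect all timestamps per conversation per calendar day.
    per_day = defaultdict(list)
    for sender, recipient, ts in log:
        t = datetime.fromisoformat(ts)
        per_day[(conversation_pair(sender, recipient), t.date())].append(t)

    # Step 2: treat each day's first and last message as one session and
    # bucket its duration by (pair, weekday name, hour of first message).
    sessions = defaultdict(list)
    for (pair, _day), times in per_day.items():
        times.sort()
        duration_min = (times[-1] - times[0]).total_seconds() / 60
        sessions[(pair, times[0].strftime("%A"), times[0].hour)].append(duration_min)

    # Step 3: keep only the buckets that repeat often enough to be a pattern.
    return {
        key: {"weeks": len(durs), "avg_minutes": round(sum(durs) / len(durs))}
        for key, durs in sessions.items()
        if len(durs) >= min_weeks
    }


if __name__ == "__main__":
    for (pair, weekday, hour), stats in find_recurring_sessions(METADATA_LOG).items():
        print(f"{pair[0]} and {pair[1]} talk every {weekday} around {hour}:00 "
              f"for ~{stats['avg_minutes']} min ({stats['weeks']} weeks observed)")
```

The one-off A–C exchange drops out, while the A–B Thursday-at-17:00 session surfaces with its approximate duration, which is exactly why a server that never sees plaintext can still reconstruct the "story" if it retains these two fields.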

Reasons to use private and secure messengers

1. Strong encryption protocols

The encryption implemented by a messaging platform shouldn’t have any workarounds for the server or user. The messenger’s chosen encryption algorithm(s) should be robust and not easily decipherable in the event any third party attempts to "sit in on the conversation." Private keys (or copies thereof) should not be stored on the messenger’s servers.

The implementation of E2EE by the messaging service shouldn’t allow for intended or unintended circumvention - for example, storing backups or chats unencrypted, as is the case with many cloud-based messaging services.

Ideally, the protocol the messenger uses should be a respected one that has been audited for reasonable security and privacy.

2. Limit data collection

This is a bit of a spectrum and what’s tolerable ultimately depends on a user’s threat model. Those with sensitive threat models may be more inclined to use messaging platforms that do not collect any personal information.

However, truly private and secure messengers should aim for minimal data collection, if any data collection is required at all. Generally, a private and secure messaging service shouldn’t require users to submit personally identifiable information upon account creation or service use.

On a more technical level, a secure messaging service should avoid logging and storing IP addresses, invasive fingerprinting practices, storing metadata for indeterminate amounts of time, and collecting excessive telemetry.

What data is collected and stored on its servers should be encrypted and more sensitive data should be stored in a decentralized manner - for example, user saved contacts would ideally be stored on the end users' devices, as opposed to being stored on a central server not under the user's control. Ideally, the messaging service would wipe any “logs” at specified intervals and give users the choice of data deletion.

3. Minimize unintended data sharing

When sending a message to someone, it’s reasonable to assume that message is meant for that person only. However, on a privacy-unfriendly messenger, a user may be (unknowingly) sharing rather sensitive information with the messaging service’s servers. This unintended data sharing can include information stored on the servers that may be directly accessed by the provider (as is the case with cloud-based solutions); the information could also be shared with other third parties for purposes other than rendering the service, such as for marketing or advertising.

E2EE should prevent unintended third parties from reading your message contents. A secure messaging protocol should limit what data – metadata or otherwise – is shared with the relaying servers. Limiting data collection also limits what can be shared or leaked in the event of a data breach at the service provider or theft/takeover of a user's device. Privacy-friendly secure messengers shouldn’t voluntarily share information with third parties.