Instant secure communication is a basic expectation in the 21st century. It’s a way of keeping in touch with friends, family, work colleagues, and casual drinking buddies — without the formality of email, and with an easily accessible record of what was said.
And because communication takes place over the internet, it is, to all intents and purposes, free — unlike SMS (Short Message Service) and MMS (Multimedia Messaging Service) for which telcos would charge users an exorbitant fee to send, and sometimes even to receive messages.
Having just endured another isolated Christmas dinner (thanks, Covid), I have never been more grateful for the images of turkeys, cranberry sauce, trees, and happy, smiling faces flashing through the ether, as disparate and dispersed groups of people communicated seasonal greetings while hundreds of miles apart.
Granted, it was a little tricky at times. Certain people communicate only using certain platforms. Half of Mrs. Rutland’s family communicates using only WhatsApp while the other half uses Signal. My mother and my sister both use Telegram, while my brother and father use Facebook Messenger. My wife, my daughter, and I use a different messaging method altogether — although there is some crossover.
For my mother-in-law to send me a Merry Christmas greeting, she needed to bounce it through my wife’s sister, who would then pass it on to my wife, who, because we were in the same physical space, would simply tell me rather than engage in any more technological nonsense.
Messaging is a fragmented ecosystem, and it’s not getting better anytime soon
Shouting over the Garden Walls
There are around a dozen messaging apps in common use today — each boasting a similar feature set, and differing degrees of privacy and security.
As demonstrated by my joyful Christmas Day communications fiasco, this is not an ideal situation. To keep in touch with everyone I know using instant messaging apps, I would need to have almost all of them installed on my phone, and I would be constantly forwarding chats from one app to another. It is far from ideal.
The reason behind this is that the app users install on their phone is not just an app — it’s a gateway to a walled garden, where, like delicate flowers, users are kept deliberately isolated from users in other gardens.
Walled gardens exist to keep users inside, and with some notable exceptions such as Signal and Telegram, usually offer a vast range of services to encourage them to sign up and stay. Messenger comes bundled with Facebook for instance — a vast network, the prime purpose of which is to acquire intensely personal data which can be used or auctioned to sell advertising space. Apple wants you to be dependent on Apple products and services.
There is no incentive to allow communication between apps — and every reason for the platforms to attempt to ensnare you and your friends ever more securely inside their virtual greenhouse.
But the problem with messaging platforms goes deeper than the lack of interoperability.
Governments Hate Encryption
Even the least privacy-sensitive of the messaging platforms allows users to employ end-to-end encryption to keep the contents of their messages private. However, in many cases, such as with Telegram, it isn’t turned on by default, and enabling end-to-end encryption with Apple’s iMessage service becomes useless if you have iCloud backups enabled.
End-to-end encryption means that messages are encrypted on your devices and decrypted on the recipient’s device. There is no stage in the delivery process during which the contents of the encrypted message can be snooped by third parties or carriers.
This presents a problem for governments and police forces who like to know what people are planning. Is a group chat simply a work night out in the making, or the beginning of a nefarious plot to overthrow the state? Are the pictures being shared on Christmas day simply Insta-worthy snaps of a perfectly prepared pork loin, or are they schematics for a device which could destroy mankind?
Lawmakers want to put an end to private conversations to which they are not privy — in the name of safety and security, of course — and are making steady progress towards getting their way.
In 2020, the US Attorney General, UK Home Secretary, and the Australian Minister for Home Affairs, along with representatives of Japan, India, Canada, and New Zealand, issued a statement calling on tech companies to ensure end-to-end encryption is “not implemented in a way that erodes public safety.”
Citing concerns for “highly vulnerable members of our societies like sexually exploited children,” the document demands that tech companies embed back doors in their software to monitor Terms of Service violations and “enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued.”
The statement followed repeated efforts by legislators to strong-arm tech companies into compliance with bills such as 2020’s EARN-IT act in the US, and an ongoing but less acronym-worthy European Union effort dubbed “[Security through encryption as well as security despite encryption](https://www.statewatch.org/media/1352/eu-council-security-despite-encryption-10728-20.pdf).”
Although it currently appears that measures have stalled on both sides of the Atlantic, it’s unlikely that a statement urging companies to help them will be the end of efforts. As I mentioned, few messaging platforms have end-to-end encryption enabled by default, and all will cooperate — to some degree — with law enforcement.
Your Messaging Apps Aren’t as Private as You Think They Are
When using a messaging service, you hand over all control to the company operating that service, and you depend on them to keep your communications private and secure.
It’s not always a good idea, and the various providers are able to hand over certain data to whoever asks for it. Some are willing to do so — others less so. The best providers make sure that they don’t even have the technical ability to view your messages or say who you’ve been in contact with; the worst will spill the beans to anyone who shows up with a valid search warrant.
Here’s what the best and worst IM services can provide to law enforcement.
The Most Secure Instant Message Services
- Signal : Only the date and time a user registered, plus the last date of a user’s connection to the service. No message content.
The Worst Instant Message Services (Everything Else)
- Apple iMessage : Device backups, including encryption keys if target has iCloud backup enabled, and stored messages if target has enabled messages in iCloud.
- Line : Suspect’s registered information including profile image, display name, email address, phone number, LINE ID, date of registration, usage information, and up to seven days’ worth of text chats if end-to-end encryption has not been enabled.
- Telegram : IP and phone number, but only in the case of terrorist investigations.
- WhatsApp : Limited message content, address book contacts, and WhatsApp users who have the target in their address book contacts. WhatsApp also keeps a record — updated every 15 minutes — of the source and destination for each message.
You may have noticed that the ‘good’ list is fairly short, while the ‘bad’ list includes practically every other service. For a more comprehensive breakdown of what law enforcement can get from your messaging service, check out this FBI training document obtained following a Freedom Of Information Act request filed by Property of the People, a US non-profit dedicated to government transparency.
Another important thing to note is that messaging services require some kind of identifying information to start using the app. Even Signal — arguably the most secure and anonymous platform — needs a cell number. A cell number can be tracked, revealing your travel habits, and approximate location. It’s a clue to who you are, and police can use special equipment, electronically masquerading as cell towers, to pinpoint you further.
If only there was a messaging protocol which allowed you to overcome all of the shortcomings of instant messaging platforms, and was so simple and intuitive that even your Grandma could use it. (Can you see where this is going?)
Going Old-School with Email
Email is the OG of instant messaging. It has been around in one form or another since the 1970s — and suffers few of the problems related to closed messaging platforms.
Email ignores walled gardens and spreads, weed-like, from one ecosystem to another. A Gmail user on Android can send messages to a Yandex.mail user on Apple; a ProtonMail subscriber can receive messages from a corporate email server on the other side of the world.
If one provider disappears or is taken offline, it doesn’t affect the rest of the email network, and users can quickly sign up for a new account with another provider — without losing any of their contacts or conversations.
But email has different issues. It’s formal and not at all suited to the chat format we’re used to in messaging apps; it isn’t secure by default; and although emails are typically encrypted while in transit, they are usually stored unencrypted on the email server. A law enforcement request to Google, for instance, could see the entirety of your Gmail account exposed to scrutiny.
Your aunt may use email to send angry missives to her local newspaper, but for the rapid back-and-forth of a group discussion or friendly banter with your buds, it’s a non-starter.
With email, you can handle your own encryption — scour the web for personal blogs belonging to security-conscious techies, and you’ll occasionally come across one where the author publishes their public key — a wall of cryptographic text you can use to send messages which can only be read by the recipient.
If you’re lucky enough to receive an email from my colleague, Glyn Moody, you will note the 3,000+ character PGP public key block with which he signs off his emails. Should you choose to, you can encrypt your response using this key, and be assured that only Glyn Moody will be able to decrypt the contents.
Sending email this way is secure, and even if the message ends up with the NSA, they won’t be able to read it without Glyn’s cooperation.
You can set up an email account with any provider you choose. You can run your own email server in your own home, you can set one up on a $10 per year Virtual Private Server, or if your security concerns tend towards the extreme, you can rent a no-logs, anonymous, offshore VPS on which to host your email server.
Email has the potential for everything you need in a highly available, indestructible, end-to-end encrypted, virtually untraceable messaging service.
The only problem is that it’s painful to use.
Keep Your Messages on the Down-Low with Delta Chat
The siren call of messaging services is their convenience and user friendly interface. It’s easy to understand what’s going on; conversations can be grouped and messages shared; you can record and send voice messages by holding down an icon; even your elderly uncle can get to grips with WhatsApp, Telegram, or Signal after a few minutes of training.
It’s this convenience and intuitiveness which makes messaging apps so much more popular than the potentially more secure and private, encrypted email alternatives.
The screenshot above shows Delta Chat - an app which follows the traditional instant messaging formula and layout. It’s intuitive and all of the elements are instantly recognizable to anyone who has used the alternatives.
You’re looking at a group chat between three people. Messages are typed in the bottom input field; you take or attach photos using the third icon from the right; you can send voice messages by holding down the microphone image. There are even colored check-marks which show whether a message has been successfully sent, received, or read.
Delta Chat is, in every sense that matters to users, an instant messaging app. Its killer feature is that it’s an encrypted email client in disguise — meaning that it has the ease-of-use associated with the former, but all of the security advantages of the latter.
With Delta Chat, you can exchange messages with anyone who has an email address. If they are using Delta Chat as well, the app automatically exchanges public keys between senders, using a process imaginatively titled Autocrypt. The large block of cryptographic text is still sent, but users don’t need to worry about it. There is no central control, and no tracking.
It does not need your phone number.
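To make the Autocrypt exchange described above concrete, here is an added example (not Delta Chat's own code) that reads the `Autocrypt` header a sending client attaches to a message and applies the basic acceptance checks from the Autocrypt Level 1 specification. The sample message, addresses and key bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; the key bytes are a placeholder, not a real OpenPGP key.
FAKE_KEY = base64.b64encode(b"\x99placeholder-openpgp-public-key-bytes").decode()
SAMPLE = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hi\n"
    "Autocrypt: addr=alice@example.org; prefer-encrypt=mutual;\n"
    f" keydata={FAKE_KEY}\n"
    "\n"
    "Hello Bob\n"
)
KNOWN = {"addr", "prefer-encrypt", "keydata"}


def parse_header(value):
    """Parse one Autocrypt header value; return a dict, or None if invalid."""
    attrs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep:
            continue
        name = name.strip().lower()
        if name not in KNOWN and not name.startswith("_"):
            return None  # unknown critical attribute invalidates the header
        attrs[name] = "".join(val.split())  # drop header-folding whitespace
    if not attrs.get("addr") or not attrs.get("keydata"):
        return None
    try:
        key = base64.b64decode(attrs["keydata"], validate=True)
    except ValueError:
        return None
    mutual = attrs.get("prefer-encrypt") == "mutual"
    return {"addr": attrs["addr"].lower(), "keydata": key,
            "prefer_encrypt": "mutual" if mutual else "nopreference"}


def autocrypt_key(raw_message):
    """Return the sender's advertised key info, or None if it must be ignored."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    parsed = [parse_header(v) for v in msg.get_all("Autocrypt") or []]
    valid = [p for p in parsed if p and p["addr"] == sender]
    # Exactly one header whose addr matches From is accepted; otherwise none.
    return valid[0] if len(valid) == 1 else None
```

These checks only decide whether a header is well-formed and matches the `From` address; Autocrypt by itself does not prove that the key belongs to the owner of that address.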
Choosing an Email Provider to Use with Delta Chat
As Delta Chat is, at heart, an email client, you need an email address to go with it. It should probably go without saying that security-conscious individuals should use an account which is separate from their main address. More importantly, you should stay away from the big ‘free’ providers who will have no problem with handing over your encrypted emails along with sender and recipient details and associated metadata.
In case you don’t know which providers I’m talking about: Gmail, Hotmail, Yahoo, and AOL Mail (which surprisingly still exists).
The creators of Delta Chat are currently in the process of evaluating commercial email providers with a view to compiling a list of recommendations. Until their research is completed, I’m not 100% comfortable recommending any one provider. You’ll need to do your own research and use your own judgement.
Running an email server on a secure remote VPS is an excellent idea, although if you want to keep your data close to hand, it’s fairly simple to set up a complete solution on a $10 Raspberry Pi Zero in around 30 minutes. An added bonus of running your email server from home is that in an emergency, you can swallow the SD card to destroy any evidence.*
Realistically though, you’re probably not that paranoid (although the same cannot be said of this author).
*We neither advise nor advocate the swallowing of storage devices of any kind.
Delta Chat Limitations
No software is perfect, but as a messaging app built with security and interoperability in mind, Delta Chat comes close.
The downside is that because it doesn’t come attached to any central servers, your message security and storage is your own problem.
Private keys and messages are kept on your device, meaning that if anyone is able to break past your nine-digit PIN code, your communications are theirs to see. You can’t remote-wipe your message history or attachments.
A more common issue is that you cannot remotely back up or restore your messages from a central server. If you buy a new handset, you will need to export your messages from within the app, then use a file manager to copy your encryption keys to the new device.
It’s not a deal-breaker, but it’s not exactly convenient either, and we’re hoping that at some point in the future the developers will add the functionality to automate and synchronize backups with secure, personal cloud servers such as Nextcloud.
Delta Chat is Open Source and Free Software, meaning that you can use, see, change, and share it at will, with everyone. If you think a feature is missing, you can always add it yourself.