If you are one of 1.6 billion WhatsApp users, you are already using end-to-end encryption (E2EE). This secure form of communication means that any message you send to someone can only be read by the recipient—such chat messages cannot be intercepted by third parties, including governments and criminals.
Unfortunately, criminals also use encryption to hide their tracks, which makes secure messaging apps a prime target for government regulation. In recent news, the Council of the European Union has drafted a resolution to regulate E2EE, which now heads to the European Commission for its final form.
The question is, are we on the brink of losing our privacy on messenger apps?
Terror Spike Pushes EU’s Gears into Motion
In the wake of recent attacks in France and Austria, the prime ministers of both countries, Emmanuel Macron and Sebastian Kurz respectively, introduced a Council of the European Union (CoEU) resolution draft on November 6, aimed at regulating end-to-end encryption practices.
The CoEU is the proposal body that sets the direction of policies, while the European Commission will draft actionable legislation from it. Fortunately, as a legislative opening, the draft resolution is not as problematic for privacy as one would expect:
- The resolution does not make any specific proposals for an E2EE ban.
- It does not propose implementing backdoors to encryption protocols.
- It affirms the EU’s adherence to strong encryption and privacy rights.
- It serves as an invitation to experts to fully explore the security measures under the framework “security despite encryption.”
However, the resolution does propose a targeted approach:
“Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity.”
Given the trend of governments expanding the range of valid targets, this could include lawful protests as well. In the case of France, this could be the Yellow Vests movement, which was forced off Facebook and onto Telegram, a secure messaging app.
Interestingly, Telegram was the same app that Russia banned as the development team refused to create a backdoor for the government. The EU’s European Court of Human Rights (ECHR) ruled such a ban as a clear violation of free expression. The ruling bore fruit as Russia lifted the two-year Telegram ban.
Does ECHR’s Telegram Ruling Serve as a Future Safeguard?
Unfortunately, this does not seem to be the case. In 2019, the ECHR ruled that free expression on the topic of the Holocaust does not constitute a human right. At the same time, the court ruled that the same free expression on the topic of the Armenian Genocide does constitute a human right of free speech. These incoherent rulings reveal that the ECHR doesn’t uphold universal standards.
Does the EU’s Draft Resolution Affect You?
If you are worried that WhatsApp, Telegram, Viber, and other E2EE apps will suddenly expose you to hackers and data miners, don’t be. Within the EU, we are likely dealing with a hybrid solution, in which law enforcement agencies must provide courts with sufficient reasoning to invade privacy.
On the other hand, within the Five Eyes sphere, there seems to be a massive push to legislate backdoors into E2EE messenger apps. Pushback from the citizenry and NGOs such as the Electronic Frontier Foundation will be critical to stave off such restrictive legislation on cryptography.
The Slippery Slope of Governments Regulating Cryptography
It is no secret that nations across the world are eager to undermine citizen privacy for the sake of alleged national security. This charge is usually led by the Five Eyes intelligence alliance, which seeks the broadest approach: mandating that software developers integrate backdoors into their apps. This would allow governments and tech companies to access any private data at will.
Although governments rhetorically state that they have safeguards in place against abuse, their track record is less than stellar. As the Snowden leaks revealed, they seem to be unscrupulous in how they perceive citizens’ right to privacy and the avoidance of abuse. Moreover, a backdoor built for one party is a vulnerability for everyone: backdoors are easily exploited by cybercriminals, incurring great economic damage and eroding trust.
Mandated backdoors are not yet a reality, but governments can employ a powerful persuasion arsenal whenever a criminal or terrorist act happens. Therefore, governments have a steady momentum to erode privacy protections, arguing that:
- Terrorists/criminals have the same access to encrypted communication protocols as the law-abiding citizenry.
- Therefore, encrypted communication protocols must be undermined for the sake of the law-abiding citizenry.
Trying to achieve the balance between the two is an ongoing process, most recently put into the public spotlight by EU member states.
Why Is E2E Encryption Important?
When people don’t want to think about the consequences of the surveillance state, they often resort to the baseline argument:
“I have nothing to hide.”
Unfortunately, such naivety does not make your life safe from abuse. As the Facebook–Cambridge Analytica data scandal demonstrated, one should treat one’s personal data with as much rigor as one would safeguard the property in one’s home. When you are stripped of E2E encryption protocols, you create an environment that nurtures:
- Self-censorship as a mindset.
- Hacking and blackmail.
- Inability to be an effective political dissident or a journalist.
- Corporations and governments using your psychological profile against you.
- Governments becoming less accountable for their harmful policies.
- Inability to effectively protect intellectual property.
Just as criminals have easy access to firearms despite bans and tight controls across the world, so too would criminals procure other methods of communication. Meanwhile, undermining E2EE would make businesses and individual citizens vulnerable to a wide range of abuse.
What E2EE Options Do You Have at Your Disposal?
Backdoors in messenger apps can happen in three ways:
- Accidentally by poor coding, which is later patched when the vulnerability is discovered.
- Intentionally by government agencies exerting internal pressure on companies.
- Intentionally and openly by legislation.
We have yet to reach the third scenario. In the meantime, try to follow these security guidelines when choosing a secure messenger app:
- Choose apps that have a good track record of resisting pressure and are highly rated by users.
- If given the option, choose free and open source software (FOSS) apps. These are community-driven apps, so a backdoor implementation would be quickly revealed by public code review. Sometimes you will also find these apps under the FLOSS acronym (free/libre open source software).
- When using email, try to use email platforms with PGP or GPG encryption protocols.
Taking those factors into account, here are some good open-source E2EE messenger apps:
Signal has become a favorite among many privacy-minded users, and for good reason. It employs Perfect Forward Secrecy (PFS) for all types of messages: text, audio, and video, so a compromised key does not expose past conversations. Signal also doesn’t log your IP address, and it gives you the option to send self-destructing messages. On Android devices, you can even make it the default app for your SMS texting.
However, Signal does require a telephone number to sign up, and it does not provide two-factor authentication (2FA). Overall, this GDPR-compliant messenger app, available for all platforms, has yet to be topped.
A fork of Signal, Session aims to have even more formidable security features than Signal. To that end, it integrated all of Signal’s features but left out the requirement to provide a phone number or email address for sign-up. It doesn’t log any metadata or IP addresses, but it still doesn’t support 2FA.
Its open source development is still ongoing, so you may experience bugs. Moreover, its onion routing protocol, of the kind used by the Tor browser, is also still under development.
Completely decentralized, Briar is one of the latest FOSS apps with E2EE messenger protocols. Exclusive to the Android platform, Briar is the go-to solution for those who worry about a server storing their messages. Briar makes this impossible by employing peer-to-peer (P2P) protocols, meaning only you and the recipient ever store the messages.
Moreover, Briar adds an additional layer of protection by using onion routing (Tor). You don’t need to provide any information to start using Briar except the name of the recipient. However, because nothing is stored on a server, if you change devices all your messages will become unobtainable.
While remaining open source, Wire is aimed at group messaging and sharing, making it ideal for business environments. It is free only for personal accounts. Alongside E2EE protocols, Wire employs Proteus and WebRTC with PFS, in addition to self-erasing messaging.
Wire requires either a phone number or an email address to sign up, and it logs some personal data. It also doesn’t support 2FA. Nonetheless, its GDPR compliance, open source nature, and top-of-the-line encryption algorithms make it great for corporate organizations.
You Are Not Defenseless Against the Turning Tide
In the end, even if governments completely ban E2EE or mandate backdoors, criminals would find other methods. On the other hand, the less engaged citizenry would simply accept the new state of affairs: mass surveillance. This is why we must err on the side of caution and always push back to preserve our basic human right to privacy.