Claiming your privacy: messaging apps

This week we launched our private messaging media campaign, encouraging New Zealanders to use secure, private messaging apps. We’ve worked with Mohawk Media to make a great little video, an accompanying comic and an infographic to tell the story.

I really love it and hope you do too.

We think private messaging is important. Why? Because we value your privacy as much as you do and we think that in today’s privacy hostile environment, you should be able to claim your privacy without someone trotting out that corny, tired and misleading saying “if you’ve done nothing wrong, you’ve got nothing to hide.” To me, that’s someone saying they don’t care about free speech just because they have nothing to say right now. It’s also disingenuous and misrepresents privacy. I haven’t done anything wrong (lately) but I still should be able to talk to my loved ones, express my frustrations to my friends and talk about intimately personal details with my wife in private simply because it’s not anyone else’s business.

Unfortunately, the reality is that most traditional communication tools like sms or email are not private. We want to make it easy for New Zealanders to use secure, private communication tools. And we want you to be using best-in-breed, modern systems that are easy to use, and implement great encryption.

We’ve decided to start with messaging apps because they’re fast replacing SMS and email as default communication tools for many New Zealanders. We all routinely send short messages to our friends, family, flatmates or workmates. Lots of people have facebook messenger groups for flat communications. Instant messaging services have become a pretty normal part of the way social interactions and organisation happens these days. So it made sense to us to target messaging apps.

Why Whatsapp, Signal & Facebook Messenger?

Because under the hood they use the same end-to-end encryption technology. The people behind Signal created TextSecure, a well regarded, modern, green-fields, end-to-end cryptographic system. WhatsApp used TextSecure when they decided to move to end-to-end encryption because it’s the best option available. The tech behind these apps is quality and the user experience is great. My whole family use Signal now - it’s how we coordinate who’s home when, if we’re going out or picking up last minute groceries and all that mundane living stuff. My friends and I use WhatsApp to organise social events and who’s bringing what food or drink.

I’ll admit, I begrudgingly included Facebook Messenger’s secret conversations. Everything in my professional training tells me opt-in policies or protections don’t get taken up. But, Kiwi’s use Facebook, it’s where they are. Messenger is the 2nd most downloaded free app on iPhone and it’s the most popular free app in Google Play Store. Messenger’s scale of use and popularity forced us to try and get you to use secret conversations in the place you already message.

There are plenty of other messaging apps that provide some level of privacy, and some that provide opt-in end-to-end encryption (e.g. Google’s new Allo app). You can read about them, and their security, in the EFF’s Secure Messaging Scorecard (they're currently building v2, but you can find a link to their v1 scorecard in that link). But there’s a reason we chose Signal and Whatsapp - the technology they run on is best-of-breed and the user experience is good.

What about PGP?

*sigh* Firstly, email is great, but people are using messaging for social communication more and more - it’s a medium we want to help people do securely. Also, let’s be honest, setting up PGP email is just too hard for most people. I’ve found it way too hard, and generally don’t use my PGP key unless I absolutely have to (e.g. for vulnerability disclosure coordination stuff I do for NZITF). If you really *do* want to send me PGP-encrypted email then my public key is on keybase.

Anyway, private messaging its a thing. Loads of people use messaging apps, you probably think they’re private  but many aren’t (or are only private-ish).

What can you do today to claim your privacy?