Want Private, Secure Communications? Your Choices Are Limited

Your email service reads your emails. Your text messages are plain-text. Your phone calls can be tapped. How do you communicate securely and privately?

Three rotary pay-phones next to each other attached to a wallpapered wall.
Photo by Pavan Trikutam / Unsplash
🎶
"Paranoia strikes deep
Into your life, it will creep
It starts when you're always afraid
Step out of line, the man come and take you away"
For What It's Worth - Buffalo Springfield

OK, Buffalo Springfield may not have been speaking to all of us with those lyrics, but paranoid or not, there is plenty of reason to want to have private, secure communications. Keep in mind that secure, private communications aren't about answering the question "what do you have to hide," but actually are about "why do you have a right to my information?" You own the info you're communicating. It is your property. We vigorously protect all sorts of our property - real estate, money, cars, intellectual property, etc. - but we often just sort of forget about our regular data and information. That's for a few reasons, including that we've been conditioned to just share freely - thank you social media and everything that has led up to it.

A Working Definition

So let's define what private, secure communications are, at least for the sake of this conversation. Let's try this on for size:

Private, secure communications are communications where the parties involved are aware of all parties involved in the communication, and that the communication is protected from any and all 3rd party access without the consent of all involved parties.

Simple in concept perhaps, but devilishly difficult in practice. There have been many, many tries over the years, from the Cone of Silence to PGP. Well, no singular solution is going to address the entirety of this definition's needs. For example, no piece of communications software or tech is going to ensure that nobody else is in the room with me, either looking over my shoulder at what I type or read, or listening as I have a verbal conversation, though the software may be exceptional at ensuring encrypted, private communications between the parties across the Internet.

At the end of the day, though, for the vast majority of us, the privacy and security we want and need for communications is primarily a question of online snooping. Overall, we're focused on preventing a 3rd party from intercepting the packets and reading them, or an AI trainer from reading our text-based messages and improperly using them, or even our mail service from scraping our messages to choose advertising options to share with us. So for purposes of protecting online communications we may want to update our definition to the following:

Private, secure Internet communications are communications protected by end-to-end encryption (E2EE), with strong authentication capabilities, no API hook for 3rd party inspection of messages, offering messaging, data, and voice communications between two or more participants, making all participants aware of all parties to the online communication.

This definition is more realistic given the constraints of what a communications app could possibly do, and at the same time rules out a great number of apps. We immediately exclude almost all "traditional" email solutions, all SMS/MMS texting solutions, and, frankly, all "legacy" voice solutions (land-line, traditional cell phone, etc.). Yes, I'm considering the "plain old telephone system" (POTS) as part of the Internet in part because most land-lines are now serviced by some form of voice over IP somewhere in their path, at least here in the US. Besides, who doesn't have their voicemail sent to a 3rd party transcription service - a clear violation of our definition. All social media "private message" options are also out - these are always stored by the 3rd party social media provider. So what are we left with?

Runners Up

I had really thought about listing a few different messaging solutions and noting where they fall down in meeting this working definition, but at the end of the day it isn't my purpose or my business to take shots at solutions that don't quite meet the need. There are a number of offerings that mostly get the job done, and those are better than plain old email, text, and VOIP. iMessage, WhatsApp, and others fall into this category.

The Only Truly Secure, Private Communication Solution I'm Aware Of

The Highlander was famous for the phrase "there can be only one," but in this instance there should be far more than one, even though there is only one. That one is Signal. Signal checks all our boxes:

  • E2EE means that even Signal doesn't have a way to read your messages (this is the biggest differentiator that most communications systems fail at)
  • Spoofing messages is extremely difficult once you've validated the other person you're communicating with (strong authentication), and you are aware of everyone involved in the communication
  • There are no "hooks" to allow 3rd party inspection of the content before or after transmission
  • Text messaging, file sharing, audio, and video messaging are all available via Signal

Signal goes well beyond these criteria as well, allowing users to choose to identify themselves by either phone number or made-up username, setting automatic expiration of messages in a conversation, and many other features. As a practical matter, Signal supports Android, iOS, Linux, Windows, and MacOS. Signal previously allowed you to use it for unsecured communications like SMS texting when you were attempting to communicate with someone who didn't have Signal. (iMessage still does this.) Signal stopped allowing this after recognizing that it could lead users to mistakenly believe they were sending secure communications when they were not. Attention to details like this is part of what sets Signal apart.

We're not likely to see many competitors to Signal either. Why? Because secure communications means that your communications can't be used to specify advertising sent to you via other vectors. It means that there are no "other" revenue streams for making use of data from your communications, and as such only not-for-profit organizations will fully implement a secure communications solution like this. If you don't believe me, let me point out that the Signal software and protocols are open-source, and in fact underpin WhatsApp; however, Meta has chosen to make certain modifications to fit their business model.

So I'm recommending Signal to you for your private communications, which is to say, I'm recommending it for most of your communications. After all, what right do I have to your information?


💡
Whenever I make product recommendations or endorsements please remember that I have no financial ties to the products, solutions, or companies mentioned unless I've explicitly said otherwise. My recommendations are based on my personal experience and may not meet your needs specifically. Make your own choice based on your own needs, but you could do worse than starting with the recommendations I've made.