Electronic Frontier Foundation finds Skype, WhatsApp and more are disappointingly insecure
Secure communication is something we all crave online, particularly after Edward Snowden's NSA revelations increased public interest in privacy and security. With dozens of messaging tools to choose from, many claiming to be ultra-secure, it can be difficult to know which one to choose and which one to trust. Electronic Frontier Foundation (EFF) has published its Secure Messaging Scorecard which rates a number of apps and services according to the level of security they offer.
It's a fairly exhaustive list that includes numerous well-known names, as well as several more niche products. What is concerning, however, is that many of the most popular tools -- WhatsApp, Yahoo Messenger, Skype, SnapChat, and Facebook chat -- received very low ratings for failing to protect users and their communication data.
EFF's Technology Projects Director Peter Eckersley says: "Many new tools claim to protect you, but don't include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message".
The findings of the EFF are worrying. It highlights, for instance, that the desktop version of Yahoo Messenger uses no encryption whatsoever, but many other popular chat tools also scored very poorly.
In testing the tools and services, EFF asked seven key questions: is data encrypted in transit?; is the encryption key accessible to the service provider?; can the ID of the person being spoken with be confirmed?; in the event of encryption keys being stolen, is past communication safe?; can source code be independently reviewed?; is the cryptography used well-documented?; has an independent security audit been performed?
Facebook chat only checked a couple of boxes (in-transit encryption and code auditing), and it was the same story for Google Hangouts and SnapChat. Skype scored points for not only encrypting data, but also keeping it from Microsoft's eyes, but failed in the remaining five categories. Apple's FaceTime fared very well, missing out only on contact identity verification and independent code review. Signal, TextSecure, Silent Phone, CryptoCat, Silent Text, and ChatSecure + Orbot all passed every test, while QQ and Mxit failed on every single count.
The lengthy list of communication tools was chosen to represent those used most frequently. EFF Staff Attorney Nate Cardozo said:
We're focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues. We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography.
Will the findings prompt you to switch to a more secure messaging tool, or are you already confident in the choice you have made?