Encrypted Instant Messaging

What is Encrypted Messaging?

"Encrypted Messaging" is a bit of a misnomer. These days, all messages are encrypted (except SMS text messages), but the service provider (Apple in the case of iMessage, for example) has the keys to decrypt your messages and read them if they want to or are ordered to. In the context of this site, "Encrypted Messaging" refers to "End-to-End Encrypted" or "E2EE" Messaging.

E2EE Messaging means messages that can only be read by the people involved in the conversation. The messages are encrypted in between sender and receiver so spies and eavesdroppers can't read them, and neither can the company hosting the service, the device manufacturer, or the cell service provider.

Why do I need Encrypted Messaging?

Regular SMS text messages can be read by anyone who intercepts them at any point along their journey, even amateurs. Even messages on private messaging services like Facebook and iMessage can be read by employees of the company.

In the United States, Stingray devices are on the rise. These are mobile cell towers that - without knowledge or consent from the user - capture the content of your phone calls and text messages if you are in range, even if you're not their target. This can include sensitive information, which the police are not obligated to discard even if it is irrelevant to their investigation.

Furthermore, in late 2018 the FCC gave cell carriers new powers in an effort to curb spam and robocalls, and the poor wording of the law allows carriers to block messages entirely at will.

What should I look for in an Encrypted Messaging Service?

The most important thing is to make sure the person you're contacting is using the same service as you. These services only work if both parties are using the same encryption system.

AVOID: WhatsApp and Telegram. WhatsApp is owned by Facebook, which has a notoriously abysmal privacy record. WhatsApp is notorious for collecting metadata, which is often just as harmful as the content itself. Telegram, likewise, runs proprietary encryption of its own design that many experts have deemed to be unreliable and insecure. Additionally, Telegram messages are not encrypted by default and group messages cannot be encrypted at all.

Product/Service Pros Cons

Matrix
  • Open-Source
  • Completely Free
  • Available on all operating systems
  • Can be bridged to communicate with other services such as Slack, Telegram, Signal, Discord, Facebook, and more.
  • Does not require any personally identifiable information to sign up, allowing for anonymous accounts
  • Decentralized
  • Can be self-hosted
  • Not End-to-End Encrypted by default, encryption must be turned on by the user
  • Because of its flexibility, it can be a little overwhelming to set up and adapt to.
  • Not audited

Session
  • Open-Source
  • Completely Free
  • Available on all operating systems
  • Sign-up is forcibly completely anonymous
  • Designed to be metadata resistant
  • Decentralized
  • Not audited
  • Very early project, still under active development so expect some bugs and glitches

Signal
  • Open-Source
  • Completely Free
  • Available on all operating systems
  • Incredibly easy to set up
  • Audited
  • Uses phone number as a username
  • Based in the United States network)

Wire
  • Open-Source
  • Audited
  • Supports usernames, allowing you to not reveal your phone number to others
  • Available on all operating systems

Wickr
  • Open-Source
  • Supports usernames, allowing you to not reveal your phone number to others
  • Available on all operating systems


Encrypted Email

What is Encrypted Email?

"Encrypted Email" is a bit of a misnomer. These days, all emails are encrypted, but the service provider has the keys to decrypt your messages and read them if they want to or are ordered to. In the context of this site, "Encrypted Email" refers to "End-to-End Encrypted" or "E2EE" Email.

E2EE Email means emails that can only be read by the people involved in the message. The emails are encrypted in between sender and receiver so spies and eavesdroppers can't read them, and neither can the company hosting the service, the device manufacturer, or the ISP.

Why do I need Encrypted Email?

Email providers like Google, Yahoo, and others regularly read your emails for a variety of purposes such as advertising and training their AI. The fact that these communications are readable by employees (even if only certain ones) means that any sensitive information is not safe and can be potentially stolen.

In the United States, police do not need a warrant to access emails older than six months. The fact that they can access these emails without your knowledge or consent means a hacker could, too.

What should I look for in an Encrypted Email Provider?

The most important thing is to make sure the provider promises "zero knowledge" or "end to end encryption." This means that the provider can't read your emails even if they want to without you giving them technical access.

Make sure to see how the provider makes money. Running an email server is expensive and requires great technical knowledge. "If a product is free, you are the product." Make sure the company has a viable business plan or else assume they are likely selling your data, which compromises your privacy and security.

If you want to take full advantage of encrypted email services, be sure to pick a provider that is also being used by the people you email regularly. Having an encrypted inbox can prevent warrantless searches and data breaches, but once the email leaves your inbox it will be decrypted. If you want the email to be encrypted from start to finish, you'll need to both be using the same service or protocol.

Product/Service Pros Cons

Lavabit
  • Does not work with PGP (emails can only be encrypted to other Tutanota accounts)
  • Based in the United States
  • No free tier
  • Not audited

ProtonMail
  • Open-Source
  • Offers a free tier (makes money by offering paid premium features)
  • Includes a free-tier VPN account
  • Based on PGP (you can securely email other providers as long as the recipient is using PGP)
  • Based in Switzerland

Riseup
  • Based in the United States
  • No mobile apps
  • Aimed more at activists, may not be available for everyone

Tutanota
  • Open-Source
  • Offers a free tier (makes money by offering paid premium features)
  • Does not work with PGP (emails can only be encrypted to other Tutanota accounts)
  • Based in Germany