Encrypted Messaging

"Encrypted Messaging" is a bit of a misnomer. These days, all messages are encrypted (except SMS text messages), but the service provider (Google, Facebook, etc) has the keys to decrypt your messages and can read them if they want to or are ordered to by a warrant. In the context of this site, "Encrypted Messaging" refers to "End-to-End Encrypted" or "E2EE" Messaging.

E2EE Messaging means messaging protocols that can only be read by the people involved in the message. The messages are encrypted in between sender and reciever so spies and eavesdroppers can't read them, even the company hosting the service, the device manufacturer, or cell service provider. In this section I'm going to break up encrypted messaging into two subsections: instant messaging, and email.

Encrypted Instant Messaging

Encrypted instant messaging is meant to replace regular SMS to provide you and the people you're talking to with a secure, real-time communication method. Why protect your day-to-day texts? Regular SMS text messages can be read by anyone who intercepts them at any point along their journey, even amateurs. Even private messaging services like Facebook and Snapchat can be read by employees of the company.

There's also horrifying devices known as IMSI-catchers, or "Stingrays" after the leading manufacturer. In the US, these devices are on the rise and increasingly popular with law enforcement agencies and criminals all over the country. These are small, mobile devices that emulate cell towers and - without knowledge or consent from the user - capture the content of your phone calls and text messages if you are in range, even if you're not the target of them. This can include sensitive information, which the police are not obligated to discard even if it is irrelevant to their investigation. These devices can be easily and legally purchased by anyone with a few hundred dollars.

Furthermore, in late 2018 the FCC gave cell carriers new powers in an effort to curb spam and robo calls, and the poor wording of the law allows carriers to block or alter messages entirely at will.

When deciding on an encrypted messaging service, the most important thing is to make sure the person you're contacting is using the same service as you. These services only work if both parties are using the same encryption system.

Note: Avoid WhatsApp and Telegram. WhatsApp is owned by Facebook, who has a notoriously abysmal privacy record. WhatsApp is notorious for collecting metadata, which is often just as harmful as the content itself. Telegram, likewise, runs proprietary encryption that they created that many experts have deemed to be unreliable and insecure. Additionally, messages are not encrypted by default and group messages cannot be encrypted at all.

Product/Service Pros Cons

Matrix
  • Open source
  • Completely Free
  • Available on all operating systems
  • Can be bridged to communicate with other services such as Slack, Telegram, Signal, Discord, Facebook, and more.
  • Does not require any personally identifiable information to sign up, allowing for anonymous accounts
  • Decentralized
  • Can be self-hosted
  • Because of it's flexibility, it can be a little overwhelming to set up and adapt to.
  • Not audited

Session
  • Open source
  • Completely Free
  • Available on all operating systems
  • Sign-up is forcibly completely anonymous
  • Designed to be meta-data resistant
  • Decentralized
  • Not audited
  • Very early project, still under active development so expect some bugs and glitches

Signal
  • Open source
  • Completely Free
  • Available on all operating systems
  • Incredibly easy to set up
  • Audited
  • Uses phone number as a username
  • Based in the United States
  • Centralized

Wickr
  • Open source
  • Supports usernames, allowing you to not reveal your phone number to others
  • Available on all operating systems

Wire
  • Open source
  • Audited
  • Supports usernames, allowing you to not reveal your phone number to others
  • Available on all operating systems

Encrypted Email

Why encrypt your inbox, especially since most other people don't? Email providers like Google, Yahoo, and others regularly read your emails for a variety of purposes such as advertising and training their AI. The fact that these communications are readable by employees (even if only certain ones) means that any sensitive information is not safe and can be potentially stolen.

In the United States, police do not need a warrant to access emails older than six months. The fact that they can access these emails without your knowledge or consent means a hacker could, too. Even if the people you contact aren't using encryption, it's a reduction (not elimination) of risk to have your inbox encrypted in the way an encrypted email provider offers.

The most important thing to consider when deciding on an encrypted email provider is to make sure the provider promises "zero knowledge" or "end to end encryption." This means that the provider can't read your emails even if they want to without you giving them technical access.

Make sure to see how the provider makes money. Running an email server is expensive and requires great technical knowledge. "If a product is free, you are the product." Make sure the company has a viable business plan or else assume they are likely selling your data, which compromises your privacy and security.

If you want to take full advantage of encrypted email services, be sure to pick a provider that is also being used by the people you email regularly. Having an encrypted inbox can prevent warrantless searches and data breaches, but once the email leaves your inbox it will be decrypted. If you want the email to be encrypted from start to finish, you'll need to both be using the same service or protocol.

Product/Service Pros Cons

Lavabit
  • Does not work with PGP (emails can only be encrypted to other Lavabit accounts)
  • Based in The United States
  • No free tier
  • Not audited

ProtonMail
  • Open source
  • Offers a free tier (makes money by offering paid premium features)
  • Includes a free-tier VPN account
  • Based on PGP (you can securely email other providers as long as the recipient is using PGP)
  • Based in Switzerland

Riseup
  • Based in The United States
  • No mobile apps
  • Aimed more at activists, may not be available for everyone

Tutanota
  • Open source
  • Offers a free tier (makes money by offering paid premium features)
  • Does not work with PGP (emails can only be encrypted to other Tutanota accounts)
  • Based in Germany

Honorable Mention: PGP

Finally, I want to take a moment to give an honorable mention to PGP and explain how you can use it yourself. PGP stands for Pretty Good Privacy and is an open-source encryption program. Generally speaking, it is most commonly used for encrypted email but it can actually be used to encrypt just about anything.

Explaining how PGP works is actually much more complicated than actually using it. It's one of those things that sounds complicated but it's really not. When you use any type of encryption, including PGP, it creates two keys. One is called the “private key” and one is called the “public key.” The private key is private: it stays with you. Never share it, keep it safe. Maybe create a backup of it somewhere safe. The public key, on the other hand, can be spread around as much as you want. The more the better.

Think of the public key as your address and the private key as your door key. The more people you give your address to, the more people can write you. But only you can unlock the door and enter the house where you have some privacy. So when you set up PGP on an email account, you'll be given your two keys. You spread the public key to anyone who wants it so they can initiate a private email chain with you, and you keep the private key somewhere safe. It sounds complicated, but it's really not. There's tons of programs and plugins that handle this process for you.

I don’t think you should stick with your current Gmail or Yahoo Mail for lots of reasons. A major advantage to using an encrypted email provider is that even in your inbox, the emails are encrypted. This means they’re safe from data breaches or warrantless police surveillance. However, I get it. If you want to use PGP with your existing email provider, there’s two relatively easy ways to do it.

The first is a browser plugin called Mailvelope. For most people, this will be the best solution. If you’re the type of person who goes to “gmail.com” to check your email, this is the solution you’ll want. You simply add it to your browser as a plugin, it generates all your various keys, and you simply use it whenever you want to encrypt, decrypt, or sign an email. The second option is if you’re a mail-client type of person – aka Outlook. If this is your preferred method of accessing your email, then consider switching to Thunderbird. This open-source mail client recently updated to ship stock with Enigmail, an email plugin that enables PGP. Just like Mailvelope, you’ll have lots of options to encrypt, sign, or decrypt messages on an as-needed basis.

Previous Next