Heading to a protest, organizing with activists, or suddenly concerned about the politics of your parents? Don’t use SMS or Snapchat to chat about it – you need something safer.
To help you pick the right messaging app, Teen Vogue talked to a trio of security experts: Zeynep Tufekci, an associate sociology professor at the University of North Carolina, and the author of a book about networked protest; Alec Muffett, a software engineer who previously worked on security at Facebook; and Moxie Marlinspike, the security researcher who founded Open Whisper Systems, which developed the encryption used by WhatsApp and other messaging tools.
To secure your messaging, they advise three steps. First, update your apps and Android or iOS to the latest version. Second, set a long PIN of at least eight characters to unlock your handset. And third, avoid SMS for texting, instead using a secure messaging app – whether it’s Facebook Messenger, WhatsApp, or a stronger tool such as Signal.
What each of those apps have in common – and what’s lacked by SMS and Snapchat – is end-to-end encryption. Think of that like a tunnel protected by secret handshakes that keeps your messages from being read by anyone else, including the company that makes the app.
Check your threat level
To decide which app you need, assess your “threat model.” That’s security industry jargon for taking the time to consider who might be after you and what to do about it.
“If you’re a whistleblower like Edward Snowden, or if you are a politician, or if you are a journalist who regularly deals with people at risk of deportation, or if you work regularly in countries with harsh, repressive governments… you will have a different threat model to someone who just wants privacy because they’re talking about intimate or personally important stuff,” says Muffett. In such extreme cases, Tufekci suggests you use Signal to get in touch with experts such as the Electronic Frontier Foundation, who can teach you the finer points of digital security.
For the rest of us, the end-to-end encryption in WhatsApp is enough to keep our chats out of snoopers’ hands. Indeed, privacy invasion may not come from the NSA or security services, but the people in your life — if you want to keep your parents or siblings from seeing your messages, you don’t need a secure app so much as a PIN to unlock your phone.
In fact, the biggest threat with any message is the person you’re sending it to. If you’re planning a trip to a protest or getting involved with activism that you don’t want someone else to know about, that friend wavering about joining in can turn you in by screenshotting one of your messages, no matter what other precautions you take. “There’s no tech solution” to that, Tufekci says.
If you’re worried about your attendance at a protest being noted by authorities, put your phone in airplane mode or turn it off so they can’t use IMSI catchers, a gadget that collects SIM details. Leaving your phone in airplane mode avoids that threat but allows you to take pictures and turn your connection back on quickly in an emergency. Of course, unless you’ve worn a mask, someone can simply snap your photo, but there’s no reason to necessarily avoid being identified at a protest, as they’re completely legal in most cases in the United States.
Most of your messages don’t need to be private — where you’re going to meet your friends is probably of little interest to anyone but them — but there are plenty of times you may want protection. If a message landing in authorities’ hands would cause you stress, you need to choose wisely before hitting send. Thankfully, WhatsApp and Messenger both offer end-to-end encryption — but be warned, Snapchat doesn’t.
WhatsApp’s end-to-end encryption is turned on by default, so if it’s your messaging app of choice, your work is done, for the moment. Facebook Messenger offers similar protection called Secret Conversations — Muffett was the lead software engineer — but you need to turn it on first and it’s annoyingly hidden away. Facebook explains how to do it here. Because of how the system works, your messages will only be visible from your phone, not on your computer.
You can step up your level of protection with Signal. That messaging app uses the same encryption system as the other two, from Marlinspike’s Open Whisper Systems, but is particularly tight with privacy and security settings. Plus, both WhatsApp and Messenger share “metadata” with Facebook, which owns both apps. Metadata is not the content of your messages or pictures, but who you sent them to and when. If you don’t want that shared, use Signal.
Aside from WhatsApp and Signal, Telegram is another well-known messaging app, but Muffett notes that end-to-end encryption is not turned on by default nor does it work in group messages — and a lot of security experts don’t trust it. Snapchat is fine for sending photos to your friends, but doesn’t use end-to-end encryption and that means that even when deleted, your photos and text “may be lingering somewhere on Snapchat’s computer farm in a recoverable form,” warns Muffett. “Historically this has been exploited at least once to recover people’s snaps.”
Once you’ve picked your app, decide if you want to backup your chats. In WhatsApp, chats are backed up by default, but they aren’t encrypted. For top security, turn off backups — but realize that comes with a trade-off, as your conversations are gone forever if you lose your phone.
In Signal, you can set the app to erase your conversations after a certain amount of time, similar to Snapchat. You can manually erase chats in WhatsApp too, but in both cases remember that whoever you sent the messages to also has a copy and they can leak it intentionally or otherwise if they don’t keep their own phone secure.
Backdoor in WhatsApp?
Don’t panic over recent reports that WhatsApp isn’t secure. In January, The Guardian reported that the messaging app’s encryption had a “backdoor”, a hole placed in the code allowing messages to be read without anyone knowing. That’s been debunked by security and privacy experts — some 70 of the best in the business — who argue it’s actually a design decision that ensures your messages get through as reliably as possible, and would be difficult to abuse to snoop on your conversation.
Encryption works by exchanging a security code between users, sort of a “secret handshake”, Tufekci says. If someone’s handset or SIM changes, that code changes. Encryption systems can either refuse to send the message or just send it anyway. To make WhatsApp easier for most people, it sends the message; for top-end security, Signal doesn’t, but that means some messages don’t arrive — it’s a trade-off. In Security settings, you can ask WhatsApp to notify you if someone’s security code does change.
If you’re not likely to be a target of state-level surveillance, Muffett, Tufekci, and Marlinspike agreed you’re okay to keep using WhatsApp.