In the midst of the seemingly ongoing series of mass surveillance disclosures, a secure email service called Lavabit shut down. The owner said he has been threatened with criminal charges for refusing to comply with a secret surveillance order to turn over information about his customers, after which he decided to pull the plug.
The Lavabit shutdown leaves 410,000 former users looking for a new way to securely send messages. While I was not a Lavabit user, I would like to join them in their quest. I’m concerned about the disclosures of mass surveillance by the US government, and I believe I’m not alone.
Are most mainstream ways to communicate so insecure?
Short answer: yes. Edward Snowden leaked documents which prove that ‘the NSA operates a complex web of spying systems that intercept internet and telephone conversations from over a billion users from dozens of countries around the world’. Google, Facebook, Apple, Microsoft and other companies directly aid the NSA’s programs. Many governments tap ‘normal’ telephone and text messages from providers on a large scale. This is not only a problem for journalists, lawyers and dissidents. There are good arguments for a right for everyone to hide things from the government.
An overview of secure alternatives
Below are three alternative services for secure emailing, the sending of direct messages, and audio or video conferencing. To store my research and make comparison easy, I created a site that lists all collected information about these services at securemessaging.silkapp.com. I’m by no means a security expert, so I hope people can help me by adding more services and providing additional information.
Secure email services
StartMail is an upcoming secure email service from the people behind anonymous search engine StartPage. They are not live yet, but I thought they were interesting enough to include.
Any request or demand from any government (including the US) to deliver user data, will be thoroughly checked by our lawyers, and we will not comply unless the law which actually applies to us would undeniably require it from us. And even in that hypothetical situation, we would refer to the fact we have no personal user data to share.
Exact features and pricing is unknown. I’ll update the site as soon as there is more information.
Autistic/Inventati is an Italian group of activist whose fundamental aim is ‘to provide free communication tools on a wide basis’. Their email service provides SSL, TLS and certificates, and promise minimal logging. There is no space limit, but downloading your messages is encouraged. They won’t analyze the content of your email, won’t log your IP, have filters and spam filter.
They also provide a lot of information about encrypting the content of your mail and encrypting your personal files.
The service is free, but you have to fill in a form where you explain why you would like an account, and you are expected to make donations to keep the project alive.
Overview of email services
Here is how these email services stack up against their mainstream alternatives:
Threema is based in Switzerland, and offers an iOS and Android client to let users send messages to each other. The service features end-to-end encryption, so messages and passwords are safe. Threema features optional manual key verification, which means that users can verify that they are speaking to each other so the connection is trusted. Otherwise, the feature set is that of a good messaging app: filetransfers, location sharing, media sharing, it’s all there. The app costs $2.
Wickr is based in the US and offers end-to-end encryption, minimal logging, and secure deletion. The last one is pretty interesting: you can set messages to self destruct, automatically deleting them from the receivers phone after a set amount of time. This considerably lowers the chance that someone might read the message you have sent, should the device of the receiver fall in the wrong hands. Note that the receiver can still make a picture of the message, or record it with other means. But given that you trust the person you send the message to, it’s a nice option.
The app currently is free, with paid upgrades planned for the future.
This open source IM client for iOS supports encrypted ‘Off-the-Record’ messaging through existing services like Facebook chat, Google chat, and more. This means that when you and a friend chat over the Google chat network using ChatSecure, your messages are totally encrypted. Compatible clients are available for Android, Blackberry, Linux, Windows and OS X.
The app is free.
Overview of secure direct messaging services
Below is an overview of these services and their mainstream counterparts. Note that Apple’s iMessage provides end-to-end encryption, but the backup of these messages on iCloud does not. You’ve been warned.
Audio and video conferencing
Ostel is an open sourced system of multiple federated servers and clients to make end-to-end encrypted voice calls. There is an Android, iOS, Blackberry, Mac, Windows and Linux client available (through clients that support the protocol). This thread on HackerNews points out that there is no ‘signaling encryption’, whatever that means. The apps are free.
Overview of VoIP and conferencing services
Below is an overview showing how these VoIP and conference services stack up against their mainstream alternatives. Note that Apple’s Facetime provides end-to-end encryption, which should mean there is nothing to turn over when requested. Since Apple is known to provide direct aid to spying programs, caution is still adviced.
These services are listed at securemessaging.silkapp.com. I hope this site can serve as an open repository for secure messaging services. If you have any additions or suggestions to the information about the services, please go to the site to submit them.