Most mainstream messaging apps fail security test, says EFF

Most messaging technologies fail on one or more security criteria, according to the Electronic Frontier Foundation

Most messaging technologies fail on one or more security criteria, according to a secure messaging scoreboard published by the Electronic Frontier Foundation (EFF).

The scoreboard rates 39 messaging tools, including chat clients, text messaging apps, email apps and technologies for voice and video calls.

The EFF said the scoreboard rates technologies that have a large user base and carry a great deal of sensitive user communications, as well as technologies from smaller companies that are pioneering advanced security practices.

To rate the tools, the EFF used the following questions:

  • Encrypted in transit?
  • Encrypted so the provider cannot read it?
  • Can you verify contacts’ identities?
  • Are past comms secure if your keys are stolen?
  • Is the code open to independent review?
  • Is security design properly documented?
  • Has the code been audited?

According to the scoreboard, only six of the tools met all seven criteria.

The six best-scoring tools were ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure.

Apple's iMessage and FaceTime products stood out as the best of the mass-market options, although neither currently provides complete protection against sophisticated, targeted forms of surveillance.

Many options – including Google, Facebook and Apple's email products, Yahoo's web and mobile chat, Secret, and WhatsApp – lack the end-to-end encryption necessary to protect against disclosure by the service provider.

Several major messaging platforms, like QQ, Mxit, and the desktop version of Yahoo Messenger, were found to have no encryption at all.

EFF technology projects director Peter Eckersley said while many new tools claim to protect you, they don't include critical features, such as end-to-end encryption or secure deletion.

“This scorecard gives you the facts you need to choose the right technology to send your message,” he said.

We hope the Secure Messaging Scorecard will start a race to the top, spurring innovation in stronger and more usable cryptography

Nate Cardozo, EFF

EFF staff attorney Nate Cardozo said the digital rights group is focused on improving the tools everyday users need to communicate with friends, family members and colleagues.

"We hope the Secure Messaging Scorecard will start a race to the top, spurring innovation in stronger and more usable cryptography," he said.

The scorecard is part of the EFF's campaign for secure and usable cryptography, which is aimed at championing technologies that are very secure and also simple to use.

Law enforcement officials calling for less encryption

However, the start of the campaign coincides with a series of calls by US, UK and EU law enforcement officials for less encryption of mass communication.

London’s police chief Bernard Hogan-Howe told a US law enforcement conference in New York encryption is hampering police investigations.

His comments come just days after the recently-appointed GCHQ chief Robert Hannigan said US tech firms were becoming the “command and control networks of choice” for terrorists and criminals.

He reiterated recent calls by his predecessor Iain Lobban, FBI director James Comey and European Cybercrime Centre head Troels Oerting for better tools to do their jobs.

Hannigan lamented that "techniques for encrypting messages or making them anonymous, which were once the preserve of the most sophisticated criminals or nation states, now come as standard”.

Making a call for greater support from tech firms, he said these services increasingly host violent extremism or child exploitation content and facilitate crime and terrorism.

Read more on Privacy and data protection