This is my White Whale: a messaging application I can use securely on any device I own, mobile or desktop, and any device my recipients are likely to own.
Recently, Open Whisper Systems released the iOS version of their Signal application that allows users to synchronize contacts and messages to a desktop application running as a Google Chrome app. Finally! I can send a message typed in through a full-sized keyboard and it will arrive on Sarah’s iPhone, or my parents’ Android phones, or any of their computers. It will arrive securely and without anyone or anything scanning it for marketing or surveillance purposes.
I have been waiting and hoping for this for quite some time. I think it is very close to replacing PGP-/GPG-encrypted email as the method of secured communication between individuals and among groups.
Comparison to email with PGP/GPG
Have you ever tried to send email secured via PGP or any of its derivatives? It’s daunting. I like daunting technical stuff when I can learn something useful from it, but I also like not annoying my wife and having my messages actually read much more. Some conceptual understanding seems to be required in order to use GNU Privacy Guard (GnuPG or GPG) effectively on the command line, and perhaps even as a plugin for an email client like GPGMail for Apple Mail or Enigmail for Thunderbird. Compared to GPG, the use of Signal is a breeze. But that’s what they were going for, and it mostly works.
For the paranoid, similar to Threema and GPG, Signal allows you to double-check that your chat buddy is the same person you thought it was via a fingerprint. Threema does this via a QR code your phone’s camera scans in and compares. GPG lets you do this by comparing a string of hexadecimal characters yourself. Something like:
ED1B B3DB F817 F0AC 6549 3403 9774 CE21 01A3 2838
Signal does both: you can scan a QR code or look at the text.
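What that by-hand GPG comparison amounts to, as an added example that is not part of the original post: an OpenPGP v4 fingerprint is a SHA-1 hash over the public-key packet (RFC 4880, section 12.2), and a careful check compares all 40 hex digits, not only the tail. The function names and the sample packet body are constructed for illustration.

```python
import hashlib
import re


def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over the octet
    0x99, a two-byte big-endian length, then the public-key packet body."""
    if len(pubkey_packet_body) > 0xFFFF:
        raise ValueError("packet body too long for a two-byte length")
    prefix = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_packet_body).hexdigest().upper()


def display(fingerprint: str) -> str:
    """Group 40 hex digits in fours, the way the fingerprint above is shown."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(text: str) -> str:
    """Drop spaces, colons and case so pasted and typed forms compare equal."""
    hexdigits = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexdigits):
        # A 16-digit key ID or a truncated paste is not a full fingerprint.
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return hexdigits


def fingerprints_match(from_keyring: str, from_contact: str) -> bool:
    """Compare the whole fingerprint, never just a prefix or suffix."""
    return normalize(from_keyring) == normalize(from_contact)


# Constructed packet body (not a real key): version 4, a creation timestamp,
# algorithm 1 (RSA), then filler bytes standing in for the key material.
SAMPLE_BODY = bytes([4]) + (1475000000).to_bytes(4, "big") + bytes([1]) + b"\x00" * 16

if __name__ == "__main__":
    print(display(v4_fingerprint(SAMPLE_BODY)))
    shown_above = "ED1B B3DB F817 F0AC 6549 3403 9774 CE21 01A3 2838"
    # Same fingerprint as the contact might paste it: lowercase, no spaces.
    print(fingerprints_match(shown_above, "ed1bb3dbf817f0ac654934039774ce2101a32838"))
```
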
Where does it not work, in comparison to GPG? As near as I can tell, file attachments are limited to images. So if you have an incriminating video or a stack of top-secret pages in PDF form, or even something as mundane as a bank statement or insurance claim you need to transmit, this service won’t cut it.
Comparison to Threema
I’ve been using Threema ever since a buddy recommended it to me over WhatsApp back when it was bought by Facebook. It cost a little bit, but I figured “Why not? Since I’m paying for it, there’s a good chance I’m not the product here.”
Threema covers most of my needs in a secure messaging application on a mobile device, and throws in some other neat features to boot:
- It’s easy to embed stuff into the messages:
  - locations (opening in Apple Maps on iOS)
  - audio clips (great for when you don’t have time to type out a message, but you can speak one)
- Threema does not require you to divulge your mobile phone number, whereas Signal does
- Polls in a group chat are possible
- You can send simple thumbs up/down answers to questions with just two taps on the screen
Sounds great, right? It also offers desktop messaging, but there is a huge caveat here: that is only possible when you write your own application to be used with the Threema API, at an exorbitant price per message sent. That’s probably okay for a company with an IT budget — not great for individual consumers trying to plan a vacation together or decide where to go for dinner tonight.
Comparison to WhatsApp
WhatsApp has been around a lot longer and therefore has a much more devoted fan-base — particularly among countries that used to (or still!?) charge for an individual text message. It’s got a lot of similar features to Threema. It even recently got a security overhaul, implementing the same encryption algorithm that Open Whisper Systems developed for their own Signal App. So what’s not to like? Briefly:
- Ads (ew)
- Facebook ownership (ick)
- About-face on ads and privacy policies
- Is there a desktop app?
Open Questions and Criticism
I’m hopeful these things will iron themselves out. After all, this is a very young app (at least as it pertains to iOS; users of the Android mobile version have had longer to test out the Desktop app).
- Synchronizing contacts and groups failed the first couple times immediately after installing the desktop…but maybe the failure was me being impatient.
- I’m not sure how to start a new group on the Desktop version. Perhaps that has to happen on the mobile version for now.
- Can you use it as an app on non-phone mobile devices, like iPads or Android tablets? Example: let’s say I have an iPhone and an Android tablet. I can get my iPhone to sync up my contacts for use with the Desktop version, but then where does that leave me on my Android tablet?
- Google Chrome Apps may take some getting used to, and UI/UX purists will protest the unorthodox placement of the settings, lack of menu bar, etc.
Why isn’t everyone using it?
Well, it’s pretty new. The blog post about support on the Desktop for iOS appeared near the end of September 2016, and the update to the iOS app just appeared on my phone last week. Plus, the masses may have just finally gotten used to WhatsApp as an alternative to texting, and they’re probably not interested in shifting to yet another piece of software for sending instant messages. Or maybe those who jumped away from WhatsApp to Threema are not interested in the ability to use a full-sized keyboard via a desktop app, and combined with the improved end-to-end security implemented in WhatsApp and low userbase, maybe Signal is not (yet) attractive enough to lure away WhatsApp users.
Other neat stuff
While waiting for Signal for Desktop to come out for use with iOS, I played around with a couple other Desktop apps.
Got a non-image file you want to send securely? Consider miniLock, which also runs on the desktop as a Chrome app. It’s conceptually the same thing as GPG: a public key your recipients have to know, a private key only you should know, and crypto algorithms that keep files secure. The difference here is that it’s compact enough to eliminate one piece of the puzzle: the public key (a.k.a. the miniLock ID) is small enough to fit in a Twitter post. Here’s my miniLock ID:
By comparison, here is one of my GPG public keys rendered as plain text:
The miniLock key is certainly easier to store somewhere as plain text — like in your password manager program of choice (I like Password Safe, but use anything you like). You need another program just to keep track of keys for GPG-style public key cryptography, and then you have to painstakingly program interfaces to make easy use of it outside of the command line.
Cryptocat is another secure instant messaging program I’ve been playing around with. It’s got a bit of a checkered past, but it’s better now, even though it lost its support for mobile platforms. The UI is kind of clunky on Linux (hey…what isn’t?) and Mac OS X, but strives to offset that by being cute. I guess it works okay, but now that Signal for mobile platforms and Desktop is here, I think there is little need for it anymore on my machines.
Cryptocat and miniLock are both by Nadim Kobeissi.
Slack is a really fun-to-use collaboration platform. It was made by software developers for software development, but Sarah and I use it for planning trips with our pals in other towns or even other time zones. We also use it for collecting recipe ideas, strategizing our moving plans, or collecting links to funny web pages we know the other person will enjoy later.
You can store files with it, chat with it (on- and off-line), and link it into other online applications your organization probably uses for daily business (think CRM, travel, HR or time/resource management software). It’s usable on the desktop or mobile platforms. It all seems pretty secure, so what’s not to love?
It’s free to use in the hope that you upgrade to a paid plan, but the free plan is limited to a certain number of messages and amount of file storage before the older content starts to become unavailable. Your messages have to be organized into channels and your contact partners have to be invited to participate in your chats. For focussed, project-based on- and off-line communication including file-sharing, Slack is awesome. For general spontaneous “How ya doin’?” chatting, it’s way overblown.
Signal, with its mobile and desktop versions, seems to be the best thing going now if you need to reach
- people on different OSen
- with different hardware preferences (type with 10 fingers or two thumbs?)
- who don’t want to drive the marketing machines
These benefits are all in addition to Signal’s potential as a tool for political purposes: journalists protecting their sources, victims of persecution evading their tormentors, etc.
It’s a bonus that the system is free (as in beer as well as in speech). If you’re already using WhatsApp (but feel dirty about feeding Big Data your bits) or Threema (but sometimes wish you could enter your messages with all ten digits), you might give Signal a try. You can donate to the Freedom of the Press Foundation to keep development going.