Secure messaging update: Threema Web vs. Signal Desktop and ProtonMail

Hey, there are neat new toys to play with! In brief: mobile chat apps are progressing and ProtonMail looks nice for secure email. I put a TL;DR down there for you.

I write about this stuff occasionally.

Threema vs. Signal, again some more

Since my last missive, Threema has released Threema Web for the Android platform…but not yet for iOS or Windows Phone.1 Threema Web promises to offer everything I like about Threema on my phone combined with the convenience of using it on a desktop or laptop computer, where I can type with all 10 fingers. At least I hope so. They haven’t rolled it out for iOS devices yet, and I don’t have an Android device, so I’m not sure. But I’m betting Threema Web continues to allow you to be more anonymous on the internet than Signal, which requires registration with a phone number and allows anyone with Signal and knowledge of your phone number to contact you that way. Threema lets you choose whether to be contactable that way, which I highly appreciate.

Nevertheless, I have started seeing more of my contacts showing up on Signal than in the past. Some of them are undoubtedly using it because of my nagging, but apparently not all of them. For example, I see Airport Liner (our favorite shuttle service from Regensburg to Munich Airport) is using Signal now, too. Probably most people don’t care too much or simply trust WhatsApp not to sell them out to its corporate parent (Facebook), now that WhatsApp offers end-to-end encryption2 based on the same technology as Signal. But I still don’t trust them.

Another thing I liked better about Threema vs. Signal from the beginning was the ability to encrypt short audio clips and send them as messages. Threema’s had that for a long time, but Signal must have gotten it in a recent update (to iOS). That feature is extremely useful when your hands are full or you’re at a stoplight and don’t have time to type out what you could say more quickly.

And of course, Signal does secure phone calls — IIRC, the app grew out of the fusion of a secure audio app (RedPhone) and secure text messaging app (TextSecure). I don’t use it for that very much, but it does work.

Still banging on about secure email

Yeah, I still am. It’s not an easy topic to cover. There are

  • competing standards within standards3,
  • somewhat elegant desktop solutions4, but mostly only clumsy apps on mobile devices
  • inherent weaknesses baked in historically5, and of course
  • the raison d’être for the likes of Gmail, Hotmail, Yahoo! Mail: ad revenue. If their machines can’t read your email, they can’t sell you.

I followed the mailpile project for a couple years, even playing with it at home on a Raspberry Pi or my Linux desktop machines, but it appears to progress only haltingly at best, felt clunky to use, and presumes that you (eventually, when they perfect their product) want your mail to be on your local devices only — like a RasPi or a memory stick you keep on your keychain. That’s not really what I want; I want mail on a server somewhere6 that is only readable for the intended recipients.

They’re really playing up the Swissness.

Then internet pal Harvey Morrell called my attention to ProtonMail. This could be a game-changer. You get:

  • public key encryption7
  • a smooth webmail experience in the desktop
  • iOS and Android apps
  • free, paid, and paid-a-lot tiers of service


I was pretty skeptical at first. Webmail can’t be as secure as an offline private key, because the webserver has to have your private key in order to decrypt messages intended only for you, thus defeating the purpose, right?

That’s true…unless there is another layer of encryption on top of that private key preventing its misuse. Wikipedia explains it: yes, the server behind ProtonMail has the private key needed to decrypt messages encrypted for you, but that private key is symmetrically8 encrypted with your login password, and decrypted on the brower-side to display secured message content only in the browser. So: ProtonMail cannot use your private key (even though it lives on their servers) because your login password prevents that. It’s the first web-based email service with public key encrpytion that sounds promising to me, because it actively promotes its inability to decrypt your email upon demand (of anyone — not even you).

Automatic encryption for ProtonMail users, Optional for everyone else

When you send a message from ProtonMail to another ProtonMail user, it’s encrypted for the recipient automatically. Super-duper easy. But what about sending a message securely to someone who is not a ProtonMail user? You can send a conventional plain-text message if you want. But you can also symmetrically encrypt the message for the recipient by providing a password. Then ProtonMail sends the recipient only a link to retrieve the message, and the recipient enters the symmetrical password then. Keeping that symmetrical password secure is up to you! 9

Composing a message for a non-ProtonMail recipient
Pick a password, confirm it, give a hint if you like.
Here is what a non-ProtonMail recipient sees when you send an encrypted message.

Another nice feature, particularly to help wean you off of your current email provider, is that you can ask ProtonMail to send you a daily reminder at your non-ProtonMail address if there are unread messages in your ProtonMail inbox. Slick!

More to come?

ProtonMail still has a way to go. It does not yet support the full functionality of PGP the way GPGMail or Enigmail does: only in-line PGP works for incoming encrypted messages from outside ProtonMail. This means: if you want to send me “ProtonMail sounds promising!” as an encrypted message at my protonmail.com address, you have to encrypt it using my public key (ask me, I’ll give it to you) and send me an email with this text as its body:

Suggest some products to me based on that, Gmail!

That’s in-line PGP, and it’s probably fine for text messages. All the email programs that support PGP do this kind of en- and decryption for you automatically.

Recipient sees the clear text without any extra effort.

But it gets clunky when a message has more than one part to be encrypted. This is common when there is a plain-text version of the email message and a fancy HTML version of the email message wrapped up in one email, or any attachments. PGP/MIME is clearly the right way to go for that use case, but ProtonMail does not support it yet — at least not for in-bound messages.

It also does not yet support storing and using the public keys of non-ProtonMail users. This means you can’t send an encrypted email to someone who is not a ProtonMail user. At most, you can notify them that an encrypted message is waiting to be retrieved (see above). I wonder if that will ever change; it would be convenient for users already comfortable with the likes of PGP, but it could discourage their free customers from ever coughing up for a paid tier of service. I suppose that’s a feature they could include on the paid tier: paying customers are already paying and don’t need further motivation to use the service.

TL;DR

Whether you

  • need secure private messaging for political or journalistic reasons,
  • are merely trying to not to be the product big internet companies sell to their advertisers, or
  • just like the technology,

try Threema and Signal and their desktop app options for chatting, and consider ProtonMail for securing your email messaging. The techiest among us will get by just fine with PGP encryption layered on top of conventional electronic messaging, but maybe these apps are a lower barrier to entry for friends, family, and colleagues who care about the principles but can’t invest in the learning curve associated with old-school public key encryption.

  1. Haha, “who cares, right?” I fear that some day my employer will force one on me. They’re so cheap and apparently work just fine for things like email and calendaring — the things the company wants you to be doing on their devices. []
  2. of content, but not metadata! []
  3. in-line PGP or PGP/MIME? []
  4. kudos to GPGMail for Apple Mail and the venerable Enigmail for Thunderbird extensions []
  5. encrypt the body of the message however you like, but the headers will remain plain as day []
  6. My server or someone else’s? Either option is OK for me. []
  7. à la PGP []
  8. this means one password does both encryption and decryption. Public key encryption is asymmetrical, using the recipient’s public key to “lock” a message for the recipient and the recipient’s private key to “unlock” it. []
  9. Consider sending it through Signal or Threema. []

Signal instant messenger app — now on all my platforms!

This is my White Whale: a messaging application I can use securely on any device I own, mobile or desktop, and any device my recipients are likely to own.

Recently, Open Whisper Systems released the iOS version of their Signal application that allows users to synchronize contacts and messages to a desktop application running as a Google Chrome app. Finally! I can send a message typed in through a full-sized keyboard and it will arrive on Sarah’s iPhone, or my parents’ Android phones, or any of their computers. It will arrive securely and without anyone or anything scanning it for marketing or surveillance purposes. Continue reading Signal instant messenger app — now on all my platforms!

More thoughts on consumer privacy and electronic communication

The Guardian and NDR are reporting allegations that Google handed over journalists’ private personal data en masse in response to “catch-all” warrants against WikiLeaks’ employees, and then was not allowed to inform its clients, the journalists, that it did so for more than two years. On the NDR article page you can watch an interview in English with Sarah Harrison, an editor at WikiLeaks.

WikiLeaks’ founder asserts that Google was complicit in the USA’s violation of its own constitution. I am not a lawyer, journalist, spy, political agitator, or hacker1. But the slippery slope facilitating that hand-over of data, irrespective of its legality, creeps me out. Continue reading More thoughts on consumer privacy and electronic communication

  1. in the criminal sense. But I do try to make software do what I want it to do where I am allowed to, so I guess I am a hacker in that sense. []

Who else is reading my messages to you?

I have never been a Facebook user. I think that surprises a lot of people, but it’s true. I heard about Facebook around 10 years ago in the midst of an intercontinental move and a big career change. It sounded too much like the high school snobs invading my refuge of online communities, and so I didn’t pay any attention. When it caught on among pre-teen and post-fifties users, and everyone in between, we took a look and decide it was way too ugly to spend any time with. Then privacy concerns started to arise:

  • intensely personal stuff leaking out onto advertisers’ radar, or into public view
  • drastic revamps of data collection policies in quick succession
  • user-unfriendly opt-out mechanisms

A lot has changed, of course. Facebook hold-outs are the exception now, not the norm. Just so we’re clear: I’m not judging anyone. 1 It’s got broad appeal and usefulness for a lot of people, and I miss out on a fair amount of social info by staying away from it.

I am not TedMy Facebook abstinence may seem on the surface like just one step down the kooky road to technology paranoia. I’m interested in the technology of communication primarily, but secondarily uncertain about the implications of big companies and their privacy policies. And the recent purchase of WhatsApp by Facebook doesn’t leave me with a warm fuzzy feeling of trust that you and I are the only ones reading the messages we exchange.

What have I got to hide?

I am sure I don’t have any need to hide my communication from any foreign or domestic government agency. I’m not running a spy ring or acting as a go-between for any freedom fighters resistance movements, terrorist cells … um, dubious third parties. But I’m not sure I trust those big companies (Facebook, Google, Microsoft, Apple) and also smaller ones (Dropbox, LinkedIn, Xing, perhaps Twitter)

  1. to handle my data with MY best interests in mind, and
  2. to keep my stuff2 safe from external prying eyes

What’s in it for me?

Who benefits when their machines read my stuff? They suggest new professional contacts or funny tweeters to follow or car rental agencies for that next vacation we’re thinking about. To a rather limited extent, Clippy letterI guess that’s a perk for me. More often though, when I want more, I seek it out myself. I tend to get annoyed when a real, live person pigeon-holes me directly — I find such behavior by a machine intensely disturbing. But I think they stand to gain a lot a lot more than I do. Maybe that’s the cost of using those otherwise-free services. I read somewhere that when a profit-oriented company offers you a free product or service, YOU are the commodity being exchanged. At least Clippy gave you the option to tell him to take a hike. Buying a license to use that software resolves any qualms I might have about that.

What am I going to do about it?

I’m not turning into a recluse or a vigilante or an rms-accolyte (despite my choice of selfie above and the recent beard). But I am considering my choices of technology providers perhaps more carefully than I or others have in the past. Using Threema instead of WhatsApp is part of that.

I read a couple of good articles on this topic recently:

Threema keeps your short messages encrypted all the way from your mobile device (Android or iOS) to the recipient. It’s a tiny company making smart choices about the technology they use to ensure that. They can’t turn over your message contents to any other party (governmental or hacker), because they can’t.

  1. They don’t log them.
  2. Even though the messages temporarily reside on of their servers while awaiting retrieval by the recipient, they are in an encrypted state, and only the recipient can decrypt them.

Yeah, but what about email?

Another part of that security-conscious electronic communication is using email in an encrypted way. That’s much harder to implement: effective security is not simple, and vice versa. 4 While you can use Threema to send short text messages or videos or pictures from your phone (or iPod touch, though I haven’t tried that yet) à la WhatsApp, you can’t use it to send just any file securely. Encrypted email is a really good choice for that.

Other apps and services?

Skype (owned by Microsoft), Facetime (owned by Apple), Google Talk (owned by…you know), LinkedIn, Last.fm, Spotify also potentially capture stuff about me. And I have explicitly signed up for that. Do I mind? Yes, but not enough to not use their services. When it’s pure text, written by/to me, I see a bigger risk of invasion of my privacy than what could come of

“We noticed you like Led Zeppelin. How about this Allman Brothers Band playlist?”

If Facetime or Skype starts parsing my phone calls with my parents (is that even possible? Let’s ask Siri.), you can be sure I’ll find another way. I don’t use the other social networking services much. I peek in there every now and then to see if I’m missing something. So far, so good.

And the Regensblog? Twitter?

Those are intended for public consumption, but the content is supplied by the end user. 5 We’re conscientious about not revealing more about ourselves via those services than our comfort levels allow. So extra layers of technical security seem pretty useless there.

Does this mean I’m not going to use WhatsApp anymore?

Not really. It means I’m going to prefer other means — Threema for now, but if something better comes along, I’d consider that, too — but I’m not ready to cut myself off from the majority of WhatsApp users. The bottom line is that this topic doesn’t stick in everyone’s craw, but that doesn’t mean I want to lose touch with them. If you have my mobile phone number, you can still reach me on WhatsApp, but be prepared for me to suggest we keep it just between you and me.

What’s your take on all this?

Am I way off-base here? Idealistic beyond any realistic expectation? How have you managed to reconcile your own sense of privacy with the desire to stay in touch with friends and family? I would love to hear another perspective. Let’s chat. Right here, out in the open.

  1. Except Facebook, and similar companies with too much interest in my details, I guess. []
  2. What kind of stuff? Travel plans, insurance policies, bank statements — super boring stuff, unless you’re perpetrating identity fraud, right? []
  3. German for “Threema: an app to annoy the NSA” []
  4. Still, if you would like to exhange email with me and guarantee that no one else can read it — neither a governmental agency nor a hacker infiltrating a mail server — let me know that I am happy to help you set it up. It can work nearly seamlessly in email programs on Windows, Mac OS or Linux alongside plain old email traffic. For a lot of people, the big catch is that encryption is hard or impossible to implement on top of webmail systems like Gmail or Yahoo! mail, but the barrier to entry is much lower on stand-alone mail clients like Apple Mail, Microsoft Outlook or Mozilla Thunderbird. []
  5. It stings when you accidentally confuse a public tweet and a direct message, but an ID-10T error can happen to anyone. []