Choosing the Right Messenger

One of the most common questions users have when it comes to privacy is about messaging services. It seems almost all of them mention some level of privacy or encryption to entice the user to sign up for their service, but how can you be sure you’re using the most secure, privacy respecting platform?


This is a companion discussion topic for the original entry at https://blog.privacytools.io/choosing-the-right-messenger/

Great article. Maybe it would be good to put link on top of Real time communication section.

But again, it is not mentioned that Signal messenger is LLC (for profit), funded mainly by Signal foundation. And that Keybase is backed by VC.

Also, some info on p2p messengers might be useful

it’s good to have a secure messenger, but the reality is that you select the messenger where your contacts are :frowning:

More or less true. I’m not using FB messenger, even though most of my contacts are using it. Will probably delete FB account soon. I also plan to delete Whatsapp (as soon as Riot introduces E2EE by defualt, maybe when RiotX is ready), most likely by intentionally blocking my number. Then if my contacts want to contact me, they’ll have to use Signal, Wire, Keybase, Riot, XMPP, Jami… or SMS :d That’s more than enough ways to reach me.

Also, maybe I’ll find new contacts (friends) in communities such as this (or Mastodon, Matrix, Pixelfed…) :smiley:

1 Like

Hi,
I read the article and I found some mistakes, that I already reported on PTIO on reddit:

  1. Jurisdiction: Wire is a company based in Swiss. Wire is a Swiss GmbH, Untermüli 9, CH-6300 Zug (“Wire”) is committed to protecting your information. Wire does not rent or sell your data to third parties. Moreover, the service jurisdiction is still based in Swiss and the servers are still based in UE (out of 14 eyes).
  2. Metadata: Wire stores in its servers the date and time of registration and IP geographical coordinates; it also stores the date and time of creation, creator, name and list of participants of a conversation for 72 hours. Wire will only access and share your data if necessary or required by law or legal process, to provide the service or solve customer support requests, to enforce the Terms of Use and/or protect its rights. Additional technical data: Wire stores additional technical data (such as the type of device through which you authorized the Wire application) to be able to route data between user devices. The Wire service is designed to keep additional technical data to the minimum required to operate the service. More information about additional data can be found in the Privacy Whitepaper and the Security Whitepaper. Optional data: If you agree to give Wire access to your address book contacts, only hashed phone numbers will be used to match you with other users. The content of your address book is never uploaded to or stored on our servers. Sharing data like address book contacts, anonymous usage statistics, and crash logs is completely optional on your part. You can opt-out anytime (see FAQ).

So Wire is still a Swiss company with Swiss headquarter and EU server jurisdiction at least according to their privacy policy dated 1/9/2018, their Web site and blog.
Wire stores unencrypted metadata necessary to the services in order to work and up to 72 hours.

Let’s take a look at signal, considered the state of art (wrongly in my opinion, you can read the reasons here):

  1. Jurisdiction: Signal is a non-profit foundation based in USA, their server jurisdiction is based in USA (5 eyes).
  2. Metadata: Signal stores in its servers the date and time of registration and the date of last connection. Moreover, it has recently introduced the possibility of masking the sender of a message or data while leaving visible the date and time, sender and recipient IP. Other instances where Signal may need to share your data:
  • To meet any applicable law, regulation, legal process or enforceable governmental request.
  • To enforce applicable Terms, including investigation of potential violations.
  • To detect, prevent, or otherwise address fraud, security, or technical issues.
  • To protect against harm to the rights, property, or safety of Signal, our users, or the public as required or permitted by law.
    Additional technical information is stored on our servers, including randomly generated authentication tokens, keys, push tokens, and other material that is necessary to establish calls and transmit messages. Signal limits this additional technical information to the minimum required to operate the Services. Contacts. Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contacts are registered.

So Signal is non-profit foundation fully located in USA (headquarter and servers) at least according to their privacy policy.
Signal does not store unencrypted sensitive metadata, it masks the sender of a message while leaves visible the date and time, sender and recipient IP necessary to the service in order to work.

Conclusion: wire is better than signal considering the company and servers jurisdiction. Signal is (slightly) better than wire considering metadata. Moreover, wire allows anonymous registration via email and anonymous usage via username while signal requires phone number in both cases. Wire is fully audited both protocol and application while signal has only protocol audit. Finally, wire supports the servers federation (and private server instance) and it is developing a new protocol (MLS) together with IETF while signal will never support it.
So if you are coherent you should also remove signal or readmit wire.

A good review of both here.

Except you didn’t point out anything I got wrong, but did a great job proving my blog right, and then left out important details.

Wire recently lost a great deal of trust and standing in the privacy world because they quietly sold their company and moved it to the US.

This is wrong. Wire is a company based in Swiss. Wire is a Swiss GmbH, Untermüli 9, CH-6300 Zug (“Wire”) is committed to protecting your information. Wire does not rent or sell your data to third parties. Moreover, the service jurisdiction is still based in Swiss and the servers are still based in UE (out of 14 eyes).

Wire now has investors to answer to who will want a return on their millions of dollars.

Wire is a company not a foundation, nothing changed after the new founding round. Wire is a European GmbH company whose profit is linked to subscriptions for companies and users with advanced features.

So not only did Wire hide the fact they moved to the US,

This is wrong. In connection with the financing, our holding company moved from Luxembourg to the U.S., as we believe this will be helpful in future fundraising necessary to support our strong growth. Notwithstanding the foregoing, our current and future customers are licensed and serviced from Wire Switzerland, our software development team remains in Berlin, Germany, and our hosting is European-based link.

they also signed a partnership with the feds, then added “necessary” to their privacy policy and even remove the word privacy from their motto.

Any reference? I just know these.

Also, Signals policy clearly states in which circumstances they work with law enforcement and Wire added “necessary” to their circumstances without explaining what they will deem necessary.

This is not precise. Wire will only access and share your data if necessary or required by law or legal process, to provide the service or solve customer support requests, to enforce the Terms of Use and/or protect its rights.

Wire stores in its servers the date and time of registration and IP geographical coordinates; it also stores the date and time of creation, creator, name and list of participants of a conversation for 72 hours.
Signal stores in its servers the date and time of registration and the date of last connection. Moreover, it has recently introduced the possibility of masking the sender of a message or data while leaving visible the date and time, sender and recipient IP. Signal only encrypts sender not recipient. Moreover, the IP addresses are still visible.

So in both case you can retrieve users identity if you are not using a VPN. Wire allows anonymous registration via email, so if you are using a VPN, nobody can retrieve your identity. Signal requires phone number, so you need a burner phone plus a VPN.

Finally, wire allows a private server instance for company and MLS protocol for server federation.

We still don’t know how will Signal or Wire or Riot look in a year. They all may change for better or for worse (for private users)

The main problem with centralized service is that - they are centralized. If Moxie is caught e.g. for tax evasion, and they offer him to compromise Signal or he goes to jail - what will he choose to do?

What is being referred to here is that we first started discussing this on November 4th. That Wire blog post wasn’t written until Nov 12th. See this discussion as we were trying to figure out what was happening.

At the time we were not getting any answers from Wire.

At the time we were not getting any answers from Wire.

Of course, but now you can state that is wrong.

I am very confused by the metadata section. Can you maybe explain in more detail which metadata is encrypted in some messengers (you mention Signal and Wickr) that isn’t encrypted in others? How can the IP geographical coordinates or the list of participants in a conversation be encrypted, both is required for technical reasons to send a message? Also on https://www.privacytools.io/software/real-time-communication/#federated it has the disadvantage “Some metadata may be available (e.g., information like “who is talking to whom,” but not actual message content if E2EE is used).”, how is this a disadvantage? Isn’t this information always somewhere for technical reasons (also when using centralized or p2p systems)?

Nobody disagrees that Wire Swiss GmbH is based in Switzerland. The issue is that Wire Swiss GmbH is owned entirely by another American company.

1 Like

Nobody disagrees that Wire Swiss GmbH is based in Switzerland. The issue is that Wire Swiss GmbH is owned entirely by another American company.

This does not mean anything. Wire is Swiss based and server are EU based so data are protected by Swiss and EU laws, not USA laws (exception of USA users). USA has to ask to both Swiss and EU court in order to obtain the metadata and they have 72 hours.

However, I already showed that PTIO is not coherent and biased about wire delisting if you compare it to signal, keybase, etc. This is particularly true about jurisdiction, metadata and privacy (link1, link2 and link3).
The only argument that supports, and is coherent, about wire delisting is its stance about private users link. If you provide such evidence about delesting, you are right.
Unfortunately, you do not like discussion and comparison especially if it shows incoherence about your arguments link.
Finally, this is my last message, because I do not want both of us to waste more time on this point.
Good luck.

It’s totally OK to use services that are not on PTIO recommended list, and you think those are good for you and your threat model :wink: