Secure Messaging? More Like A Secure Mess.
There is no such thing as a perfect or one-size-fits-all messaging app. For users, a messenger that is reasonable for one person could be dangerous for another. And for developers, there is no single correct way to balance security features, usability, and the countless other variables that go into making a high-quality, secure communications tool.
Over the next week, we’ll be posting a series of articles to explain what makes different aspects of secure messaging so complex.
Back in 2014, we released a Secure Messaging Scorecard that attempted to objectively evaluate messaging apps based on a number of criteria. After several years of feedback and a lengthy user study, however, we realized that the “scorecard” format dangerously oversimplified the complex question of how various messengers stack up from a security perspective. With this in mind, we archived the original scorecard, warned people to not rely on it, and went back to the drawing board.
Along with the significant valid criticisms of the original scorecard, EFF has heard supporters’ requests for an updated secure messaging guide. Throughout multiple internal attempts to draft and test a consumer-facing guide, we concluded it wasn’t possible for us to clearly describe the security features of many popular messaging apps, in a consistent and complete way, while considering the varied situations and security concerns of our audience.
So we have decided to take a step back and share what we have learned from this process: in sum, that secure messaging is hard to get right—and it’s even harder to tell if someone else has gotten it right. Every day this week, we’ll dive into all the ways we see this playing out, from the complexity of making and interpreting personal recommendations to the lack of consensus on technical and policy standards.
For users, we hope this series will help in developing an understanding of secure messaging that is deeper than a simple recommendation. This can be more frustrating and takes more time than giving a one-and-done list of tools to use or avoid, but we think it is worth it.
For developers, product managers, academics, and other professionals working on secure messaging, we hope this series will clarify EFF’s current thinking on secure messaging and invite further conversation.
This series is not our final word on what matters in secure messaging. EFF will stay active in this space: we will continue reporting on security news, holding the companies behind messaging apps accountable, maintaining Surveillance Self-Defense guides, and developing resources for trainers.
Here, we want to offer our contribution, based on months of investigation, to an ongoing conversation among users, technologists, and others who care about messaging security. We hope this conversation will continue to evolve as the secure messaging landscape changes.
Users interested in secure messaging can also check out EFF’s Surveillance Self-Defense guide. The SSD provides instructions on how to download, configure, and use several messaging apps, as well as more information on how to decide on the right one for you.