
How to Convince Silicon Valley to Make an NSA-Proof Messaging App

The Electronic Frontier Foundation hopes its new privacy framework will be a strong sales pitch for industry and startups alike.

The Electronic Frontier Foundation wants to take encrypted messaging to the masses, and it's starting with a Secure Messaging Scorecard that aims to lay out the bare minimum of cryptography needed to make messages secure by comparing the many apps and services currently on the market. The goal, the group says, is to spur on a flood of innovation that could eventually result in a secure app that everyone will actually want to use.


The scorecard's rankings are based on seven criteria that include whether messages are encrypted in transit, which nearly every service passed, and whether users are able to independently verify their interlocutor's identity to avoid man-in-the-middle attacks—when a third party intercepts communications by using fake keys. All of the major platforms, including iMessage, BlackBerry Messenger, and Google Hangouts, failed in this category.

"What we're trying to do here is establish the lines on the board that people need to play by. We want there to be a clear roadmap for both big tech companies and open source projects to build more secure messaging, and more useable secure messaging," the EFF's Peter Eckersley told me.

The rubric was met with staunch criticism from members of the security community, who claim that the scorecard is vague and misleading. The scorecard gives points for having an app audited for flaws, for example, but does not provide information on the quality of the audit. This point of contention, among others, has led some security experts to question the validity of the rubric.

However, the project's founding members claim the main goal of the initiative is to kickstart a market gold rush to build a usable and secure messaging app, driven by the prospect of positive press and public goodwill. A comprehensive list of cryptographic standards was not the chief purpose of the rankings.


A basic table outlining the rubric. Image: EFF

"For some of the bigger players who have a tool where security was not the major selling point, like iMessage or WhatsApp, any of these big tools—they can say, 'How can we make these tools get a higher score on the scorecard?' And we set it up so that, by the act of doing that, they'll actually make security better," Joseph Bonneau, a fellow at the Princeton Center for Information Technology Policy, told me.

Bonneau was the resident cryptographer on the team that put together the scorecard. According to him, the scorecard could act as a bottom-up catalyst for the development of a secure app, starting with engineering.

"A lot of engineers at these companies want to add these features," he said. "Having the scorecard lets them go back to their bosses and say, 'Hey, we should really prioritize this, and here's a good external reason: We can get good publicity because of this scorecard.'"

The market for secure messaging apps has exploded over the last several years, with dozens of startups and small companies building services that aim to provide robust encryption for user communications. Just a few of these include RedPhone, TextSecure, and CryptoCat.

While these services provide a modicum of security to varying degrees—at least more than the big players—their Achilles' heel is that not enough people actually use them. If the scorecard succeeds in encouraging more companies to invest in developing a secure app, the EFF hopes that this hurdle can be overcome.


"[A secure and usable app] is the holy grail. We are on an eternal quest for that tool," Julia Angwin, the author of Dragnet Nation and scorecard contributor, told me. "The bare minimum is that the person you're corresponding with is going to have to install software, even if it's just an app on their phone. For a lot of people, that's just a bridge too far. They already have plenty of communication tools in hand that they feel are adequate."

The best outcome of the scorecard and its accompanying projects could conceivably be that bigger companies who already boast massive user bases for their messaging apps, like Apple, step up their encryption game.

Apple's iMessage and FaceTime platforms already use end-to-end encryption, a standard that Eckersley, Bonneau, and Angwin see as a good start. A vast improvement would be opening their code up to independent review and allowing users to verify their communication partner's identity to avoid interception, they say.

"I think we're going to see the big guys doing this," Angwin said. "The arrival of small competitors is a great way to motivate companies to add features."

This might be somewhat of a pipe dream, however. Apple has never been very keen on loosening its grip on its proprietary software. Pressure from government organizations like the FBI, who went totally ballistic over Apple's decision to beef up the encryption on the iPhone 6, could also diminish the company's incentive to develop secure messaging apps.

"Apple has certainly taken an early lead amongst the big tech companies in deploying these secure features, but the early leader doesn't always win the marathon," Eckersley said. "We have heard that Google, WhatsApp, and Yahoo all have serious secure communications projects in the works. There's going to be a contest to see who can do this best."

This kind of race to the finish line in terms of who can develop a secure app first is exactly what the EFF hopes to achieve with the scorecard. Eckersley said it's just the beginning. The EFF's next steps include testing for real-world usability in secure messaging apps, and researching scalability.

"We're just setting out on the task of building a way to send secure messages between humans over the internet and on our phones," Eckersley told me. "There's reason for optimism that in a few years, this will be a solved problem."