So you want to send a short, instant, text-based dispatch to another human. The options are endless -- iMessage, Slack, Instagram, WhatsApp, Skype, Snapchat -- but their security is variable. Short of whispering words into another person's ear, it's difficult to guarantee that no one else will ever be eavesdropping.
For anything you wouldn't want to be seen by your ISP or used against you in a court of law, end-to-end encryption is necessary. It works by giving every user of an app a public key and a private key. Messages sent to you are encrypted with your public key and can only be opened with the private key. To anybody without your private key -- including the app company or a government that comes for the data later -- the text is indecipherable.
What the messaging service keeps on their servers also matters. Even without reading your texts, law enforcement could make deductions from its metadata -- like who you've been talking to and when -- or from your uploaded contact list. Or perhaps you've backed up your entire chat history in the cloud.
Messaging apps may come with other security features: the ability to set messages to self destruct, which matters if you're concerned about someone who lives in the same house or shares your device more than a sleuthing hacker. Other features allow you to send messages anonymously.
Even the privacy nonprofit Electronic Frontier Foundation does not recommend any single messaging app.
Now the choice of medium to send confidential information gets a little more complicated -- so much so that even the privacy nonprofit Electronic Frontier Foundation does not recommend any single messaging app.
Messaging apps only work when the people you want to message are on them. Signal is generally the privacy expert's choice for secure comms, but your aunt might not have it. SMS reaches everyone with a phone number but is largely unsecured. iMessage has end-to-end encryption but is only available on Apple devices. WhatsApp and Facebook Messenger have massive global reach but also share a common liability: Facebook.
At its core, your choice of app comes down to your specific security situation versus the need for convenience like backups versus who you need to reach.
Let's start with the most ubiquitous platform, the one where you don't even need someone's phone number to find them. Facebook Messenger has 1.3 billion users on last count. Yet conversations are not end-to-end encrypted by default. For that, you have to go into "secret conversations" -- an option that's only on iOS and Android apps, not in browsers. Those chats are not only encrypted with Signal's industry-standard protocol but also can be set to self destruct. The downside: It's Facebook. Privacy experts are wary of what the social media titan -- whose business model is to sell data to advertisers -- could do with information about how you message.
The same wariness of Facebook Messenger extends to the otherwise well-protected WhatsApp. Mark Zuckerberg's company acquired WhatsApp in 2014, promising that it would function independently; then two years later WhatsApp said it'd start sharing data with Facebook. WhatsApp has some 1.5 billion users and says it may disclose to Facebook details like when you last used the app and how often. The company initially said this would be used to make product suggestions and show ads, but it now states, "Today, Facebook does not use your WhatsApp account information to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook."
Despite this, WhatsApp also uses Signal's method for end-to-end encryption, meaning that Facebook cannot access the content of your messages regardless of how its user agreement might be revised in the future. WhatsApp also says it does not store messages on its servers after they're delivered. However, if users select to back up their chat history from within the app -- to iCloud or Google Drive, for instance -- they could be vulnerable if those platforms are breached.
When Facebook Messenger and WhatsApp temporarily had an outage this March, the CEO of Telegram claimed that 3 million new users signed up to his service in 24 hours. The security-focused messaging app has been around since 2013, with some 200 million active users as of 2018. The app contains the options to self-destruct messages, unsend them or even retroactively wipe out entire chats (on both your side and the recipient's).
However, end-to-end encryption is not turned on by default. To get it, you have to use "secret chats." Regular conversations are encrypted between your device and Telegram's server and also between Telegram's server and the recipient's device. The company says this is to ensure you have cloud backups and access to your chat history on any device. Some cybersecurity experts have also questioned Telegram's encryption method, which was developed in house and is not open source.
Besides developing the benchmark end-to-end encryption protocol, Signal is generally the privacy advocate's choice of most-secure messenger app. Chats are fully encrypted by default, as is metadata like who you're talking to. Messages can be set to self destruct and can be sent anonymously.
In 2016, Signal was subpoenaed and could only produce the last date that a user's app accessed its servers and the time when the account was created, proving how little data it actually holds. "The Signal service was designed to minimize the data we retain," Signal's founder Moxie Marlinspike told The New York Times after the investigation's details came out. The open-source app is vouched for by Edward Snowden, and the nonprofit Signal Foundation's chairman is none other than a co-founder of WhatsApp.