In the age of ubiquitous government surveillance, the only way citizens can protect their privacy online is through encryption. Historically, this has been extremely difficult for mere mortals; just watch the video Edward Snowden made to teach Glenn Greenwald how to encrypt his emails to see how confusing it gets. But all of this is quickly changing as high-quality, user-friendly encryption software becomes available.
App maker Open Whisper Systems took an important step in this direction today with the release of a major new version of its Signal encrypted calling app for iPhones and iPads. The new version, Signal 2.0, folds in support for encrypted text messages using a protocol called TextSecure, meaning users can communicate using voice and text while remaining confident nothing can be intercepted in transit over the internet.
That may not sound like a particularly big deal, given that other encrypted communication apps are available for iOS, but Signal 2.0 offers something tremendously useful: peace of mind.
Unlike other text messaging products, Signal’s code is open source, meaning it can be inspected by experts, and the app also supports forward secrecy, so if an attacker steals your encryption key, they cannot go back and decrypt messages they may have collected in the past.
Signal is also one special place on the iPhone where users can be confident all their communications are always fully scrambled. Other apps with encryption tend to enter insecure modes at unpredictable times — unpredictable for many users, at least. Apple’s iMessage, for example, employs strong encryption, but only when communicating between two Apple devices and only when there is a proper data connection. Otherwise, iMessage falls back on insecure SMS messaging. iMessage also lacks forward secrecy and inspectable source code.
Signal also offers the ability for power users to verify the identity of the people they’re talking to, confirming that the encryption isn’t under attack. With iMessage, you just have to take Apple’s word for it.
Strong, reliable, predictably-applied encryption is especially important at a time when the world just found out, via a report by The Intercept, that American and British spies hacked into the world’s largest SIM card manufacturer and stole the encryption keys that are used to protect communication between handsets and cell phone towers. With these keys, spies can eavesdrop on phone calls and texts just by passively listening to the airwaves.
Signal development is also noteworthy because its makers, Open Whisper Systems and that company’s founder Moxie Marlinspike, are gaining a reputation for combining trustworthy encryption with ease of use and mobile convenience. Open Whisper Systems recently partnered with the makers of the messaging app WhatsApp to add encryption to that popular product (WhatsApp is not yet fully encrypted across all platforms and media types).
“We want to make private communication simple,” says Marlinspike, who designed the encryption protocols that power his company’s apps. “Our objective is to do new cryptographic research and development that advances the state of the art while simultaneously making it frictionless and accessible for anyone.”
iPhone users can find Signal here. For Android users, the product is, at the moment, split into two apps: TextSecure for private texting and RedPhone for private voice calls. “We’re working towards a single unified Signal app for Android, iPhone and the desktop,” says Marlinspike.
It’s important to keep in mind that no technology is 100 percent secure, and an encrypted messaging app can only be as secure as the device you install it on. Intelligence agencies and other hackers can still exploit security bugs that have not been fixed, known as zero day exploits, to take over smartphones and bypass the encryption that privacy apps employ. But apps like Signal go a long way to making mass surveillance of billions of innocent people infeasible.
Update: Changed wording in the lede to better reflect the caveats deeper in the piece.