“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Ever since National Security Agency whistleblower Edward Snowden uttered that quotable truism in 2013, companies have raced to compete in a new marketplace of privacy-conscious consumers. Practically every month, yet another privacy app is pitched to tech journalists, promising to protect users’ communications with strong encryption and revolutionary ease of use.
That’s a big change from the pre-Snowden days. Encryption is now more accessible than ever before, and it’s ultimately a good thing for the public that companies are competing on privacy and security. But not all privacy apps are created equal. The truth is that cryptography is hard, and consumers should be wary of startups offering magic solutions to some of its oldest and most intractable problems.
Over the past few weeks, security experts have been calling shenanigans on some of the most egregious claims made by this new batch of encryption apps. The latest is Zendo, a messaging app profiled breathlessly by TechCrunch last week, which claims to use an old, uncrackable encryption method known as one time pads. On paper, it works like this: Every time a message is sent, the sender and receiver use a large key of random numbers they’ve previously shared (traditionally on a pad of paper) to obfuscate the message in transit. After the recipient decrypts the message, the key is destroyed, making it impossible for eavesdroppers to break the code.
Zendo’s creators describe one time pads as “the unicorns of cryptography,” but just like in folklore, people who claim they’ve befriended crypto unicorns tend to be met with skepticism. As cryptographer Joseph Bonneau explains on his blog, making uncrackable one time pads requires that you generate a ton of purely random data — an impossible task for the processor on your iPhone or Android; for Zendo to send messages quickly, it has to generate numbers pseudo-randomly — i.e., less securely — using math functions that can be cracked and are therefore not suitable for one time pads. More important, like many mass-market apps such as Apple’s iMessage, Zendo is not open source, meaning there’s no way for experts to verify how secure it really is.
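The difference Bonneau describes can be shown in a few lines. This is an added example, not Zendo's code (which is closed source): the function names are hypothetical, `os.urandom` stands in for a pre-shared random pad, Python's `random` module stands in for a non-cryptographic generator, and the 16-bit seed is a constructed, deliberately small value.

```python
import os
import random

SEED_BITS = 16  # constructed, deliberately tiny so the search below finishes quickly

def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; used for both encryption and decryption."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the message; a pad is never stretched or reused")
    return bytes(d ^ p for d, p in zip(data, pad))

def true_pad(n: int) -> bytes:
    """n independent pad bytes (os.urandom stands in for a pre-shared random pad)."""
    return os.urandom(n)

def stretched_pad(seed: int, n: int) -> bytes:
    """n pad bytes expanded from a short seed by a non-cryptographic generator."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which ciphertext would decrypt to candidate."""
    return xor_bytes(candidate, ciphertext)

def seeds_consistent_with(ciphertext: bytes, known_prefix: bytes) -> list:
    """Every seed whose expanded pad matches the pad bytes implied by a known prefix."""
    implied = xor_bytes(known_prefix, ciphertext[:len(known_prefix)])
    return [s for s in range(2 ** SEED_BITS)
            if stretched_pad(s, len(implied)) == implied]

if __name__ == "__main__":
    msg = b"meet at the usual place at nine"      # constructed sample message
    decoy = b"stay home, nothing is happening"    # same length, different meaning

    # Random pad: some pad maps the ciphertext to any same-length message,
    # so the ciphertext alone cannot tell msg and decoy apart.
    ct = xor_bytes(msg, true_pad(len(msg)))
    print(xor_bytes(ct, pad_explaining(ct, decoy)) == decoy)

    # Seed-expanded pad: only 2**SEED_BITS pads exist, so a few known bytes
    # of plaintext pin down the seed and with it the whole message.
    ct2 = xor_bytes(msg, stretched_pad(0xBEEF, len(msg)))
    found = seeds_consistent_with(ct2, msg[:8])
    print(found, xor_bytes(ct2, stretched_pad(found[0], len(ct2))))
```

With a random pad the number of possible keys grows with the message; with a seed-expanded pad it is capped by the seed, however long the pad looks.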
That opacity is a red flag for many security experts, and it should alarm consumers too. Companies have financial incentives to protect intellectual property, but obscuring the innards of their apps can have dire consequences for users’ security. On the other hand, keeping code open can give an advantage to attackers if there aren’t enough people hunting down bugs.
Even when an app’s code is publicly available, hype can sometimes drown out security concerns. A recent profile of Pavel Durov, a former CEO of the Russian social network VKontakte, describes his popular messaging app Telegram as a revolutionary product that eschews commercial incentives and uses “hard-core encryption” to fight government surveillance.
“Secure messaging should be free for everyone. Displaying ads alongside your private communication seems out of place, even immoral,” he told Wired UK, mentioning “end-to-end encryption, self-destructing messages and self-destructing user accounts” as some of his app’s main features.
But unlike its competitors WhatsApp, Signal and TextSecure, Telegram doesn’t actually enable end-to-end encryption by default. That means that until you turn the feature on, your messages can still be read by Telegram. That’s problematic because users tend to assume they’re secure and rarely change their default settings. And according to cryptographers who have reviewed Telegram’s code, the encryption itself is poorly designed and implemented.
Email privacy is even more complicated. Several paid services now advertise solutions for simple email encryption, attracting average users who can’t get the hang of Pretty Good Privacy (PGP), a powerful but unwieldy piece of encryption software written in the 1990s. StartMail, a privacy-friendly email service based in the Netherlands, says it offers “one-click PGP encryption” that makes “state-of-the-art privacy protection easy and available to everyone.” The company name-drops Snowden in its press releases and claims on its website that it “never reads your email.”
But there’s a big difference between saying you won’t read user emails and not being able to. Services such as StartMail are easy to use because they outsource the encryption to remote servers. That means your messages are encrypted on a server, not your local device, and the company in the middle — at least for some small window of time — is able to see your keys and decrypt messages, willingly or otherwise. A competing service, Virtru, provides encryption without storing any mail content, but it still controls everyone’s keys, which could be stolen en masse or requested by governments.
In other words, if a complicated process is made easy, it’s probably because you’re trusting someone else with your privacy.
These offerings are, of course, improvements on the commercial privacy tools that existed prior to the Snowden revelations. After all, most ordinary people are more worried about privacy threats like cybercriminals and identity thieves than about NSA snooping, and some protection is better than none. According to a Pew poll released last month, only 34 percent of Americans have changed their online habits in response to Snowden’s surveillance revelations.
But there is a standard of privacy we should demand in our communication tools, and it starts with cutting out the middleman and using open-source, end-to-end encryption by default. Third parties should never access or store any keys or unencrypted messages, and the code should be fully transparent for outside experts to examine.
This kind of encryption software is improving, and in some cases (as with Open Whisper Systems’ free Signal and TextSecure apps) is becoming fairly easy to use. Using off-the-record messaging, an encryption protocol that works with chat clients such as Adium and Pidgin, may not be as glamorous as using Facebook or Google’s Gchat, but it isn’t hard to set up and has stood the test of time — even against powerful adversaries such as the NSA.
The lesson here is simple, and Bonneau summarizes it well, saying, “If a new crypto tool is first announced in a press release or popular science magazine, don’t use it.” Good security needs to be tested and proved over time. The question becomes whether the most secure solutions will be trendy and attractive enough to win out in the end.