There's No Quick Fix For Securing Communications: EFF Ditches Secure Messaging Scorecard
from the all-things-to-all-people-leaves-most-people-underserved dept
The EFF hasn't released a scorecard for secure messaging apps since 2014. The scorecard has been updated several times, but there's no current quick reference guide for secure messaging that considers all the tech (and legal) developments over the past four years. The EFF's guide was handy, but it also was the target of legitimate criticism. Simplifying complex issues is helpful, but not if it inadvertently omits critical considerations.
The EFF recognizes there's no quick and dirty way to solve everyone's security issues. Consequently, the EFF has announced that it will no longer be providing a secure messaging scorecard. It will still provide plenty of useful info for those seeking secure options, but it cannot in good faith claim to address every potential issue in an easy-to-follow infographic.
No single messaging app can perfectly meet everyone’s security and communication needs, so we can’t make a recommendation without considering the details of a particular person’s or group’s situation. Straightforward answers are rarely correct for everyone—and if they’re correct now, they might not be correct in the future.
[...]
[A]ny recommendation is much more like a reasonable guess than an indisputable fact. A messenger recommendation must acknowledge all of these factors—and, most importantly, the ways they change over time. It’s hard enough to do that for a specific individual, and nearly impossible to do it for a general audience.
There are too many factors to consider to reduce secure messaging options to a simple checklist of features. The features people need depend on the threats they're facing. In some cases, governments and law enforcement are the primary concerns, making secure end-to-end encryption a must. In other cases, it's fellow citizens (ex-spouses, angry co-workers, etc.) who are an issue, making ephemeral messaging more desirable than solid encryption.
Also thrown into the mix are options users have when using secure messaging apps, including default options (like cloud backups) users may not be aware of that somewhat compromise the security of their communications. On top of that, there are local laws and local government efforts that affect the security of users. For instance, Telegram's base messaging service is used by millions of Russian citizens. Unfortunately, the base offering is secured by keys held by Telegram, which has just been ordered by a Russian court to turn those over to the government.
Fortunately, this isn't necessarily bad news. While a cheat sheet is definitely preferable to digging through a lot of research (some of it impossible for novice users to parse), there's still plenty of information out there covering tradeoffs and offering step-by-step instructions for hardening your personal security. The EFF will continue to provide as many security tools as possible for those seeking to secure their communications, but it will no longer be a single sheet of Y/N inputs.
Security is hard. Personal security -- and personal privacy -- is something that requires a great deal of continuous attention by those seeking to keep their private communications private. While the rise of default encryption has made it easier for many people to secure devices and the info on them, it has been accompanied by an increase in cloud-based backups and other, often automatic, recovery options that undermine the security of stored communications.
Laws controlling government access to communications and data continue to change and our own Justice Department is pushing for legislation compelling service providers to break encryption on demand. Elsewhere in the world, governments are reacting to terrorist attacks and a plethora of speech issues by increasing their direct control of internet communications platforms. The threat models constantly shift and there's very little available that works well for everyone, especially when the main threat is state-sponsored hacking.
Everyone should take an interest in securing their communications. The EFF just wants you to know it's not as simple as downloading a couple of apps. There's no one-size-fits-all solution and the EFF would rather no one visiting its site walks away with that impression. There's no shortage of information available but there will be no future messaging scorecards that understate the complexity of the situation.