Secure Communication

[Kendo]

As a developer of security for web applications, I don't pay a lot of attention to the plethora of apps for private messaging on mobile phones. While private messaging may seem to be related to copy protection, it is not. In fact its userbase is totally different.

For example copy protection is the prevention of copy and rights management to control you can read/view intellectual property. Alternatively, private messaging is mainly sought by those engaged in illegal activity.

For private messaging between employees of a company, almost any intranet based messaging platform can be most secure. For tighter controls with options of DRM and copy protection we provide Safeguard Webmail. As the innovators of secure communication and developers of the most secure DRM and copy protection solutions we fully understand the process and its limitations.

So when we read that ASIO and the FBI have intercepted messages between drug importers and other criminals, we are not surprised. But we are surprised at how stupid those that hope to conceal their activity by using using third party privacy apps really are.

For example, don't they realise that by simply using such a privacy app can raise a red flag?

How does one get noticed? Everyone needs to realise that Internet traffic is monitored by thousands of entities, and not just national security agencies. If you have through some activity been flagged as a suspect, someone will be monitoring your Internet activity. And even if you are unknown, simply visiting a web site promoting secure applications can get you flagged.

Sure, using a VPN that rotates end point connections is supposed to be private, but again, simply using a VPN can get you flagged. And while privacy providers may be continually devising new methods to protect identities, the authorities will always be up to speed because they have to prevent the most serious of threats like terrorism plots.

In summary, no service can be 100% secure because none can operate outside of the law, and no service will openly admit that everything passing through their datacentre is open to scrutiny by AI surveillance.

[Support]

no service will openly admit that everything passing through their datacentre is open to scrutiny by AI surveillance.

Allowing private messaging services to exist creates honey pots that can be monitored.

[magnadev]

I see that some phone apps don't actually use a phone number or email address, and that some only use a randomly generated keycode and no further identification is required. Paying by bitcoin can keep it anonymous.

[TobiNoc]

when we read that ASIO and the FBI have intercepted messages between drug importers and other criminals

Did they actually intercept messages, or simply read the messages on someone's phone?

I can appreciate the latter because by simply opening the person's phone, a call history will show what messages were sent and received.

[Support]

In any case, regardless of whether an email address or phone number is used as an identifier for login, every account has an ID number and it is that ID number that is used to log messages, etc. Yes, everything still needs to be logged, otherwise how can any user find which messages are meant for them?

Can that secured?

An app can send an encrypted keycode for each message request and the message can be encrypted, so any data collected between sender and receiver can be secured, but how secure remains to be the question. A point to note with encryption is that the more secure the encryption, the more that data increases in size, and the more obscure the encryption the computer resources of national security agencies will still crack it.

However, after all of this, the hosting server will have a record of all messages and while a user's keycode may not be associated with any phone or email, IP addresses will be logged, even if for internal security review to ensure that their database has not been compromised.

Anyone gaining access to that database will have the keys to the city. No doubt there will also be a backup on the cloud.

Which one of the services that are supporting criminal activity can you trust?

[Kendo]

FYI of all the secure messaging services reviewed, Threema seems to come out on top, and yes they use unique user IDs instead of phone numbers or email. In fact it was Threema that was mentioned in the news about a recent drug ring arrest here in Australia.

But unique IDs are nothing new because ArtistScope has been using unique UserIDs since they invented "call-to-home" DRM more than 2 decades ago. With our apps that unique UserID is sent with every file/page request, making login unnecessary while ensuring that access cannot be shared or granted to unauthorized people.

[Nurogen]

they use unique user IDs instead of phone numbers or email

I wonder if they are using randomly generated numbers, like with password generators. Are they storing that ID in registry or as a cookie?

if so, how secure can that be?

[Support]

I wonder if they are using randomly generated numbers, like with password generators. Are they storing that ID in registry or as a cookie?

It doesn't matter how they generate the ID as long as it is original. Any duplication would be a huge problem because private messages could be read by uninvited parties.

How they are stored on a user's device is irrelevant. Once the device is open anyone using that device will be able to read the messages. They could also get the UserID to reply to messages and bait traps.

if so, how secure can that be?

How secure any solution is depends on how sophisticated it is and whether they have covered all avenues of exploit. As a user of such a service you will have no idea - have they included every feature that they claim, or did they simply copy the feature list from their competitor's website?

[Nurogen]

Wouldn't using unique ID as the username further validated by password be secure?

[Support]

Wouldn't using unique ID as the username further validated by password be secure?

Yes, that would solve the problem mentioned previously.