Cybersecurity expert Ben Finn explains why journalists should prefer encrypted messaging application Signal, over other similar applications for the protection of themselves and their sources when communicating sensitive information.
Encrypted messaging applications are an imperative part of keeping your sources and yourself safe when executing journalistic work. The most commonly used are Signal and Telegram, in operation for ten and eight years respectively and both available for free download on iOs (Apple) and Android (Google). Telegram is more widespread with 200 million users compared to Signal’s 40 million users. Other popular messaging platforms such as WeChat and Whatsapp are not recommended: as WeChat is not encrypted and is monitored by the Chinese regime, it must never be used to communicate sensitive information. In a policy change, Whatsapp has recently made all metadata accessible by its parent company Facebook, as well as increased its metadata collection scope.
Journalists should undoubtedly use Signal when security is a top priority, as the encrypted app is being developed by a security-conscious, non-profit organisation. All conversations use end-to-end encryption (E2EE) by default, blocking even Signal servers from reading its user’s private messages. All chats and groups have the option to enable disappearing messages. The application is powered by donations, does not profit off the selling of any data and collects very limited metadata.
Protection against digital forensics
Using applications with end-to-end-encryption is highly recommended particularly when doing sensitive reporting that relates to government activities, as their forces won’t be able to access message details via any internet service providers (ISP). Signal includes features like ‘sealed sender’, which encrypts the sender and recipient details and security code, which detects whether the device used by a contact has changed. Should a device be seized, these features protect users against the infamous Cellebrite digital forensics software that may allow intruders to access any past information. Signal is particularly useful when the technology literacy of a contact is low, as important security features are set by default.
If security is not the primary concern, Telegram has a stronger set of features that include photo editing, locating users nearby and scheduled messages. Signal does not support all document types and message history is not maintained when a device changes or app reinstalls. Telegram can be used when tech knowledge is higher in both parties and careful enough to keep their private information in secret chats. As there are disputed suspicions that Telegram may have connections with the Russian government, it is not recommended to use in Russia.
- Open Sourced, non-profit, funded by donations
- Constantly improving security with innovative features
- Protection against Cellebrite’s digital forensics software.
- Phone numbers are displayed even in group chats, which creates the risk of being tracked.
- Phone numbers not shown to other users.
- Limited metadata tracking and GDPR compliant, although IP addresses are logged on servers.
- Distributed servers throughout the world reduce subpoena-able footprint in the world.
- Telegram is suspected to have connections with the Russian government and there’s a widespread concern about its proprietary encryption protocol’s integrity.
- End-to-end encryption is only enabled for secret chats and voice calls when both parties are online.
- Disappearing messages only enabled with secret chats.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been working in Myanmar and researching how to maintain proper security in the context of an oppressive nation-state. In the last few months, he has been working with multiple groups in Taiwan to train them on proper security and safety measures.