Secure digital communication

You should use Signal and ProtonMail to communicate online.

Tools you should use to communicate.

The following tools have high security standards and are generally trusted by most independent computer security professionals.

Signal for secure instant messaging and phone calls.

Signal is an instant messenger available on Android, iOS, Mac OSX, Windows, and Linux. Signal is developed by a non-profit foundation that releases the underlying source code and designs for independent computer security professionals to audit and approve.

Download Signal for your computer or phone here.

ProtonMail for secure email

ProtonMail is a provider of end-to-end encrypted email. It has one of the strongest reputations for security in the industry.

Many journalists have a public-facing ProtonMail email address for new sources to contact them. If you want to email someone who has a ProtonMail email address, you should email them from another ProtonMail account. Emails between ProtonMail users are end-to-end encrypted and cannot even be read by ProtonMail employees. However, if you send an email to a ProtonMail user from an unencrypted email service like Gmail, your email provider (and law enforcement) can still read what you sent.

Tools you should NOT use to communicate.

The list below is incomplete. No matter what, you should stick to communicating with Signal and ProtonMail whenever possible.

Telephone calls

You should treat phone calls on telephone networks as unencrypted. Assume the government or someone else is listening. Even if you think that nobody is listening to your phone calls, it is entirely possible that the person you are calling is under surveillance.

You should also assume that your adversary will be able to obtain the metadata of your phone call:

  • Who you called

  • When you called them

  • The cell phone towers connecting you, which provide a rough location of where the callers were.

SMS/text messaging

SMS is an incredibly insecure protocol, and should not be used for communicating. SMS messages are unencrypted and phone numbers are frequently subject to being stolen via SIM-jacking. Popular Mechanics has a deep dive into the security issues around SMS.

Traditional email

Traditional email services like Gmail are not end-to-end encrypted. Your browser may have an encrypted connection to Gmail, and Gmail uses encryption to send the email to your recipient, but your email exists unencrypted on their mail servers. Law enforcement can request access to these emails.

It is possible to layer on additional encryption with tools like Pretty Good Privacy (PGP) or S/MIME, but using these tools is typically far more complicated than just using Signal instead.

If you must use email, ProtonMail is an email provider with a reputation for security.

Social network direct messaging

The messaging tools from Facebook, Twitter, Instagram, Snapchat, and WeChat are typically not end-to-end encrypted. Employees of these social networks and law enforcement may be able to see what you send.

Facebook Messenger's Secret Conversations are an exception. Secret Conversations are presumably end-to-end encrypted, but it is difficult for independent security professionals to audit this. You should use Signal instead.

Snapchat

Snapchat is known for being an easy way to send disappearing messages, but this does not make Snapchat secure for activists.

Snapchat promised that their messages disappear, but they got in trouble with the US Federal Trade Commission when it came out that they were storing messages after they had supposedly "disappeared." More recently, Snapchat has claimed to have added end-to-end encryption, but you should still stick to using Signal.

Workplace messaging apps

Slack, Discord, Google Meet, Microsoft Teams, and other apps are typically not end-to-end encrypted. Employees of the companies that make these apps, as well as law enforcement, may be able to see what you send.

Slack's enterprise plan offers encryption key management, but this system should not be considered resilient to law enforcement. Use Signal instead.

Zoom

As of June 2020, the Zoom video chat app does not intend to offer end-to-end encryption for users on Zoom's free tier. This is partially to allow law enforcement access to these Zoom calls to cut down on illegal behavior on the Zoom platform.

You should instead make video calls with Signal. However, as of the time of writing, Signal does not support group calling or screen sharing.

WhatsApp

WhatsApp is significantly more secure than most messengers. Under the hood, it uses the same security protocols as Signal.

However, Signal is run by a foundation that publicizes the source code and designs for Signal so they can be independently audited by security researchers. WhatsApp uses some of the same technologies, but WhatsApp itself cannot be audited in the same way. Because of this, nearly all security researchers advise people to use Signal instead.

iMessage

iMessage is a messaging service offered by Apple for users of their devices. Apple has historically had a strong stance on security and they claim that iMessage conversations are end-to-end encrypted, but iMessage has several problems:

  • iMessage is not available for non-Apple phones. iMessage falls back to sending an insecure SMS in this case.

  • iMessage is a proprietary system that is not easily audited by the security community.

Use Signal instead.
