Secure digital communication

Tools you should use to communicate.

The following tools have high security standards and are generally trusted by most independent computer security professionals.

Signal for secure instant messaging and phone calls.

is an instant messenger available on Android, iOS, Mac OSX, Windows, and Linux. Signal is developed by a non-profit foundation that releases the underlying source code and designs for independent computer security professionals to audit and approve.

ProtonMail for secure email

is a provider of end-to-end encrypted email. It has one of the strongest reputations for security in the industry.

Many journalists have a public-facing ProtonMail email address for new sources to contact them. If you want to email someone that had a ProtonMail email address, you should email them from another ProtonMail account. and cannot even be read by ProtonMail employees. Whereas if you send an email to a ProtonMail user from an unencrypted email service like Gmail, then your email provider (and law enforcement) can still read what you sent.

Tools you should NOT use to communicate.

This below list is incomplete. No matter what, you should stick to communicating with Signal and ProtonMail whenever possible.

Telephone calls

You should treat phone calls on telephone networks as unencrypted. Assume the government or someone else is listening. Even if you think that nobody is listening to your phone calls, it is entirely possible that the person you are calling is under surveillance.

You should also assume that your adversary will be able to obtain the metadata of your phone call:

• Who you called

• When you called them

• The cell phone towers connecting you, which provide a rough location of where the callers were.

SMS/text messaging

Traditional email

Traditional email services like Gmail are not end-to-end encrypted. Your browser may have an encrypted connection to Gmail, and Gmail uses encryption to send the email to your recipient, but your email exists unencrypted on their mail servers. Law enforcement can request access to these emails.

Social network direct messaging

The messaging tools from Facebook, Twitter, Instagram, Snapchat, and WeChat are typically not end-to-end encrypted. Employees of these social networks and law enforcement may be able to see what you send.

Snapchat

Snapchat is known for being an easy way to send disappearing messages, but this does not make Snapchat secure for activists.

Workplace messaging apps

Slack, Discord, Google Meet, Microsoft Teams, and other apps are typically not end-to-end encrypted. Employees that make these apps as well as law enforcement may be able to see what you send.

Zoom

You should instead make video calls with Signal. However, as of this time of writing, Signal does not support group calling or screen sharing.

WhatsApp

However, Signal is run by a foundation that publicizes the source code and designs for Signal so they can be independently audited by security researchers. WhatsApp uses some of the same technologies, but WhatsApp itself cannot be audited in the same way. Because of this, nearly all security researchers advise people to use Signal instead.

iMessage

iMessage is a messaging service offered by Apple for users of their devices. Apple has historically had a strong stance on security and they claim that iMessage conversations are end-to-end encrypted, but iMessages has several problems:

• iMessage is not available for non-Apple phones. iMessage falls back to sending an insecure SMS in this case.

• iMessage is a proprietary system that is not easily audited by the security community.

Use Signal instead.