EFF ranks Messaging for Safety and Security: iMessage/Facetime Strong
The Electronic Frontier Foundation (EFF) has recently ranked various electronic messaging systems for safety and security. It may not be a big surprise that no mainstream electronic messaging product passed all of the EFF’s criteria, but some did come close, the most notable of which are Apple’s FaceTime and iMessage services.
The EFF has tested three dozen products to see if they used encryption to protect communications at the provider level and while they are in transit. They also examined whether the products tested allowed independent review of their security procedures and had source code that was audited.
In order to get a perfect ranking, a product would need to meet the following criteria:
- Communications encrypted in transit.
- Communications encrypted so that the provider cannot read them.
- The ability to verify the identities of your contacts.
- Security for past communications if your keys are stolen.
- Code open to independent review.
- Properly documented security design.
- Code that has been thoroughly audited.
Even though Apple does have an advantage over products offered by Facebook, Google, Yahoo and BlackBerry, their iMessage and FaceTime offerings don’t provide enough protection against surveillance that would be sophisticated and targeted.
BlackBerry Messenger, WhatsApp, Facebook Messenger, WhatsApp, Google Chat and Hangouts, Skype, AIM, Secret, SnapChat and Yahoo Messengers were all criticized by the EFF as they fail to provide end-to-end encryption. This means that messages sent with the help of these services are just as insecure as a regular email message. On the other hand, FaceTime and iMessage communications are encrypted.
Just like Skype, BlackBerry Protected and BlackBerry Messenger, Apple’s services don’t have a certificate signing mechanism in place, which means that users will not be able to certify their own messages for authenticity or verify the identity of their contacts.
Apple iMessage and FaceTime, plus BlackBerry Protected all passed the test when it comes to having a secure design that is properly documented, but the majority of other services, like Google Hangouts, Skype, Facebook Messenger and BlackBerry Messenger did not.
One of the biggest complaints brought forward by the EFF is that the majority of tools which are designed to be used by the general public fail to implement security best practices, which would include providing end-to-end encryption and having a source code that is open and can be reviewed independently. Products offered by Apple, Skype, Facebook, BlackBerry and Google are all closed source. Only a few specialty services that are largely unknown to the general public like ChatSecure + Orbot and CryptoCat have gotten perfect rankings in the EFF’s report.
When it comes to user privacy and security in general, the EFF notes that Apple has shown a large amount of improvement when it comes to their commitments to privacy and transparency. Apple has been congratulated for the initiatives they’ve taken to protect user data from the government. The company does this by requiring a proper warrant before disclosing content, publishing guidelines that law enforcement agencies must follow if they want access to private information belonging to users, informing users about data requests made by government agencies, as well as fighting to defend its users’ privacy in court cases and before Congress.
Apple’s CEO, Tim Cook, has published an open letter to customers last month in which he reminds them that unlike Facebook and Google, his company doesn’t build a customer profile based on their browsing habits or content of their communications in order to sell it to advertisers and doesn’t try to monetize the content users store in the cloud or on their devices.
Latest posts by James Vrionis (see all)
- Barron’s talks Apple Inc. “problem” — What is it? - April 18, 2015 02:37 PM PST
- American International Group Inc (AIG) Reprices AG Select-a-Term Nationally; Launches in NY - February 9, 2015 08:41 AM PST
- Google Inc teams with WePay to enable Google Wallet - January 28, 2015 09:25 AM PST