Sunday Letter
Messaging Apps
Dear reader, Messaging has been to the Mobile revolution what email was to the Internet. The combination of widely-available mobile internet and the rapid profusion of messaging apps means that you can get in touch with just about anyone, anywhere, for virtually free.
The problem these days is not ease of communication – it’s perhaps the over-ease of communication. We’re bombarded by a plethora of pings from people all wanting slices of our time. We’ve all had times where we saw a message come in, but can’t remember which app it came in through. And we’ve all experienced the frustrations of trying to convince your friends and colleagues to all adopt the same messaging app as you.
The ubiquity of messaging means that it has massive potential as a channel through which to deliver other services. Just witness the explosive growth of WeChat and its entire ecosystem. Soon messaging apps will be used to make payments to other people, and interact with companies and their services. Chatbots which automatically respond to requests are rapidly becoming better (racist tendencies notwithstanding). Fusang team members book leave through a chatbot integrated into our Slack platform.
Curious about how this all started? I’ve attached at the end of this email a (rather long) infographic detailing the timeline of the history of instant messaging.
I want to discuss here instead the different security and encryption features of leading messaging apps.
The Good
WhatsApp
Perhaps the most globally-ubquitious messaging app today, WhatsApp now has 1.5 billion users (20% of humanity), with 60 billion messages being sent every day. WhatsApp implemented the Signal Protocol in 2016, rolling out end-to-end encryption to all users automatically. End-to-end encryption means that messages are encrypted/decrypted using the Public/Private key encryption that I’ve written about previously, such that no-one in the middle, including the company itself, can read the content of messages.
WhatsApp’s implementation of end-to-end encryption represents the largest ever mass roll-out of a secure encryption protocol, and they have done more than anyone else to bring the value of encryption to the public consciousness.
While there are certain trade-offs (let’s face it…who actually scans those QR codes to verify the keys of people you are talking to), I believe that this represents the most secure widely-used messaging platform available today. As in most things, there needs to be a balance between security and functionality, and WhatsApp represents this sweet spot, at least for now. Many people, including WhatsApp’s founders, have concerns about Facebook’s potential plans to monetise WhatsApp.
iMessage
Apple’s built-in messaging platform, by integrating with native SMS, allowed for the seamless integration of IP-based messaging, before it became as widespread as it has today. Apple’s strength has always been such user design: adding functionality without customers having to do anything (indeed, often without customers even know that such functionality has been added).
As Apple’s business model is based on selling hardware, and not based on selling ads or customer data, there is little worry that they will compromise the end-to-end encryption built into iMessage. The single biggest drawback of iMessage is that it is only usable on Apple devices.
Telegram
Founded in 2013, Telegram offers a secure messaging platform, although not based on the public Signal Protocol. Telegram has recently become popular among the crypto-community, especially as it allows for very large group chats: making it an ideal marketing platform. Russia recently attempted to ban Telegram, arguably helping to increase its adoption (failed governmental bans are perhaps the best marketing a messaging app can have).
Signal
Open Whisper Systems, founded by the encryption guru Moxie Marlinspike, developed the Signal Protocol used today by many platforms such as WhatsApp. They have done more than just about any other company to bring strong encryption to the public in an easy-to-use fashion.
The Signal app itself is likewise based on the Signal Protocol, but makes a number of design choices that make it the strongest encryption app in use today. For example, unlike WhatsApp, Signal does not store any metadata beyond the phone number you used to sign up for the service. Although the content of WhatsApp messages cannot be read by anyone else, the WhatsApp servers do store metadata such as who you have messaged, and when. Such metadata can be more revealing than you might as first think. Consider these examples:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
The key downside of Signal is that its use is nowhere near as widespread as WhatsApp or other messaging platforms – and a messaging platform is only as useful as the number of people you can message on it.
The Bad
Facebook Messenger
Commonly known just as “Messenger”, it now has 1.3 billion users (meaning that combined with WhatsApp, Facebook now controls messaging apps used by ~40% of humanity). While Facebook Messenger encrypts data in transit, it does not prevent the company itself from reading messages server-side. Facebook needs access to the data to sell ads. Like WeChat, Facebook is attempting to build an ecosystem of services around Messenger – including cryptocurrency payments.
Snapchat & Instagram
Like Facebook Messenger, both Snapchat and Instagram encrypt messages in transit, but do not provide end-to-end encryption: meaning that the companies themselves can, and do, read the contents of messages. Both apps make money by selling ads targeted to users based on the content of their messages.
The Ugly
WeChat
Quite apart from not being encrypted, WeChat openly provides information to the Chinese government. This is not limited to the tracking of messages sent by specific individuals, but apply app-wide to certain key words. Discussions of morality or governance aside, the fact that thousands of WeChat staffers and other people tasked with manually inspecting and screening messages can view everything you send should give you pause. This is the reason many companies ban employees from sending sensitive data over WeChat.
That said, WeChat has built a brilliant ecosystem around its core messaging platform, allowing users to do everything from ordering takeout, to paying their electricity bills. The platform WeChat has built remains the envy of many other messaging apps, and is a shining example of the way that messaging can, and will, be integrated into every part of our lives.
SMS
The original mobile messaging “app” is still very much in use, although in many countries these days it has largely been relegated to providing notifications. I still remember the days when I thought having 300 free monthly SMS included in my phone plan was excessive: “How could anyone ever send that many in 1 month?”
The great strength of SMS is its ubquitious interoperability. All mobile phones support it. Unfortunately, you can’t send them for free internationally. And more importantly, all information sent by SMS is completely unencrypted, free for anyone “listening in” on the connection to view.
This is especially worrying as many companies still use SMS to send the 2FA (Two-Factor Authentication) codes that I wrote about in a previous newsletter. Apart from them being intercepted by a “man-in-the-middle” attack, there have been instances of hackers porting peoples’ phone numbers to new SIM cards (claiming to the telco that they had “lost their phone”) in order to steal verification codes for cryptocurrencies.
So what messaging apps do you use? Is security and encryption something you’ve thought about? Has your company jumped on the messaging train? Does your bank still use old-school, unsecured SMS verifications?
Hit reply and let me know!
Yours Sincerely,
Henry Chong
