Privacy in Instant Messaging Applications
What is this guide?
This guide provides the technical knowledge necessary for individuals and groups to maintain their digital privacy and security while they conduct different forms of communication
- Secure communication between individuals through instant messaging software and applications running on smartphones.
- Communication between groups through instant messaging software and applications that run on smartphones, including meetings.
- Offering technical knowledge related to the security and privacy options provided by popular instant messaging software.
- General information brief about relevant laws and practices.
Who is this guide for?
Any user can benefit from this guide.But it is directed primarily to certain groups.
This guide is mainly directed to:
Bloggers and digital activists.
Lawyers and researchers.
Explore training guides for each application:
First: Identifying the Risks
The process of securing communications varies according to the type of activity practiced by the users and the type of risks they face, and it is an ongoing process and not just a set of tools. The users need to constantly review the procedures and applications that they rely on.
1. Yes, you have something to hide
Anyone who wants to protect their privacy should not deal with their communications with the rule: “I have nothing to hide.” In fact, everyone has something to hide; Starting with personal photos, banking information, health information, sexual preferences and activities that you would engage in as a user in the public domain. The first step in the process of securing personal data and the content of correspondence and communications is to be certain that every person – including you – has something to safeguard without anyone else knowing it.
2. What do you want to safeguard?
Specify precisely a list of information and data that you want to keep out of the reach of others, for example, but not limited to, this list may include your personal correspondence, your bank information, personal photos, information about your business, or if you have activity in the public domain. Your list may include files, documents or correspondence related to your activities.
3. Who is targeting you?
It is important to have a list of who is targeting you, this will help you choose the procedures and software that are compatible with the type of attack that you may be exposed to, and the technical capabilities that those who want to target you have. You could be targeted by – but not limited to – hacking individuals or groups, to blackmail you financially, or competitors in your business, advertising companies or governments.
4. What are the potential consequences of targeting your correspondence?
Identify the consequences that would happen to you if a particular attack was successful. Also, determine whether you are the only one who will suffer the harm or will the harm include others, such as your family members, your business partners, or those with whom you communicate about activity in one of the fields you are interested in. Determining the consequences and the extent of the expected harm to you and others will subsequently reduce the harm that targeting you cause.
5. Type of software and applications
Determine precisely the type of software, applications and services that you normally use, as this will contribute to the way you choose the software that you will rely on later and on your usual practices in communicating with others. This includes the operating systems you use (whether on smartphones or computers) and the applications you rely on to communicate with others.
Second: Basic Procedures
1. Choose open source software and applications
We highly recommend that users rely on open source software, as these applications can be reviewed by programmers and digital security experts, and thus security vulnerabilities and problems can be discovered more quickly than the case of non-open source software. Do not think that not being a programmer means that you will not be able to benefit from open source. Even if you cannot read and understand code, there is another person who is able to do so, and there are thousands of programmers who review the source code for open source software, write reviews about it and publish it online, You can search for reviews of any software or mobile application online and you will find dozens of reviews related to security and privacy for any application you want.
2. Preference for encrypted applications
Encryption is simply the conversion of data (such as text, for example) from its human-understood form to an incomprehensible form – such as symbols and numbers for example – so that no person can see this data unless he has the key to decrypt it. Some popular apps use weak encryption layers and some don’t.
3. Updates and then updates
You should update all applications and operating systems that you use as soon as they release these updates, especially if they are security updates.
- Microsoft Windows users should always make sure that the operating system has been updated with the latest available update.
- Android smartphone users should ensure that they use recent versions of operating systems and that they have monthly security updates. Some smart phone manufacturers do not update their phone operating systems periodically or quickly enough, and it is recommended that users rely on the phones belonging to the Android One project. And if you are using an iPhone, always make sure that you are using the latest version of the iOS operating system.
- Users of GNU / Linux operating systems should make sure that they apply the latest updates to operating systems, especially since GNU / Linux operating systems issue almost daily updates (including the applications they work on), and it is recommended to activate the automatic update option for security updates.
- All applications that you install on your computer or smartphone must be constantly updated, as many of these updates are intended to fill security gaps.
As we mentioned in the introduction, this guide is aimed at a specific target groups, which will focus on, while any of the users in general can apply the same procedures that the guide offers.
1. Correspondence between individuals
What is meant is an individual’s communication with one other individual.
Popular applications provide a set of security and privacy options that the user can activate. You can find more details through the following links:
Signal Private Messenger security and privacy options
WhatsApp security and privacy options
Facebook Messenger security and privacy options
Jitsi Meet security and privacy options
Wire Secure Messenger security and privacy options
We recommend that you use some apps that provide more privacy and security than their counterparts:
For bloggers and digital activists, you can rely on Signal and Wire; the two apps use end-to-end encryption. Do not share any information or sensitive data via regular email (unless it is GPG encrypted) or via WhatsApp and Facebook Messenger.
Journalists can rely on Signal and Wire to communicate with each other or between the journalist and the source, and if the source does not use either of the two applications, you can rely on Jitsi application, as it will not require the source to install any software on his phone or computer,. And you can also rely on Jitsi in the event that the source does not want to reveal their identity. You can view the security and privacy options via this link.
Lawyers and researchers in civil society organizations can communicate with each other and with their clients, eyewitnesses, or victims through the two apps Signal and Wire or rely on Jitsi app, as it will not require the other party to install any software on their phone or computer, and Jitsi can also be relied on in the event that the other party does not want to reveal their identity. You can view the security and privacy options via this link.
2. Correspondence Between Groups
All applications provide the ability to create groups (depending on the options provided by each application), but we advise bloggers, digital activists, journalists, lawyers, and civil society researchers to rely on the following applications:
Wire: You can get Wire without disclosing your mobile phone number (using e-mail only) and the application provides the possibility of group chatting (text, voice or video), the exchange of files and pictures, and automatic deletion of messages, and the application also has versions that work on Microsoft Windows and GNU / Linux, Mac OS, Android and iOS.
Signal: In general, we recommend using Signal whenever possible. Signal app provides the ability to create groups for text chat, exchange files and photos, and automatic deletion of message, but does not provide voice or video messaging for groups. The app has versions that work on Microsoft Windows, GNU / Linux, Mac OS, Android and iOS.
Jitsi: An app that’s mainly for meetings and can be relied upon as a tool for group chatting (audio or video).
Fourth: Online Meetings
In meetings, it is preferable to rely on Jitsi app, for the following reasons:
Jitsi does not require any application to be installed to use as it can be used directly from browsers on computers.
Jitsi has an Android and iOS app that is easy to install and use without the need for any technical knowledge.
Jitsi provides a layer of end-to-end encryption.
Jitsi can be used for secure audio and video conferencing and is a safe alternative to other applications such as Zoom.
Jitsi application can also be used to make public meetings via the web (webinars) easily, with the ability to broadcast the meetings via YouTube in real time.
Fifth: Sharing Files and Pictures
Seventh: Auto Deletion
Auto deletion is an option provided by various instant messaging applications that enables users to activate automatic deletion of text messages after a specified period of time.
Signal provides automatic deletion of text messages, files and images that are exchanged through it, whether in chatting between individuals or groups.
Wire provides automatic deletion of text messages, files and photos that are exchanged through it, whether in chatting between individuals or groups.
WhatsApp does not provide automatic deletion of messages, while messages can be deleted manually after a short time of sending them.
Facebook Messenger does not provide, by default, automatic deletion of messages, while messages can be deleted manually after a short time of sending them. And the Secret Conversation feature provides automatic deletion of messages and an encryption layer.
Eighth: Are There Legal Repercussions for the Possession of Encrypted Instant Messaging Software?
Before talking about the legal provisions related to the possession of instant messaging software, it is necessary to emphasize adherence to the technical standards that were previously mentioned, among them the presence of a timed messages deletion, especially since the presence of correspondence content on applications without deleting them may expose the user to legal risks, and the use of the application becomes useless in providing legal protection.
Regarding legal concerns, the matter is still not clear at the level of practical application, but our direct reading of some provisions of the Law on Combating Information Technology Crimes indicates that possession alone of instant messaging software is not a sufficient justification to bring an accusation against the user who owns the application, rather it must be accompanied by possession of the software to commit a crime. Article 22 of the Law criminalizes various forms of possessing encrypted software: If the possession is for the purpose of committing or facilitating the commission or concealment of one of the crimes punishable by the Anti-Cybercrime law.
There is also another matter related to the existence of a legal justification related to the possession of these software, and in this case the response of the user must be, that the goal of using these software is to protect the privacy of the user, especially since most messaging software are not secure and may use user data for commercial purposes or get stolen by hackers, and the user must know that protecting private life is a constitutional right, and every user has to maintain their privacy however they want, as long as it’s not in violation of the law.