Instant Messaging - Karegohan-And-Kamehameha/privacyguide GitHub Wiki
Introduction
For many of us instant messaging has become not just an important part of our lives, but also the main means of communication with other people. However, the majority of popular instant messengers are either inherently insecure or have been backdoored and compromised on purpose. Nevertheless, I was hesitant about even writing this section of the guide, because more often than not we do not have a choice of what we use for IM communication and have to stick with whatever is used by our tech-illiterate friends or the companies we work at. Those solutions usually fall short in terms of privacy, so when using them it is important to remember that everything revealed through them can be accessed by government agencies, by employees of the company that created them, and possibly by other adversaries. They can still be used, but it is advised not to reveal any sensitive or compromising information through them. There is a lot of confusion surrounding the subject, so the first thing to do is to understand the terminology.
Protocol − a system consisting of the network, algorithms, ciphers, and other rules used for communication.
Client − a piece of software used to communicate over a protocol. Most protocols come with official clients, which often causes the two to be confused; there do, however, exist third-party clients that support multiple protocols. In terms of privacy the protocol is usually more important than the client, but the latter should not be neglected either.
Server − the back-end of the protocol, where the messages are being sent for transmission to the client of the other party. It regulates the network.
P2P or Peer-to-peer − a form of communication in which the clients are connected directly, without using a server.
Below are some of the protocols and clients used for instant messaging. For privacy purposes both the protocol and the client have to be FOSS for a connection to be considered relatively private, and in the case of centralized networks the entity that hosts the server also has to be trusted. End-to-end encryption can provide a basis for this trust, but only if the client and server software are FOSS, making it possible to confirm that the protocol has not been compromised.
Proprietary Social Networks
Facebook, Twitter, LinkedIn, Google+, MySpace, Vkontakte, Odnoklassniki, QZone, Tuenti
Social media private messaging is the worst possible solution when it comes to privacy. Not only are your messages there closely monitored by governments and, possibly, other third parties, but anything said there is also connected to any information present in your profile, including likes and public comments. Additionally, social networks track people around the web using their social buttons. If you cannot avoid using social media altogether, then at the very least you have to: block it globally in uMatrix or an alternative and only unblock it on the official website; not fill your profile with any real, personally identifiable information; not use your real phone number for registration − use TextNow or another virtual number service instead; and not reveal any sensitive information in the messages.
FOSS Distributed Social Networks
Diaspora, GNU Social, Hubzilla, Movim, Minds, and many others
These privacy-oriented social networks are a much better solution for privacy than proprietary ones; however, some of the rules mentioned in the section above still apply. Your messages can still be connected to any activity related to your public profile, and you still have to trust the host of your pod, as well as the host of the pod of the person you are messaging.
Proprietary Messaging Protocols
Skype, OSCAR, QQ, Gadu-Gadu, MSNP, Steam, YMSG, Discord, BBM, Hike, Hookt, GroupWise, KakaoTalk, WeChat
These protocols are not private and should not be treated as a secure means of communication. Some of them have known connections to government agencies and are a part of PRISM, others have a history of being compromised with sensitive information revealed to the public.
FOSS Centralized Messaging Protocols
XMPP, Signal, IRC, Matrix, Mumble, Zephyr, SIP/SIMPLE, Surespot
These are open protocols, the servers for which can be hosted by anyone. You still have to trust the particular servers used by you and the people you communicate with. Some of them come with built-in end-to-end encryption, others require a third party solution, such as OTR.
Other Centralized Messaging Protocols
Telegram, Wickr, Threema
These protocols have implemented end-to-end encryption and received security audits, but are not completely FOSS. They are considered to be relatively secure, but because the server-side implementation is closed source, this cannot be verified.
FOSS P2P Messaging Protocols
Bitmessage, Tox, Ricochet, GNU Ring, Retroshare
These protocols can be considered the most private, because they do not rely on a server for communication; instead they use a peer-to-peer model that connects you directly to the person you are communicating with. This does, however, allow adversaries to gather metadata, such as the IP addresses of the people you connect to, so it is recommended to use a VPN or Tor when using these protocols.
Proprietary IM Clients
(excluding those with their own protocol)
WhatsApp, ICQ, AIM, Viber, Trillian, eBuddy XMS, IBM Sametime, iChat, Kik, Libon, Line, Apple Messages, Paltalk, QIP, Sicher, Upptalk
These clients are proprietary and are published under restrictive licenses. Some of them have implemented end-to-end encryption, but due to their closed-source nature the integrity of the clients cannot be verified. Using FOSS clients instead of them is the recommended solution.
FOSS Multiprotocol Clients
Miranda NG, Pidgin, Adium, Telepathy, Kopete, BitlBee, Empathy, Jitsi, Kadu
These free and open source clients can be considered trustworthy. Nevertheless, it is important to remember that even if the client is open source, the communication is only as secure as the protocol − using these clients to communicate via a proprietary protocol, or an open protocol without encryption, completely defeats the purpose of choosing them over proprietary ones.
Further Reading
EFF Secure Messaging Scorecard
Comparison of IM Protocols
Comparison of IM Clients