Security lapses plague messaging and video apps

Written by germany

Whereas people frequently use any number of messaging and communications tools in their private lives, work is a different matter. At the office, phone calls, e-mails and face-to-face meetings are largely still standard practice in many industries, at least when it comes to private businesses. Government agencies seem to lag far behind. This seems especially true of offices and agencies that deal with sensitive or even secret information.

That is because such agencies not only depend on the functionality of messaging apps but also on their ability to protect data as well as comply with privacy laws. Still, no government — not Germany, nor any others in the EU — had mastered this complex problem before the new COVID-19 pandemic forced the world to begin video conferencing. Now, digitalization has been catapulted forward by the need for such tools in this time of social distancing. So what apps are on the market and what are their pros and cons?

From WhatsApp to Signal

WhatsApp is undoubtedly the benchmark messaging app of the day. European Union politicians concluded much of their Brexit negotiations using the tool; it even gave rise to a new term within the European Commission — “WhatsApp diplomacy.”

However, in February, the European Commission suddenly instructed employees to switch to the popular messaging app Signal due to growing security and data privacy concerns with WhatsApp.

Despite WhatsApp’s much-lauded end-to-end encryption, which only allows the sender and recipient of a message to see its content, it was learned that companies, such as the Israeli surveillance technology firm NSO Group, had developed programs that allowed third-party users to hack confidential information on the app. One victim of that security lapse was Amazon CEO Jeff Bezos, whose WhatsApp account was hacked in 2018.

But what is different about Signal? Unlike WhatsApp, Signal is not a commercial program developed by a communications company, but rather one developed by data privacy activists and cybersecurity experts. Signal’s program code is open source and available to all online, allowing it to be constantly updated and improved.

Beyond that, for more than a year now, Signal has been employing the principle of the sealed sender, which hides a message’s metadata — information on the sender, recipient and time attached to every message. Signal also claims that is the reason it does not store the IP address of a message’s sender.

Threema is a similar messaging tool. It, too, encrypts messages end-to-end and forgoes the collection of metadata. Yet Threema goes a step further. The app does not require users to create a profile with their e-mail address or telephone number. Instead, it simply assigns users an anonymous ID. Threema’s program code, however, is not entirely open source.

Viber, ICQ and Zoom

But security is not the only criterion an app is measured by. One can see this when looking at the messaging app Viber. It also features end-to-end encryption on its free voice-over IP (VoIP) and instant messaging (IM) app. And after numerous complaints, that same encryption was also applied to Viber’s picture and video services. Yet those security lapses were not the most grievous problem with the app, according to critics. Rather, Viber’s approach to data privacy raised the ire of observers.

A free app, Viber’s business model becomes crystal clear when one looks at its terms of use: Users must agree to allow the company to use their personal data, such as a user’s address lists, for years, and even allow Viber to sell it to third parties.

Similar concerns have also been voiced about an updated version of the app ICQ, now named ICQ New. The app, which was one of those singled out by Edward Snowden in 2013 for forwarding private data to intelligence services, is owned by Mail.Ru Group, a major Russian internet company. ICQ and Mail.Ru Group have vehemently denied any unlawful use of customer data.

Security concerns have also plagued Zoom, which was initially hailed as a corona-era godsend. The video conferencing app’s popularity skyrocketed when the virus put the world on lockdown because it promised to deliver what the world needed: uncomplicated interconnectivity. The stable and easy-to-use app also boasts the ability to allow up to 100 people to participate in video conferences.

It now seems, however, that praise of Zoom was premature. Security gaps were so grave that stories of unauthorized third parties hacking into video conferences began to make headlines. Before long the FBI even issued an espionage warning about the app when it was found that strains of its encryption code had been routed through servers in China. Last week it was also reported that tech giant Google officially prohibited employees from downloading the app onto their work computers over security concerns.

Governments developing their own apps

Unlike private users, governments have other options: Namely, they are free to contract companies to develop bespoke communications tools that only they can use. This seems to be a trend at the moment. Around the time when the European Commission instructed employees to switch to Signal this February, reports emerged that the European diplomatic corps had also begun work on its own bespoke messaging service.

In late March, the German Chancellery also confirmed that it had begun testing a messaging app from the Berlin-based company Wire. The company not only touted the app’s technical and security advantages, but also its ability to guarantee adherence to strict EU data privacy rules by virtue of Wire’s location within the EU. Ulrich Kelber, Germany’s data protection commissioner, specifically instructed authorities to pay close attention to that particular issue when looking for safe communication options.

Such concerns have also led the Hanover-based company stashcat, which provides communication tools to state police in Lower Saxony, to tout its own expertise when it comes to security and data protection. German telecoms trade media has reported that Germany’s Ministry of Defense and its army, the Bundeswehr, have been testing stashcat messaging tools since the coronavirus pandemic broke.

No way to fully protect oneself

So which messaging tool offers 100% security? The answer is as simple as it is unsettling: None. As hackers and cybersecurity experts have said all along, there is no such thing as 100% security. Instead, users must be content with programs that offer trade-offs on security and privacy.

Beyond that most basic concern, individual apps all have a number of unique advantages and disadvantages. For even the most secure apps are of little value if no one else is using them, if they are too expensive, or if they function poorly — the reasons why most small companies have the hardest time competing with giants like Google, Apple and Facebook.

Thus, as not all messaging apps that work well for individuals can do the same for authorities and big companies, and as individuals cannot afford to develop their own apps, one reality will likely dominate the near future: Most individuals will use one or more apps for private communication, one for work, one for groups, one for video calls and yet another just to try out.
