Signal Private Messaging - How secure is secure?

Jan 27, 2020

Secure, encrypted messaging & calls

What to choose

A question often levelled at Omerta is "how secure are voice calls & messages on an Omerta handset?" The answer, which I say with absolute confidence, is "bulletproof"!

When I began my journey of designing a secure phone I already had a strong awareness of just how secure everyday messaging applications were. In years gone by my role was to advise senior academics about safeguarding their research data & communications - often the context of the research meant a data leak could endanger lives or destroy significant commercial deals.

With this in mind, I have a good understanding of how to safeguard data, both whilst at rest on a device & in transit (be it verbal communications or transmitting data). So when we were looking for a communication tool for Omerta my experience was heavily relied upon.

Commercial offerings and the risks presented

Most messaging applications support military-grade encryption & to be frank, most offer a degree of protection suitable for those with little to no privacy concerns. However, whilst WhatsApp & Google Duo offer incredibly robust & safe messaging, they can't offer assurances that nobody can access your communications.

Why is this? Companies that commercialize their messaging applications keep the source code for their software close to their chest. To the privacy-concerned individual this means two risks exist:

1. Due to the secretive nature surrounding the company's source code, we cannot ascertain if any back doors exist for government agencies. It stands to reason, when companies such as Google have large military contracts, that they have a vested interest in providing discreet access to law enforcement agencies & other government departments.

2. We also cannot evaluate if the companies are scanning our data for commercialisation. Google & Facebook absorb every keystroke we input into their systems, so should we assume their messaging apps are different?

To be clear - I believe that WhatsApp & Google Duo provide excellent, secure messaging platforms for the general public; however, I would not trust these platforms for anything sensitive.

Introducing Signal Private Messaging

WhatsApp & Google Duo have one thing in common - the core software used is based upon Signal Private Messaging. Signal is an excellent privacy-focused communication tool and is widely regarded as the best private messenger in the industry. So good, in fact, that companies such as Facebook & Google base their systems on it.

Whilst we can easily attest to just how well Signal performs as a messaging tool, how can we be certain that no backdoors exist and that it does not manipulate or steal user data in the background? Open Source. Signal Private Messaging is open source software & because of this it is free for anyone to use as they see fit. This also means the source code is freely available to the public, so it is regularly vetted by Privacy Rights Groups (such as the American Civil Liberties Group) who attest that the software is secure & free from rogue code.

But seriously - what proof exists that Signal is that good?

In 2016 the US Government issued a subpoena requesting full disclosure regarding two individuals who had been using Signal. The software developer, Open Whisper Systems (OWS), had to attend court with all the data they had from the two individuals.

OWS did attend court & they did comply with the order (much to the FBI's delight). However, Signal was designed around the ethos "privacy by design" & the only data OWS could produce was the date the Signal account was created and the last time the user logged in. 

To conclude...

So how good is Signal Private Messaging as a secure communications application? Secure & powerful enough for multi-billion global IT giants such as Facebook & Google to use it, whilst stealthy enough that state players such as the FBI & CIA cannot coerce the software developers to hand over your data.

At Omerta we choose to use Signal Private Messenger. We think you should too!