There's No Quick Fix For Securing Communications: EFF Ditches Secure Messaging Scorebard
from the all-things-to-all-people-leaves-most-people-underserved dept
The EFF hasn’t released a scorecard for secure messaging apps since 2014. The scorecard has been updated several times, but there’s no current quick reference guide for secure messaging that considers all the tech (and legal) developments over the past four years. The EFF’s guide was handy, but it also was the target of legitimate criticism. Simplifying complex issues is helpful, but not if it inadvertently omits critical considerations.
The EFF recognizes there’s no quick and dirty way to solve everyone’s security issues. Consequently, the EFF has announced that it will no longer be providing a secure messaging scorecard. It will still provide plenty of useful info for those seeking secure options, but it cannot in good faith claim to address every potential issue in an easy-to-follow infographic.
No single messaging app can perfectly meet everyone’s security and communication needs, so we can’t make a recommendation without considering the details of a particular person’s or group’s situation. Straightforward answers are rarely correct for everyone—and if they’re correct now, they might not be correct in the future.
[A]ny recommendation is much more like a reasonable guess than an indisputable fact. A messenger recommendation must acknowledge all of these factors—and, most importantly, the ways they change over time. It’s hard enough to do that for a specific individual, and nearly impossible to do it for a general audience.
There are too many factors to consider to reduce secure messaging options to a simple checklist of features. The features people need depends on the threats they’re facing. In some cases, governments and law enforcement are the primary concerns, making secure end-to-end encryption a must. In other cases, it’s fellow citizens (ex-spouses, angry co-workers, etc.) who are an issue, making ephemeral messaging more desirable than solid encryption.
Also thrown into the mix are options users have when using secure messaging apps, including default options (like cloud backups) users may not be aware of that somewhat compromise the security of their communications. On top of that, there are local laws and local government efforts that affect the security of users. For instance, Telegram’s base messaging service is used by millions of Russian citizens. Unfortunately, the base offering is secured by keys held by Telegram, which has just been ordered by a Russian court to turn those over to the government.
Fortunately, this isn’t necessarily bad news. While a cheat sheet is definitely preferable to digging through a lot of research (some of it impossible to parse by novice users), there’s still plenty of information out there that provides info on tradeoffs and step-by-step instructions to hardening your personal security. The EFF will continue to provide as many security tools as possible for those seeking to secure their communications, but it will no longer be a single sheet of Y/N inputs.
Security is hard. Personal security — and personal privacy — is something that requires a great deal of continuous attention by those seeking to keep their private communications private. While the rise of default encryption has made it easier for many people to secure devices and info on them, it has been accompanied by an increase in cloud-based backups and other, often automatic recovery options that undermine the security of stored communications.
Laws controlling government access to communications and data continue to change and our own Justice Department is pushing for legislation compelling service providers to break encryption on demand. Elsewhere in the world, governments are reacting to terrorist attacks and a plethora of speech issues by increasing their direct control of internet communications platforms. The threat models constantly shift and there’s very little available that works well for everyone, especially when the main threat is state-sponsored hacking.
Everyone should take an interest in securing their communications. The EFF just wants you to know it’s not as simple as downloading a couple of apps. There’s no one-size-fits-all solution and the EFF would rather no one visiting its site walks away with that impression. There’s no shortage of information available but there will be no future messaging scorecards that understate the complexity of the situation.
Filed Under: scorecards, secure messaging, threat models
Comments on “There's No Quick Fix For Securing Communications: EFF Ditches Secure Messaging Scorebard”
In my experience Signal users tend to be the most religious about using their app over all others, despite their questionable business partnerships and stubborn requirement of a phone number identifier.
Really a very very nice article.
Scorebard? What’s a scorebard? 😉
It’s part of a 1/5 star title, that’s what it is.
A scabbard with tally marks?
Re: An author with a grudge…
…one that defines his very existence and dominates his works. ;]
Re: Scorebard? What's a scorebard? ;)
To score or not to score, that is the question.
Whether ’tis nobler in the connection protocol to suffer
The slings and arrows of outrageous MITMs,
Or to take arms against a sea of insecurities,
And, by encrypting, end them.
Thus fear of terrorism does make cowards of us all,
And thus the native hue of secure communications
Is sicklied o’er with the pale cast of backdoors,
And enterprises of great pith and moment
With this regard their currents turn awry,
And lose the name of action.
Strength is being able to crush a tomato.
Dexterity is being able to dodge a tomato.
Constitution is being able to eat a bad tomato.
Intelligence is knowing a tomato is a fruit.
Wisdom is knowing not to put a tomato in a fruit salad.
Charisma is being able to sell a tomato-based fruit salad.
A tomato based fruit salad is salsa!
Hey guys, I found the bard.
I would guess the scorebard is the guy who writes the lyrics…
Of course, the old scorecard didn’t make a recommendation. It instead laid out a bunch of (somewhat) competing systems, and concisely gave information about which capabilities those systems had, and prospective users could decide for themselves how important any (or all) of those capabilities were to them. By ditching that in favor of “do your own research; here are a half-dozen articles telling you what to consider”, EFF has really taken a step back.
“Everyone should take an interest in securing their communications.”
Yes, well, there’s the problem: that just isn’t possible. It’s widely known there’s no such thing as ultimate / perfect security – it all depends on the specific threat model you’re facing. As noted, things even the NSA cannot possibly do from a distance could be achieved without much difficulty by a family member with physical access to your hardware and vice versa.
And someone with a legitimate need for security at least has a fair chance to evaluate the threat faced and do his/her best to defend against it specifically. But the huge majority of us isn’t actually facing any concrete, defined adversary: we’d like to be as secure as possible, from all sides, with no ability to define a threat that is unknown in nature, with no boundaries to pin down.
And that way lies madness; there is not a situation where you couldn’t find something more to do to make you even more secure (or think of a potential adversary that could defeat your current scheme), nothing is ever enough because you don’t know what you’re supposed to be facing. There’s also no “secure enough” – realistically speaking, zero protection is already “secure enough” for most people, which is why the tabloids aren’t overflowing with horror stories of the consequences of inadequate security (for individuals). Beyond the odd phishing attempt, crypto malware infection or even rarer full-blown identity theft, most of the time there are simply no consequences for being careless with your data, which is why the rest of us finds the entire concept so difficult to explain to the “why should I care” Facebook Generation.
And that turns the whole affair from a “what would this cost me?” to a “well how much have you got?” situation which just saps you of all you sanity without ever at any point delivering “enough security” for those of us who might care.
Which is not to say nobody should ever bother doing anything at all – by all means, do the best you can think of / can be bothered to do. More is always better than less. Just keep in mind that any extra security is always extra hassle, and none of it will ever be enough to keep you objectively “safe” – any sufficiently determined and resourceful actual adversary, regardless of which kind, WILL eventually get past everything you do because it only takes one unpatched/zero day vulnerability, one mistake, one slip to give it all away and we all make mistakes.
It’s all much like the lock on your door, present not so much to guarantee nobody could ever possibly break in but to hopefully deter anyone who might want to; if your life does depend on security, you should really make sure it is not the only thing protecting you. For the rest of us… we can only hope that whatever security we do use will end up being stronger than whatever real threat we might end up facing – if any…
OK, I’ll bite. How is it impossible for everyone to take an interest in the security of their communications (excluding the brain dead, etc.)?
Re: there's no such thing as ultimate / perfect security
Which is relevant to the point how, exactly?
thanks for all the good you have done..
The smarter ones of us, understand. ITS HARD to keep up with all the advances, and LACK of advances..
It would be nice to have your opinions on many subjects as well as acknowledgement that SOME may not be the END-ALL BE-ALL that we might want to get..
We understand that MANY companies are not advancing their OWN software in a considerate fashion TO THE CONSUMERS IN THIS WORLD. There only consideration is to the corps and seeing how much they can CHARGE and make more money..
Thanks for your services and continue as you may..and help us every F-ing chance you get..