For years, smartphone users have been out of luck if they wanted to call or text everyone in their address books for free using encryption. iPhone users could send each other encrypted texts with iMessage, and free apps existed to help Android users communicate with each other securely. But there was no way to send secure messages from an iPhone to an Android phone, or vice versa, unless you signed up for a monthly subscription plan and got the person you wanted to communicate with to sign up for it too.
That's changing today, as San Francisco-based Open Whisper Systems is adding encrypted texting to its encrypted calling iPhone app Signal, with the release of Signal 2.0. Now, no matter which smartphone you own, you’ll be able to call or text any other smartphone for free with end-to-end encryption turned on. To have a conversation that’s protected from hackers, wiretappers, or the communication platform itself, the people that are part of the conversation just have to download a free app.
Signal is compatible with Open Whisper System’s years-old Android offerings—secure calling app Redphone and secure texting app TextSecure—meaning the creation of an ecosystem for secure communications that didn’t previously exist as a free option.
“Eventually we’ll have one app called Signal on Android, iPhone and desktop,” says Open Whisper Systems founder Moxie Marlinspike, a well-known developer in the cryptography community. “We want to develop apps that are a joy to use where the cryptography is invisible. Apps that are better than their insecure competitors.”
Signal 2.0 comes at a controversial time. Last month, the Intercept reported that intelligence agencies had compromised the security built into millions of smartphones by stealing encryption keys from Gemalto, one of the world’s largest SIM card manufacturers. With those keys, the NSA and its British equivalent GCHQ, which allegedly masterminded the theft, could theoretically tap data, texts, and calls from phones with a Gemalto SIM card without notifying a phone company or going through a legal process. (This method wouldn’t work for communications that were getting an additional encryption layer from an app like Signal.)
“Every time [Intercept parent company] First Look publishes a story, our installs go up,” says Marlinspike. “It’s well-documented that calls and messages you send over [phone networks] are not private. Things like Signal are a way to have private communication from your phone and also a better experience. Sending media messages to your friends will be frictionless and high quality and a lot better than sending MMS.”
Marlinspike set off a huge debate within the crypto community last week by suggesting that GPG—a long-used encryption protocol many use for e-mail—should be killed off because it's too burdensome for normal users. It's "a glorious experiment that has run its course," he wrote, calling for easier, simpler tools for users that have encryption built in.
Open Whisper Systems, a non-profit supported by donations, grants and even government funding (from the State Department) releases its apps for free and open-sources its code in the hope that other messaging platforms will adopt it. Only one big company has done so thus far. Last year, WhatsApp, the messaging behemoth owned by Facebook, added the TextSecure protocol to the Android version of its app meaning that hundreds of millions of people sending WhatsApp messages between Android phones suddenly had end-to-end encryption. “The most effective way for us to enable ubiquitous end-to-end encryption in messaging is to create technology anyone can use,” says Marlinspike. “We don’t want to compete with Facebook Messenger. The net result is more effective if we do it open-source.”
Marlinspike doesn’t disclose user numbers, but says Open Whisper Systems’ apps are “used all over the world.” He is especially pleased by its popularity in Brazil, where media have recommended his apps as a great option for free global calling and texts. “What’s awesome is they don’t mention encryption and privacy,” says Marlinspike. “They just like that the apps are simple and free.”
Not everyone is a fan of super-easy, free encryption apps. There is a heated battle under way globally over “the right to encrypt.” End-to-end encryption means that communications cannot be tapped by outsiders, including law enforcement, who have started asking for a "golden key" to access such system despite warnings that it would make the systems insecure. The F.B.I. has complained for years that the Internet is “going dark"—in other words, becoming encrypted, making it harder for the intelligence community and law enforcement to pursue digital leads.
Last week, a Brazilian county judge threatened to ban WhatsApp because the company was unable to give law enforcement messages from a user who was suspected of forcing underage users to send him naked photos of themselves. In the U.S. and in the U.K., officials have said that technology companies—such as Apple and Google—that put security software into their smartphones so that the content can only be decrypted with a user’s PIN are making the world a more dangerous place.
Marlinspike says that people who want to use encryption for nefarious reasons already know how to do so. "People engaged in that kind of activity already have the tools they need," he says. "They're just cumbersome to use, so it's ordinary people like ourselves that are the victims of mass surveillance, since we're not willing to use difficult and complex tools for our everyday communication."
The Signal texting app functions like any messaging app, with the ability to add photos and send group messages. But it does have one privacy feature that you don't usually see with a messaging app: an option to "enable screen security."
This feature would make it harder to pull information from a forensic examination of the phone. Frederic Jacobs, a co-lead developer on Signal with Christine Corbett, explains: "When you switch apps or bring any app on iOS to the background, a screenshot of the application is done. That will then be displayed in the app switcher when you see the preview of the last statuses of the apps you last launched. The fact that the operating system takes a screenshot has security implications and some users might prefer to prevent that screenshot from being stored on their device, so we have a workaround that prevents that screenshot to be taken by the operating system."
The no-screenshot option is turned off by default, but it's another reason law enforcement isn't going to love this app, or the secure cross-platform communication it enables. (Except when they themselves are using it.)