WHY USING FACEBOOK MESSENGER HURTS US ALL
"Facebook is collecting the most extensive data set ever assembled on human social behavior." ~ MIT Technology Review
“A society in which people can be monitored at all times is a society that breeds conformity, obedience, and submission.” ~ Glenn Greenwald
I'm going to make the assumption that you value your privacy; you don't want people, businesses, or governments knowing anything more about you than what you explicitely choose to share with them. Or maybe you don't care? Read on.
I wonder if you know that many ideas about government snooping - previously considered to be conspiracy theories - have come out into the open as being true? The most high profile exposures are related to Edward Snowden, former NSA contractor, and Julian Assange of WikiLeaks.
Two videos that will bring you up to speed, if not scare the crap out of you:
Here's Glenn Greenwald's TED talk on why privacy matters: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Here is a talk at Chaos Communication Conference 2013 that reveals some privacy violating technology being used four years ago that will blow your mind:
BUT I HAVE HUNDREDS OF FRIENDS I COMMUNICATE WITH DAILY USING FACEBOOK MESSENGER [or Facebook's WhatsApp]!
While it would be in everyone's best interest, privacy-wise, for you to stop that, this is not what the author is asking of you. Start small. Inform your friends about how important privacy is. Invite them to start communicating with you using one of the many free secure messaging apps out there. The most popular ones have versions for phone, desktop, and web. Many of your friends will prefer the convienence and familiarity of Facebook Messenger over privacy. Depending on your preferences, you don't have to stop using that method to communicate with them. While it is useful to deny snoopers (Facebook, Google, United States' National Security Agency (NSA), FBI, Police, etc.) your information, your habits and routines, etc., you can at least be aware that everything you say that is not encrypted is being vacuumed up and stored in huge databases. If you are okay with that, then maybe you are also okay with never wearing clothes, never closing the curtains on your window, removing all the bathroom and bedroom doors inside your house, and posting all your secrets to your public Facebook stream?
You have a passcode or some sort of security in your phone, right? Same goes for email. How often do you hand your phone to someone for the purpose of them looking at all your pictures and messages? If you didn’t have anything to hide, you wouldn’t care. But you do. Everyone does. Privacy is something that makes you a human. You might be okay with security agencies, companies, or governments having your private information. You might trust Facebook, Twitter, and Google. But what if they get hacked and your information falls in the wrong hands? Someone targeting your company or family. Would you still be okay with that? Would you be okay knowing that your photos, emails, or chats are in the hands of someone who can blackmail you?
HOW AM I HURTING OTHERS BY USING FACEBOOK MESSENGER?
We are now 100% sure that the NSA not only copies all location data, messages, chats, emails, and phone calls of all Americans and foreigners in the USA, but also Americans and foreigners in other countries.
Let's do a thought exercise.
For a moment, put yourself in the shoes of an NSA employee who wants to find and track drug dealers that are not working for Big Pharma. You begin by running a query on the database for anyone who has said [in either email, phone, text, social media post, or messaging] any of the following phrases:
- score some
- buy some weed
- do some
- get wired
- get high
- get wasted
- trip on
- come down
- coming down
- under the table
Let's call these "alert phrases".
Your query returns billions of records. You narrow it down to a one month date range. You narrow it down further by filtering for "only conversations where a location could be identified and that location was Los Angeles." Then, grouping by user, you save this recordset as "Threat Level 2" (low). Your next query is to find a match of anyone in that same time period who has been within 5 meters of these Threat Level 2 people for more than ten minutes or has communicated with them from anywhere. Save the resulting recordset as "Threat Level 1" (low). If anyone in the Threat Level 1 group has used any of the above alert phrases or has a criminal record, you move them to the Threat Level 2 list. Now, with that list, let's rank the users by how many of their fellow Threat Level 2 users they are connected to by either "same location for ten minutes" and/or communication. We'll put these "popular" people in a new list and call it "Threat Level 3" (medium). These guys are our suspected dealers.
From here we can do all kinds of nifty queries. Maybe look at travel habits, spending habits, etc. You could look for locations that come up most and surveil the ones with the highest number of Threat Level 2 or 3 users visiting. Get creative and you can find a huge number of potentially "guilty" people.
How does this hurt Mr. Law Abiding Joe Shmoe? This exercise demonstrates just how connected we all are. Merely by associating with someone who associates with someone who might be breaking the law, you get put on a list. Maybe being on a Threat Level 1 or 2 list isn't cause for you to care right now. But how sure are you that
(a) laws will not get more strict in the future so that something you do now becomes illegal;
(b) you run for office;
(c) you support a political party or candidate that becomes unpopular or even outlawed; or
(d) you or someone close to you gets into some kind of trouble and that list is used to tip the balance against you or them? What if a law gets passed that anyone on a Threat Level 2 list can no longer use their passport? Use your imagination.
What scenarios can you come up with? I'd love to hear them!
HOW DO I STAY OFF THOSE LISTS?
That's probably difficult, if not impossible. But at least you can reduce the chances and/or your "Threat Level". If you want to start privatizing at least some of your conversations - and you will be surprised how many of your friends already are - how do you choose an encrypted messaging app? The four most popular ones out there are Telegram, Signal, Wire, and WhatsApp. There are other apps but app popularity does matter if you want to use an application that more of your friends are using or will use. Also, the more popular apps have a higher likelihood of having been "battle tested", meaning they have been put through a greater variety of situations to weed out bugs and vulnerabilities.
For the purpose of keeping it as simple as possible, I'd like to narrow our list down to two apps. While most acknowledge that Signal is the most secure, its usability and feature set are lacking. And WhatsApp is owned by Facebook and has come under fire for sharing users' sensitive information. So our list is narrowed down to Telegram and Wire. My personal favorite for a few years now has been Telegram because of its maturity, speed, feature set, flexibility, and reliability.
A friend far more knowledgeable about encryption than I suggested I try his favorite, Wire. I had already been using Wire for about 6 months because an important client uses it, so I was not unfamiliar with it. Until now I only used it with that one person.
I had a negative view of Wire because I found
(a) the interface to be cumbersome;
(b) it lacks features I enjoy Telegram having;
(c) the desktop application ran unstable on my systems; and
(d) how many bugs I encounter while using it. But I thought maybe I could put up with those bugs in order to enjoy the increased privacy my friend assures me that Wire offers.
So I dove in and invited quite a few friends to join me in using Wire. It's been a few weeks now and, as I bounce back and forth using both Telegram and Wire all day every day, I'm sad to report that Wire still has too many annoying bugs for my pleasure. The latest bug: I had two Chrome browser windows open. A tab in one browser window is using the Wire web application. I close the entire window, so that tab, of course, goes away. In the other browser window I open a new tab, go to Wire.com, and click "Open in web." I get this message: "Wire is already open in another tab." That's just one. Play with it for a few days and see how many bugs you can catch.
As if that isn't enough, compared to Telegram, Wire does not meet my needs for ease, usability, and reliability. I'll admit here that some bias exists because of my more extensive use of Telegram. I encourage you to download, use both, and make your own decision about which app you want to use all day every day. And let's not kid ourselves, you will probably end up using both because of friends who use only one or the other.
BUT HOW SECURE ARE THESE APPS?
The mistake I hear some people making when evaluating an encrypted messaging app is to call them "secure" or "not secure" as if any of them are 100% secure or 0% secure. It is not black and white. No app is perfect and with the apps I've mentioned above, you can at least be sure that your communication is being being encrypted.
Is Wire perfect and always has been? No. Wire has been found to have vulnerabilities. https://techcrunch.com/2017/02/10/messaging-app-wire-now-has-an-external-audit-of-its-e2e-crypto/
Wire fixed those particular vulnerabilities. Is everyone 100% sure they don't still have others? No. How could we know? Before the vulnerabilities above were found, many thought Wire was secure. Some probably called it "100% secure". I'm not an encryption expert but I've been writing software since age 12 in 1980. I've used many programming languages in the ensuing 37 years of programming, so I can tell you with certainty that software with the comlexity level of an encrypted messaging app will never be bug free until artificial intelligence is a bit further along. That's another topic.
Telegram has come under much fire for using nonstandard and modified protocols. There are quite a few threads out there showing back and forth accusations and defense from Telegram devs but no one has ever shown a hack of Telegram that I can find. I think it's mostly propaganda from competitors, haters, and people who just prefer one of the other apps and want more people to use their favorite app. Is Telegram 100% secure? Of course not. Is it more secure than using your phone's SMS or email or Facebook messenger? By far!
USABILITY AND EASE MATTER
Is Telegram less buggy than Wire? Oh yes. Use both for a couple days and you will see what I mean. If Wire can't even keep the bugs out of their app, how can we be confident it is "fully secure?" If I'm going to use an encrypted messaging app all day every day, useability is a concern, especially when the answer to "how secure is it?" is muddy at best and probably, they are all relatively close to each other in terms of security. It's like looking at the various Tesla model S P60D and P85D cars and declaring one to be "slow" and another to be "fast". No. It's relative. Sure the P85D is faster than the P60D but most people would say they are both "fast as hell." They differ with each other in degrees but compared to a Toyota Prius they are all fast as hell.
FEATURE BENEFITS OF WIRE OVER TELEGRAM
(a) Calls - audio (Telegram has), video, group audio.
(b) Can sign up with either email or phone number. I love this feature and wish Telegram had it. It's the primary reason I chose to give Wire a chance.
SOME COOL TELEGRAM FEATURES
(b) Big file transfer.
(c) Programmable bots.
(d) Send messages that self-destruct after a specified amount of time, which is especially great if law enforcement get access to your device.
(e) You can set a lock to keep others from opening the app.
TELEGRAM'S RESPONSE TO CRITICISMS
For those of you relying on criticisms of Telegram that are years old, please update your information via the links below. Unlike Wire, Telegram has been around for many years now and they have evolved.
Here are some responses from Telegram to some common criticisms:
"But they use SHA-1 and it is broken!"
"But IGE is broken!"
Protection against known attacks
That's it. Again, I encourage you to use both apps and see which one works best for you. Either way, you are increasing your own safety and the safety of those around you. Thanks for managing your "ADHD" long enough to read this entire article! :-)