Instant messaging is similar to email in terms of surveillance. Almost all mainstream messaging systems pass through a central server (managed by the company who made the instant messaging platform or software). The vulnerable location for legal (with a warrant or other government sanctioned surveillance) interception of instant messages is at the provider’s server location.
If instant messages are not encrypted, then they can be intercepted anywhere. A good example of this is SMS text messages from cellular phones. Anyone with the right equipment can intercept them locally (in the area that you are located by reading the wireless communications). Internet based communications, such as Apple’s iMessage, BlackBerry’s BBM, and the myriad of companies (AIM, MSN, Yahoo, etc) all have different types of encryption supported, and all have limitations in how the applications (apps or programs) function.
First lets consider the sender and the recipient. Both of these will be using a computer or a mobile device (we’ll call those “endpoints”). If an endpoint is compromised, either infected with malware of running a program that copies any incoming and outgoing text typed on the keyboard, then your messages are not secure. If someone is looking over your shoulder as you type messages, then they are not secure. If the password you use on your computer or device is very easy to guess (such as “12345” or your birthday), then your information is not secure. Your first line of defence is protecting what you have control over – namely your computers and devices.
Next we have to consider the type service that you’re using and types of encryption:
- There are a few services that claim that your messages will be destroyed after a few seconds or minutes. Consider that these messages can still be intercepted regardless of how quickly they are destroyed on an end point. Next, even if the endpoint can’t save the messages in their native format, they can easily take a screen capture in order to save a copy of the message.
- Some services claim that their messages are encrypted in transit. Consider that in transit means from one point to another, so the message may be encrypted from your computer or device to the organization’s server, stored there in clear text (unencrypted), then encrypted from that point to the recipient’s computer or device. This reduces the likelihood that some random computer (or person) on the internet will intercept your messages, though does nothing to protect from interception and surveillance at or near the server that the service uses.
- Other services claim end to end encryption. This means that messages are encrypted from one endpoint to another. While this may sound good, the type of encryption used is very important to consider. If the encryption keys are the same on all devices (as was reputed to be the case with earlier models of BlackBerry devices), then anyone who knows the encryption keys could read your messages (provided that they could intercept them).
- Public key cryptography is a great concept for securing messages, though it is not always implemented well. Public key cryptography implies that each person will have a public and a private key pair. They tell everyone their public key, and keep their private key private. When you send someone an encrypted message, you’re going to use their public key in order to encrypt it, and only that person is supposed to be able to decrypt it. The flaw in this system is that you have to trust in the protections on the private key. If a computer or device keeps backups of private keys, they need to be secured. If the same set of keys can be copied to multiple devices (such as if you want to be able to read your encrypted messages on both a computer and a tablet), then a malicious person who gets a copy of your private key could easily read your messages. The best method of implementing public key is one where the private key can not be copied (such as when it’s stored on a trusted platform), though in that case the disadvantage is that you can’t use multiple computers or devices.
Finally, even if we trust that encryption technology has been implemented properly, we have to also trust in the algorithm that is used for encryption. The types of keys used, the size of the keys used, and how the keys are protected (using a password or phrase) are very important.
In summary, there are ways to secure instant messages, though unless you are a technologist, cryptographer, and can review the code of the program or application that you intend to use, you have to trust some entity (company, person, etc.) to be competent, ethical, and not to divulge your information.