Encrypted Messaging and VoIP Apps

by Michael Gariffo

Docid: 00021087

Publication Date: 2108

Report Type: TUTORIAL


Despite the ubiquity of SMS (more commonly known as text messaging) and
traditional cellular phone calls, there are certain times when these
options fall short. This can be for reasons such as the immediacy
with which a user can connect with their intended party or because
one or more of the communicating parties has security concerns over the
relatively open networks on which SMS messages and phone calls travel. To
alleviate issues with these factors and others, several apps
and platforms have been developed that provide methods of communication that are not
only instant but are also encrypted. This makes it possible for individuals or
regardless of their respective locations, to coordinate and communicate without
concern of being monitored by unauthorized third parties. While these products
have proven a major boon to those that find themselves under repressive
governmental regimes and in hostile war zones, they have also aided in the carrying
out of crimes and terrorist activities thanks to the ability to evade authorities
and intelligence agencies. This report will examine the current state of
encrypted messaging and VoIP apps, their benefits, their potential pitfalls, and
how the governments and corporations of the world are reacting to their use.

Executive Summary


Encrypted messaging and Voice over IP (VoIP) apps are a security-focused equivalent of two
methods of communication that have been around for decades. While the messaging aspect of these relatively new apps owes its legacy
to the likes of the 1990s’ AOL Instant Messenger (AIM) and online chat rooms, VoIP
harkens back even further to the creation of the first telephone. In both
cases, these apps offer users a form of immediacy that their traditional
counterparts cannot. In the case of messaging clients, this is due to the
instant delivery of messages, read receipts, typing notifications, and other
characteristics that allow both parties to instantly and consistently connect.
These benefits have only increased in recent years with the introduction of
newer protocols such as Rich Communications Services (RCS). On the VoIP side of things, voice connections can be made in
these apps via a process that almost precisely replicates a traditional phone call,
or, more commonly, a walkie talkie. This
latter scenario brings to mind the 1990s-era trend of "chirping" walkie talkie
flip phones from Nextel and others, made with built-in walkie talkie-style
hardware for instant connections. While this trend had long since fallen out of
favor by the time the first smartphones made their debut, it seems to be making
a comeback in app form.

What makes these apps special or
any more desirable for use than a simple text message or Skype chat? While the
instantaneous nature of the connections they offer is desirable, it is the
security features of apps in this category that have truly drawn the majority of
users to their platforms. The need for high-level encryption in daily
conversations may seem out of proportion to someone who lives in a stable,
democratic nation with a legal system that is generally seen as fair and
uncorrupt. But for those
living under repressive regimes where their very ideas and opinions could have
them thrown in jail, this form of ultra-private communication could prove to be
the difference between freedom and detention. Apps of this nature can – and have
– powered communications in regions where free speech and original thought are
heavily discouraged. Instances like Zello’s use as a method to circumvent
Turkish governmental censorship and organize protests in 2013 show that these
applications can have an important and positive impact on the world.1

Unfortunately, as with many powerful tools,
encrypted messaging and VoIP can be used to do terrible things if placed in the
wrong hands. The encryption provided by these
apps is agnostic to any specific regime, religion, law, or
set of morals, making it an excellent tool for those wishing to do
harm or commit crimes. Criminal uses could range from a few high schoolers selling marijuana to the organization
of a major terrorist attack. Zello, the same app mentioned above to power positive
change in a repressive regime, was also employed by Rakhmat Akilov during his
truck attack on an innocent crowd in Stockholm.2 The app allegedly
allowed Akilov to stay in contact with the terrorist organization ISIS without
any governmental intelligence agency being able to penetrate his communications.3

As with the concept of encryption of private devices, the encryption of
private communications has quickly become a hot-button issue in the press and a
point of contention between national security agencies, makers of encrypted
communications apps, and the operators of the smartphone operating systems and
app stores through which those apps are distributed. The obvious problem is
that, while these apps most definitely have legitimate, legal uses, they have
also undeniably been shown to be a useful tool in the terrorist arsenal. What,
then, should be done about their proliferation by the aforementioned parties?
Government intelligence and law enforcement agencies would almost certainly
like to see these forms of encrypted communication eliminated entirely, giving
them free access to a much broader scope of private communications in order to
better monitor potential criminal activity. Meanwhile, the app makers obviously
believe that personal freedom exceeds the possible harm that their apps can cause. Stuck in the middle of this debate
are Apple, Google,
Microsoft, and other OS and app store operators. On the one hand, they must take
into account the possible harm that allowing these apps to be distributed can do. On
the other, they must closely examine whether the protestations of certain
intelligence entities truly come from a place of wanting to protect their
citizenry or if such requests for the elimination of back-channel
communications are simply a way to better control an already oppressed populace.



Encrypted messaging and VoIP apps allow users to instantly connect via
text-based messaging or voice chat. While this is nothing special, what
differentiates these apps from their traditional counterparts is the ability to make these connections via
encrypted channels. The specific methods and strength of the
encryption being used vary from app to app, but all apps share a few of the
same basic aspects of encryption as a concept. As with nearly all uses for
encryption relating to the open Web, the encryption employed by these apps uses
a system where the text-based message or voice connection is encrypted on the
user’s device prior to being sent over the open network. This data is then
decrypted by the recipient’s device using some form of encryption key,
allowing the recipient to read the message or hear their conversation partner.
Although complex, this process happens almost instantly, making it nearly
impossible for a human ear or eye to differentiate between the speeds of an
encrypted or unencrypted communications app.

Although the vast majority of messages and voice conversations
pass between users without interception even if they are not encrypted,
it is for the relatively few instances when a third party might attempt to
monitor these
communications that apps of this type were designed. On an unencrypted
chat conversation or voice channel, the data being transferred between the two
parties could, in most cases, be intercepted and read or listened to without
either party’s knowledge. This could be accomplished via hacked Wi-Fi hardware,
malware on either system/smartphone, and various other methods. Although the
specifics of how this can be accomplished will not be fully explored here, the
necessary tools are relatively commonplace and readily available to malicious
parties as well as government intelligence agencies. In order to protect against
either participant in a conversation falling victim to such an infiltration,
encrypted chat apps make the data being transferred unreadable by anyone but its
intended recipient. To summarize this process as simply as possible, the
text-based message or voice chat sounds are scrambled or garbled beyond
recognition for the duration of their transmission via the open Web. Only the
intended recipient has the key necessary to return it to its original form. Third parties
that are able to intercept the data will be left with useless strings of
code or audio files that cannot be decoded or understood.

While encryption of this type is employed in nearly every type of data
transmission that occurs over the open Web, its use in mobile apps has given rise
to an extreme amount of controversy because of the variety of purposes to which this
level of communication privacy can be put. Unlike encrypting an online
transaction or the transmission of banking data, the encryption of instant text messages and voice chat can be
put to nefarious uses. These include, as mentioned above, everything up to and
including the planning of major terrorist attacks. While criminals do their best
to keep their actions private from law enforcement
authorities, most communications systems have some
built-in method through which police or intelligence agencies can gain access
or monitor activities if the need should arise. The filing of court orders for this
purpose has become such a common practice that major Internet companies and
telecom providers now release regular transparency reports to the public in
order to inform them of the number of requests received and how many they
have complied with. These court orders can result in the collection of call
data, location data, and even actual wiretaps, wherein the government can listen to
a user’s full conversation as it is happening. However, in the case of
encrypted apps, a court order would do a law
enforcement agency little or no good since the data being transmitted
is typically encrypted in a way that makes it impossible for even the company
that created the app to decrypt it on a whim. The use of unique encryption keys
and algorithms means that the intended recipient is
often, quite literally, the only person in the world that can access the data in
question. Yes, it is always possible for a third party, acting legally or
otherwise, to crack the encryption in order to regain access to the messages
being sent. However, this is an extremely time consuming and often fruitless
effort that has stymied law enforcement officials many, many times in the past.
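
The arrangement described above, in which a message is encrypted on the sender's device and cannot be read even by the company operating the service, can be shown in a short Go program. This is an added illustration, not code from any app named in this report; it uses a simplified one-message scheme (X25519 key agreement plus AES-256-GCM), and the names Envelope, NewDeviceKey, Seal, Open, and the "e2e-demo-v1" label are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything the service operator's relay ever sees or stores.
type Envelope struct {
	EphemeralPub []byte // sender's one-time public key
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // encrypted message plus authentication tag
}

// NewDeviceKey creates a key pair on a device; only the public half is uploaded.
func NewDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// newAEAD derives an AES-256-GCM key from the ECDH output, bound to both
// public keys (HMAC-SHA256 as a one-step KDF; the label is constructed).
func newAEAD(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, []byte("e2e-demo-v1"))
	mac.Write(shared)
	mac.Write(ephPub)
	mac.Write(recipientPub)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg on the sender's device for one recipient public key.
func Seal(recipientPub *ecdh.PublicKey, msg []byte) (*Envelope, error) {
	eph, err := NewDeviceKey() // fresh key pair for every message
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := newAEAD(shared, ephPub, recipientPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, msg, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the recipient's device; any other key or any change fails.
func Open(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(shared, env.EphemeralPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

func main() {
	bob, _ := NewDeviceKey()
	operator, _ := NewDeviceKey() // stands in for the company running the relay
	env, err := Seal(bob.PublicKey(), []byte("constructed sample: meet at 18:00"))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(bob, env)
	_, opErr := Open(operator, env)
	fmt.Printf("recipient reads %q; operator gets error: %v\n", pt, opErr)
}
```

The operator's attempt fails with an authentication error because it never held the recipient's private key, which is why a court order served on the operator can yield only the envelope.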

Why, then, should such apps be allowed to exist? The answers to this question
are complex and arguable. On the one hand, you have the libertarian perspective
on the matter that values personal privacy and freedom above nearly all other
concerns, even if the retention of those freedoms provides tools to a small
minority of bad actors in society who would inflict
harm on others. However, this is more of a philosophical stance than a
real-world analysis of the argument. A more grounded
consideration is the fact that apps of this type can and have been
used to protect and liberate as many people as they could potentially
harm. Examples such as the 2013 Turkish protests are an excellent guidepost
for what a positive influence they can have. However, even the government
agencies that would normally condemn the use of such apps must admit that their
existence could benefit their own missions when applied to private citizens in
hostile territories. Imagine, for example, a citizen that finds him- or herself
in North Korea. While access to smartphones there is strictly controlled, the
presence of one, complete with an encrypted chat app, could offer a safe
communication channel for that citizen to broadcast the truth to someone outside
a country that would very much like to control every piece of information moving
beyond its borders. Similarly, someone involved in the nearly-endless string of
allegations of Russian interference with US governmental operations and
elections could use such an app to inform partners without the concern they would need to maintain if public
communications channels were being used. As with all tools created by human
beings, encrypted messaging and VoIP apps can be used for good or ill.


Although the total number of encrypted communications apps that are available
today has already outstripped the possibility of collecting all of them within
this report, there are a handful that are considerably more popular than the
rest. The following examples include those popular apps, as well as
a few that differentiate themselves by marketing their services to a particular
audience or by pioneering a particular aspect of this growing area of the

WhatsApp – Despite being arguably the most well-known of the
apps listed here, WhatsApp would not have qualified for inclusion
in this report during much of its early existence. The app was initially
released in
2009 but did not begin introducing encryption into its messaging platform until
some time in 2014.4 The indefinite nature of this date
is due to the fact that the developers behind the app, which had been acquired
by current owner Facebook by then, were extremely cagey about their progress in
introducing encryption to the platform, perhaps fearing some of the backlash
that other platforms have since suffered. It was not until early 2016 that WhatsApp was confirmed to have full end-to-end encryption enabled, thanks to a
partnership with the makers of Signal, another app that will be covered here.5

WhatsApp’s long history shows in its capabilities, with it boasting one of
the widest ranges of communications options and features. The app supports both
text-based chat and VoIP as well as video calls, picture messaging, and even
file transmission, all of which are fully encrypted. Users also have the option
to share their current location and to access the platform via a desktop or
laptop PC thanks to a Web-based interface. Users only need a mobile phone number
to sign up, making the process of getting started with the app extremely easy.6
Because of its full feature set and ease of use, WhatsApp has, at times, been
the most popular messaging application in the world.7

Telegram – Unlike WhatsApp, Telegram was built from the
outset to incorporate encryption into its messaging protocols. However, it
handles encryption slightly differently, offering two tiers of privacy. The standard,
cloud-based level allows users to chat from multiple devices via the service’s
companion apps and Web-based interface, while the so-called "Secret Chat"
version restricts users to chatting only between the
device that the original message was sent from and the device on
which that message was received. This extra level of security has resulted in
Telegram becoming something of a poster child for the ultra-private messaging
sector, a fact that has earned it both praise from privacy organizations and
scorn from government agencies in Iran, China, Russia, and elsewhere.8

Telegram’s feature set closely mirrors that of WhatsApp, although it does not
include live video chat. It does, however, support the sending of video
messages, stickers, audio messages, and even files up to 2GB in size. Telegram
is also well-known for its early support of chatbots, launching support for
these AI-based chat participants in 2015.9 These virtual assistants
can be set up to perform basic customer service tasks, process transactions, and
more, all using the Telegram chat interface. Due to the highly secure nature of
the Telegram platform, it is also possible that such AIs could be used in the
trafficking of illegal or illicit goods and services, raising an entirely new
area of concern for those already uncomfortable with the concept of an encrypted
chat platform.

Mumble – Mumble is, first and foremost, a VoIP-based audio
chat service. However, unlike the many other apps and platforms that provide
such a function, Mumble markets itself specifically to gamers. The platform is
positioned as a more secure equivalent of services such as TeamSpeak or Discord,
with all communication passing over its servers being fully encrypted. This
encryption is tied to both the user’s account credentials as well as to a
cryptographic technique known as "public key certificates." The company behind
the app claims that this provides "perfect forward secrecy," rendering it nearly
impossible for anyone but the intended participants of a given chat to listen

While Mumble may not be as full featured as most of the other apps on
this list, it is laser-focused on providing capabilities particularly tailored
to its gamer-centric audience. This includes directional
audio, which makes chat participants’ voices sound as if they’re originating
where their in-game character is currently located, as well as on-screen
overlays that can appear on top of the interface of nearly any PC game.

Zello – Zello specializes in providing two-way radio-style
communication services, similar to those offered by the flip phones with dedicated
walkie-talkie buttons that were popular in the early 2000s. However, it advances the technology
considerably, offering features such as the ability to replay sent messages,
incoming message control and notifications, and support for cellular and Wi-Fi
networks. The service also boasts of its flexibility, being usable for
everything from a personal chat to coordinating a large team of personnel for a
business project. It is this ability to serve as a coordination platform
that has gotten it in hot water several times, including the most high-profile
incident, the 2017 Stockholm terror attack mentioned above.11 That said, there
have been positive outcomes to Zello’s use as well. The best example
of this may be the app’s use to coordinate relief efforts in Texas following the
devastation caused by Hurricane Harvey as well as its subsequent use in the
preparations for Hurricane Irma in Florida.12,13

Of course, Zello provides this functionality with built-in encryption, making
it possible to avoid the wiretapping that could impact traditional cellular
networks, or the even easier to employ eavesdropping which could occur over an
open radio signal. On the negative side, the service could potentially give
malicious parties instant access to a completely secure, unlimited radio
network anywhere on Earth with cell service, allowing them to coordinate any
sort of attack. On the positive side, the same tactic could be
employed by patchwork disaster relief efforts of the type mentioned above, which came
together from disparate sources. Zello’s platform can provide a much-needed communications hub where more traditional
coordination methods might have failed.

Signal – Signal is closely tied to WhatsApp through the
development of its encryption and messaging standards.
However, it exists to this day as a stand-alone service with much of the same
functionality – including text and voice-based messages, audio and video chat,
and more. The Android version of the app is somewhat unique in that it can
be used as a replacement for the operating system’s default SMS app, providing
encryption as part of the same app that unencrypted text messages are sent
through. Unlike most of the other options on this list, Signal’s maker, Open
Whisper Systems, prides itself on keeping the Signal platform open source,
allowing its usage under the GPLv3 License.14

Signal is perhaps the most active member of the list when it comes to being a
vocal opponent of oppressive regimes. When the app was blocked in Egypt in
December 2016 by the national government, Signal began offering a technology
called domain fronting, which could fool government firewalls into allowing its
traffic through by making it appear as if a different service was transmitting
data.15 Although most of the services on this list can be used in a
similar manner, Signal’s specific intent to circumvent
government censorship is rare, even among apps that make it their business to
keep the voices of their users from being silenced. This capability has
flourished recently in the US, with Signal Foundation co-founder Moxie
Marlinspike having noted that the platform saw increased usage in 2020 during
the protests following the death of George Floyd. To further protect users,
Signal introduced a way to blur faces in shared images to prevent US authorities
from tracking protesters by monitoring publicly posted photos of protests.16

Security Concerns


The security concerns over encrypted messaging services are essentially the same as
those raised against nearly all forms of encryption. To summarize: encryption keeps out prying eyes,
even if those are the eyes of law enforcement and intelligence agencies. While this is a good
thing in the case of repressive regimes, it may not
always be a positive in the case of governments that truly do have the
best interests of their citizens at heart. The best example in the US of this
privacy vs. security debate is still the now-infamous conflict between the
Federal Bureau of Investigation and Apple. In this instance, the iPhone of the
San Bernardino shooter, a person believed to have ties to global terrorist
organizations, was left locked upon the suspect’s death. The FBI asked Apple to unlock the encrypted device in increasingly strong terms,
which Apple refused
to do. The company’s reasoning was that unlocking the device or giving the
FBI the tools to do so itself would lead to a slippery slope that would
eventually undermine the privacy of citizens who might commit relatively minor
offenses, or be entirely innocent.17 Whether or not the FBI could legally coerce Apple to
reverse its decision became a moot point when the agency reportedly found a
third party that managed to crack the encryption on the device in exchange for a
significant sum of money.18 To this day, Apple and all other major
tech manufacturers in the US have, as far as the public record shows, refused to
build the type of back door into their messaging products or software that the FBI was requesting.
That said, Apple has since announced plans to incorporate a system into its
iCloud photo storage which will scan all iPhone users' devices for images of
child sexual abuse.19 While some have applauded the move, others have
voiced concern that this is exactly the type of backdoor that privacy advocates
have always feared would eventually be supported by a major platform owner like
Apple. For its part, Apple claims the technology only scans for images already
known to the National Center for Missing and Exploited Children (NCMEC), and
that chances of a false positive are vanishingly small.

That said, most traditional forms of messaging and voice communications can
be accessed with something as simple as a court order. Such orders are very frequently received by Apple, Google, Microsoft,
and many others in the tech community. Compliance with them is mandatory under
US law and is the source of evidence cited in thousands of cases each year.
However, it is with the addition of encryption that the issue becomes somewhat
more sticky. This is because, depending on the method of encryption and the
strength of the technique used, it can actually be quite impossible for some
companies to provide access to a given user’s account, even if they want to
cooperate. This is the result of security keys that are unknown to the
company itself. Such keys are employed where the highest level of security is
needed or when the company wishes to absolve itself of all responsibility
– as well as the ability – to comply
with court orders. Unless a country wants to ban
encryption entirely, the reality is that it is 100 percent possible that, regardless of the courts’
opinion, some devices and communications platforms will remain inaccessible to
government oversight without the cooperation of the actual account holder.

Government Reactions


The stance that national governments have taken on the use of encryption
in messaging and communications apps has been highly varied, while the corporate
stance has been largely unified.

In the case of government reactions, the US has largely been hands-off.
Ever since the revelation of the Spectrum spying scandal by controversial leaker
Edward Snowden, the federal government generally tends to maintain a low public profile on such matters. Although the data collection efforts
revealed by Snowden are believed to have ceased operations, Snowden
himself has recommended the use of Signal as his messaging platform of choice.
This level of concern may or may not actually be warranted, depending on the
individual’s trust in the US federal government. However, the US, despite the
ongoing efforts of some high-ranking officials, is inarguably
less aggressive in its efforts to maintain its ability to access citizens’
private messaging data than many other countries.

While the right to personal privacy is generally the norm compared to wide-ranging
governmental control in most of the western world, that right is hardly
universal. Several unsuccessful attempts have been
made by the British government to require the installation of a back door into
encrypted messaging applications, while France and Germany have confirmed that
they require apps to provide them with back door access in the case of an
emergency.20 There are two interesting facts about the stance of
France and Germany on this matter. First, neither country has yet banned any of the
most popular messaging apps listed here, despite their lack of compliance with
this policy. This suggests that, while both nations would like unfettered access
to users’ communications data in times of crisis, they are unwilling to infringe
upon the free distribution of otherwise legal applications in order to achieve
their goal. Second, this policy is contradicted by a draft proposal brought
before the European Union, which includes both France and Germany.21
This proposal attempted to ban the inclusion of any such back door for reasons of user
privacy. However, it and other proposals like it have, so far, not been ratified. That said, it could still
eventually become EU law. Still, with France and Germany almost certainly being
opposed to the law, and the UK’s exit from the EU absolving it of any
need to follow such a law, the governmental stance on encrypted messaging across
Europe is likely to be varied and in flux for years to come.

While Europe and the US have been highly cautious in banning apps that are
unwilling to provide a back door, other nations have been nowhere near as gentle
in their attempts to control the flow of communications. Countries that have
implemented temporary or permanent bans on at least one
method of encrypted messaging include: China, Saudi Arabia, Egypt, the United Arab
Emirates (UAE), Guyana, India, Iran, Kuwait, Libya, North Korea, Oman, Qatar, Syria, and
Russia. Although other nations have attempted to pass legislation
banning a single app, those efforts have, so far, proven largely unsuccessful.
However, one nation, Australia, has passed a law which requires
government-mandated backdoors be included in any encrypted apps.22
Critics of the law have stated that it is the beginning of a slippery slope for
global privacy, and that it endangers other citizens across the globe.23

Unfortunately for privacy advocates, there does not appear to be an end in
sight when it comes to some nations’ wishes to control
encrypted communications. One of the most high-profile examples is
Russia’s attempt to ban the Telegram app after the app’s
developers refused to decrypt communications between users and hand them over to
the Russian FSB (Federal Security Service). However, even
this extremely powerful nation has been largely foiled in its attempts to
actually impact the Telegram user base. The combination of IPv6 technology, which
is entirely immune to Russia’s attempted ban, and a series of savvy moves by the
Telegram developers has resulted in almost no actual use of Telegram being
restricted within Russian borders.24 At most, the Roskomnadzor (the
Federal Service for Supervision of Communications, Information Technology, and
Mass Media in Russia) has managed to make itself a minor inconvenience to
Telegram and its user base, while instead blocking technically legal
services such as YouTube, Amazon, and several others.25

Russia’s fervor for controlling the flow of information and its subsequent,
somewhat blundering attempts to enact that control are a perfect
example of how difficult it is to control the flow and proliferation of
encrypted communications across the Internet. As soon as a repressive regime
comes up with a way it believes will block unwanted chatter, the
tech-savvy public or developer will find a way around that supposedly impenetrable
wall. This is a cat-and-mouse game that is likely to continue for the
foreseeable future, and one that, like all aspects of this topic, could result
in positive benefits for the general public and protective cover for criminal and terrorist elements.



Encryption as a whole is tied inexorably to personal privacy. Now that nearly
every citizen in the developed world has some online
presence, they should all be highly invested in how encryption is handled by their
respective governments. While this is true of protecting data during online shopping
or banking, it is more important when applied to personal communications. The slope down which government policy travels
as it relates to
communications is among the most slippery in the legal world. As
exemplified by Apple’s stance in the San Bernardino iPhone case, even a single
instance of allowing back door access to encrypted messages could (at least in
Apple’s opinion) result in an eventual abuse of such power for
completely unwarranted reasons. What might begin as banal
compliance with a request that seems, on its surface, to be entirely in the
public interest can quickly skew into enabling a government’s illegitimate
attempts to control the populace.

This is not to say, of course, that no company should ever aid a governmental
or law enforcement agency in their attempts to gather necessary evidence or
information. Indeed, circumstances may exist in which lives may be saved by an
investigator being allowed to see a particular message or listen into a specific
conversation. Apple chose to deny the request of the FBI when its investigation
related to an already-complete massacre. However, a similar instance may one day
arise where such a crime could be prevented. Would it still, even then, be
morally acceptable to protect user privacy above human life?

The next instance like the infamous Apple vs. FBI showdown is likely to once
again pit advocates of encryption that support personal
privacy against opponents of encryption that support unfettered government access. Ultimately, there is no easy answer to whether encrypted messaging and VoIP services are beneficial or harmful to humanity. It is up to the collaborative efforts of
governments, developers, private citizens, and network operators to make sure
this particular tool is used to better human lives and not
to harm them.


About the Author


Michael Gariffo is an editor for Faulkner Information Services. He tracks and writes about
enterprise software and the IT services sector, as well as telecommunications
and data networking.
