Privacy-centric Communications

Posted on August 06, 2014 in Privacy • 7 min read

Paranoia, some smart people like to say, is not retroactive. What I mean by this is not that you should start being paranoid now, because you never know when you’ll need it. Rather I mean that, at whatever point in time you actually need to start being paranoid, you’ll certainly wish you had started being paranoid at an earlier point in time.

So, to that end, it’s time to talk about a few secure communications technologies you can start employing TODAY to keep immoral corporate and government actors at bay. I’m pointing out these particular platforms not necessarily because I think they are the absolute best, but because I think that they are the most approachable. Some of the best methods for secure and private communications are still exceptionally rough around the edges and not at all ready to be used by a typical user, but I’ve found these to be fairly easy to get up and running.

vLine: a user friendly WebRTC facilitator

The state of web-based video calling is horrid. Atrocious. Has been for some time. On the one hand, you’ve got centralized services like Skype and Google Hangouts that come with their company’s repugnant record on privacy. Then you have the ridiculous “meeting” solutions like citrix or join.me and so on.

On the other hand, you have SIP, a protocol often used for video calls. SIP is great, or rather would be if anybody but a relatively small cadre of digital literati were capable of using it. If you have skill and need a secure video calling line, SIP with ZRTP is pretty much the way to get what you want, but I wouldn’t count on using it to successfully reach your grandma.

WebRTC on the other hand is really starting to look like a good technology at this point. Simple, easy to use, browser based video chat. Now comes with encryption technology, depending on how you go about facilitating the connection. Also, WebRTC is peer-to-peer which means the only roll that the server has in facilitating the conversation is connecting to two people.

The WebRTC facilitator that I’m liking the most at present is vLine. Their developers appear to know what they are doing, their descriptions of their goals are on point, and they’re using the most secure extensions that are commonly supported by the WebRTC standard at this time.

One thing to note is that vLine does not yet work on mobile, so you’ll have to be in front of a computer to use it. At present the only even half-decent piece of software that I know of for Android is Lumicall, although it is actually a SIP system and configuration can be a bear.

Tox.im: chat, decentralized

Tox.im has a great idea, one that you’ll see repeated in the next three items: leverage the inherent distributed nature of the fundamental technologies of bittorrent and bitcoin to produce robust, secure messaging platforms. In Tox.im’s case, the bitcoin protocol is not used, however Tox still does a fairly good job of allowing for pseudonymous (not anonymous, by by pseudonym) conversation with encrypted contents. It’s not perfect, but Tox.im is definitely a good start.

If you go to check it out you might see that while Tox.im has video chat capabilities, I have not listed them as a feature, and that is largely because they do not exist across all of the different clients that suppor the messaging protocol, including the mobile ones, so I don’t actually consider it a core feature at this point.

Twister: like Twitter, but without all that

Twister is exactly what Twitter would be if you removed everything about it that wasn’t a good idea. There can no longer be a fail whale, because twister HAS NO SERVERS. Twister leverages parts of bittorrent and bitcoin to create a distributed online messaging system that provides actual legitimate privacy in a way Twitter never could. Plus, since the protocol is already live, there’s no way for Twister to retroactively change their privacy policy or system architecture to make all of your private posts public by default ;-)

Because Twister is built around bitcoin’s blockchain technology, you can’t simply install it and start running. It is going to take a good deal of time for the full blockchain to download and for Twister to be ready to use. Once the full blockchain is loaded, you access Twister like a website hosted locally on your machine. Then you can post microbloggy goodness and follow people and do all the direct-messagey things that you are used to doing on Twitter.

One very important note regarding Twister: as with bitcoin, your private key is your identity. It is very important that you back it up somewhere. Otherwise if you should lose it you will never be able to post as that user again, period end of story.

You can pick up the admittedly very beta-quality twister here, and I highly recommend you do some reading. It’s impressive stuff!

Bitmessage: Email, but private

The best way to think of Bitmessage is like a completely bulletproof e-mail system that uses a fake name. You can tell people your fake name, or share it on the internet, but you can also have an unlimited number of fake names. There are of course a few caveats. No attachments, unless you’re willing to jump through many hoops, and the user interface is still pretty simplistic. But it’s something rather than nothing, and as far as a distributed, fully encrypted, decentralized alternative to email, you aren’t going to find a lot on the internet right now that is better than Bitmessage.

Much like with Twister, it’s worth noting that identities are derived from private keys. Should you lose your private key, you will never be able to retreive messages for an adress, or send from that address ever again. Additionally, messages on the Bitmessage network have a lifespan of around three days. If you don’t connect to the network during that time, you can very easily miss messages. It’s worth pointing out though that if you do not receive the message, the message will never show as received to the sender, so if they are paying attention they will know the message hasn’t been read.

OTR + Jabber/XMPP: established encrypted chat.

XMPP is, by this point, one of the few real enduring standards of the internet. Facebook messaging speaks XMPP (although very poorly). Google chat speaks XMPP. And there are a plethora of freely joinable XMPP servers, all of which support (of course) XMPP. And here’s the real kicker: if you’re signed up on any one of these servers (except Facebook) you can talk to any person on any of the other servers. This concept, known as “federation”, is something you don’t see as much as you should, mostly because some companies think it’s easier to extract money from people if you keep them in walled silos.

Of course, XMPP by itself is somewhat lacking in the security department. While many XMPP servers secure the connection between the user and the server, the server is still able to read the message (a no-no for security specialists) and often the connection between servers is not encrypted, meaning that attackers on the network can read messages that pass between different servers as they move by on the network.

The solution to that problem is a plugin called OTR, and it’s supported by many XMPP clients. And the kicker is, the server doesn’t matter, because the encryption is all done client-side. In general, Pidgin is the most established and beloved of messaging clients that support XMPP, and it is in fact the reference implementation for the OTR system, which you can find here after you install Pidgin.

Assuming you have an XMPP account (you can use a Google chat account or sign up on one of the servers that you find here), OTR setup is very easy. Activate the plugin in Pidgin’s plugin list, generate a key, and start encrypting your messages with other people that have it installed. That simple.

If you’re looking for an OTR capable messaging client on Android, check out ChatSecure, Xabber, or Conversations

Red Matrix: a much better design for a social network.

Red Matrix is a project that I’ve been watching for a long long time. Chiefly the brainbaby of long-time software developer Mike Macgirvin (who’s been working in web software development for a long time with a number of different firms), Red tries to fix a lot of problems that have existed for too long in our social networking infrastructure.

Red was started by Mike after one of his earlier projects (Friendica, a master distributed social networking system that can be deployed by anybody on a server and interface with many other social networks) started running into some dead ends with regards to security and privacy, as well as user control. Because most social networking systems are designed towards insecure, privacy-compromising objectives from the start, federating with those social networks cannot be accomplished without compromising privacy. In short, if you want a secure, private social network, you have to turn your back on Facebook, Twitter, Statusnet, Diaspora, and a whole host of other platforms.

Red is something completely different from any other social network you’ve ever seen. To begin, it has complete granular privacy controls that are private by default. You will be shocked. You will be astounded. Additionally, because Red is distributed (you can sign up at any open Red Matrix node, or set up your own) and federates with itself, the particular network node that you choose doesn’t have much bearing with who you can socialize with. But the real game changer is decentralized identity. Your identity itself propogates out to servers you aren’t even on. And should you want to change servers, it’s no problem. You can migrate to a different server just by instructing your identity’s new home to talk to the old one, or by importing a file at the new site. Set up your own node, and want to move to it? Same thing.

Red Matrix is of course still in development, but that doesn’t mean it isn’t usable. If you’re really interested in a private, secure social network that’ll give you a comprable experience to something like Facebook, Myspace or Friendster (but without all of the ads and surveilliance), you aren’t going to find something better on the internet of today.

Feel free to drop me a line if you want some help!

Jason R.