How Secure Are Your Texts, Really?

This week, we discuss the ins and outs of encrypted messaging apps and videochat services—and why you should probably be using them.

Maybe you aren't a political dissident engaging in top secret conversations over text messages. But if you care about privacy, you should probably be using Signal—or really, another encrypted service—to send your messages. Encryption can be a hot-button issue, with governments demanding backdoors into private data stores and executives at companies like Facebook expressing wildly different opinions about how secure your communications should be. Plus, at a time when we're relying more and more on digital services to talk with each other, it's important to know who has access to your conversations.

This week on Gadget Lab, WIRED digital director Brian Barrett joins us to talk about the ins and outs of encryption, and why you'd want to use a secure messaging service in the first place.

Show Notes

Read Brian’s tips for using Signal here.

Recommendations

Brian recommends the show Detroiters. Lauren recommends the show Selling Sunset and the video where WIRED’s Nick Thompson, Pia Ceres, and Adrienne So talk about the digital divide in education. Mike recommends using Signal’s built-in tool for blurring people’s faces whenever you want to share a sensitive photo.

Brian Barrett can be found on Twitter @brbarrett. Lauren Goode is @LaurenGoode. Michael Calore is @snackfight. Bling the main hotline at @GadgetLab. The show is produced by Boone Ashworth (@booneashworth). Our executive producer is Alex Kapelman (@alexkapelman). Our theme music is by Solar Keys.

If you have feedback about the show, or just want to enter to win a $50 gift card, take our brief listener survey here.

How to Listen

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here's how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for Gadget Lab. If you use Android, you can find us in the Google Play Music app just by tapping here. We’re on Spotify too. And in case you really need it, here's the RSS feed.

Transcript

Lauren Goode: Mike.

Michael Calore: Lauren.

LG: Mike, what's your favorite text messaging app?

MC: Oh, it's Allo, I spend all of my time in Allo.

LG: Remind me again, what Allo is.

MC: I'm just kidding. It's the one that comes on Android phone. Nobody uses it. I use Signal primarily.

LG: OK. And that's encrypted, right?

MC: It is. It's very encrypted.

LG: Is that why you're using it?

MC: Yes, it is the primary reason why I use it.

LG: And that's exactly what we're going to talk about today.

[Gadget Lab intro theme music]

LG: Hi, everyone. Welcome to Gadget Lab, I'm Lauren Goode. I'm a senior writer at WIRED, and I'm joined remotely by my cohost WIRED senior editor, Michael Calore.

MC: Allo, Allo.

LG: Is that, are you saying Allo again? All right. We're also joined this week by WIRED's digital director, Brian Barrett. Brian, thanks for coming back on the show.

Brian Barrett: Allo everybody, thanks for having me.

LG: Oh my goodness, you guys. OK, let's talk about texts or specifically encrypted messaging. Brian here wrote a guide this week on WIRED.com, and it was a guide to using the app Signal. Which many of you have probably heard of. And we're going to get into why we think Signal is an app that you should consider using for your digital communications. And then later in the show, we'll talk about some of the debates and the controversy around encryption. But first let's talk about how and when you should be using apps like these.

Brian. Signal. Give us the quick high level for people who don't know. What is Signal and why should people consider using it?

BB: So Signal is an encrypted messaging app, like Mike said, but it's not just encrypted it's end-to-end encrypted. Which means that when it goes from your phone to the person's phone that you're sending it to or their desktop, no one can intercept it in between. It's encrypted all the way through, which gives you that extra layer of protection and security. It's been around for several years now. And I think the reason that it is a favorite among people who take this stuff really seriously are twofold. One, it is a nonprofit organization that puts this out. So, they are not sort of trying to weasel their way toward making money off of you. And two, it's open source. So, cryptographers have had every opportunity to dig through the code there, look for flaws. Any of that get found, get fixed really quickly, they're really responsive. And it's increasingly been adding features that are ... normal people like to use.

Stickers and a reaction emoji, it's sort of piled on these extra features lately to make it a much more well-rounded app than it was for several years, when it was sort of the doyen of the cryptographic community.

LG: And there's a bit of a background to the Signal Foundation that we should probably mention as well, right?

BB: Sure. So, well, which part are you going for Lauren?

LG: Well, I'm not wrong that it was started by Brian Acton, right?

BB: So, Signal was started by a guy named Moxie Marlinspike, who WIRED profiled several years ago. And he's this sort of anarchist cryptographer, he's a really smart, intelligent guy. A couple of years ago, Brian Acton, who is the former founder, or he's always the founder of WhatsApp, but he left WhatsApp after disagreements with Facebook and he sunk $50 million into Signal to help add those features and to make sure it was sustainable for a long period of time. So he didn't create Signal. WhatsApp does use Signal's underlying protocol. So there's a lot of interweaving, but basically yes, it is, in terms of how it is sustainable, Brian Acton is sort of the benefactor, that's going to keep it running for the foreseeable future.

MC: So, people who take privacy seriously already know about Signal and they use it, but why is it something that regular consumers, just people who maybe don't consider privacy to be high up on their list of things to worry about in their communications? Why should they be using it?

BB: Well, partly because you're not giving up anything by using it. It's sort of why lock your door if there's never been any crime in your neighborhood? Well, you could still lock your door. And I think that everyone thinks that they don't have something to be concerned about, until they do. And I think we're not also, we're not thinking only of, nation-state, elite spies here, we're thinking of any kind of ... If for example, if an advertiser, Facebook wants to look in the contents of messages, right? It could do that, potentially, it has the ability to do that. So, looking for a way where it's not just you're playing spy games, but you're just keeping your ... You have security in the knowledge that no one can look at this stuff. That feels like a universal good, more than a niche. Maybe I'll do crime someday and I need it to keep people from finding out.

LG: So you mentioned WhatsApp, and I think that later in the show, we're going to get into some of the disagreements that exist in the tech industry around encryption. But from a user perspective, what should people consider when they're deciding whether to use Signal or whether to just use WhatsApp, which we know has a huge international user base.

BB: And I think that's an important thing, which is that it's important not to get too caught up in having the absolute most concrete. If you and everyone you know, uses WhatsApp, that's probably fine. That's probably enough for most people, because again, WhatsApp uses Signal encryption. It uses the same sort of encryption that Signal offers underneath it. Where you start to get into trouble is, if you're using WhatsApp and you're texting someone who does not use WhatsApp, then that is no longer encrypted, right? Or if you are using iMessages and the person on the other end is not, then you are no longer encrypted. So it's more important I'd say, to know that the other person at the end of the line is using the same app that offers encryption as you, than being so married to one specific app that you won't flinch.

MC: Brian, you mentioned that the specific encryption mechanism that Signal developed for its own chat app is also used by WhatsApp. And I believe there are other apps that use it too, like Facebook Messenger and Google's Allo, which we love to make fun of. They also use Signal's encryption. What does Apple use for its own messages platform?

BB: So, Apple uses its own proprietary cryptographic scheme, which is controversial, generally. I think people who spend their time studying this stuff are wary of anything that you can't see. And the saying is, "Don't roll your own crypto." Is what everybody says, which Apple has done. Now, that doesn't mean you should be concerned about using Apple messages. You shouldn't worry about that necessarily, but it is the kind of thing where, oh, if you're a ... you don't have as much sort of built-in, everybody's poked and prodded and audited this as you do, if you're using Signal. So, if you are a journalist or a dissident, Mike, I know you're a bit of a dissident. It's good to just have that extra little bit of security.

LG: I'm sorry. I was caught a little off guard there, but calling Mike a dissident, I think it really threw me. I'm wearing a tee shirt today that says, "Fight fascism." So, I'm like-

BB: See?

LG: I got to be on Signal. So even though the apps we're talking about right now offering end-to-end encryption, I'm wondering if there are other peripherals to these services that people should consider. For example, Signal has or had, they may have eliminated it by now, a feature that would alert you every time one of your contacts joined Signal. Which some people complained wasn't very private because it just alerted you to the fact that someone else in your network was using Signal. And so, I wonder if, even if the core technology offers a lot of privacy, if there are other things you need to think about when choosing these forms of digital communication.

BB: Yeah. And Signal has been going through a few trade-offs. That's one that people tend to glom onto and rightly, and you can turn that side off for yourself. So you can say, "I don't want to see when people I know join Signal," but you can't turn off other people seeing that you are. But, not to overcomplicate this, it's only people who were in your contacts already. So I think Signal is assuming, well, if they're already in your contacts, then you already have some sort of a relationship with them, whether that assumption is fair is another debate. The other thing that Signal did recently, was they added a PIN to all accounts. And the PIN was to make it easier to go from, if you change your device, if you move from one phone to another, the PIN will help you transfer all your contacts, without having to go through the whole process again. That was controversial for those who said, "Look, like I don't want any kind of ... I don't want Signal storing anything regardless of how protected it is."

So, I think there are those trade offs. As Signal becomes more popular and becomes more mainstream, it's going to run into more and more of those trade offs. But for now, there's nothing about it that jumps out to me as saying, especially for the average user, "Oh no, you probably got to worry about that."

MC: I'd like to ask you about the desktop specifically, because the switch to remote work this year has put increased scrutiny on the security of video calls from the desktop. For most people, the main option is Zoom, just because that's where so many companies have gone to, but Zoom has its own history of sort of security mishaps recently. So, what's the state of secure video chat on the desktop?

BB: Secure video chat is really hard, is part of the problem. So, people are working on it, they don't quite have it figured out. I think we want to be careful talking about Zoom. They got a lot of heat and deservedly, I think more because they were misrepresenting the kind of encryption they had. They were calling it end-to-end encryption, it was not. Calls were still encrypted, which is enough for most people. So it's again, I think that the ability to communicate really clearly, what you're getting and who you're ... is as important, as in a lot of cases, as the underlying mechanism.

In terms of who actually does have end-to-end encryption for video chat, FaceTime is ... You can get, I think up to 32 people on an encrypted video chat. Zoom has brought on some really, really talented cryptographers. They bought a company that focuses on encryption and they expect to have a fully end-to-end encrypted solution for a lot of people really soon. So, it's getting there. I think part of the problem too is, that it just wasn't something that was needed at this scale before. No one was really asking for it. Now that they are, I think we'll see it get a lot better soon. But until it really ... If you want a big group call, that's end-to-end encryption, FaceTime is probably your best bet.

MC: I noticed that Signal launched a desktop beta for one-to-one end-to-end encrypted video chats. Have you gotten a chance to try that out?

BB: I have not. I am still ... I'm a company man, and we use Zoom. So, I am still on the Zoom train for all of that. And all my super secret conversations happen deep in my bunker, and so I don't need people seeing that on video chatting.

LG: It turns out Brian, you're the dissident among us.

BB: Yeah.

LG: Or maybe if you were, he would already be using the Signal beta. All right. This has been a great conversation so far. We're going to take a quick break, and when we come back, we're going to drill down into the heart of the encryption debate.

[Break]

LG: Welcome back. So, if there was ever a time to think twice about privacy when it comes to digital communications, that time might be now. Because during the pandemic, a lot of us have become more reliant on video chat apps and text messaging apps to stay in touch. But as with a lot of crises we go through, there's a chance that in our rush to find solutions, we ignore privacy or privacy gets eroded. Encryption seems like a straightforward answer, but it's far from it. It's actually a subject of big debate, whether it's top Facebook executives having different opinions on it, or Apple clashing with the US government over revealing user communications.

Brian, what level of responsibility do companies have when it comes to encryption? And we're talking I think, specifically about here in the US, but when there's context outside of the US, please feel free. But is it fair for the government to regulate or have these back doors to our private communications?

BB: I think, we sort of unequivocally say, just as WIRED as an institution and me as a person, backdoors are bad. You don't need them, they do more harm than good. And that's been proven over and over again. You run into this situation where every few years, the government mounts a new campaign, we saw it with Apple versus FBI a few years ago, around the San Bernardino shooting. Then you more recently, another Apple FBI face off. And every time this happens, the FBI or whoever it is, makes a big stink about how, "Oh, we can't get in the phones, we need Apple to break the encryption for us." And then, once it looks like the court case is not going to go as planned, they figured out how to break into it anyway. I think what we have is a cat and mouse game, where phones are, in many ways, not as hard to break into as you think, and the FBI and independent contractors are getting better and better at breaking into them. And that feels like the right balance.

I think it's also important to stress that companies like Apple work with law enforcement all the time, and they will give access to iCloud backups all the time. Probably more than most people realize or are comfortable with. But there's no way that anyone has found to compromise the encryption of one iPhone and compromise that scheme, without putting every iPhone at risk. And so, you're threatening a billion plus people, making them less secure for the sake of one instance. And that just doesn't seem like good calculus.

LG: Very quickly explain that distinction that you're making here between, let's say Apple, not wanting to share end-to-end encrypted communications, but handing over iCloud backups, like they're still handing over information, right?

BB: Right. And the distinction is, so iCloud backups are not end-to-end encrypted. So Apple can access those servers and pull that information out of the server and hand it over. The controversies have come mostly around breaking into a phone. So guessing the PIN, like basically you can't or a Face ID or a compromised Face ID. Apple can't do that. Apple has no way of getting into your phone because they locked themselves out. It is your phone, it is your encryption. In order to make a way to get into that phone, they would have to undermine the cryptograph, the way that iPhones work cryptographically. And that would have to be in a software update, that just goes out to all the iPhones, right? You can't do it on an iPhone by iPhone basis. So, you are looking at a change to iOS or to the underlying cryptographic schemes, that would ... you basically introduce a new vulnerability, right?

And you could say, "Well, only the FBI will have access to this vulnerability." Like a key escrow, right? They'll be the only ones who have the secret key. But we've seen the CIA had many of their hacking secrets stolen several years ago, in the Vault 7 leaks. The NSA lost EternalBlue, which is the biggest piece of malware in the last several years. These agencies have not shown that they can protect really sensitive information well enough to say, "Oh, just give us the key and we'll hold onto it." Well, if someone else gets that key, they can suddenly break into every iPhone in the world.

MC: So, in the case of user data that the corporations do have access to, how does a government go about collecting that? Like if law enforcement wants to know who you've been talking to, what you've been taking pictures of, what you've been talking about, what happens? How do they approach the company?

BB: And this happens a lot more than you might think. And so, a lot of companies have dedicated portals even, where law enforcement can go and submit their request. Apple alone, I think reported in the first half of 2019, they had almost 10,000 requests from law enforcement. And so, what happens is they will go to Apple, they'll say, "Hey, we have this warrant. We want to search for whatever information you have about this, that, or the other." Apple and other companies don't give direct access to their servers, they will just get the data and relay it to law enforcement. And I think it's similar to, and constitutional lawyers will get mad at me probably, but it's similar to when aren't they? It's similar if you go to a house and you replace a business and you ask for someone's employment records. You're just asking for the records that they have on hand.

And the distinction is, Apple doesn't need to undermine any of their underlying encryption in order to get that information because it's on their servers that they own. And this is true of tech companies, left, right and center. One thing that we've seen in some high profile legal cases recently, I'm trying to ... I guess Paul Manafort's case jumps out. Is the cloud backups are things that people don't think about enough when they're using encrypted messaging. WhatsApp has a setting where you save backups from your WhatsApp messages to the cloud. And so, you may think you are in this super secret encrypted messaging conversation, but then all of a sudden in a Paul Manafort indictment a few years ago, WhatsApp's transcripts were up and down, detailing some pretty bad activities. And I think that's when we talk about responsibility, circling back to end-to-end encryption, it's important for companies and apps to tell people exactly how what they are using works and how it doesn't and how to navigate those things.

LG: Brian, I'm glad you brought it back to Facebook because WhatsApp as we know, is a Facebook owned property. And there've been some debates inside of Facebook from what we know, about the company's approach to encryption. So lay that out for us.

BB: So Facebook's in an interesting spot, in that they've got WhatsApp, which has really strong encryption. It had it before Facebook bought it. And of course, by default was a huge deal when they turned it on. They have encrypted messages for Facebook Messenger, if you go to secret conversations, but not if you do a regular conversation. Then Instagram didn't have anything encrypted for a long time, and I think they were going to edit or have. And now they want to say that they're going to do encrypted messaging across all of their platforms, at some point in the distant future. So it's all a jumble and it's all a mess. And I think that in general, Facebook's trying to add encryption I think in part, because they want to say, "You know what? Like if there's bad stuff going on, on this platform, we don't want to deal with it. We don't want to know about it." There's a little bit of that.

I think there's a privacy concern too, they've genuinely, I think. I think Mark Zuckerberg genuinely wants people to have privacy, but they also, the more it happens in an end-to-end encrypted environment, the less they are sort of responsible for it, I think in their view. But there's another thing where communication is going to be really hard, if you're on WhatsApp and you can message or ... and you can message someone on Instagram or are you going to know that they have end-to-end encryption turned on? Is that going to be an option? Facebook wants to monetize WhatsApp someday, which is really hard to do, when there's end-to-end encryption involved. There's so many moving pieces in terms of what they're trying to build there, that I can't help but think it's going to be pretty bumpy.

LG: And we know that some of the executives who used to run these products at Facebook have since spoken out about how they feel about encryption.

BB: Well, and that's ... Yeah and the Brian Acton, I think he has the perfect example. He left the company, he disagreed strongly with what Zuckerberg was doing, plunked a bunch of money into Signal.

LG: So, from a social perspective and not a technical one, what is your absolute best advice, Brian, for someone when it comes to handling sensitive digital communications? Let's say, someone's heard this podcast, we hope you've enjoyed it and you've learned a lot, but you're still like, "Yeah, I'm not really going to concern myself with what's end-to-end encrypted and what's not, in my backups and everything else, I'm just going to continue using the things I'm using." But you should maybe like take care with what you're sharing online, right? How do you approach that?

BB: That's a great question. I think at the very basic level, know what platform the person you're talking to is on, right? If you are chatting with another iMessage person, don't worry about it because then that's sort of fine, because you've got encryption there and that's good enough for you. If you're talking to someone on an Android, think about taking it to Signal, but then it gets too confusing Lauren, so it's all a jumble. This is why everyone should download Signal and tell other friends to do it and just use that. That's my real advice. Because otherwise, there's the network effect, right? And so we want to get the network effect going for the app that we know works and that everyone can trust. So, I'm throwing out the first part of my advice. And the second part, use Signal, tell your friends to use it too.

MC: I found that it's easier to get people to move our text conversations onto WhatsApp, than it is to get them to move them onto Signal, because more people already have WhatsApp installed.

BB: Or if you're Mike's friend, use WhatsApp.

LG: [Laughs] Well, Mike has tried. So actually, now that I'm looking at our Zoom call, as we tape this, everybody on this Zoom call right now is an Android user, except for me. I'm sure I've text messaged all of you at some point. And I'm pretty sure I've just defaulted to SMS, but Mike has tried valiantly to get me to text him on Signal, but I just use SMS. Sorry, Mike.

MC: That's OK. From now on.

LG: From now on. Brian has sufficiently scared me, in a good way. All right. That was a great conversation. Let's take another quick break and then we'll come back with recommendations.

[Break]

LG: Brian, since you're our guest of honor, what is your recommendation this week?

BB: Man, so I'm going to go with the show Detroiters, which was on Comedy Central for two seasons and you can catch it on demand now. And it's very funny. It stars Tim Robinson and Sam Richardson. And Tim Robinson's the guy who's behind, I Think You Should Leave on Netflix. And he was on Saturday Night Live for a little bit and Sam Richardson was on Veep for several seasons. Anyway, it is hilarious. A screwball, weird, funny, good and all of those things. If you're looking for something to take your mind off of everything going wrong all the time.

MC: Brian, does this show come out of the improv sketch comedy scene, that you're a big fan of?

BB: I'm so glad you asked. I believe, yes. And I might get this wrong, I believe Tim was from Improv Olympic for a while, out in Chicago. And Sam Richardson has some improv background, but I'm not sure exactly where, I think. But yeah, I think that is a correct assessment. And I'm sorry if I got the details wrong.

LG: Excellent recommendation, Mike, what's your recommendation this week?

MC: Well, I actually have a tip for all the Signal users out there. Did you know that you can blur faces in photographs in Signal?

LG: I did not know that. Tell us more.

MC: So you have to take the photograph in Signal. So you have to like open up the app and then tap on the camera icon. But then, once you take a photo you're taken to a screen that lets you edit it. And there's a button at the top that you tap on it, and it can automatically blur the faces in your photo. And it does it in a way that makes it virtually impossible for somebody to unblur it and see who or what you're taking a picture of. I mean, it's obvious that it's a human, but you can't discern any of the information, the identifying information around their face. So the automatic blur tool will make like a rectangular box over the person's face. It does leave some information around the top and the bottom of the box. So if you're like me and you have wild curly hair and a beard, you will see the edge of my wild curly hair and the edge of my beard poking out from behind the blurry box. But then you can also just touch the screen and sort of squiggle out any other details that you want and make those blurry too.

So if you're, for example, at a child's birthday party and you want to take a picture and you want to post that picture and share it, and somebody says, "I don't want my kid's face in it." You can just blur their face. That will be helpful. Of course, that means that you're always taking pictures in Signal, but why not? I think every app has the ability to take pictures now. So, just make that your default picture taking app and then you can blur everybody's faces.

LG: That's a great tip. I really did not know that existed. Thank you, Mike.

MC: You're welcome.

LG: I have two recommendations this week. And the first one, I'm actually like embarrassed to share. I've been debating whether to share it, but I'll go ahead. Selling Sunset on Netflix. For those of you-

MC: Oh yes, yes, yes, yes.

LG: Who have not seen this reality show, which I will fondly call an unreality show because it was really ... It was first released back in the spring of 2019. And for some reason, it's just, it's getting a lot of attention right now. And someone recommended it to me and I said, "I don't really watch reality shows." And she said, "No, you need to watch it." And I got hooked. And then every person I've recommended it to since has said, "What have you done? Now, I'm totally hooked." But it's a reality series about a bunch of Los Angeles real estate agents, all women, except for their two bosses. And they're selling multimillion dollar homes, like in the Hollywood Hills and then sometimes in the Valley too. And the show just follows them in their personal lives and their personal drama and these crazy, crazy homes that they're selling. And because it is pre pandemic, it is one of those shows that just feels completely unreal. They're at restaurants, they're hugging and kissing and they're having big parties and sharing meals, and everything just feels like ... And of course, they're walking into other people's homes without thinking twice. It just feels like a total throwback to an era that no longer exists. For that reason, it feels very escapist to me.

BB: But Lauren, do you kind of flinch when you see people hug on TV or like-

LG: Yes.

BB: Huddle in closed spaces?

LG: Yes.

BB: It makes me feel weird now.

LG: It feels so weird. Yes, 100 percent. When I watched the HBO show Run, which I recommended in a much earlier episode, I was cringing about the idea of people being on a crowded train together for an extended period of time and touching the bathroom doors on trains. Yeah. Yeah, I think this is going to be our new reality, but speaking of reality, this is a total guilty pleasure of a reality show, Selling Sunset. Yes, I made that recommendation. But my other recommendation is certainly, it's very real. And earlier this week, our editor-in-chief, Nick Thompson had a live stream conversation with two of our excellent writers, Adrienne So and Pia Ceres, about the digital divide in education. It's a topic that Pia has been writing about for WIRED. Adrienne is one of our senior writers who covers products, but she also often dives into the world of parenting and the intersection of parenting and technology.

And Nick is also a parent himself and revealed during this live stream that if media doesn't work out, he's going to become a youth soccer coach. But, they had a really great, smart, and enjoyable for these times, conversation about parenting and educating in the time of COVID. With everyone being online, and particularly what it means for kids who come from lower income households. So, I would take a listen to that. We streamed it on Periscope. It's on WIRED's main Twitter account, we'll include a link in the show notes, but yeah, check it out.

So that is my ... Those are my two recommendations this week.

MC: Totally solid.

LG: All right, that's our show. Brian, thanks again for joining us. That was great.

BB: Thank you guys for having me.

LG: And thanks to all of you for listening. If you have feedback we would love to hear from you. You can find us all on Twitter, just check the show notes. This show is produced by the excellent Boone Ashworth. Our executive producer is Alex Kapelman and we'll be back next week. Goodbye for now, or should I say, "Allo."

[Laughter]

BB: Nice.

[Gadget Lab outro music]