How and Why to Use a More Secure Chat Client
Surveillance is ubiquitous. Our online lives are a panopticon, where we never know for sure that anyone is watching, but we know they always might be. With public messages, on boards and social media, being concerned by this would be laughable, since announcing these things to the world is the entire point, but in one-on-one messaging or closed group chat, things are very different. The average person believes there to be a certain amount of privacy there; nobody else can see your DMs, right?
Of course, the government can and does. The Dishfire program is known to collect 200 million SMS messages per day(1), and phone companies voluntarily gave the NSA large amounts of call and location metadata from 2002 to 2005, when they decided that they “preferred to be compelled to do so by a court order.”(2) IM clients are, of course, not any more private in these cases. “Sustained Skype collection began in Feb 2011,” and has continued unabated since then, with text, voice calls, and video chat(3), encrypted or not.(4) Of course, Skype is not as popular as it once was, and the ruler of the day for personal IMs (aside from Facebook, which has consistently been one of the largest sources of NSA data) is Discord.
While no actual leak has yet emerged documenting that the NSA (or any other particular intelligence service) includes Discord in its dragnet surveillance system, this may simply be because the application is relatively new compared to other services (launched in May 2015, compared to Skype’s 2003 or Facebook Messenger’s original debut as “Facebook Chat” in 2008) and thus post-dates many of the large information leaks having to do with mass surveillance (for example, Snowden’s leak in 2013). Given Discord’s lack of encryption,(6) I don’t see any particular reason to assume that it is the one major platform the US government is ignoring.
Of course, perhaps the average person does not care about the NSA seeing their nudes(7), but they should. Many, many articles have been written about why people ought to be worried by this trend, so I’ll just summarize this one, by Wired. Essentially, you don’t know all the laws on the books. No one does. Professors of law don’t even agree on how many laws there are in the twenty-seven thousand pages of the US Code, which incorporate by reference many of the ten thousand Administrative Regulations. So you never know when you’re breaking the law, and in a world where an intelligence office sees everything you say, and can take years after the fact to decide if it broke a law, enforcement becomes a matter of deciding who you want to punish, then figuring out which law they broke. Even the conceptual threat of this has a chilling effect on politically dissident speech, with worrying consequences.(8)(9)
Of course, some chat services are better than others. Signal and Telegram both advertise as secure messaging services, and Signal even boasts end-to-end encryption, a powerful tool against surveillance. Unfortunately, both of these services require strong links to an identity (a phone number), which makes it easier to, if not discover what is being said, then at least know who is talking to whom, information called “metadata,” which has been enough to kill.(10) The real champion of anti-surveillance chat is a tool that has been tried and tested for ages. XMPP has been around since 1999, but is still a versatile chat protocol that many newer services are actually just skins running over. It’s distributed, meaning anyone can set up and own their own XMPP server, on their own hardware, without relying on anyone else. It (and many of the clients designed for it) is open-source, and many clients feature strong end-to-end encryption (you can see a list of these clients here: https://omemo.top/ ). The easiest of these to install are Conversations Legacy (a free app for Android, found in the Google Play Store) and Gajim (for Windows or Linux, found here: https://gajim.org/). You will need an account on someone’s server to use it (just like using email requires an account on some email server); you can set up your own server (and I recommend that any of you interested in doing so look into it), but that’s a bit outside the bounds of this short article, so instead I recommend either signing up for a free account from chat.gibberfish.org (a nonprofit group in Amsterdam, which does store some metadata, but regularly issues canary statements that can reassure users that they aren’t being subpoenaed for it) or, if you prefer something more irreverent, cock.li (a service run entirely by one very dedicated privacy-focused individual, where you can anonymously get an XMPP address/email address combination such as email@example.com).
Account sign up and even server setup are really no more difficult than they are for email (cock.li comes with an email address attached).
IRC is another classic that does well in these respects, with many more technical websites running their own IRC channels and servers for their user base to chat in. Most IRC clients are not encrypted by default, but the vast majority have solid end-to-end encryption available for DMs via a protocol called OTR. Freenode (https://freenode.net/) is a popular free IRC server, which allows users to create their own channels, and even has a web client available so that you won’t need to install an application. Another popular service for IRC is Rizon ( https://www.rizon.net/ ), which also offers web chat. Of course, to configure your security settings to your own liking, you should probably install your own client. HexChat ( https://hexchat.github.io/ ) is a great IRC client to use on desktop; though it does not have OTR encryption by default, there are several plugins available that add it. Sadly, I’m not aware of a particularly good or secure IRC client for mobile, but there are thousands of clients out there that I have not examined.
Sadly, none of this matters if you can’t convince the people you chat with to join, which has continuously been the problem for XMPP and IRC, free protocols with no corporate marketing team. The multi-protocol chat client Pidgin ( https://pidgin.im/ ) is very useful here for anybody on a desktop, as it’s one program that, with its many plugins, can be used to communicate simultaneously over XMPP with OMEMO or IRC with OTR for your friends who are on the level, and also over many, many other chat systems for your less secure friends and family (I personally use Pidgin on my desktop for XMPP on both of the above servers, Discord, Skype, IRC, and even SMS, organized as different tabs of one window). Of course, you won’t get the protection of encrypted XMPP when chatting with your friends who aren’t using it yet, but it will make the transition a lot simpler for you.
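A client-side check for the caveat above, as an added example (not code from the article, nor from Pidgin, Gajim or Conversations): it tells whether an XMPP message stanza actually carries OMEMO ciphertext and whether an IRC message is an OTR message, so a mixed-protocol setup does not quietly fall back to plaintext. It assumes the legacy XEP-0384 OMEMO namespace that Conversations and Gajim use and the "?OTR" prefix that OTR messages carry; all sample messages are constructed.

```python
# Added example: audit whether chat messages are really end-to-end encrypted.
# Assumes the legacy XEP-0384 OMEMO namespace and the "?OTR" prefix of OTR messages.
import xml.etree.ElementTree as ET

OMEMO_NS = "eu.siacs.conversations.axolotl"  # legacy OMEMO namespace (XEP-0384)


def xmpp_is_omemo(stanza_xml: str) -> bool:
    """True only if the <message> stanza carries a complete OMEMO <encrypted> element."""
    root = ET.fromstring(stanza_xml)
    enc = root.find(f"{{{OMEMO_NS}}}encrypted")
    if enc is None:
        return False  # plain <body> only: the server (and anyone upstream) can read it
    header = enc.find(f"{{{OMEMO_NS}}}header")
    payload = enc.find(f"{{{OMEMO_NS}}}payload")
    # Require both the key header and a non-empty ciphertext payload; a stanza that
    # merely names the namespace is treated as unencrypted.
    return header is not None and payload is not None and bool((payload.text or "").strip())


def irc_is_otr(line: str) -> bool:
    """True if the body of an IRC PRIVMSG line is an OTR protocol message."""
    # ':nick!user@host PRIVMSG target :body' -> body; a bare body is accepted as-is.
    body = line.split(" :", 1)[1] if line.startswith(":") and " :" in line else line
    return body.startswith("?OTR")


# Constructed samples (JIDs, nicks and ciphertext are placeholders, not real traffic).
SAMPLE_XMPP_PLAIN = (
    '<message xmlns="jabber:client" from="alice@example.org" to="bob@example.org" type="chat">'
    "<body>meet at 8?</body></message>"
)
SAMPLE_XMPP_OMEMO = (
    '<message xmlns="jabber:client" from="alice@example.org" to="bob@example.org" type="chat">'
    "<body>I sent you an OMEMO encrypted message but your client does not support it.</body>"
    f'<encrypted xmlns="{OMEMO_NS}"><header sid="12345"><key rid="67890">QUJD</key>'
    "<iv>REVG</iv></header><payload>R0hJSktM</payload></encrypted></message>"
)
SAMPLE_IRC_OTR = ":alice!alice@host PRIVMSG bob :?OTR:AAMDAAAA...placeholder."
SAMPLE_IRC_PLAIN = ":alice!alice@host PRIVMSG bob :meet at 8?"


def audit_samples() -> dict:
    """Label each constructed sample as end-to-end encrypted (True) or not (False)."""
    return {
        "xmpp_plain": xmpp_is_omemo(SAMPLE_XMPP_PLAIN),
        "xmpp_omemo": xmpp_is_omemo(SAMPLE_XMPP_OMEMO),
        "irc_otr": irc_is_otr(SAMPLE_IRC_OTR),
        "irc_plain": irc_is_otr(SAMPLE_IRC_PLAIN),
    }
```

Run `audit_samples()` against stanzas or IRC lines captured from your own client's debug log to see which contacts are still talking to you in the clear.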
If you would like to compare these and other chat protocols, the lovely people of Lainchan have created this spreadsheet: https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHalWVztqZo7uxlCeKPQ-8uoFOU/edit#gid=0