Encrypt correctly! Choose a messenger for secure and private correspondence. Messengers were prohibited from talking about FSB requests


The Russian government is introducing new rules for the use of instant messengers. Now only the person to whom the phone number associated with the service is registered will be able to use the account. This was stated in the message of the Cabinet of Ministers, published on the official Internet portal of legal information.

The new order will come into force in 180 days. The head of Roskomnadzor, Alexander Zharov, in a comment to Izvestia, said that this is necessary to create a safe communication environment for citizens.

“The possibility of anonymous communication in instant messengers complicates the activities of law enforcement agencies when investigating crimes,” Zharov emphasized.

According to him, messenger administrators will now check whether the user’s phone number is actually registered to the person who is communicating. The mobile operator is given 20 minutes to respond. If the user's data matches the information in the company's database, identification will be considered successful. Otherwise, the messenger must refuse to provide the service.

In addition, cellular companies will be required to assign users a unique identification code, which the messenger will automatically generate. The MTS press service told the publication that operators will have to make technical improvements, since the equipment currently does not meet the stated requirements. But in theory, a response to a request from a messenger within 20 minutes is feasible.

Why is it important

  • On January 1, 2018, a law came into force in Russia obliging instant messengers to identify users by subscriber number. At the same time, after the law came into force, the media wrote that it was not being implemented, since there were no by-laws prescribing the rules for identifying users.
  • Legal entities that violate the law prohibiting anonymity in messengers face fines of up to 1 million rubles.

It’s paradoxical, but true: with all the variety of messengers, you usually don’t have to choose them - people simply use the same thing as their friends and acquaintances. But what if secrecy really matters? In this article, we will go through the list of modern instant messengers and see what protection guarantees each of them has.

Recently there was a poll on “Hacker”, and the most popular answer (Telegram) was seriously alarming. How far has it gone when even the average Hacker reader has lost touch with reality after being attacked by a marketing headcrab?


We've compiled a list of instant messengers to see how each of them fares with security. The selection included both popular and promising programs in terms of security. We warn you that we will delve into the technical side as much as is necessary for the average user, and no further.

In many ways, we followed the path of the authors of a series of articles by the Electronic Frontier Foundation called Secure Messaging Scorecard, but we chose other criteria - in our opinion, more important.

Criteria

FOSS

Is the messenger source code distributed under one of the free licenses? If so, is development carried out in the open? How closely do developers interact with the community? Do they accept pull requests? All this is important to consider when choosing.

Degree of centralization

One of three options is possible here:

Possibility of anonymous registration and use

For some services, a phone number may only be needed to protect against spam during registration; in that case it is easy to use an SMS number rental service.

In other cases, the messenger is tightly tied to the phone. This is bad because, if two-factor authentication is not enabled, anyone who gains access to the number can log in to the account and leak all its data. Even if two-factor authentication is enabled, it is still possible to delete all data from the account. And of course, this amounts to registering with a passport (we are describing the realities of the Russian Federation; others were not considered).

But it is not all that bad. There are instant messengers that allow you to register using your mailbox or social network account. There are also those where you can create an account in the messenger itself without being tied to anything.

Availability of End-to-End Encryption (E2EE)

Some instant messengers have this feature by default, in others you can enable it, but there are also those where there is simply no end-to-end encryption.

E2EE chat synchronization

Again, this function is not yet available as often as we would like. Its presence greatly simplifies life.

Notice to verify E2EE fingerprints

When an E2EE chat is started, some messengers prompt the user to check the other party's fingerprint, while others do not offer this explicitly. And not all instant messengers have a fingerprint verification function at all.

Prohibition of taking a screenshot of a secret chat

Not the most useful function, because to bypass the ban it is enough, for example, to have a second phone on hand.

Group E2EE chats

E2EE group chats are usually not a necessary feature, but they are very convenient. The rule “more than two - speak out loud” should be left for children.

Notification about the need to verify E2EE fingerprints in group chats

When adding a new interlocutor, with whom the fingerprints have not been verified, to a secret group chat, not all instant messengers offer to check his fingerprints. Because of this omission, the meaning of secret chats is lost.
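The reasoning above, as an added Python example that is not part of the original article and is not any messenger's actual protocol: a secret group stays verified only while every member's current key has been confirmed, so adding a member or changing a key has to raise a notice. The fingerprint format (truncated SHA-256), the `SecretGroup` class and the sample keys are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Assumed display format: first 16 bytes of SHA-256(key), hex in groups of 4."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


@dataclass
class SecretGroup:
    members: dict = field(default_factory=dict)   # name -> current public key
    verified: set = field(default_factory=set)    # (name, fingerprint) confirmed

    def is_verified(self, name: str) -> bool:
        # Verification is bound to the key, not just the name: a new key
        # for a known name is unverified until it is compared again.
        return (name, fingerprint(self.members[name])) in self.verified

    def add_member(self, name: str, public_key: bytes):
        """Add or re-key a member; return a notice if the key is unverified."""
        self.members[name] = public_key
        if not self.is_verified(name):
            return f"Verify {name} before sending: {fingerprint(public_key)}"
        return None

    def confirm(self, name: str, fp_from_contact: str) -> bool:
        """Record verification only if the contact's fingerprint matches ours."""
        ok = fingerprint(self.members[name]) == fp_from_contact
        if ok:
            self.verified.add((name, fp_from_contact))
        return ok

    def unverified_members(self) -> list:
        return sorted(n for n in self.members if not self.is_verified(n))

    def safe_to_send(self) -> bool:
        return not self.unverified_members()


def demo():
    # Constructed sample keys; real keys would be public-key bytes.
    keys = {n: f"constructed-key-{n}".encode() for n in ("alice", "bob", "carol")}
    group = SecretGroup()
    for name in ("alice", "bob"):
        group.add_member(name, keys[name])
        group.confirm(name, fingerprint(keys[name]))
    before = group.safe_to_send()                 # both members verified
    notice = group.add_member("carol", keys["carol"])
    after_add = group.safe_to_send()              # carol not yet verified
    group.confirm("carol", fingerprint(keys["carol"]))
    group.add_member("bob", b"constructed-key-substituted")  # key change
    return before, notice is not None, after_add, group.unverified_members()


if __name__ == "__main__":
    print(demo())
```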

Protecting the Social Graph

Some instant messengers collect information about the user's contacts and other data, such as who the user called, how long he talked. There is a thread on this topic.

WWW

We have selected only some of the criteria that can play a role when choosing a messenger. There are others, but they are not always related to security. A group of scientists from European universities did a good job of putting everything into perspective in their work Obstacles to the Adoption of Secure Communication Tools (PDF). It is also always useful to review the results of an independent audit, if available. For example, in the case of Signal, such an audit was carried out (PDF).

Telegram

License: formally GPLv3. However, an important part of the development is closed. If you look at the repositories, you can see that recently there has been some movement only in the web version. Alas, in this form it is rather an illusion of openness.
Degree of centralization: centralized
Possibility of anonymous registration and work: No
Availability of E2EE: implemented, but as an addition. By default, chats are not encrypted
E2EE chat synchronization: No. A secret chat can only be used from one device; it is not accessible from another
E2EE Fingerprint Verification Notice: No. Users can go into the settings themselves to compare fingerprints
Prohibition on screenshots of secret chats: Yes, but does not work on all devices
E2EE Group Chats: No
Social graph protection: No


The messenger, created by Pavel Durov's team, is built on the MTProto message encryption protocol. At the moment, it is partially blocked in Russia, but this blocking is a separate topic for discussion.

The messenger is a mixed bag. There's a lot of hype around it, but is it justified? There is no access to the source code, chats are not encrypted by default, and there is no social graph protection (all your contacts are stored on Telegram servers). There are no group E2EE chats, and E2EE chats are supported only in the mobile version of the program, not in the desktop version. The messenger is centralized, messages are stored on the server (and they, as already noted, are not encrypted), and with all this there is no possibility of anonymous registration.

If you want to use Telegram, then don’t forget to create secret chats to protect your correspondence. In the mobile version, you need to select the New Secret Chat command. Of the desktop versions, only a few support secret chats (for example, one of the two clients for macOS).

In a secret chat, messages are encrypted and are not stored on the messenger servers. You also cannot take a screenshot of a secret chat, but nothing prevents you from taking a photo of such a chat from the screen.

Signal

License: AGPLv3
Degree of centralization: centralized
Possibility of anonymous registration and work: No. There is no option other than a phone number.
Availability of E2EE: Yes
E2EE chat synchronization: Yes
E2EE Fingerprint Verification Notice: No. Users are encouraged to scan each other's QR codes or compare fingerprints
Prohibition on screenshots of secret chats: can be turned on or off
E2EE Group Chats: Yes
Notification about the need to verify E2EE fingerprints in group chats: No
Social graph protection: Yes


The Signal messenger was developed by the American startup Open Whisper Systems, where, besides the two founders, only a few people work. To encrypt messages, a cryptographic protocol created specifically for it is used - Signal Protocol. It is used for end-to-end encryption of calls (voice and video), as well as regular messages. The Signal protocol has since been used by other instant messengers: WhatsApp, Facebook Messenger, Google Allo.

It would seem that in this case, any messenger can become as safe as Signal. But, as practice shows, no. Unlike Signal, where encryption is turned on by default, these messengers have it turned off. To enable it, you need to activate Secret Conversations in Facebook Messenger, and Incognito Mode in Google Allo.

Although Signal is centralized, the code is open and distributed under a free license. Signal has support for E2EE group chats, social graph protection, and supports timed disappearing messages.

However, protection should not be confused with anonymity. Signal is not anonymous: when registering, you need to indicate the phone number to which the messenger is linked. As for disappearing messages, this feature is also found in other messengers, for example in Viber and Telegram (in the secret chat menu you need to select the Set self-destruct timer command).

Russians were prohibited from using instant messengers anonymously. The government has approved new rules, according to which now instant messaging services can only be used by those who link them to a real number and confirm their identity through the operator. During the identification process, the messenger will send a request to the operator to find out if the subscriber is in the database. The operator will have 20 minutes to provide a response. Each user will be assigned a unique code.


For operators, compliance with the new legislation will require additional costs, stresses leading analyst of the Fintech Lab accelerator Sergei Vilyanov: “Operators will have to process millions of requests, and given that today every citizen has more than one SIM card, companies will have to constantly respond to these requests and create a load on your equipment. It turns out that everyone will have to write their full name, surname and patronymic when registering in the messenger. This is, firstly, strange; this is not accepted in instant messengers. Secondly, what happens?

We take the user base - first names, last names, patronymics, probably also date of birth will be required - and hand over this information to foreign companies.

After all, most of the messengers that are popular in Russia today are foreign developments. There is no practical benefit in this."

According to Roskomnadzor, which proposed the bill, anonymous correspondence in instant messengers prevents law enforcement agencies from investigating crimes, and the new rules will supposedly be able to fix this. But Internet Ombudsman Dmitry Marinichev does not believe this. According to him, this will not only not help the work of the police, but will also complicate corporate communication: “This is simply illegal, some kind of huge security hole. Roughly speaking, you have created some kind of platform and simply by searching through and contacting telecom operators you can get the entire sample from databases with phone numbers, first and last names of registered subscribers. This is a surreal situation. In addition, the issue remains open from the point of view of corporate communications. Who will identify the employee who uses corporate communications? Then they won’t be able to install instant messengers at all; we will prohibit businesses from communicating. I do not see, firstly, the meaning, and secondly, the technical and legal enforceability of this law.

Apart from damaging the reputation of the authorities, it will not be able to bring anything.”

If the user changes their phone number, identification will need to be repeated. And those who have not passed the verification will not be able to send messages. But how the new rules will work in practice is unclear, said leading analyst of Mobile Research Group Eldar Murtazin: “Today this is a complete utopia, because it is almost impossible to achieve this. In practice, we will be faced with the fact that we will again have a situation like with the Telegram ban. There is a ban, but everyone uses the messenger. It’s just that taxpayers’ money will be wasted, formally there will be a flurry of activity, and operators will be forced to “break” the Internet, which in itself is ridiculous. But it is impossible to ensure that all this works in some digestible form. De facto, all the most popular instant messengers are located outside of Russia. Just as Telegram does not comply with Russian legislation, they will not follow the government’s lead and do anything.”

Since January, Russia has already had a law in force that provides for a fine for the refusal of instant messengers to identify users. For legal entities it ranges from 800 thousand rubles to 1 million rubles.

Roskomnadzor included the messengers BlackBerry Messenger (BBM), LINE, Imo.im and the audiovisual chat Vchat into the register of prohibited sites, Roskomsvoboda reported. The register includes the portals of these messengers and a number of their IP addresses.

In Russia, access not only to the websites of these messengers will be limited, but also to their applications - they will be removed from application stores or blocked by telecom operators, Roskomnadzor representative Vadim Ampelonsky said.

Blocking a mobile application along with a resource website is not a difficult task, says a person close to one of the operators; as a rule, modern applications access specific resources, blocking which results in blocking applications as well. The regulator has experience in excluding blocked resources from Google and Apple stores. In January, the AppStore and Google Play removed the blocked LinkedIn application from their Russian stores.

The law obliges organizers of the dissemination of information (including messengers) to provide, at the request of Roskomnadzor, their contact information necessary for inclusion in the appropriate register, explains Ampelonsky: “Those who do not respond find themselves blocked - in full accordance with the law.” To be included in the list of information organizers, the regulator asks the company to provide data about itself (not about users), says Ampelonsky, but does not disclose what kind of data this is.

From the moment the request is received, the company has five days to respond, he continues; if no response is received, the department sends a notice of failure to fulfill the duties of the organizer of information dissemination, and the company is given 15 days to correct it. Next comes the blocking. Ampelonsky did not say which other messengers Roskomnadzor had contacted.

Amendments to the law “On Information, Information Technologies and Information Protection” from January 1, 2017 oblige organizers of the dissemination of information on the Internet to store, on the territory of the Russian Federation, information on the facts of reception, transmission, delivery and (or) processing of voice information, written text, images, sounds, videos or other electronic messages from users, and information about these users, for a year, and the content itself for up to six months. Services are also required to provide this content at the request of federal executive authorities and provide them with the ability to decode information.

The first messenger Roskomnadzor blocked, in April, was the short voice messaging application Zello. That company also did not provide information for inclusion in the register on time.

The blocked messengers are not among the popular ones in Russia (see chart). It is possible that this demonstrative inclusion in the register of messengers that are well known in the world but not the most popular in Russia is meant to force those that are more popular with the Russian audience and less tractable, primarily Telegram, to cooperate, says the head of Roskomsvoboda, Artem Kozlyuk. Telegram owner Pavel Durov has repeatedly stated that he has not collaborated and does not intend to cooperate with the intelligence services of either Russia or other countries. “But we will know about this only after this messenger is included in one of two registers: organizers of information dissemination with all the attendant responsibilities for collecting user data and providing it to the competent authorities, or in the register of prohibited sites - for blocking. For now, apparently, the regulators are deciding how to put pressure on Pavel,” says Kozlyuk.

Roskomnadzor decided to add the BlackBerry, Imo and Line messengers and the Vchat video chat to the list of sites banned in Russia. For now, the applications' websites are still accessible.


Roskomnadzor added the BlackBerry, Imo, Line messengers and Vchat video chat to the register of prohibited sites. Department press secretary Vadim Ampelonsky told RIA Novosti about this.

He explained that Roskomnadzor, together with law enforcement agencies, “is systematically filling out the register of organizers of information dissemination.”

Earlier, the Roskomsvoboda organization drew attention to the inclusion of messenger sites in the register. This list contains some application IP addresses and their websites. As of 15:44 on May 2, the portals of all four messengers were still accessible.

Roskomsvoboda suggests that the inclusion of instant messengers in the register is due to the fact that their owners refused to provide user data in accordance with the Law “On Personal Data”. RBC sent a request to Roskomnadzor for an explanation of the reason for the blocking.

BlackBerry Messenger was created in August 2005. The application is available not only on BlackBerry phones, but also on smartphones with Android, iOS or Windows operating systems. The messenger's website states that the application has been downloaded more than 100 million times.

In mid-April, which was popular among truckers and activists. The agency explained its decision by saying that the owner of the service, the American Zello Inc., did not provide the Russian authorities with data on time for inclusion in the register of information dissemination organizers (ORI).

The company itself called the department's demands absurd. Zello Russia Operations Director Veronika Zaslavskaya told RBC that about 400 thousand people used this application in Russia.






