How private are your favourite messaging apps?
We’ve ranked 11 companies that run the world’s most popular messaging apps – including Skype, Snapchat and Facebook Messenger – on how well they’re using encryption to protect your online privacy.
In particular, we’ve looked at whether they apply end-to-end encryption – a way of making your photos, videos and chats unintelligible to anyone but you and the people you’re talking to. This is how they fared.
Please note that this is an assessment of each company’s key policies and practices in relation to encryption. We have not assessed other privacy aspects of the apps or their overall security. If you’re a journalist or activist, or if you believe you might be personally targeted for electronic surveillance, you need a comprehensive digital security plan. Please consult a digital security expert and do not rely on any one app to protect your information.
Facebook, whose instant messaging apps Messenger and WhatsApp together have 2 billion users, is doing the most to use encryption to respond to human rights threats, and is most transparent about the action it’s taking. WhatsApp is the only app where users are explicitly warned when end-to-end encryption is not applied to a particular chat, but Messenger does not apply end-to-end encryption as a default, and does not warn users that regular conversations use a weaker form of encryption.
Score 73 / 100
Apple’s iMessage and FaceTime apps scored 67 out of 100, providing full end-to-end encryption by default. Apple has also taken a public stance against “encryption backdoors”, and discloses government requests for government data. However, the company should do more to notify users within the apps themselves about when their information is protected through end-to-end encryption and when it is not (for example when you send a message to a non-iPhone user).
Score 67 / 100
Telegram Messenger is a messaging app with 100 million monthly active users. It brands itself as a secure messaging app and takes a strong stance on protecting users’ privacy and freedom of expression. It’s therefore surprising that the company does not apply end-to-end encryption as a default, and users receive no warning when they are using weaker encryption.
Score 67 / 100
Google’s messaging apps are Allo, Duo and Hangouts. There is end-to-end encryption on Duo but it’s only optional on Allo, and Hangouts doesn’t have it at all. Google does disclose government requests for data and has taken a public stance against “encryption backdoors” which would unlock devices or apps and allow governments to access personal data.
Score 53 / 100
The Line mobile messaging service has more than 200 million active daily users, with the majority in Japan, Indonesia, Thailand and Taiwan. The app scored full marks for providing end-to-end encryption by default in all communication on their messaging apps, but does not do enough to inform users about threats to human rights, and does not publish a transparency report.
Score 47 / 100
The Viber messaging app has 700 million registered users and almost 250 million active daily users. The company scored full marks for providing end-to-end encryption by default in all communication. But it does not publish a transparency report, or disclose full details of how it is implementing encryption.
Score 47 / 100
The South Korean company owns KakaoTalk, an app with a reported 49 million active monthly users. In October 2014, the company came under significant pressure following reports it had given the South Korean government information about its users. The company subsequently took steps to strengthen its level of encryption, but it is not applying end-to-end encryption as a default.
Score 40 / 100
Microsoft has owned Skype since 2011, and the voice and video calling service now has 300 million active users. Skype has been a major target of government surveillance worldwide. Despite Microsoft’s strong policy commitment to human rights, it is still using a weak form of encryption on Skype.
Score 40 / 100
The US-based service is used by more than 100 million people every day. Although it has a strong policy commitment towards privacy, in practice it does not do enough to protect its users’ privacy. It does not deploy end-to-end encryption and needs to do more to inform users about how the company is tackling threats to their rights – particularly as Snapchat’s ‘disappearing’ messages may give users a false sense of privacy.
Score 26 / 100
Blackberry Messenger is reported to have 100 million users, and only offers end-to-end encryption as a paid subscription service. It has made no public commitment to freedom of expression, and does not publish a transparency report.
Score 20 / 100
Tencent owns the two most popular messaging apps in China, WeChat and QQ, and is bottom of our message privacy scorecard, scoring zero out of 100. Not only did it fail to adequately meet any of the criteria, but it was the only company which has not stated publicly that it will not grant government requests to access encrypted messages by building a “backdoor”.
Score 0 / 100
What it means
Our communications are under constant threat from cybercriminals, malicious hackers, and unjustified spying by state authorities. Young people, activists and journalists who share personal details over messaging apps are especially at risk.
Many of us trust these apps with intimate details of our personal life. Companies that fail to take basic steps to protect our communications are failing that trust.
What we’re calling for
Amnesty International is calling on companies to apply end-to-end encryption as a default. It is also calling on technology companies to clearly inform users of the level of encryption applied to their messaging services.