Tech companies like Snapchat and Skype’s owner Microsoft are failing to adopt basic privacy protections on their instant messaging services, putting users’ human rights at risk, Amnesty International said today.
The organization’s new ‘Message Privacy Ranking’ assesses the 11 companies with the most popular messaging apps on the way they use encryption to protect users’ privacy and freedom of expression across their messaging apps.
“If you think instant messaging services are private, you are in for a big surprise. The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk,” said Sherif Elsayed-Ali, Head of Amnesty International’s Technology and Human Rights Team.
Amnesty International has highlighted end-to-end encryption, a way of scrambling data so that only the sender and recipient can see it, as a minimum requirement for technology companies to ensure that private information in messaging apps stays private. The companies that ranked lowest on the scorecard do not have adequate levels of encryption in place on their messaging apps.
“It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption. Millions of people are using messaging apps that deny them even the most basic privacy protection,” said Sherif Elsayed-Ali.
Amnesty International’s ‘Message Privacy Ranking’ ranks technology companies on a scale of one to 100 based on how well they do five things:
- Recognize online threats to their users’ privacy and freedom of expression
- Apply end-to-end encryption as a default
- Make users aware of threats to their rights, and the level of encryption in place
- Disclose details of government requests to the company for user data, and how they respond
- Publish technical details of their encryption systems
Tencent, Blackberry and Snapchat score less than 30/100
Chinese firm Tencent came bottom, scoring zero out of 100, ranked as the company taking least action on messaging privacy, and the least transparent. It was followed by Blackberry and Snapchat scoring 20 and 26 respectively. Despite Microsoft’s strong policy commitment to human rights, it is still using a weak form of encryption on Skype, scoring 40 and leaving it four places from the bottom. None of these companies provide end-to-end encryption of their users’ communications.
Snapchat, a US-based company used by more than 100 million people every day, also scored badly. Although it has a strong policy commitment towards privacy, in practice it does not do enough to protect its users’ privacy. It does not deploy end-to-end encryption, for example, and is not transparent in informing users about the threats to their human rights or its use of encryption.
Facebook, Apple lead the way
No company provides watertight privacy, but Facebook, whose apps Facebook Messenger and WhatsApp together have 2 billion users, has the highest score with 73 out of 100. Facebook is doing the most out of the 11 companies assessed to use encryption to respond to human rights threats, and is most transparent about the action it’s taking.
However, despite including end-to-end encryption as an option with its new “secret conversation” feature, Facebook Messenger’s default mode uses a weaker form of encryption, which means Facebook has access to all the data. WhatsApp uses end-to-end encryption by default and notably provides clear information to users about encryption within the app.
Apple scored 67 out of 100, providing full end-to-end encryption in all communications on its iMessage and FaceTime apps. But Apple needs to do more to make users aware that SMS messages are less secure than iMessages. The company should also adopt a more open encryption protocol that allows for full independent verification.
End-to-end encryption: a basic protection few firms provide
Instant messaging services like WhatsApp, Skype and Viber are used by hundreds of millions of people every day. This includes human rights activists, opposition politicians and journalists living in countries where their work could put them in grave danger.
With large data breaches occurring all too frequently and governments’ mass surveillance operations unabated, the strongest encryption, as well as transparency about who has access to message data, is key to protecting them. Yet only three firms, Apple, Line and Viber, scored full marks for providing end-to-end encryption by default on all their messaging apps.
“Most technology companies are simply not up to standard when it comes to protecting their users’ privacy. Activists around the world rely on encryption to protect themselves from spying by authorities, and it is unacceptable for technology companies to expose them to danger by failing to adequately respond to the human rights risks,” said Sherif Elsayed-Ali.
“The future of privacy and free speech online depends to a very large extent on whether tech companies provide services that protect our communications, or serve them up on a plate for prying eyes.”
Amnesty International is calling on companies to apply end-to-end encryption to messaging apps as a default. This would help protect the rights of everyday people, as well as peaceful activists and persecuted minorities all over the world by enabling them to exercise their freedom of speech. It is also calling on technology companies to publish full details of the policies and practices they have in place to meet their responsibility to respect the rights to privacy and freedom of expression.
The ranking does not assess the security of the apps and should not be seen as an endorsement of any app for journalists, activists, human rights defenders or others at risk. The ranking did not assess the companies’ overall human rights performance or their approach to privacy across all their services.
Amnesty International sent letters to the 11 companies assessed, requesting information about each company’s current encryption standards, and details of policies and practices the company has in place to ensure it meets its human rights responsibilities in relation to its instant messaging services. Eight of the companies responded; we did not receive any response from Blackberry, Google or Tencent.
The apps that don’t offer end-to-end encryption offer a model of encryption called “transport encryption” that is less effective at protecting privacy. Both models of encryption are hard to break, but unlike end-to-end encryption, transport encryption does not protect messages when they pass through company servers.