Your Messages Are Not Private. She Found Out The Hard Way.

Forbes reports that Facebook gave Nebraska police a teenager’s private messages and used those messages to prosecute her under their forced-birth laws.

Not public posts. Her DMs. Her "private" messages.

And the fact that they were able to comply at all means those messages were not private. Meta could read, analyze, or use the data in those messages at any time.

I’m not surprised Facebook is the first service used in this manner – remember that Facebook let lots of third party apps harvest massive amounts of data without consent – but this holds true about any communication you do online that is not explicitly encrypted.

It is well past time to up your privacy game on the internet.

Particularly when it comes to messaging.

E-mail

Your e-mail is decentralized, which means that it goes through any number of possible servers before reaching its destination. Your e-mail is also unencrypted, which means anyone can read it en route. The first only becomes a problem when the second is also true, so it’s time to fix that.

Get a GPG key and encrypt and sign all your email. Lifehacker’s guide at https://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744 is still good; just know that Enigmail is no longer needed with Thunderbird – it can handle it all without an extension. The TL;DR: Use Mailvelope if you must use webmail, Thunderbird for desktop email. You can also register your key with a keyserver so that others can find your key there (perhaps using a tool like this little bash script I wrote). My GPG key ID is 0xDD2F731F.

  • keys.openpgp.org
  • keys.mailvelope.com
  • keyserver.ubuntu.com
  • pgp.mit.edu

Instant Messaging

When it comes to instant messaging (including text messaging), there are a couple of major players.

When you’re looking for secure messaging, there’s a couple of major players, two centralized and two decentralized. A centralized messaging system means that all messages end up going through a central server, and if the company or their servers is compromised, down, or blocked, the entire communication network is down. Facebook Messenger is an example of a centralized messaging service. A decentralized service will keep going, because the network is not routed through a single server, and messages can still find their way to their destination, though that means the message passes through more hands. E-mail is a good example of a decentralized service that nearly everyone’s familiar with – but unlike e-mail, encryption is far more common and easier.

The two big options for centralized messaging are Telegram and Signal. Both have their benefits; Signal can also drop-in substitute for your normal texting as well. There are plenty of feature comparisons out there; take a look to see which (if not both) is better for you. I’m on both, and should be searchable fairly easily.

While centralized messaging apps can seem easier to set up, they have the problem of being, well, centralized. Luckily, there are two big instant messaging protocols that are decentralized: XMPP (also called Jabber) and Matrix. You’re actually much more familiar with XMPP than you think you are – both Facebook Messenger and Google Chat/Talk were originally based on XMPP until those companies decided to make them incompatible. Also, both of these protocols do have servers with open registration, and you can self-host a server for either if you’d prefer.

Again, think of this like e-mail. You don’t blink when someone gives you an email address with a different domain name than yours; the same principle applies here. In the same way as with e-mail, you need to have end-to-end encryption enabled, as messages may pass through multiple servers. However, both XMPP and Matrix support this pretty much out-of-the-box.

Matrix’s strengths are in its "bridges" – allowing you to (with the occasional caveat) to connect to all your old messaging protocols in one place. There’s a good guide at https://joinmatrix.org/guide/ and a quickstart using the polished Element web interface at https://frontpagelinux.com/tutorials/beginners-guide-how-to-get-started-with-element-matrix/. There’s apps for every platform with various feature sets. Personally, I use SchildiChat for Android and Nheko for the desktop. Because you’re using end-to-end encryption, you do not have to self-host a server, but it is doable and there are open servers to choose from, which are covered in the guides above. There is also the Beeper project that handles all the back-end stuff for you as well: https://www.beeper.com. You can find me on the Matrix network at @StevenSaus .

XMPP feels more like what you might think of as a "chat app" in a lot of ways, and is significantly a lighter-weight program than Matrix for both the server and the client. As a user, the first big decision you’ll have is to choose a client. There are quite a few, with different features for different platforms. I personally use Conversations (guide here: https://ravidwivedi.in/posts/xmpp-guide/ on my phone, and have used two crossplatform clients on my desktop:

Linux users: Gajim is also available as a Flatpak, and Psi+ is available as an AppImage, and both are in Debian’s repositories as well.

I’m recommending these two because they handle OMEMO encryption for your messages automatically, and Psi+ can even handle GPG encryption as well without any problems.

The second bit is choosing a server.

Because you’re using end-to-end encryption, you don’t have to self-host. If you wish to self-host, there are a lot of different solutions depending on your setup. Snikket (https://snikket.org/) has put together a docker container which will handle nearly all aspects of setup, SSL registration, web interface, and the like. With a VPS and a domain name, you could have it running in minutes.

Other than that, there are plethora of servers you could register with. There’s a curated list at XMPP.org: https://xmpp.org/software/clients/, and much larger list at https://list.jabber.at/. Once you’ve registered, it’s simply a matter of sending a message to someone else – again, just like e-mail. I can be found at [email protected] . [1]

Again, there’s nothing wrong with using multiple of these methods of communication. You do not have to choose one forever and ever, and there’s no reason you should only have to choose one.

The important thing – and the thing that makes any of these different from anything owned by Meta – is that you are the one in control of who gets to see your messages.

[1] Matrix – @StevenSaus ; XMPP – [email protected] . Yes, it was a bit of a pain setting it up so I could have that.