When to Switch Services
A few weeks ago, ProtonMail was forced to turn over the IP address and device information of a user to the Swiss government. A couple months ago, Wickr sold to Amazon. A few months before that, Signal integrated with cryptocurrency MobileCoin. Long before that, Wire moved to the US. So many services out there, none of them perfect, and all of them constantly evolving. How do you know which one to use? Better yet, how do you know when you should abandon one and move on to another after they make a major change?
Every time any critical piece of news comes out regarding a privacy tool, there’s always at least one person saying it’s time to jump ship and go to their competitor. So this week, I want to weigh in on when you really should switch services and replace one with another.
If the Service is Definitely Compromised
Let’s go ahead and get the obvious one out of the way: if a service is definitely compromised, you should jump ship. This begs the obvious question “what is definitely compromised?” Some people say that Signal is now compromised because of their MobileCoin integration. Others say Wire is compromised because of their relocation to the US. I’m not talking about that. I’m talking about “is it unarguable?” For example, Anom is definitely compromised. There is no argument there. If there is 100% credible, unarguable proof that a service has been cracked, sold, or otherwise compromised, you should drop it. Simple as that.
If the Service is Arguably Compromised
Unfortunately, if you’re unsure of whether you should switch or not, that’s likely because it’s unclear if the service is truly compromised or to what extent. In my experience, 90% of the time this is just disinformation and sensationalism spread by YouTubers looking to make ad revenue and perpetuated by haters of the service in question who are either purists/extremists (“anything that isn’t self-hosted is a honeypot”) or loyal to a competitor (“this is why everyone should drop Signal for Session”). However, there is that 10%. In my experience, the 10% of legitimate concerns boil down to two categories: theoretical and unconfirmed.
Let’s look at the Signal/MobileCoin incident. While the incident was extremely poorly handled, it doesn’t indicate any kind of actual compromise in the integrity of Signal’s encryption or their data handling procedures. However, I think cybersecurity expert Bruce Schneier summed it up best in his own blog post regarding the incident:
It’s that adding a cryptocurrency to an end-to-end encrypted app … invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI.
In this case, the potential for regulatory meddling and government investigation opens up new avenues of abuse by governments that previously weren’t feasible: for example, demands to log user data in the name of “national security” or “fighting fraud” or some other facade. It offers new tools for the government to exploit that previously didn’t exist. Prior to Signal integrating with MobileCoin, demands to “Know Your Customer” wouldn’t have made any sense because Signal did not handle any financial data. Now those demands suddenly seem more likely. (Signal claims they still don’t handle any user financial data and that it’s all handled by MobileCoin and their own exchanges, but it’s not hard to imagine the government forcing Signal to also log user financial transaction data that can be correlated with MobileCoin’s or their exchange’s data to unmask the parties involved.)
More often than not, this is the reasoning behind why a service is suddenly “compromised” when it changes hands, teams up with other services, introduces new features, or relocates. When Wire moved to the US, this was the concern. When Wickr was purchased by Amazon, the concern was not that messages suddenly became readable, but that Amazon now had access to all the metadata. In some cases, there is precedent for some of these concerns (like how Facebook owns WhatsApp and admits to making extensive use of user metadata). In other cases there isn’t, but that doesn’t mean that some of these theoretical abuses aren’t possible and aren’t worth noting. A “theoretical” compromise is not necessarily a current compromise of the service or project itself, but rather an increased potential for the project to become compromised that didn’t exist prior to the change. It’s important to be able to tell the difference between a legitimate theoretical abuse – like Schneier’s concerns with regulation – and someone who just hates MobileCoin cause it’s not Monero or whatever.
When I originally began writing this blog, I wanted to do a quick explanation of critical thinking, but I quickly realized that deserved an entire in-depth blog post itself. So if you haven’t read that yet, please take a few minutes to do so here. I will now assume you’ve read this post as it will be critical to this next section.
There’s an old meme that says “on the internet, nobody knows you’re a dog.” As fun as this meme is, there’s some truth to it. While our online anonymity has been largely stripped by governments and surveillance capitalism, for the average person it’s still alive and well. You have no way of knowing if the person you’re talking to is a world-renowned cybersecurity expert or if they’re a 12-year-old making things up. So when someone posts on Reddit and says “I have found cryptographic weaknesses in Matrix,” it can often be hard to know if they’re telling the truth, especially if the comment goes ignored or is hotly contested in the comments section. This is often compounded by the technical jargon of an explanation. Even the most low-level writing I’ve seen explaining various bugs and vulnerabilities typically has a few sections that leave me unsure if what I just read was actually English, and just trusting the author that it made sense to someone. This can often leave us walking around with questions about not only the validity of something, but also the severity of it. Not all threats are created equal. For example, the now-infamous Pegasus malware is a very serious and severe threat, but the nature of it means that it is often reserved for government targets like journalists, activists, and sometimes terrorists. It’s virtually impossible that the rando you pissed off on Xbox Live is going to hack your phone with Pegasus. Generally speaking, you should not be concerned about the risk of getting targeted with Pegasus. So then where does that leave us? Are iPhones unsafe because of Pegasus? Is Android any safer or harder to crack? Is Matrix’s encryption acceptable, or compromised? You can find no shortage of articles arguing both ways. This is when I think we must fall back on our critical thinking skills. Who is making this claim? What evidence are they offering? Can you confirm the person’s identity or claims? What are the risks if what they’re saying is true? What’s your threat model? Can you afford those risks? Is it worthwhile to switch just to be sure?
I think more often than not, a compromise you can’t confirm comes down to reputation, feasibility, and risk. Signal is widely reputed by experts to be secure, even if those same experts have complaints with the company itself. A single person claiming to have cracked it, to me, doesn’t move the proverbial needle enough to outweigh the reputation of Signal. Likewise, I’ve seen posts that say “hey, do you think r/AskReddit questions are actually scammers attempting to learn information for their scams?” The feasibility isn’t there: too much work to verify people, match up information, record it all individually, etc. There are easier, more feasible ways to steal user data for scams. Last but not least: risk. Is the Matrix protocol cracked? Maybe. But I’ve got some of my friends using it who would otherwise not be using any kind of encryption, and all we really talk about is sharing memes and music videos. The risk level is low, and even if Matrix is cracked we’re not using it to send passwords or credit card numbers. (I know that one is kind of a variation of “nothing to hide,” but I think of it more as “lesser of two evils.”)
Note: Threat Modeling and Compromise
It’s worth remembering that your threat model also determines the extent to which a theoretical or unconfirmed compromise matters. Let’s take Wire for example: Wire moved to the US to have more funding opportunities. The US is a Five Eyes country, which means that Wire is likely now more vulnerable to court orders and other US data collection policies. If your goal is simply to protect your SMS messages from your cell carrier and avoid giving out your phone number, Wire is still a solid choice. They log very little metadata and their encryption is still considered secure. But if you’re a whistleblower, Wire may not be the best choice for you anymore because they are beholden to one of the most powerful and invasive governments on Earth. You may wish to look into other choices like Threema or self-hosting an XMPP server. As always, you are free (and I encourage you) to go above and beyond, but it’s important to know what your threat model demands so you don’t neglect important areas or negatively impact yourself by trying to do more than you need to. I mentioned that some of my friends use Matrix earlier. If Matrix is cracked, none of our conversations are sensitive enough to be at risk. Their threat model doesn’t justify the effort of trying to move them all to something unarguably secure, like a self-hosted XMPP server. Your situation may require that, though.
Sometimes it’s easy to know when to switch services, like when you find out you’ve been doing it wrong this whole time and there’s a better way to do it. Sometimes, it’s less obvious. But hopefully between this breakdown and the critical thinking blog I linked earlier, this post has helped you know when to make that decision. And of course, as I said before, I always encourage you to go as far as you can in your privacy journey. There’s no shame in saying “I want to switch cause I think this service/product does better and I want that better protection.” Just make sure that you’re not negatively impacting your life – emotionally, mentally, or relationally – and that you’re not doing it because of the latest sensationalist headlines.