Communicating and Storing Data Securely

Communications and Sharing Data

To make the best decisions for your organization about how to communicate, it is essential to understand the different types of protection that your communications can have, and why such protection is important. One of the most important protections for most communications is keeping the contents of your messages secret, which in the modern era is largely taken care of by encryption. Without proper encryption, private communications can be seen by any number of adversaries. Insecure communications can expose sensitive information and messages, reveal passwords or other private data, and possibly put your staff and organization at risk depending upon the nature of your communications and content that you share.

Secure Communications and Political Parties

Image of political protestors in Belarus

Political parties rely on secure communications every day to maintain the confidentiality of strategic conversations. Without such security practices, sensitive messages can be intercepted and used by foreign or domestic opponents to impact your electoral success or target party activities. One prominent and well-documented example of this occurred in the lead-up to and aftermath of the 2010 elections in Belarus. As detailed in this Amnesty International report, phone recordings and other unencrypted communications were intercepted by the government and used in court against prominent opposition politicians and party members, many of whom spent years in prison. In the years since, user-friendly, secure messaging apps that were not as readily available in 2010 have become an important tool in protecting sensitive political communications, including in and around recent elections in Belarus in 2020.

What is encryption and why is it important?

Encryption is a mathematical process used to scramble a message or a file so that only a person or entity with the key can “decrypt” it and read it. Without any encryption in place, your messages are left open to being read by potential adversaries, including your telecom or internet service provider (ISP), unfriendly governments, or hackers on the web. The Electronic Frontier Foundation’s Surveillance Self Defense Guide provides a practical explanation (with graphics) of what encryption means:

Unencrypted Messaging

Image of no encryption being used for a message in transit

As you can see in the image above, a smartphone sends a green, unencrypted text message (“hello”) to another smartphone on the far right. Along the way, a cellphone tower (or in the case of something sent over the internet, your ISP) passes the message along to company servers. From there it hops through the network to another cellphone tower, which can see the unencrypted “hello” message, and is finally then routed to the destination. It is important to note that without any encryption, everyone involved in relaying the message, and anyone who can sneak a peek as it goes by, can read its content. This might not matter much if all you are saying is “hello”, but it could be a big deal if you are communicating something more private or sensitive that you do not want your telecom, ISP, an unfriendly government, or any other adversary to see. Because of this, it is essential to avoid using unencrypted tools to send any sensitive messages (and ideally any messages at all). Keep in mind that some of the most popular communication methods - such as SMS and phone calls - practically operate without any encryption (like in the image above).

There are two ways to encrypt data as it moves: transport-layer encryption and end-to-end encryption. The type of encryption a service provider supports is important to know as your organization makes choices to adopt more secure communications practices. Such differences are described well by the Surveillance Self Defense guide, which is adapted again here:

Transport-layer encryption, also known as transport layer security (TLS), protects messages as they travel from your device to the messaging app/service’s servers and from there to your recipient’s device. This protects them from the prying eyes of hackers sitting on your network or your internet or telecommunications service providers. However, in the middle, your messaging/email service provider, the website you are browsing, or the app you are using can see unencrypted copies of your messages. Because your messages can be seen by (and are often stored on) company servers, they may be vulnerable to law enforcement requests or theft if the company’s servers are compromised.

Transport-layer Encryption 

Image of transport layer encryption being used for a message

The image above shows an example of transport-layer encryption. On the left, a smart phone sends a green, unencrypted message: “Hello.” That message is encrypted, and then passed along to a cellphone tower. In the middle, the company servers are able to decrypt the message, read the contents, decide where to send it, re-encrypt it, and send it along to the next cellphone tower towards its destination. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.”

End-to-end encryption protects messages in transit all the way from sender to receiver. It ensures that information is turned into a secret message by its original sender (the first “end”) and decoded only by its final recipient (the second “end”). No one, including the app or service you are using, can “listen in” and eavesdrop on your activity.

End-to-End Encryption

Image of end-to-end encryption being used for a message

The image above shows an example of end-to-end encryption. On the left, a smart phone sends a green, unencrypted message: “Hello.” That message is encrypted, and then passed along to a cellphone tower and then to the app/service’s servers, which cannot read the contents, but will pass the secret message along to its destination. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.” Unlike with transport-layer encryption, your ISP or messaging host is not able to decrypt the message. Only the endpoints (the original devices sending and receiving encrypted messages) have the keys to decrypt and read the message.

What type of encryption do we need?

When deciding whether your organization needs transport-layer encryption or end-to-end encryption for your communications, the big questions you should ask involve trust. For instance, do you trust the app or service you are using? Do you trust its technical infrastructure? Are you concerned about the possibility that an unfriendly government could force the company to hand over your messages – and if so, do you trust the company's policies to protect against law enforcement requests?

If you answer “no” to any of these questions, then you need end-to-end encryption. If you answer “yes” to them, then a service that supports only transport-layer encryption may suffice - but it is generally better to go with services that support end-to-end encryption when possible.

When messaging with groups, keep in mind that the security of your messages is only as good as the security of everyone receiving the messages. So in addition to carefully choosing secure apps, it is important that everyone in the group is following other best practices regarding account security and device security. All it takes is one bad actor or one infected device to leak the contents of an entire group chat or call.

What end-to-end encrypted messaging tools should we use (as of 2021)?

If you need to use end-to-end encryption, or just want to adopt the best practice regardless of your organization’s threat context, here are some trusted examples of services that, as of 2021, offer end-to-end encrypted messaging and calls. This section of the Handbook will be regularly updated online, but please note that things change quickly in the world of secure messaging, so these recommendations may not be up-to-date at the time you are reading this section. Also keep in mind that your communications are only as secure as your device itself. So in addition to adopting secure messaging practices, it is essential to implement the best practices described in the device security section of this Handbook.

Text messaging (individual or group)
  • Signal
  • WhatsApp (only with specific setting configurations detailed below)
Audio and Video calls:
  • Signal (up to 8 people)
  • WhatsApp (up to 8 people)
  • Duo (up to 32 people)
File sharing:
  • Signal
  • Keybase / Keybase Teams
  • OnionShare + an end-to-end encrypted messaging app like Signal

What is metadata and should we be concerned about it?

Who you and your staff talk to and when and where you talk to them can often be just as sensitive as what you talk about. It is important to remember that end-to-end encryption only protects the contents (the “what”) of your communications. This is where metadata comes into play. EFF’s Surveillance Self Defense Guide provides an overview of metadata and why it matters to organizations (including an illustration of what metadata looks like):

Metadata is often described as everything except the content of your communications. You can think of metadata as the digital equivalent of an envelope. Just like an envelope contains information about the sender, receiver, and destination of a message, so does metadata. Metadata is information about the digital communications you send and receive. Some examples of metadata include:

  • who you are communicating with
  • the subject line of your emails
  • the length of your conversations
  • the time at which a conversation took place
  • your location when communicating

Even a tiny sample of metadata can provide an intimate lens into your organization’s activities. Let us take a look at how revealing metadata can actually be to the hackers, government agencies, and companies that collect it:

  • They know you called a journalist and spoke with them for an hour before that journalist published a story with an anonymous quote. But they do not know what you talked about.
  • They know one of your party candidates frequently messaged a local business infamous for unsavory activity. But the topic of the messages remains a secret.
  • They know you got an email from a COVID testing service, then called your doctor, then visited the World Health Organization’s website in the same hour. But they do not know what was in the email or what you talked about on the phone.
  • They know you received an email from a large donor with the subject line “Return on Our Investment After the Election”. But the content of the email is invisible to them.

Metadata is not protected by the encryption provided by most message services. So if you are sending a message on WhatsApp, for example, keep in mind that while the contents of your message are end-to-end encrypted, it is still possible for others to know who you are messaging, how frequently, and (with phone calls) for how long. As a result, you should keep in mind what risks exist (if any) if certain adversaries are able to find out who your organization talks to, when you talked to them, and (in the case of email) the general subject lines of your organization’s communications.

One of the reasons that Signal is so highly recommended is that, in addition to providing end-to-end encryption, it has introduced features and made commitments to reduce the amount of metadata that it records and stores. For instance, Signal’s Sealed Sender feature encrypts the metadata about who is talking to whom, so that Signal only knows the recipient of a message but not the sender. By default this feature only works when communicating with existing contacts or profiles (people) with whom you have already communicated or whom you have stored in your contacts list. However, you can change this “Sealed Sender” setting to “Allow from anyone” if it is important for you to eliminate such metadata across all Signal conversations, even those with people unknown to you.

Do I need end-to-end encrypted email?

Most email providers, for example Gmail, Microsoft Outlook, and Yahoo Mail, employ transport-layer encryption. If you need to communicate particularly sensitive information, email is not the best option. Instead opt for secure messaging options like Signal. Even end-to-end encrypted email options leave something to be desired from a security perspective, for example, not encrypting subject lines of emails and not protecting metadata. With that said, if you must communicate sensitive content using email and are worried that your email provider could be legally required to provide information about your communications to a government or another adversary, you will want to consider using an end-to-end encrypted email option such as ProtonMail or Tutanota.
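The following added example, which is not part of the original Handbook, parses a small mailbox of messages whose bodies are encrypted placeholders and lists what a mail provider can still read from the headers: sender, recipients, subject line, time, and message size. Every address, subject and message in it is constructed sample data, and the function names are chosen for this illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

PGP_MARKER = "-----BEGIN PGP MESSAGE-----"

# Constructed placeholder standing in for an encrypted body (not real ciphertext).
ENCRYPTED_BODY = (
    PGP_MARKER + "\n\n"
    "[constructed placeholder for ciphertext]\n"
    "-----END PGP MESSAGE-----"
)


def build_sample(sender, to, subject, date, body):
    """Assemble one constructed RFC 5322 message as raw text."""
    return (
        f"From: {sender}\n"
        f"To: {to}\n"
        f"Subject: {subject}\n"
        f"Date: {date}\n"
        "Content-Type: text/plain\n"
        "\n"
        f"{body}\n"
    )


# Constructed sample mailbox; every address and message here is made up.
SAMPLE_MAILBOX = [
    build_sample("Large Donor <donor@example.org>", "treasurer@party.example",
                 "Return on Our Investment After the Election",
                 "Mon, 01 Nov 2021 09:15:00 +0000", ENCRYPTED_BODY),
    build_sample("Large Donor <donor@example.org>", "treasurer@party.example",
                 "Re: Return on Our Investment After the Election",
                 "Tue, 02 Nov 2021 18:40:00 +0000", ENCRYPTED_BODY),
    build_sample("candidate@party.example", "Reporter <reporter@news.example>",
                 "Background call tomorrow?",
                 "Wed, 03 Nov 2021 07:05:00 +0000", ENCRYPTED_BODY),
]


def visible_metadata(raw_message):
    """Return what is readable from a message without the decryption key."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "sender": getaddresses([msg.get("From", "")])[0][1],
        "recipients": [addr for _name, addr in recipients],
        "subject": msg.get("Subject", ""),          # not covered by body encryption
        "sent_at": parsedate_to_datetime(msg["Date"]),
        "body_encrypted": PGP_MARKER in body,
        "body_bytes": len(body.encode("utf-8")),     # size leaks even when content does not
    }


def contact_summary(mailbox):
    """Count messages per (sender, recipient) pair using headers only."""
    pairs = Counter()
    for raw in mailbox:
        meta = visible_metadata(raw)
        for rcpt in meta["recipients"]:
            pairs[(meta["sender"], rcpt)] += 1
    return pairs


if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        m = visible_metadata(raw)
        print(m["sent_at"].isoformat(), m["sender"], "->", m["recipients"],
              "|", m["subject"], "| encrypted body:", m["body_encrypted"])
    for (sender, rcpt), count in contact_summary(SAMPLE_MAILBOX).items():
        print(f"{sender} -> {rcpt}: {count} message(s)")
```

Running the same functions over an export of your own organization's mailbox shows which subject lines and contact patterns would be exposed even if every body were encrypted.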

Can we really trust WhatsApp?

WhatsApp is a popular choice for secure messaging, and can be a good option given its ubiquity. Some people are concerned that it is owned and controlled by Facebook, which has been working to integrate it with its other systems. People are also concerned about the amount of metadata (i.e. information about with whom you communicate and when) that WhatsApp collects. If you choose to use WhatsApp as a secure messaging option, be sure to read the above section on metadata. There are also a few settings that you need to ensure are properly configured. Most critically, be sure to turn off cloud backups, show security notifications, and verify security codes. You can find simple how-to guides for configuring these settings for Android phones here and iPhones here. If your staff *and those with whom you all communicate* do not properly configure these options, then you should not consider WhatsApp to be a good option for sensitive communications that require end-to-end encryption. Signal still remains the best option for such end-to-end encrypted messaging needs given its secure default settings and protection of metadata.

What about texting?

Basic text messages are highly insecure (standard SMS is effectively unencrypted), and should be avoided for anything that is not meant for public knowledge. While Apple’s iPhone-to-iPhone messages (known as iMessages) are end-to-end encrypted, if a non-iPhone is in the conversation the messages are not secured. It is best to be safe and avoid text messages for anything remotely sensitive, private, or confidential.

Why aren’t Telegram, Facebook Messenger, or Viber recommended for secure chats?

Some services, like Facebook Messenger and Telegram, only offer end-to-end encryption if you deliberately turn it on (and only for one-to-one chats), so they are not good options for sensitive or private messaging, especially for an organization. Do not rely on these tools if you need to use end-to-end encryption, because it is quite easy to forget to change away from the default, less secure settings. Viber claims to offer end-to-end encryption, but has not made its code available for review to outside security researchers. Telegram’s code has also not been made available for a public audit. As a result, many experts fear that Viber’s encryption (or Telegram’s “secret chats”) may be substandard and therefore not suitable for communications that require true end-to-end encryption.

Our contacts and colleagues are using other messaging apps - how can we convince them to download a new app to communicate with us?

Sometimes there is a tradeoff between security and convenience, but a little extra effort is worth it for sensitive communications. Set a good example for your contacts. If you have to use other less secure systems, be very conscious of what you are saying. Avoid discussion of sensitive topics. Some organizations may use one system for general chatting and another with leadership for the most confidential discussions. Of course, it is simplest if everything is just automatically encrypted all the time - nothing to remember or think about.

Luckily, end-to-end encrypted apps like Signal are becoming increasingly popular and user-friendly - not to mention that they have been localized in dozens of languages for global use. If your partners or other contacts need help switching communications over to an end-to-end encrypted option like Signal, take some time to talk them through why it is so important to properly protect your communications. When everyone has an understanding of the importance, the few minutes required to download a new app and the couple of days it might take to get used to using it will not seem like a big deal.

Are there other settings for end-to-end encrypted apps that we should be aware of?

In the Signal app, verifying security codes (which they refer to as Safety Numbers) is also important. To view a safety number and verify it in Signal, you can open up your chat with a contact, tap their name at the top of your screen, and scroll down to tap “View Safety Number.” If your safety number matches with your contact, you can mark them as “verified” from that same screen. It is especially important to pay attention to these safety numbers and to verify your contacts if you receive a notification in a chat that your safety number with a given contact has changed. If you or other staff need help configuring these settings, Signal itself provides helpful instructions.

If using Signal, which is widely considered to be the best user-friendly option for secure messaging and one-to-one calls, be sure to also set a strong PIN. Use at least six digits, and not something easy to guess like your birth date.

For more tips on how to properly configure Signal and WhatsApp, you can check out the tool guides for both developed by EFF in their Surveillance Self-Defense Guide.

Using Chat Apps in the Real World

To limit the damage in case a phone is lost, stolen, or confiscated, it is best practice to minimize the history of messages that are saved on your phone. One easy way to do this is to turn on “disappearing messages” for your organization’s group chats, and to encourage staff to do so on their personal chats as well.

In Signal and other popular messaging applications, you can set a timer for messages to disappear a certain number of minutes or hours after being read. This setting can be customized based upon the individual chat or group. For most of us, setting a disappearing window to one week gives you plenty of time to look things up while not preserving messages that you will never need – but which could potentially be used against you in the future. Remember, what you do not have cannot be stolen.

To turn on disappearing messages in Signal, open up a chat, tap the name of the person/group you are chatting with, tap disappearing messages, choose a timer and tap ok. A similar setting exists in WhatsApp.

In more serious situations where there is a need to immediately delete a message, perhaps because someone’s phone has been stolen or you have sent a message to the wrong person, note that Signal allows you to delete a message to a group or an individual from everyone’s phone within three hours of sending it just by deleting it from your chat. Telegram remains popular in many countries, despite its encryption limitations, because of a similar feature that allows users to delete messages across devices without restrictions.

With that said, if your organization is concerned about the safety of staff as a result of communications that might be seen on their phones, then using disappearing messages with short timers is likely the simplest and most sustainable option.

What about larger group video calls? Are there end-to-end encrypted options?

With the increase in remote work, it is important to have a secure option for your organization’s large group video calls. Unfortunately, no great options currently exist that check all the boxes: being user-friendly, supporting large numbers of attendees and collaboration features, and enabling end-to-end encryption by default.

If your meetings do not require collaboration features like screen sharing or breakout rooms, there are a couple of options. For groups up to eight people, Signal is highly recommended. Group video calls on Signal can be joined either from a smartphone or the Signal desktop app on a computer. Keep in mind, however, that only your contacts who already use Signal can be added to a Signal group.

Google Duo provides end-to-end encrypted video calls for up to 32 participants, so it can be a good option for slightly larger meetings that do not require screen sharing or breakout rooms. You can use Duo via a smartphone app or from the web browser on your computer. Participants are not required to download the Duo app to join a group call on their computer; however, they will be required to be signed in to a Google account. This not only provides a barrier to use, but also means that Duo collects a lot of metadata about who is talking to whom. So if this is a concern to you, Duo might not be the best option. If you do use Duo, be sure to share any group links securely and to have everyone delete your group after each call.

If you need end-to-end encryption for larger group calls or workshops that require features such as screen sharing and breakout rooms, there are a few options. But keep in mind these options require a bit more care in setting up to ensure that end-to-end encryption is enabled and that security is maintained.

One platform that recently added an end-to-end encrypted option is Jitsi Meet. Jitsi Meet is a web-based audio and video conferencing solution that can work for large audiences (up to 75 people) and requires no app download or special software. Jitsi released an experimental end-to-end encryption option in 2020, and as of the publication of this Handbook, Jitsi is actively working on improving it. To set up a meeting on Jitsi Meet, you can go to meet.jit.si, type in a meeting code and share that link (via a secure channel such as Signal) with your desired participants. In order to use end-to-end encryption, take a look at these instructions outlined by Jitsi. Note that all individual users will need to enable end-to-end encryption themselves in order for it to work. When using Jitsi, also be sure to create random meeting room names and to use strong passcodes to protect your calls.

If this option does not work for your organization, you can consider using a popular commercial option like WebEx or Zoom with end-to-end encryption enabled. WebEx has long allowed for end-to-end encryption; however, this option is not turned on by default and requires participants to download WebEx to join your meeting. To get the end-to-end encrypted option for your WebEx account you must open a WebEx support case and follow these instructions to ensure end-to-end encryption is configured. Only the host of the meeting needs to enable end-to-end encryption. If they do so, the entire meeting will be end-to-end encrypted. If using WebEx for secure group meetings and workshops, be sure to also enable strong passcodes on your calls.

After months of negative press, Zoom developed an end-to-end encryption option for its calls. However, that option is not turned on by default, requires that the call host associate their account with a phone number, and only works if all participants join via the Zoom desktop or mobile app instead of dialing in. Because it is easy to accidentally misconfigure these settings, we do not recommend relying on Zoom as an end-to-end encrypted option. However, if end-to-end encryption is required and Zoom is your only option, you can follow Zoom’s instructions to configure it. Just be sure to check any call before it starts to ensure it is indeed end-to-end encrypted by clicking the green lock in the upper left hand corner of the Zoom screen and seeing “end-to-end” listed next to the Encryption setting. You should also set a strong passcode for any Zoom meeting.

In addition to the tools mentioned above, this flow-chart developed by Frontline Defenders highlights some video call and conferencing options that, depending upon your risk context, might make sense for your organization.

What if we really do not need end-to-end encryption for all our communications?

If end-to-end encryption is not needed for all of your organization’s communications based upon your risk assessment, you can consider using applications protected by transport-layer encryption. Remember, this type of encryption requires that you trust the service provider, such as Google for Gmail, Microsoft for Exchange, or Facebook for Messenger, because they (and anyone they might be compelled to share information with) can see/hear your communications. Once again, the best options will depend upon your threat model (for example, if you do not trust Google or if the U.S. government is your adversary, then Gmail is not a good option), but a few popular and generally trusted options include:

Email
  • Gmail
  • Outlook (via Office 365)
    • Do not host your own Microsoft Exchange server for your organization's email. If you are currently doing so, you should migrate to Office 365.
Text messaging (individual or group)
  • Google Hangouts
  • Slack
  • Microsoft Teams
  • Mattermost
  • Line
  • KakaoTalk
  • Telegram
Group conferencing, audio and video calls
  • Jitsi Meet
  • Google Meet
  • Microsoft Teams
  • WebEx
  • GoToMeeting
  • Zoom
File sharing:
  • Google Drive
  • Microsoft SharePoint
  • Dropbox
  • Slack

A note about file sharing

In addition to securely sharing messages, sharing files safely is likely an important part of your organization’s security plan. Most file sharing options are built into messaging applications or services that you might already be using. For instance, sharing files via Signal is a great option if end-to-end encryption is needed. And if transport-layer encryption is enough, using Google Drive or Microsoft SharePoint might be a good option for your organization. Just be sure to properly configure sharing settings so that only the appropriate people have access to a given document or folder, and ensure that these services are connected to staff’s organizational (not personal) email accounts. If you can, prohibit sharing sensitive files via email attachments or physically with USBs. Using devices like USBs within your organization greatly increases the likelihood of malware or theft, and relying on email or other forms of attachments weakens your organization’s defences against phishing attacks.

Organizational alternatives for file sharing

If you are looking for a secure file sharing option for your organization that is not directly embedded in a messaging platform (or perhaps you are running into file size limits when sharing large documents), consider OnionShare. OnionShare is an open source tool that allows you to securely and anonymously share a file of any size. It works by having the sender download the OnionShare app (available on Mac, Windows and Linux computers), uploading the file(s) they wish to share, and generating a unique link. This link, which can only be processed in Tor Browser, can then be shared via any secure messaging channel (Signal, for instance) to the intended recipient. The recipient can then open the link in Tor Browser and download the file(s) to their computer. Keep in mind, the files are only as secure as the method through which you share the link. Tor will be explained in more detail in a later “advanced” section of the Handbook, but for the purposes of file sharing within your organization, keep OnionShare in mind as a safer alternative to sharing large files on USBs around the office if you do not have a trusted Cloud provider option.


If your organization is already investing in a password manager, as described in this Handbook’s section on passwords, and chooses Bitwarden’s premium or teams account, the Bitwarden Send feature is another option for secure file sharing. This feature allows users to create secure links to share encrypted files via any secure messaging channel (such as Signal). File size is limited to 100MB, but Bitwarden Send allows you to set an expiration date on links, password protect access to shared files, and limit the number of times that your link can be opened.

Communicating and Sharing Data Securely

  • Require the use of trusted end-to-end encrypted messaging services for your organization’s sensitive communications (and ideally for all communications).
    • Take time to explain to staff and external partners why secure communications are so important; this will enhance the success of your plan.
  • Set a policy on how long you will retain messages and when/if the organization will use “disappearing” communications.
  • Ensure proper settings are in place for secure communications apps, including:
    • Ensure all staff are paying attention to security notifications and, if using WhatsApp, not backing up chats.
    • If using an app where end-to-end encryption is not enabled by default (e.g. Zoom or Webex), ensure the required users have turned on the proper settings at the outset of any call or meeting.
  • Use cloud-based email services such as Office 365 or Gmail for your organization.
    • Do not attempt to host your own email server.
    • Do not allow staff to use personal email accounts for work.
  • Frequently remind the organization about security best practices related to group messaging and metadata.
    • Be aware of who is included in group messages, chats, and email threads.