In one of our previous contributions, we stated that the human being needs to communicate (the first axiom of the Palo Alto School) , and the advantage offered by the Internet of interacting with other people even at a distance has been successful. Moreover, numerous popular and scientific contributions described the social evolution (or involution, depending on the point of view), and it is undoubted understandable that it may have legal and juridical repercussions.
|credits Paweł Czerwiński|
In addition to verbal communication, we also use written communication on an almost daily basis; or rather, our lives’ circumstances often require us to turn what we would like to communicate verbally into text messages that we send with specific apps. However, we should also analyse the communication aspect on other levels, namely the protection of natural persons with regard to the processing of personal data - privacy and cybersecurity. It is well-known that the pandemic has changed our communication both in terms of frequency and the solutions used. Each person should always be in full control of their personal data and be fully aware of their processing. Unfortunately, this is not always the case. For our communication, therefore, we use some apps. In recent months, at least three apps have been in the news, the most popular ones as they are most used by users, namely Whatsapp, Signal and Telegram. It is not our intention to devote ourselves to comparing these three apps but to share some thoughts about the tools we use almost daily. We would therefore like to emphasise two aspects:
- security of processing and personal data;
Please refer to Article 32 of the GDPR and the specific technical standards regarding “Security of processing”.
However, this freedom exercise presupposes that the user can use a messaging system without granting any control to one or more subjects. This stage is reached when the user is fully aware of the resources and tools he/she commonly uses. In essence, the data subject should ask himself: ‘Am I fully aware of what happens to my personal data when I use a certain app?’.
Many have not only never asked themselves this question but have probably used the app(s) simply because ‘others do it’ or because some friend has so advised them. Numerous contributions have been written, especially in recent months, basically on the question “Which messaging app is most secure?”.
Several contributions even mention the comparison between Whatsapp, Signal and Telegram. Distinguished and well-known IT professionals have long since clarified that it is not a question of security protocols used by one app rather than another because - unless proven otherwise - the general level of security and encryption of messages is right and, in any case, guaranteed by almost every app (we know that Telegram guarantees encrypted messages only in the so-called ‘secret chats’). In reality, what might differentiate apps from each other is the higher or lower level of security adopted by developers and the possibility of analysing their source code to know what instructions the software executes, in what way, and with what effects.
In this case, the software is said to be ‘open source’, i.e. open and able to be analysed by anyone. At this point, the data subject could choose open-source software that guarantees a high level of security and be happy. Indeed, further clarification is necessary. Developers of a messaging app can opt for a centralised, federated, or a distributed / decentralised system. In the case of a centralised system, the data subject’s personal data are in the developer’s control, even if the developer explicitly states that it does not have access to the user’s messages.
The developer will still have some information (e.g. phone number) from the user to provide the service and allow the user to use the messaging system; perhaps he will also collect some metadata. In this case, the data subject is not entirely free to have full and total control over his personal data. However, we should note that whether the data controller has complied with the legislation does not mean it is a scenario contrary to the data protection rules. In the case of a decentralized system, we consider every user a node, avoiding centralizing data in the subject’s hands that “manages” the platform.
The user, therefore, should be the only one to have access to his data and the content of the messages he exchanges with other subjects and, consequently, to have full and total control of his data and the content of the messages. Our preference for a federated system, with a focus on security aspects, led us to opt for messaging apps such as DeltaChat, which works with our email account to exchange encrypted messages as it “implements the Autocrypt Level 1 standard and can thus E2E-encrypt messages with other Autocrypt-capable apps.” (quoting from the FAQ Does Delta Chat support end-to-end-encryption?). DeltaChat developers’ keen insight lies in the advantage of having an app other than an email client that, in a simplified yet effective and powerful way, achieves the goal of sending and delivering encrypted messages through email exchange. Those who have tried DeltaChat have been surprised by the intuition behind the system.
After all, it is sufficient to read what is published on the reference site to understand how convenient this system is. Moreover, for those who want to deepen, are available on the Internet, several contributions, also quite detailed, that describe the strengths of DeltaChat. Among many, we point out “10 WaysDelta Chat is Better than WhatsApp, Signal, and Telegram”. Many people are afraid of changing messaging apps (e.g. Whatsapp) because there is a risk that they will no longer be reachable. Indeed, it is a false problem because anyone interested in contacting us can do so using any available solution and is not obliged to do so with one app (perhaps because it is more widely used). In fact, by having our digital contact details, those interested can reach us anyway.
Sometimes we tend to prefer apps known to guarantee high levels of security, avoiding email. However, - as we pointed out - with suitable solutions (e.g. PGP, SMIME, DeltaChat, etc.), it is also possible to exchange encrypted email messages without using complex systems such as the (Italian) PEC (for foreign countries Registered Electronic Mail - REM). The discussion level generated in recent months about the three mentioned apps (Whatsapp, Signal and Telegram) demonstrates the focus on instant messaging (IM). Many people probably do not know that several IM applications are based on the Jabber - XMPP protocol (dating back to 1999).
The XMPP protocol’s characteristic is decentralisation and can be compared to the email system, with the difference that a user on the network has only one XMPP address. But how does it work in practice? You need to obtain an IM account (very similar to an email account in the format ‘firstname.lastname@example.org’) from a provider (here is a list of servers).
If, on the other hand, you decide to install a self-hosted mail server, you can opt for Mailcow, which is free of charge, secure, powerful and with a robust integrated XMPP solution. Once you have registered for an IM account and it is active, you can exchange messages with other users using the same IM system. To exchange IM messages, we need to use ad hoc apps (clients) and here is a list, but it is also possible via web clients (the Movim project is worth mentioning). The choice will depend on the operating system (solutions exist for almost all platforms).
What is the advantage of IM?
Firstly, it is a decentralised system. Therefore, the user does not depend on others who managing the system but has full and total control of the account he has access to (even more so in a configuration such as Mailcow described above). It is possible to activate end-to-end encryption (usually according to the OMEMO protocol which is an extension of the XMPP protocol) to exchange text messages, multimedia content (video images), and any file format. Some clients are experimenting with Multimarkdown for text messages.
This solution offers security guarantees (in IT, security is never absolute and 100%), the immediacy of communication (by its very nature, these are instant messages), and full and total control of one’s data by the user. The limitation, if it can be considered as such, is that the subjects with whom you want to use the IM system must all have an ad hoc account. In general, other communication solutions relate to messaging, some of which are blockchain-based, but which - due to their configuration and use - present a learning curve that does not make them immediately usable by an average user.
Solutions related to decentralised social networking platforms are also well known and structured in such a way as to avoid access to published content by one or more parties; thus, they are solutions with adequate power of control over their data by the user.
In conclusion, we should reflect on the resources we commonly use - only because others do it too - and pay more attention to each individual’s (precious) freedom to have full control over the information that concerns them and, consequently, to decide for themselves.
Consider your seed: You were not made to live like brutes But to follow virtue and knowledge Dante Alighieri, Divine Comedy, Inferno, XXVI