
Guide To Secure Group Chats For Activists
ABOUT THIS TRAINING
Note: This training is not legal advice and does not create an attorney-client relationship. Laws and procedures vary by city, state and country. Consult local activists and attorneys for more precise information relevant to your area.
With teams increasingly working remotely during COVID-19, we are all facing questions regarding the security of our communication with one another: Which communication platform or tool is best to use? Which is the most secure for holding sensitive internal meetings? Which will have adequate features for online training sessions or remote courses without compromising the privacy and security of participants? This training was originally published by Front Line Defenders and was modified for NooWorld. It presents a simple overview that may help you choose the right tool for your specific needs.
This training is a 15-minute read.
Note:
- With end-to-end encryption (e2ee), your message gets encrypted before it leaves your device and only gets decrypted when it reaches the intended recipient’s device. Using e2ee is important if you plan to transmit sensitive communication, such as during internal team or partner meetings.
- With encryption to-server, your message gets encrypted before it leaves your device, but it is decrypted on the server, processed, and encrypted again before being sent to the recipient(s). Having encryption to-server is OK if you fully trust the server.
WHY ZOOM OR OTHER PLATFORMS/TOOLS ARE NOT LISTED HERE
There are many platforms that can be used for group communication. In this guide we focused on those we think will deliver good user experiences and offer the best privacy and security features. Of course, no platform can offer 100% privacy or security; as in all communications, there is a margin of risk. We have not included tools such as Zoom, Skype, Telegram, etc. in this guide, as we believe that the margin of risk incurred whilst using them is too wide, and therefore Front Line Defenders does not feel comfortable recommending them.
SURVEILLANCE AND BEHAVIOR
Some companies like Facebook, Google, Apple and others regularly collect, analyse and monetize information about users and their online activities. Most, if not all, of us are already profiled by these companies to some extent. If the communication is encrypted to-server, the owners of the platform may store this communication. Even with end-to-end encryption, information about your communication practices, such as location, time, whom you connect with, how often, etc., may still be stored. If you are uncomfortable with this data being collected, stored and shared, we recommend refraining from using services from those companies.
The level of protection of your call depends not only on which platform you choose, but also on the physical security of the space you and others on the call are in and the digital protection of the devices you and others use for the call.
CRITERIA FOR SELECTING THE TOOLS OR PLATFORMS
Before selecting any communication platform, app or program it is always strongly recommended that you research it first. Below we list some important questions to consider:
- Is the platform mature enough? How long has it been running for? Is it still being actively developed? Does it have a large community of active developers? How many active users does it have?
- Does the platform provide encryption? Is it end-to-end encrypted or just to-server encrypted?
- In which jurisdiction is the owner of the platform and where are servers located? Does this pose a potential challenge for you or your partners?
- Does the platform allow for self-hosting?
- Is the platform open source? Does it provide source code to anyone to inspect?
- Was the platform independently audited? When was the last audit? What do experts say about the platform?
- What is the history of the development and ownership of the platform? Have there been any security challenges? How have the owners and developers reacted to those challenges?
- How do you connect with others? Do you need to provide phone number, email or nickname? Do you need to install a dedicated app/program? What will this app/program have access to on your device? Is it your address book, location, mic, camera, etc.?
- What is stored on the server? What does the platform's owner have access to?
- Does the platform have features needed for the specific task/s you require?
- Is the platform affordable? This needs to include potential subscription fees, the time spent learning and implementing it, any IT support needed, hosting costs, etc.
MORE INFORMATION RELATED TO EACH TOOL/SERVICE LISTED
All the listed platforms, apps and programs below should work on Windows, MacOS, Linux, Android and iOS unless otherwise noted. Depending on the operating system, some functionality may be limited.
SIGNAL - https://signal.org/
- Owner non-profit organisation: Signal Technology Foundation / USA
- Encryption: end-to-end
- Features: voice / video / text; disappearing messages; voice memo; sending files or photos;
- License: Free and open source (GNU General Public License v3.0)
- Hosted on Signal's server
- Cost: free
- Participants limits: voice 1-to-1 / video 1-to-1 / text unlimited
- Account required: yes, registration with phone number
- Access with: app on the phone or program on computer
- Notes: To communicate with others you need to let them know your phone number. We recommend that you use security settings including Signal PIN, Registration Lock, Screen Lock, and Enable Screen Security in Privacy settings. Signal publishes a transparency report.
DELTA CHAT - https://delta.chat/
- Owner commercial company: Merlinux GmbH / Germany
- Encryption: end-to-end
- Features: text; voice memo; sending files or photos;
- License: Free and open source (GNU General Public License v3.0)
- Hosting: works with any email server (IMAP access needed)
- Cost: free
- Participant limits: unlimited
- Account requirement: yes, any email account with IMAP support.
- Access with: app on the phone or program on computer
- Notes: To communicate with others you need to let them know your email.
ELEMENT - https://element.io
- Owner commercial company: New Vector Ltd. / USA
- Encryption: end-to-end
- Features: voice / video / text (see notes below); public rooms; sending files or photos; integrates with Jitsi Meet and other communication platforms; screen sharing;
- License: Free and open source (Apache License 2.0)
- Hosting: Self hosted and 3rd party hosted (on matrix.org server)
- Cost: free or paid
- Participant limits: voice 1-to-1 / video 1-to-1 / text unlimited
- Account requirement: yes, registration required - no need to add email or phone number
- Access with: app on the phone or program on computer
- Notes: Voice/video calls are only available from the phone. There are no group voice/video calls available. It is always important to check if end-to-end encryption is activated. This is indicated by a black shield on the chat lead icon. You can manually activate it in the chat settings. Element was previously known as Riot. It is built on the Matrix.org protocol.
WIRE - https://wire.com/
- Owner commercial company: Wire Swiss GmbH / Switzerland
- Encryption: end-to-end
- Features: voice / video / text; disappearing messages; voice memo; sending files or photos;
- License: Free and open source (client: GNU General Public License v3.0, server: GNU Affero General Public License v3.0)
- Hosted: on Wire's server
- Cost: free for personal use, monthly per account fee otherwise
- Participant limits: Voice up to 10 / Video up to 4 / Text up to 500 participants
- Account requirement: yes, email or phone number registration. Any participant can create communication group.
- Access with: app on the phone, program or browser on computer.
JITSI MEET - https://jitsi.org/jitsi-meet/
- Owner commercial company: 8x8 / USA
- Encryption: to-server
- Features: voice / video / text; screen-sharing, depending on the server configuration: meetings recording; live-streaming (on YouTube);
- License: Free and open source (server: Apache License 2.0)
- Hosting: Self hosted and 3rd party hosted. See the list of publicly accessible trusted servers we recommend in the flowchart above.
- Cost: free
- Participant limits: dependent on the server configuration, often 75 participants
- Account requirement: not required. Any participant can start a call by simply opening a link.
- Access with: app on the phone, browser or program on computer
- Notes: Because Jitsi Meet uses encryption to-server, it is important to use a trusted server. We listed above some of the servers we consider trustworthy. You can host Jitsi Meet on your own server. Jitsi Meet is working on introducing end-to-end encryption soon. On some servers you may see a "Phone in" option; note that those calls are made as regular non-encrypted calls. You can additionally use the password-protect feature for joining a call.
BIGBLUEBUTTON - https://bigbluebutton.org/
- Owner commercial company: BigBlueButton Inc. / USA
- Encryption: to-server
- Features: voice / video / text; presentation sharing / screen-sharing / whiteboard / shared notes / breakout rooms / call recording
- License: Free and open source (server: GNU Lesser General Public License v3.0)
- Hosting: Self hosted
- Cost: free
- Participant limits: depends on server configuration, typically 150 maximum
- Account requirement: yes - for moderator with email registration, no - for participants; only moderator can create a meeting/training room.
- Access with: browser on the phone and computer
- Notes: BBB is software that can be installed on a server. It was specially designed for online training sessions and is packed with lots of great features especially for this (see tutorials for participants and moderators).
WHEREBY - https://whereby.com/
- Owner commercial company: Video Communication Service AS / Videonor / Norway
- Encryption: end-to-end (for max 4 participants) / to-server (for more participants)
- Features: voice / video / text / screen sharing / call recording
- License: proprietary
- Hosted: on Whereby's server
- Cost: free (for max 4 participants) / monthly subscription (for more participants)
- Participant limits: 50 (dependent on subscription)
- Account requirement: yes, for moderator; only moderator can setup and start a meeting
- Access with: app on the phone or program on computer
BLUE JEANS - https://www.bluejeans.com/
- Owner commercial company: BlueJeans Network (Verizon) / USA
- Encryption: to-server
- Features: voice / video / text / meeting recordings;
- License: proprietary
- Hosted: on Blue Jeans' server
- Cost: monthly fee
- Participant limits: 100 (dependent on subscription)
- Account requirement: yes - moderator (registration with email), participants - no need
- Access with: app on phone, browser on computer, phone call
GOTOMEETING - https://www.gotomeeting.com/
- Owner commercial company: LogMeIn Inc / USA
- Encryption: to-server
- Features: voice / video / text (limited) / screen sharing / call recording
- License: proprietary
- Hosted: on GoToMeeting's server
- Cost: monthly fee
- Participant limits: 3000 (dependent on subscription)
- Account requirement: yes - moderator/admin (registration with email), participants - no need
- Access with: app on phone, program or browser on computer, phone call
FACETIME / iMESSAGE - https://www.apple.com/ios/facetime
- Owner commercial company: Apple / USA
- Encryption: end-to-end
- Features: voice / video / text / voice memos / files transfer
- License: proprietary
- Hosted: on Apple's servers
- Cost: free
- Participant limits: 32 (not in all regions)
- Account requirement: yes, email and phone number registration. Any participant can create a communication group.
- Access with: app on phone and computer
- Notes: FaceTime / iMessage will only work from Apple devices like iPhone, MacBook or iPad. Apple may keep records of some information about the communication. Apple publishes a transparency report.
GOOGLE MEET - https://meet.google.com/
- Owner commercial company: Google LLC / USA
- Encryption: to-server
- Features: voice / video / text / screen sharing / call scheduling / video sharing / background noise filtering
- License: proprietary
- Hosted on Google's servers
- Cost: free until 30 September / subscription fee after that
- Participants limits: 250 (until Sept 2020), 100 after that for a basic account
- Account required: yes, moderator needs to have Google account, participants - no need; only moderator can create a meeting room.
- Access with: app from phone, browser from computer
- Notes: Because it uses to-server encryption, Google may record some information from the communications as well as information about them. Google publishes a transparency report.
DUO - https://duo.google.com/
- Company: Google LLC / USA
- Encryption: end-to-end
- Features: voice / video
- License: proprietary
- Hosted on Google's servers
- Cost: free
- Participant limits: 12 as of March 2020 - aiming for 32
- Account: yes - phone number
- Access: app
- Notes: Duo only works from the phone (both Android and iOS). It is optimised for low bandwidth. Google may record some information about the communication.
WHATSAPP - https://www.whatsapp.com/
- Owner commercial company: Facebook / USA
- Encryption: end-to-end
- Features: voice / video / text; voice memo / sending files
- License: proprietary
- Hosted on Facebook's servers
- Cost: free
- Participants limits: 8 for voice and video / text 256 / Anybody can create a communication group
- Account required: yes, registration with the phone number
- Access with: app on phone, program on computer
- Notes: To communicate with others you need to let them know your phone number. Facebook may record some information about the communication. Facebook is rolling out the integration of WhatsApp with Messenger Rooms for calls with more than 8 participants (up to 50 participants). Messenger Rooms does not offer end-to-end encryption, which will allow Facebook access to all content of the communication.
MICROSOFT TEAMS - https://teams.microsoft.com
- Owner commercial company: Microsoft / USA
- Encryption: to-server
- Features: voice / video / text both 1-on-1 and group; topic channels; integration with office suite, emails, calendars and scheduling support across timezones; file storage; screen share with mouse control; polls; background change; sending files and multimedia;
- License: proprietary
- Hosting: hosted on Microsoft's servers
- Cost: free and paid versions
- Participant limits: 20 in video call, 300 in a text chat (see Limits and specifications: https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams)
- Account requirement: yes, participants need to register accounts. There is an option to join as a guest if you've been invited by a registered participant, but some functions are limited.
- Access with: app on the phone or program on computer
- Notes: Because it uses to-server encryption, Microsoft may record some information from the communications as well as information about them. Microsoft publishes a transparency report.
Do you have a training or a good idea for one? We'd love to hear from you. Please contact us at trainings@noo.world.
Security culture is a vital part of the climate movement. We don't just have to protect ourselves, we also have to protect each other!
More and more relevant every day.
I would recommend Threema, it's non-US based, with no phone number and end-to-end encryption!