EFF Designs a Scorecard to Help Measure Secure Messaging

The Electronic Frontier Foundation has developed a rubric designed to assess which social and communication apps and tools are best at keeping our messages secure. In an era of growing concern regarding our digital privacy, the EFF believes everyone is entitled to a practical and secure way to communicate via the Internet and mobile phones. This assessment of security, or scorecard for each app and tool, is the initial step of an ongoing campaign to educate and inspire.

The EFF launched a website with scorecards for communication companies and apps including Skype, Facebook Chat, AIM, iMessage, CryptoCat and TextSecure.

According to the Foundation, the apps that most stood out managed to impress in two categories, security and usability. These categories were then used to determine guidelines for assessments of tools related to email, text messages, and video chats. Big or small, the companies taken into account were those that the EFF believes are either heavily used or innovators with outstanding security practices.

EFF_Secure_Messaging_Scorecard

The categories used for the assessment are as follows:

  1. Is your communication encrypted in the transit?
  2. Is your communication encrypted with a key the provider doesn’t have access to?
  3. Can you independently verify your correspondent’s identity?
  4. Are past communications secure if your keys are stolen?
  5. Is the code open to independent review?
  6. Is the crypto design well documented?
  7. Has there been an independent security audit?

According to The Daily Dot, the EFF’s Secure Messaging Scorecard received a fair share of positive reviews. However, it also generated “criticism from several prominent figures in the security industry, who deemed the effort inaccurate, misleading and vague.”

There were complaints that Skype did not deserve even the recognition it was awarded, especially after its mention by Edward Snowden in his accounts of the NSA’s intrusive behavior and breach of virtual conversations.

Others were quick to judge the nearly perfect score awarded to CryptoCat, a “program [that] has a problematic history of broken security, crackle keys, and a variety of attacks.”

In both cases, Peter Eckersley, technology project director of EFF stepped forward in defense of the evaluations. He refuted the Skype ordeal by proposing the possibility that perhaps the NSA’s collection of Skype calls was not the direct result of a cryptography break in. And CryptoCat’s high score, according to Eckersley was a result of pure merit and performance during its audits.

Despite some early criticism, the EFF has observed plenty of “tech companies working really hard to improve their security,” says Eckersley. The EFF understands there is “currently no secure, reliable and usable protocol that Internet can switch to do secure messaging,” and so it wants to be the first to change that.