The EFF’s secure messaging scorecard. Which app will you use?

Graham Cluley
Graham Cluley
@[email protected]

We live in alarming times.

Revelations by NSA whistleblower Edward Snowden woke many of us to up the risks posed by covert surveillance, and in just the last few days – following the ghastly events in Paris – UK Prime Minister David Cameron has called for secure communication apps to be made unlawful, or at least forced to contain a backdoor which the police and intelligence agencies could exploit.

As someone said to me on Twitter, “terrorists are suspected of using window curtains to hide bomb-making activity – do we outlaw curtains?”

A ban is clearly impossible to enforce. Anyone can go on the internet to download the open source code of encryption and secure messaging tools and use those if they wish. No doubt that is precisely what anyone planning to commit a crime would do if the UK attempted to put into place but legislation.

Sign up to our free newsletter.
Security news, advice, and tips.

And one danger of having a backdoor in communication systems, of course, is not just that law enforcement could abuse their powers, but also that internet criminals and enemy nations could exploit the same security hole.

By introducing a way to snoop on terrorist, paedophiles and organised criminals you’re potentially putting all regular computer users at greater risk.

But my recommendation is to not wait until bone-headed legislation is pushed through by countries who think they can police the internet to such a draconian level. Instead, think long and hard about how you communicate on the internet and how you share information safely and securely.

One element you clearly should consider is secure messaging. How can you communicate with someone else with confidence that your messages are not being intercepted and – indeed – that the secure messaging vendor cannot be leaned upon to cough up details of what you might have been saying at a later date?

Fortunately the Electronic Frontier Foundation (EFF) has come to our rescue once again, publishing what it calls its “Secure Messaging Scorecard” which aims to show which apps and tools actually keep your messages safe.

Here’s how the EFF introduces the scorecard:

In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer “secure messaging” products—but are these systems actually secure? We decided to find out, in the first phase of a new EFF Campaign for Secure & Usable Crypto.


Of course, the EFF is careful to say that the results shown in the scorecard should not be read as endorsements of particular tools or services, or guarantees of their security, but they are “indications that the projects are on the right track.”

And, for me, the EFF saying a particular tool is on the “right track” for security and privacy is a definite thumbs up, and shouldn’t be ignored.

Right now, the EFF’s scorecard asks itself seven different questions when looking at a service:

  • Encrypted in transit?
  • Encrypted so the provider can’t read it?
  • Can you verify contacts’ identities?
  • Are past comms secure if your keys are stolen?
  • Is the code open to independent review?
  • Is the code open to independent review?
  • Is security designed properly documented?
  • Has there been any recent code audit?

Obviously, the score card is likely to be dynamic as products are found to improve or worsen. But right now, here are the products which are given a green tick in all criteria:

The full score card can be found on the EFF’s website.

If you have a preferred secure messaging app, why not leave a comment below explaining what you like about it?

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.