Net Alert – The Citizen Lab, https://citizenlab.ca, University of Toronto, Wed, 08 May 2019 19:57:24 +0000

Secure Your Chats: Why Encrypted Messaging Matters
https://citizenlab.ca/2017/11/secure-your-chats-encrypted-messaging/
Thu, 09 Nov 2017 14:59:38 +0000

If you knew that every piece of mail you sent was opened at the post office, read, and resealed before it was delivered, would you still feel comfortable divulging personal information in those letters? Unfortunately, SMS text messages that we send and receive may be subject to this exact type of inspection. This is why the Citizen Lab, in partnership with Open Effect and the University of New Mexico, has released Secure Your Chats: a Net Alert resource that outlines how to safely use end-to-end encryption.

End-to-end encrypted messaging is effective at protecting the content of your messages from being read as they travel across the Internet to your friends and family. Essentially, each message is scrambled and can only be unscrambled by the sender and recipient of the message. This is a powerful method to ensure that third-party actors can’t access your communiques and that service providers can’t read or give up any information that you send or receive.

Many chat apps enable end-to-end encryption by default, including: WhatsApp, Wire, Signal, and LINE. However, finding a single-stop resource to help users understand encryption and select secure apps for their specific needs proved difficult.

“Many existing resources that explain end-to-end encryption are designed to make the technical side of encryption more accessible, provide detailed how-to guides, or are fairly text-heavy,” explains Andrew Hilts, Senior Researcher and Developer at the Citizen Lab. “We identified an area where we could make a valuable contribution: an easy-to-understand, visual resource explaining why everyday people should use end-to-end encryption.”

The development of this project came about by consulting with security trainers who work with at-risk communities. This helped not only identify gaps in existing training materials but also provided insight into how to best communicate this often complicated information.

A history of encryption investigation

The Citizen Lab has an active research area examining the privacy and security of mobile applications, and several reports have analyzed various cryptographic features used in apps. One such study looked at end-to-end encryption in LINE, a popular chat app in many Asian markets. The study showed that the app didn’t implement forward secrecy on its end-to-end encrypted messages (making them vulnerable to attacks if someone collected old encryption keys) and that the program’s cryptographic system didn’t follow best practices.

Jedidiah Crandall, University of New Mexico Professor and consultant on Secure Your Chats, says that following accepted cryptographic practices is an integral aspect of any app design. If engineers who are building a bridge don’t use tested materials and established practices, they are potentially putting anyone who uses the bridge in danger.

“Similarly, when cryptography engineers don’t follow best practices, it makes it impossible for independent cryptography engineers to attest to its security,” he says.

Secure Your Chats is the latest edition of Net Alert. It includes the following resources:

  • A comic that presents some reasons why everyday people might benefit from using encrypted messaging apps and introduces the concept of end-to-end encrypted messaging at a general level.
  • A guide on how and when end-to-end encryption isn’t necessarily enough to keep your communications secure. This presents concepts such as communications metadata, malware, and hardware forensics.
  • Three features to look out for when choosing an encrypted messaging app. This series of primers describes identity verification, forward secrecy, and public best practices as features of encrypted messaging apps to be familiar with.

Reflecting the diversity of the Citizen Lab network and underscoring the goal of making Net Alert widely accessible, Secure Your Chats is available in: English, Traditional Chinese, Simplified Chinese, Arabic, French, and Spanish.

Acknowledgements

Bahr Abdulrazzak, Simon Humbert, Ramy Raoof, Lotus Ruan, and Leandro Ucciferri provided translations.

Ramy Raoof and Lobsang Gyatso Sither participated in security trainer consultations.

Net Alert is a collaborative project of Open Effect, Citizen Lab, and the University of New Mexico, supported by the Open Technology Fund.

Protect your Digital Presence with Secure Accounts
https://citizenlab.ca/2017/08/citizen-labsecureaccounts/
Thu, 17 Aug 2017 14:07:09 +0000

Citizen Lab, along with partners Open Effect, the University of New Mexico, and comic book artist Jason Li, have launched Secure Accounts as a free resource to help users better understand potential threats to their online identities and the steps they can take to protect themselves.

Our digital accounts on social networks, email, chat apps, and other platforms act as the gateway to our lives. We use them to have private conversations, store documents, collect our personal photos, and more. If someone has access to your digital accounts, they have access to your life, which can have real-world consequences in the wrong hands. These risks mean it’s essential to take steps to safeguard our digital selves.

But how do you know if your digital accounts are safe? And what are easy steps you can take to improve your security?

Citizen Lab, along with partners Open Effect, the University of New Mexico, and comic book artist and designer Jason Li, have launched Secure Accounts to answer these questions in a fun and accessible way.

Secure Accounts offers a visually rich experience, driven by the illustrations of Jason Li, who was involved at every stage of the project.

“With Secure Accounts, we’re using visuals to catch people’s attention, humor to make the journey a bit more fun and memorable, and, above all, everything must always be accessible so that our work is as inclusive as possible,” says Li.

The project was motivated by Citizen Lab research that has shown that account phishing is a common threat that civil society groups face. Phishing is a tactic to steal personal information, by tricking you into entering passwords into websites that look legitimate but are really fake. Like the rest of us, journalists, activists, and humanitarians store their lives online. Through their online accounts, they communicate, mobilize, and organize political activities. Phishing is a relatively inexpensive way for spies and criminals to break into accounts and collect sensitive information.

“The risks that civil society groups face online reflect the general risks that everyone needs to be aware of. Making our accounts more secure through features like two-factor authentication is a first step we can all take towards being safer online,” explains Masashi Crete-Nishihata, a member of the project team from Citizen Lab.

The project team consulted with security trainers working alongside at-risk communities in Arabic-speaking countries as well as the Tibetan Exile community. These consultations revealed important information about encouraging online security, such as the need to make security practices seem like an everyday activity, performed by normal people — as opposed to specialized techniques performed only by professionals.

No longer just for specialists

“Security measures are no longer a matter of exceptional steps that certain professions or specific kind of people need; it is becoming a minimum basic need in many contexts to help a little bit in controlling your private content and way of working,” says Ramy Raoof, a Citizen Lab research fellow and security trainer who provided consultations for the Secure Accounts project.

Likewise, protecting yourself online means protecting the ones you care about.

“In this connected century, it is never just about you,” says Lobsang Gyatso Sither, who works with groups within the Tibetan Exile Community to improve their digital security practices.

“For me, if someone is online, then it doesn’t really matter whether they have a technical background or not: staying safe online is not just about you, but about staying safe for your family, your friends, your community, and more.”

How does it work?

Secure Accounts comprises five different modules, each designed to function as a standalone resource on a specific aspect of account security, or as a series, with each module building on the others.

The five modules include:

    • Secure Your Accounts: A comic that explains why people should take their account security seriously
    • Account Phishing and Civil Society: A brief explanation of what phishing is and two examples of phishing attacks against civil society groups based on recent Citizen Lab research
    • 2-step verification in 2-minutes: A comic that explains what 2-step verification is and why it’s important
    • Set up 2-step verification now: A collection of links to instructions on how to set up 2-step verification on popular online platforms
    • Who could get access?: An app that uses humour to highlight how adopting better security habits will mean hackers need more time and skill to break into your accounts

Reflecting the diversity of our network and goal to make Net Alert accessible, Secure Accounts is available in the following languages: English, Traditional Chinese, Simplified Chinese, Tibetan, Arabic, French, and Spanish.

Acknowledgements

Bahr Abdulrazzak, Simon Humbert, Ramy Raoof, Lotus Ruan, Lobsang Gyatso Sither, and Leandro Ucciferri provided translations.

Ramy Raoof and Lobsang Gyatso Sither participated in our security trainer consultations.

Net Alert is funded by the Open Technology Fund’s Internet Freedom Fund.
