Which messaging services are really secure?

Secure messaging with end-to-end encryption (E2EE) means that only you and your recipient’s devices can see the messages you send each other. But only some of the most popular online messaging services fully support this.

Any message sent over the web from a site using HTTPS benefits from TLS (Transport Layer Security), which encrypts data (your message in this case) in transit; that is, when it’s being sent between your computer and the server at the other end, and from the server to you.

However, the message is decrypted when it reaches the server, which means that the server and anyone with access to its administrative functions could potentially read your messages. That means staff and contractors working with the service’s administration tools, anyone with sufficient authority in any country where relevant servers are hosted can demand that your messages be handed over, and anyone who illegally accesses the company’s systems could access and download your conversations.

If a service uses end-to-end-encryption, the keys to decrypt the messages are held only by participants in the conversation, so the messages themselves cannot be read by anyone until they get to your device.

This means that the only potential weak link in your security and privacy is the security of the device you’re using to send those end-to-end encrypted messages. Below you can find a quick guide detailing which common messaging services are end-to-end encrypted.

Signal

Messages on Signal are end-to-end encrypted using the Signal protocol. The service requires your phone number to create an account and you have to share this with users you want to chat to. Additional devices have to be linked to the phone app. Group chats, voice, video calls are encrypted. Signal is secure.

Element

Built on the open source Matrix communication standard, conversations between individual Element users are strongly encrypted per device. That means that, if you’re signed into Element using both your PC and your phone, each will use unique encryption keys.

Public group chats are not encrypted, private ones are. You don’t need to use a phone number to connect to Element – accounts. Element is secure.

WhatsApp

WhatsApp is also end-to-end encrypted using the Signal protocol and requires your phone number to create an account. You’ll also need to share it with other users you want to chat to. Additional devices have to be linked to the phone app. Group chats, voice, video calls are encrypted.

If a WhatsApp message is reported, the last five messages you sent to the group or user are passed on to WhatsApp moderators. WhatsApp is secure.

Viber

Since 2016’s Version 6 release, Viber has supported end-to-end encryption for all messages, on all platforms. Both individual and group chats are encrypted, with the exception of public channels and communities, bots and business messages. Voice and video calls are also encrypted. Viber is secure.

Telegram

End-to-end encryption is optional and only enabled when you activate a Secret Chat. Group chats cannot be encrypted.

Facebook Messenger

End-to-end encryption is optional and only enabled in secret convervsations with one or more people, which you have to manually create. These only work on on Android and iOS.

Not all Facebook chats can be encrypted. Those which do not benefit from E2EE include chats associated with Facebook groups, exchanges with businesses, Marketplace sellers, and unspecified “others”.

If a message in an encrypted conversation is reported by one of the participants, the 30 most recent messages can be accessed by Facebook staff for 30 days. Disappearing messages will be prevented from being wiped Facebook’s servers if reported within six hours.

Instagram Direct Messenger

End-to-end encryption can be optionally enabled for chats with one other user on Instagram.

Skype

Skype does not support end-to-end encryption by default, but you can enable Private Conversations with one other user. These encrypt text, voice, and video communications.

Microsoft Teams

Microsoft Teams does not support end-to-end encryption by default, but it’s available as an option to one-on-one voice or video calls.

Discord

Discord does not support end-to-end encryption.

Twitter direct messages

These are not secured by end-to-end encryption. Private messages can be seen by Twitter and, should they look into them, its staff.

Mastodon direct messages

Mastodon direct messages are not secured by end-to-end encryption. Private messages can be seen by the Mastodon instance you’re on and its administrators. They can also be viewed by the administrators of the instance that the person you’re speaking to is on.

Email

Email is not secured by end-to-end encryption by default, but can be if both parties use PGP keys. Some email services, such as ProtonMail, encrypt messages by default if both correspondents are using ProtonMail, and provides alternative encryption options if you’re exchanging emails with someone who uses another service.