
The next time you think you're having a private online chat with a family member, you might want to think about who can read, watch, or log that conversation. The most popular solution in North America is Skype, so let's take a look at its privacy policy. From section 8:

Skype may use automated scanning within Instant Messages and SMS

Last year, after industry pressure, Microsoft also committed to publishing a bi-annual law enforcement requests report. It discloses that the governments of Brazil, Ireland, Canada and New Zealand have received content from chat logs.

As you know, I only recommend communicating with open source encryption. Skype's encryption is closed source, and we know that they have the ability to intercept messages in real time, as demonstrated in an article this week. I'm also just using Skype as an example; Facebook chat has the same issue, as does any other US-based commercial chat service.

We also know that any conversation taking place from outside of the US to the US is subject to the US PATRIOT Act. This includes Canada.

If you're wondering why a business would care about its employees using encrypted chats, ask yourself how much your competitors would pay a business intelligence service for your employees' chat logs as they cross the internet.

So what options are out there?

For Instant Messaging:

I recommend anything that uses Off-the-Record messaging. In the OTR project's own words, it offers the following features:

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

- **Encryption**: No one else can read your instant messages.
- **Authentication**: You are assured the correspondent is who you think it is.
- **Deniability**: The messages you send do *not* have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, *during* a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
- **Perfect forward secrecy**: If you lose control of your private keys, no previous conversation is compromised.
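To make the deniability and forward-secrecy properties concrete, here is an added illustration (not code from this post or from the OTR project) of the two mechanisms behind them: every message gets a fresh Diffie-Hellman secret whose keys are erased afterwards, and messages are authenticated with a MAC whose key is revealed once it is no longer needed, so a logged transcript proves nothing. The DH group, the SHA-256 keystream and the names `conversation` and `forge` are this example's own stand-ins, not OTR's actual parameters or API.

```python
import hashlib, hmac, secrets

# Toy DH group, constructed for this illustration only; a real OTR stack
# uses a standard 1536-bit MODP group and AES-CTR, not what follows.
P = 2**127 - 1
G = 5

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def derive_keys(shared):
    """One encryption key and one MAC key per DH step (OTR derives both)."""
    s = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def xor_stream(key, data):
    """Toy stream cipher: SHA-256 keystream XORed with the data."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(enc_key, mac_key, plaintext):
    ct = xor_stream(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def verify(mac_key, ct, tag):
    return hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag)

def conversation(messages):
    """Alice sends each message under fresh ephemeral DH keys (forward
    secrecy); once acknowledged, the used MAC key is revealed (deniability)."""
    transcript, revealed = [], []
    for pt in messages:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        shared = pow(b_pub, a_priv, P)            # Alice's side
        assert shared == pow(a_pub, b_priv, P)    # Bob derives the same secret
        enc, mac = derive_keys(shared)
        ct, tag = protect(enc, mac, pt)
        assert verify(mac, ct, tag)   # Bob checks authenticity in real time
        transcript.append((ct, tag))
        del a_priv, b_priv, shared, enc   # ephemeral material erased
        revealed.append(mac)              # old MAC key is published
    return transcript, revealed

def forge(revealed_mac_key, fake_ciphertext):
    """Anyone holding a revealed MAC key can tag an arbitrary message, so the
    transcript cannot later prove who wrote what (no third-party-checkable
    signature is ever produced)."""
    return hmac.new(revealed_mac_key, fake_ciphertext, hashlib.sha256).digest()
```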

So what uses off-the-record messaging?

Pidgin works on all major operating systems and is open source. Once you have Pidgin installed, you'll need to install the OTR plugin:

$ sudo apt-get install pidgin-otr   # if you're using a Debian/Ubuntu based operating system

Some other solutions that only work on a specific operating system:

For Mac OS X: Adium (comes with OTR; easier to get working than Pidgin if you're on OS X).
Not tested, but these also claim to use OTR: Miranda for Microsoft Windows and Kopete for KDE (GNU/Linux). If you're using Internet Relay Chat (IRC), XChat has an OTR plugin as well.

Once you have the OTR plugin installed, as soon as a chat is initiated with someone (an automatic key exchange takes place), make sure the padlock icon is closed; if it's open, your chat is not yet encrypted. A closed padlock only means the session is encrypted; the authentication property above still requires you to verify your correspondent's fingerprint, which the plugin reports as "unverified" until you do.

For Voice and Video:

I recommend the open source tool Jitsi for voice and video; it supports XMPP and SIP, and it supports ZRTP, SRTP and GNU ZRTP.