Keeping communication secure is a complex goal. It is already tricky for technical or mature organizations to execute, which usually makes it very challenging for non-technical and smaller structures.
However, there are smaller or non-technical organizations that have significant, sensitive data to protect, such as professional healthcare associations, small NGOs, etc.
PGP is a household name for many organizations (due to the early cryptowars), making it seem like a logical choice for communication security. But is it truly the best option?
A handy and non-technical definition of what the security part of “keeping communication secure” could mean is the following:
- Ensure communication is authentic, meaning it’s not manipulated and is sent by the person you expect
- Ensure communication is end-to-end[1] encrypted, meaning it’s being encrypted at the first possible hop (the sender’s device) and decrypted at the last possible hop (the receiver’s device)
Despite the easy definition, this is challenging to do in practice.
PGP was invented in the early 1990s with GPG following a few years later. Approaches to cryptographic engineering and identity / key management in general have changed a lot. The biggest change that happened after these tools were invented was the smartphone platform, though.
The easiest way to attack end-to-end encryption is to attack the endpoints[2]. When you have a computer with an unencrypted disk or weak access control, are in the habit of seldom updating software (such as browsers), love to install pirated software, or are simply unlucky, chances are your endpoint is compromised. Because they carry less legacy in their technical design, modern smartphones are vastly superior in terms of endpoint security.
Modern messaging apps are ubiquitous. There is essentially nothing to teach. PGP/GPG (even when used with tooling around it) requires teaching complex concepts and can fail unexpectedly and silently (e.g., when a sender forgets to encrypt something and sends confidential information unprotected).
Signal, on the other hand, works mostly just like a modern messenger. Under the hood, however, it’s quite a different beast.
Originally conceived by security expert and hacker Moxie Marlinspike, it is now run as a non-profit NGO. It’s not owned by the billionaire owners of the planet’s most toxic social media brand (WhatsApp), shady Russian businessmen who oversee massive disinformation, crime and propaganda networks (Telegram) or run as a business at all (Threema).
Instead, it features the best cryptographic engineering that is currently available for secure instant messaging. The same technology was licensed by WhatsApp to power (in a slightly less powerful configuration) its 1:1 communication. Unlike Telegram, for example, there is neither opt-in nor opt-out for encryption. Every communication is always secure.
Unlike Meta/Facebook, Signal is not in the business of knowing as much as there is to know about their users. In fact they choose to know nothing. Unlike Telegram they comply willingly with lawful law enforcement requests but the only data they have about their users is the last time a phone number was registered for using Signal. That’s all they know.
Signal can be used without a phone or at least without publishing a phone number. Messages can be set to auto-delete, which is essentially a configuration flag that helps everybody in a communication channel automate the cleanup of ephemeral content.
In summary: end-to-end authentication and encryption for non-technical organizations is a worthwhile yet difficult goal to achieve. The easiest way today is by using Signal on somewhat modern devices. While PGP/GPG were influential and important trailblazers for securing digital communication, Signal is the superior technology in terms of security, accessibility and ease of use.
[1] The majority of message protocols on the Internet (e.g. the website you are reading this blog on) is authenticated and encrypted but not end-to-end. For technical reasons different types of technical infrastructure need to decrypt (and re-encrypt) traffic.
[2] This is incidentally why the security of smartphone platforms has increased the way it has. It is also the context of the debate about nation states attacking such endpoints using exploits to circumvent this protection (“Staatstrojaner” in Germany).