The Open Integrity Initiative (OII) will soon begin developing profiles on five tools. We propose the following asynchronous mobile messaging platforms for this milestone:
We have selected these tools in order to:
In addition to the conditions described above, we considered the following three means of classification when selecting tools for Milestone One. (It bears clarifying that this set of criteria is entirely separate from — albeit likely to overlap with — the actual metrics used by the OII to evaluate the adoption of digital security best practices among the developers of these and other tools.)
The tables below include possible tools for Milestone Two or later that would expand the messenger family to encompass:
For our initial set of tools, we would like to cover a cross-section of approaches to license freedom and source-code transparency. At the moment, we are looking at an openness continuum along the lines of the following:
Transparency level | Milestone One | Possible future tools |
---|---|---|
FOSS; standards-based | Signal, Android Messenger | Gajim, ChatSecure, Tor-messenger, etc. |
Open-source; for sale; standards-based crypto | Conversations | N/A |
Closed-source; claims standards-based crypto | Wire | Google Hangouts, WhatsApp |
Closed-source; claims unspecified crypto | Skype | Viber, iMessage |
For Milestone One, we will focus on the security properties of these tools' messaging and attachment features. The OII profiles on these tools will consider more granular metrics — end-to-end encryption, authentication mechanisms, forward secrecy, etc. — but a high-level protocol breakdown should be sufficient for the tool-selection criteria themselves.
Messaging encryption protocol | Milestone One | Possible future tools |
---|---|---|
Axolotl | Signal, Wire | WhatsApp, SMSSecure, Signal desktop |
OMEMO | Conversations | Gajim |
OTR | N/A | ChatSecure, Tor-messenger |
OpenPGP | N/A | K9/OpenKeychain, Thunderbird |
Unknown | Skype | Viber, iMessage |
Non-end-to-end encryption | N/A | Google Hangouts |
None | Android Messenger | N/A |
It is challenging to find a cross-section within this criterion. There are very few asynchronous mobile messengers that support self-hosting and federation. And, even with an expanded family of messaging tools (including email, desktop tools, and OTR clients), there is a clear divide between platforms with a centralized back-end and those that are both self-hostable and federated.
Self-hosting & federation | Milestone One | Possible future tools |
---|---|---|
Hostable; federated | Conversations | Gajim, ChatSecure, Tor-messenger, etc. |
Hostable; not federated | N/A | N/A |
Centralized back-end | Signal, Wire, Skype, Messenger | Viber, Hangouts, iMessage, WhatsApp, SMSSecure |
Should we decide to expand this family of tools in subsequent Milestones, likely additions to the list might include: