Amnesty International set out to determine which technology companies met “their human rights responsibilities in the way they use encryption to protect users’ online security.” The research resulted in a ranking of the messaging apps of 11 tech companies, based on their use of encryption to protect users’ privacy.
According to the detailed list of Message Privacy Rankings (pdf), Facebook did the best, scoring 73 out of 100 for WhatsApp and Facebook Messenger. Both Apple for iMessage and FaceTime and Telegram for the Telegram Messenger scored 67. Google came in with a score of 53 for Allo, Duo and Hangouts.
The rest were ranked below 50. The absolute worst in the privacy rankings were Tencent for QQ and WeChat, BlackBerry and Snapchat, followed by Microsoft for Skype. Amnesty International noted, “Despite Microsoft’s strong policy commitment to human rights, it is still using a weak form of encryption on Skype, scoring 40 and leaving it four places from the bottom. None of these companies provide end-to-end encryption of their users’ communications.”
Please note that Amnesty International did not do an overall assessment of security, did not rank companies based on overall human rights performance, and did not assess the companies' approach to privacy across all products and services.
Instead, the companies were ranked across five criteria:
- How well each company recognized “online threats to their users’ privacy and freedom of expression”
- If the company applied end-to-end encryption by default
- If the company made users “aware of threats to their rights and the level of encryption in place”
- If the company disclosed government requests for user data
- If the company published technical details of encryption systems used
Several of the messenger apps did have end-to-end encryption: WhatsApp, iMessage, FaceTime, Line, Viber and Duo. Allo, Kakao Talk and Telegram also offer end-to-end encryption, but it is not turned on by default.
Most of the companies claim to be committed to privacy, but the report states, “In five cases—most starkly Microsoft—there was a gap between the company’s stated commitment to privacy and recognition of the threats to human rights and the level of encryption applied to their IM service. Also, the majority of those assessed do not have a stated commitment to freedom of expression.”
While most of the companies have taken a public stand against encryption backdoors, some scored lower than others because they do not publish a transparency report. Eight of 11 companies responded to Amnesty’s request for information; Google, BlackBerry and Tencent chose not to reply.
“The future of privacy and free speech online depends to a very large extent on whether tech companies provide services that protect our communications or serve them up on a plate for prying eyes,” said Sherif Elsayed-Ali, head of Amnesty International's Technology and Human Rights Team.
Amnesty believes encryption is a human rights issue. The report concluded:
“There is no excuse for not putting in place end-to-end encryption on instant messaging services. Companies that are still entirely relying on a weaker form of encryption, such as BlackBerry, Microsoft, Snapchat and Tencent, are putting the personal communications of millions of people using their services at greater risk. As such, they are failing to meet their responsibility to respect the human rights to privacy and freedom of expression.”