The fight over EFF’s Secure Messaging Scorecard

The Electronic Frontier Foundation (EFF)’s new Secure Messaging Scorecard is designed to answer one important question: Which apps and tools actually keep your messages secure and safe from prying eyes?

The results have been mixed. In the midst of many positive reactions from technology companies and users, the scorecard stoked a wave of criticism from several prominent figures in the security industry, who deemed the effort inaccurate, misleading, and vague. 

Peter Eckersley, the EFF technology projects director, defended the scorecard to the Daily Dot and said it was just “the first phase of an ongoing campaign for secure and usable cryptography.”

Here are the primary points of contention.

Did the EFF give too much credit to Skype?

[Image: Skype's entry on the EFF scorecard]

The EFF scorecard gives Skype two check marks for being encrypted in transit and encrypted so the provider can’t read it.

That was a hard sell for many privacy advocates, who immediately pointed to reports from the Edward Snowden leaks saying the National Security Agency (NSA) had tripled the number of Skype video calls it collected through Prism.

“There are always going to be difficult cases when you’re evaluating complex software,” EFF’s Eckersley said. “There are clear indications that the NSA intercepted Skype conversations. However, we don’t know if that was a break in the cryptography itself that would allow anyone to intercept, or if it was a compelled man-in-the-middle attack where Skype was made by authorities to give out fake keys to targets.”

As a result, Skype receives a negative in the “Can you verify contacts’ identities?” column. 

It seems clear that the problems with Skype go even deeper than the considerable criticism the scorecard piled on it. For many readers, the two check marks it did receive imply a modicum of security that likely does not exist on Skype today.
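The distinction Eckersley draws above, between a broken cipher and a provider compelled to hand out fake keys, is exactly what the "Can you verify contacts' identities?" column is about. The following is an added illustration, not code from the EFF or from any messenger discussed on this page: a toy key directory, a client that pins the fingerprint of a contact's key on first use, and an out-of-band fingerprint comparison. The key material is constructed byte strings standing in for real public keys, and the class and function names are this example's own.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample keys: opaque byte strings stand in for real public keys.
BOB_REAL_KEY = b"constructed-public-key:bob:v1"
BOB_SUBSTITUTED_KEY = b"constructed-public-key:substituted"


def fingerprint(public_key: bytes) -> str:
    """Hash the key and group the first 40 hex digits so two people can compare
    them over a call; this is the value a 'verify identity' screen shows."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


class KeyDirectory:
    """The provider's key server. Whoever controls it decides which key a
    client receives, which is why a directory answer alone cannot be trusted."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def publish(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]


@dataclass
class Client:
    name: str
    directory: KeyDirectory
    pinned: dict[str, str] = field(default_factory=dict)
    verified: set[str] = field(default_factory=set)

    def fetch_key(self, peer: str) -> tuple[bytes | None, str]:
        """Trust-on-first-use: pin the fingerprint the first time, refuse to
        use any later key whose fingerprint differs from the pin."""
        key = self.directory.lookup(peer)
        fp = fingerprint(key)
        if peer not in self.pinned:
            self.pinned[peer] = fp
            return key, "pinned"
        if self.pinned[peer] != fp:
            return None, "key-changed"
        return key, "ok"

    def confirm_out_of_band(self, peer: str, fingerprint_heard: str) -> bool:
        """Compare the pinned fingerprint with one the peer read aloud in
        person or on a call. Only this step detects a key substituted before
        first contact, when the pin itself is already the wrong key."""
        ok = self.pinned.get(peer) == fingerprint_heard
        if ok:
            self.verified.add(peer)
        return ok


def run_scenario() -> dict[str, object]:
    """Walk through first contact, a later key substitution in the directory,
    and the out-of-band check, returning each outcome."""
    directory = KeyDirectory()
    directory.publish("bob", BOB_REAL_KEY)
    alice = Client("alice", directory)

    _, first = alice.fetch_key("bob")
    # Bob reads his own fingerprint to Alice over a phone call.
    oob_real = alice.confirm_out_of_band("bob", fingerprint(BOB_REAL_KEY))

    # The directory is later made to hand out a different key for Bob.
    directory.publish("bob", BOB_SUBSTITUTED_KEY)
    key_after, second = alice.fetch_key("bob")

    # A fresh client with no pin accepts the substituted key silently;
    # only the out-of-band comparison catches this case.
    carol = Client("carol", directory)
    _, carol_first = carol.fetch_key("bob")
    oob_substituted = carol.confirm_out_of_band("bob", fingerprint(BOB_REAL_KEY))

    return {
        "first_contact": first,
        "out_of_band_matches_real_key": oob_real,
        "after_substitution": second,
        "key_used_after_substitution": key_after,
        "fresh_client_first_contact": carol_first,
        "fresh_client_out_of_band": oob_substituted,
    }


if __name__ == "__main__":
    for label, value in run_scenario().items():
        print(f"{label}: {value}")
```

The point of the two clients is the difference between what a scorecard check mark can and cannot promise: pinning catches a key that changes after first contact, but a client that never had the genuine key has nothing to compare against, and only a fingerprint exchanged outside the provider's channel exposes the substitution. A transport-encryption check mark says nothing about either step.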

CryptoCat gets a perfect score and a lot of criticism

[Image: CryptoCat's entry on the EFF scorecard]

CryptoCat, a dead-simple chat program designed to be secure and easy to use, received a perfect score from EFF. This raised the hackles of some members of the security community.

It’s easy to see why CryptoCat’s perfect score is being criticized heavily: The program has a problematic history of broken security, crackable keys, and a variety of attacks.

The EFF defended the score, arguing that the messaging app had been audited by independent experts, thus validating its secure technology:

“Actually, the quality of the audits [CryptoCat] has received have been exemplary,” Eckersley said. “Finding all those problems is the audits doing what audits are supposed to do. They turned up many bugs and they’ve been fixed. That’s what audits are.”

This turns up another issue many critics have with the scorecard: What is an audit? A simple check mark says nothing about the quality of the audit, if it’s public, if it focused on cryptography, or what its results were. In other words, a check communicates nothing about the quality of an audit, just that one took place in the last 12 months.

“We would love to have a standard for top-shelf audits,” Eckersley responded, “but such a standard is impossible to define.”

Eckersley resolutely stood behind CryptoCat’s perfect score while security experts like Jacob Appelbaum, a Tor developer, and Thomas Ptacek, founder of Matasano Security, continue to point out flaws.

Buried PGP recommendation

PGP, likely the most important secure-messaging technology, is hidden in a secondary review section that is difficult to find, even though it is featured and recommended as the tool of choice in the EFF's own guide for journalists.

• • •

Despite the arguments over the scorecard’s specifics, the EFF is pleased with the feedback so far.

“We are actually very excited about the responses to this scorecard,” Eckersley said. “We’ve seen tech companies working really hard to improve their security.”

One of the big targets of the scorecard is the tech companies that make the messengers. The EFF wants to incentivize these companies to make their products more secure by publicizing the grades and setting a clearer road map toward better security.

As a result of the scorecard, “at least one household name tech company said we had to pull a team off another project to audit this project. They found a lot of problems and fixed them,” Eckersley said.

Whatever problems exist in this scorecard, it’s only the first step. The EFF says it’s willing to update the card and that the next evaluations will be more informed.

“What we’re trying to do here is solve a problem,” Eckersley concluded. “The problem is: There’s currently no secure, reliable, and usable protocol that the Internet can switch to do secure messaging. We know we’re going to need such a protocol, it’s going to need new engineering work, new usability to work, a lot of research and development effort. We’re trying to incentivize Silicon Valley and these projects to get to work.”

Photo via takacsi75 (CC BY 2.0)

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.