Privacy and confidentiality are amongst the most sensitive subjects of modern times. Every day you get news about some security violation or breach due to application flaws. Nothing is safe - even seemingly all-round private and secure messengers.
Messages are being leaked daily and accounts hijacked due to improper database maintenance like storing user passwords in plaintext almost in plain sight. It is disturbing and not particularly endearing.
This kind of environment has driven growing demand for secure private messengers such as the Signal Chat App and the like, which treat users and their data with respect.
In this article, we will talk about secure messengers, why they matter, and also discuss the ways they generate revenue.
A secure private messenger is a messaging application that emphasizes the privacy and confidentiality of its users through encryption and service transparency.
While every modern messenger uses some security practices (most prominently SSL/HTTPS), the difference between secure and classic messengers lies in what we don’t know about their implementation and their approach to user data.
Secure messengers evolved into a distinct category due to the growing awareness that communication over the internet is accessible by third parties, and reasonable concerns that the messages can be used against the users.
People are using messaging to share personal information, photos, and other files. Why should this information be accessible to anyone else?
Messengers are also used to report on sensitive political and social issues, especially in countries where governments monitor the internet. Another contributing issue is the lack of regulation over what goes on in privately owned platforms like Facebook or Google. It is a well-known fact that big tech is using user data, including personal messages, to adjust advertisement targeting.
The core principle behind secure messaging is end-to-end encryption.
For example, how does Signal work?
The Signal app uses its own encryption method, called Whisper Protocol. It is also used in WhatsApp, which makes it more secure than Facebook Messenger.
This type of encryption uses a multi-layered approach that makes it nearly impossible to brute force your way into the data. This feature makes the Signal app secure.
Here’s how end-to-end encryption works:
- Two users start a conversation. This event creates two sets of keys:
  - The private key, which remains on the user’s device.
  - The public key, which is stored on the service provider’s server.
- When user A writes to user B, user B's public key is retrieved and used to encrypt the message so that it can be read only with the matching private key. The message is then sent to user B via the server and decrypted with the private key.
As you can see - it is simple.
The data stored on the server is of no use in its encrypted form - it is just letters and numbers beyond comprehension. No one can read it without the private key. Brute-force deciphering does not work either: the key is a long string of randomly generated characters, and there are far too many possible combinations to try.
Unless the intruder finds a way of retrieving the private key from the user’s device (it is possible; a SIM swap or a lost phone helps), the intercepted data is about as useful as a document typed by a cat lying across the keyboard.
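The flow described above, as an added example that is not code from Signal or any messenger named in this article: a relay server that holds only public keys and ciphertext, with the private key staying on the recipient's device. It uses Node's built-in `crypto` module (X25519 key agreement, HKDF and AES-256-GCM) as a stand-in for a real messaging protocol; `server`, `register`, `send`, `receive` and the `e2ee-demo` label are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Hypothetical relay server: it stores public keys and ciphertext, never private keys.
const server = { publicKeys: new Map(), mailbox: [] };
const importPub = (der) => crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });

// The key pair is generated on the device; only the public half is uploaded.
function register(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  server.publicKeys.set(name, publicKey.export({ type: 'spki', format: 'der' }));
  return privateKey;
}

// Both sides derive the same AES key from an X25519 exchange (HKDF-SHA256).
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'e2ee-demo', 32));
}

// Sender: fetch the recipient's public key, encrypt, hand the envelope to the server.
function send(to, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh key pair per message
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const key = deriveKey(eph.privateKey, importPub(server.publicKeys.get(to)), ephPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const envelope = { to, ephPub, iv, body, tag: cipher.getAuthTag() };
  server.mailbox.push(envelope);
  return envelope;
}

// Recipient: only the matching private key yields the AES key; final() throws
// if the key is wrong or the ciphertext was altered on the server.
function receive(privateKey, envelope) {
  const key = deriveKey(privateKey, importPub(envelope.ephPub), envelope.ephPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
}

// Constructed sample run.
const bobDeviceKey = register('bob');
const stored = send('bob', 'quarterly numbers attached');
console.log('server sees:', stored.body.toString('hex'));
console.log('bob reads:  ', receive(bobDeviceKey, stored));
```

In this model the server is still trusted to hand out the correct public key; real messengers let users compare key fingerprints out of band to detect a substituted key.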
Now let’s look at some of the major secure messaging apps and their business revenue models.
First, let's nail down the basics.
The value proposition of the encrypted messaging app is built upon four basic principles:
- End-to-end Encryption (aka E2EE);
- Message deletion;
- Limited use of metadata;
- Transparency of service and product.
Let’s look at them one by one.
- Encryption is the most prominent selling point of the encrypted messaging app. It is used to guarantee user privacy and data security by scrambling messages and making them unreadable without the encryption keys.
- Message deletion is another critical piece of the puzzle. While message deletion is one of the basic features of every messenger, secure or not, there is a caveat. It is usually just a prop. Users can delete messages on their device, but not from the other user’s conversation or server log. These messages may remain on the service provider’s servers. Facebook is doing it all the time; Google does it, Yahoo probably remembers what you did in your past life. So, actually giving users the power to erase their messages completely is an excellent step towards building a trustworthy relationship with the user. For example, Signal has a timeout option that automatically deletes messages after a certain period upon the message being read.
- Metadata is one of the most problematic elements of user privacy. It is used to identify users and their credentials. Most messaging apps store message metadata by default. It includes such data as time, sender, receiver, contact list, device ID, and so on. This information can be used by hackers to identify the user and apply social engineering skills to retrieve the decryption key. The most prominent example of storing metadata on servers is WhatsApp. While it applies E2EE to messages, it also saves some aspects of message metadata, which is a reason for concern. On the other hand, Signal stores only the last connection data for log-in and nothing else. The rule of thumb is: the less metadata a secure messenger uses, the more secure your data is.
- Transparency for secure messengers is twofold. First, you have terms of service which directly state the intention of providing a safe and confidential communication platform. But talk is cheap, and if you talk the talk, you need to walk the walk. That’s where the second aspect of transparency kicks in. The real sign of clarity is when your secure messaging app has open source code, so that anyone can look inside and check whether it is safe enough and has no backdoors. That is the real indication that there is nothing to hide. It is also the right way of improving the quality of an application through crowd effort, as any expert can contribute to polishing the product.
These are the foundation blocks of the product upon which the monetization model is built. Now let’s look at how different secure messaging platforms operate and generate revenue.
In this section, we will look at the business revenue models of several popular secure messaging apps:
WhatsApp - the most popular secure messaging app. Curiously enough, WhatsApp uses the Signal app's encryption protocol. WhatsApp is unique in a way because it enjoys the luxury of being part of the Facebook corporation and benefits from its massive infrastructure. This aspect also explains its business model.
Originally, WhatsApp had a subscription fee, but it was scrapped upon being purchased by Facebook, and now the app is free to download. Given the fact that Facebook has a big advertising platform, and the fact that WhatsApp stores user metadata - it is fair to say that it is figured into the ad targeting mechanisms and subsequently applied on Facebook. In addition to that, WhatsApp is currently testing in-app advertisements and monetization that will also use the aforementioned targeting mechanisms.
Signal is the trailblazer of secure messaging applications. Signal is another hard case, but for a different reason. The thing is - there is no real answer to "how does Signal make money?" - because it doesn't generate revenue. Signal's developer, Whisper Systems, doesn't operate as a business and stays afloat on government grants instead. While this stance is noble, and deserves respect - there is no business angle to speak of.
That said, you might argue that this kind of project is very beneficial for reputation and can open up many different partnering opportunities.
With Wire things get interesting.
Wire's pitch is basically "Slack and Skype but with End-to-end encryption and no fuss." The application is built around a subscription revenue model with different features.
Let's look at how Wire makes money:
- There is a streamlined free personal app that offers an excellent showcase of the platform's possibilities.
- Then there is the Pro version (6€ monthly) with more features for a reasonable price; it can be used for groups to discuss projects and maintain confidential communication all the way through.
- Wire Pro is a further expansion of the Enterprise version that adds third-party integration and on-premise deployment to the mix.
- Finally, there is a crisis communication edition, designated Red, with extreme levels of security designed for emergency events like malware attacks and breaches.
Wickr is another secure messaging app whose business revenue model rides on the Enterprise customers.
It is specifically designed to deal with company-wide confidential communication. The majority of Wickr's features are tailor-made for handling sensitive information.
For example, in addition to the traditional timer, you get a shredder feature that deletes all traces of the message or file.
How does Wickr make money?
The revenue model revolves around a multi-level tier of subscription with an expansion of features that culminates in the ultimate enterprise package.
Threema is probably the most interesting of the bunch. It is very similar to WhatsApp in terms of positioning - secure, strictly confidential messenger.
Their main selling point is the so-called "no strings attached" policy, as the application does not need to be tied to a telephone number. This feature makes it even more anonymous than the other apps on the list.
Like Wickr and Wire, Threema uses a multi-tier subscription revenue model with different types designed for different communication approaches - it is easy to understand how they manage to generate a steady stream of revenue.
Here's how Threema makes money:
- There is a standard Work model designed for team communication.
- Then there is a top-down Broadcast model. It is designed for more formal communication like general announcements.
- The most interesting is Threema Gateway, which is not a product but a service. With that, users have their own communication tools and use Threema's server as a secure transmitter for a reasonable fee.
In the context of business operation, communication is a vital element of maintaining an efficient and dynamic working process. It lets you keep everything up to date and on the same page.
And since many things are going on at the same time - tools like messengers are one of the many helpers that make the working day a little more manageable.
So why bother with secure messengers?
Here’s why. The information that goes through messaging applications requires a certain level of confidentiality that most messengers can’t provide. It is one thing when a user is compromised, and it is an entirely different thing when the service provider itself is compromised. You can’t gamble your confidential information like that.
Some of the information, like employee and customer data, proprietary information, data directly linked to business performance or future projections, may be strictly under a non-disclosure agreement. Without proper encryption, it remains vulnerable to exposure. The chances are slim, but the possibility remains.
And there are people interested in acquiring that sensitive information, people who like to play dirty because getting a competitive advantage is a decent motivation to go beyond the law. And when private conversations leak, especially the business-related ones - the impact is comparable with the Titanic hitting an iceberg.
Encrypted communication prevents this from happening.
So what’s the problem?
I want to give you one example from personal experience. A couple of years ago I worked for an NGO regarding the legal system. The team preferred to work within a Facebook Messenger private chat (right choice, already) and the conversations ranged from unflattering to scathing, especially regarding the grant supervisors whose reporting requirements were strict. Guess what happened next.
You may say "but isn't every messenger supposed to be private by design?" - The answer is yes, but not really, because the internet doesn't work that way.
The information transmission on the internet is always monitored in one way or another. After all, it is being transmitted through servers from point A to point B and so on. The communication via messenger application is always happening through a third party - a service provider.
Now let's get back to encryption.
Encryption is an inherent part of modern messenger services.
In one way or other, every platform brags about encrypting user messages. But not every type of encryption means real privacy and confidentiality.
The standard encryption method used in popular messaging apps like Facebook Messenger and Skype is SSL (Secure Sockets Layer). This type of encryption prevents third parties from intercepting messages in transit (this action is called a "man-in-the-middle" attack). It is crucial, but there are also other ways of breaching privacy.
The thing is, service providers still have access to user information in its full scope - starting from messages and attached files and going as deep as habits and preferences derived through sentiment analysis.
For example, Facebook is monitoring user conversations on Messenger and factoring this data into advertisement targeting (by the way, it is not very ethical).
Now imagine a situation in which a service provider is compromised.
Things look pretty grim in this scenario, right? It happens all the time. WhatsApp just experienced a massive breach with lots of data exposed. The messages themselves were left unscathed, but the contacts leaked.
In addition to that, service providers are obliged (under specific circumstances) to share user data with law enforcement. This seems reasonable, but law enforcement can also abuse this right (look at China or Russia). But when you have end-to-end encryption, the information on the service provider's servers is useless to a third party.
The secure messenger market is one of the fastest growing in the software industry. Due to increasing privacy concerns, and a never-ending stream of various data breaches, more and more companies are starting to take their communication practices very seriously, and that makes them turn to secure messengers.
As you can see, getting into the secure messenger game is not quantum physics. You need to have a solid value proposition, open source transparency, and reasonable prices in exchange for services. Everything else is a matter of positioning.