<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 23, 2014 at 4:15 PM, Trevor Perrin <span dir="ltr">&lt;<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>&gt;</span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
"Apple iMessage, Wickr and BBM Protected can all be described as<br>
opportunistic encryption messaging systems that have been very<br>
successful deployment-wise." - Joe Bonneau, [2<br></blockquote><div><br></div><div>To that list we can apparently add Kik and its 150 million users. Interestingly, they don't seem to make any claims publicly about their security, but in their advice to law enforcement they say "The text of Kik conversations is ONLY stored on the phones of the Kik users involved in the conversation. Kik doesn’t see or store chat message text in our systems, and we don’t ever have access to this information." [1] It's not P2P, so this seems to imply that E2E encryption is happening. This is highly unusual, of course - most apps make bold security claims publicly and undermine them in the fine print, but the opposite appears to be going on here.</div><div><br></div><div>[1] <a href="http://kik.com/wp-content/uploads/2014/01/Kiks-Guide-for-Law-Enforcement_July-17-2014.pdf">http://kik.com/wp-content/uploads/2014/01/Kiks-Guide-for-Law-Enforcement_July-17-2014.pdf</a></div><div> </div><div>Some other thoughts: </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
1) Size of target population: Email has a huge userbase, and email<br>
addresses are widely shared, so spammers are able to harvest huge<br>
target lists.<br></blockquote><div><br></div><div>If you scale by people interested in/susceptible to spam, these populations may remain low. I think they lean young and tech-savvy. Also, there is very little commercial use of these channels, which makes spam stick out more.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
2) Cost per communication: Sending a single email is very cheap,<br>
compared to (say) postal mail<br></blockquote><div><br></div><div>This may be non-zero for messaging apps because all benefit currently from only being accessible via proprietary apps. I'm not sure which have been reverse engineered successfully - I believe WhatsApp and Snapchat have been at least partially reverse engineered, but I'm not sure for the above. Surely a motivated spammer could create a compatible app to send spam for free, but that's a non-zero barrier to entry.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
4) Ability to attribute and penalize the sending user: Free email<br>
accounts and easy signup make it hard to impose a cost on abusive<br>
users.<br></blockquote><div><br></div><div>Certainly these are all centralized systems with the ability to ban sending users. The key question is, how hard is it to create accounts? It would be interesting to survey what info each requires - which verify phone numbers, etc. Phone numbers are definitely a non-free resource. iMessage and BBM Protected may also utilize some sort of unique device identifiers, which are even less free.</div></div><br></div></div>