[messaging] EFF Secure Messaging Scorecard

Robert Obryk robryk at gmail.com
Tue Nov 4 11:50:02 PST 2014


On Tue, Nov 4, 2014 at 5:43 PM, Joseph Bonneau <jbonneau at gmail.com> wrote:
> First version launched today: https://www.eff.org/secure-messaging-scorecard
>
> This was a collaboration between tech advisers (primarily Peter Eckersley
> and myself) and a good team of people with experience in journalism and
> activism and there were necessarily some compromises made. The primary goals
> here were:
>
> (a) simplicity for users (and journalists) to draw some conclusions about
> what's out there right now and we had to make a lot of compromises to keep
> things simple for end-users to understand.
>
> (b) reasonable carrots for some of the traditional messaging apps to add
> security features, get audits, and publish source code.

In order to get an "audit" checkmark one has to cause an audit to be
done and nothing more (one can keep the results secret and ignore
them). If someone tried to maximize their app's rating in the
scorecard with minimum effort, that's a (from their point of view)
reasonable thing to do, but it doesn't improve security at all. I do
not see a way of preventing such gaming while keeping the feature and
not requiring the audit results to be at least somewhat publicly
disclosed.

> Hopefully we will be launching a more detailed version next year with many
> more evaluation criteria but would be curious to hear feedback on this
> version from other folks working in this space.
>
> Cheers,
>
> Joe

Cheers,
Robert

