Viber Encrypts Communication for 700 Million Users…But There’s A Problem

Hot on the heels of Facebook-owned (funny, just like most of the populace) global communications juggernaut, WhatsApp, announcing that they “flipped the switch” on integrating excellent Signal-protocol-based, open-source, end-to-end encryption on all chats and group chats, Israeli-based company–and popular Skype alternative–Viber has announced that as of the update to Viber 6.0, over 700 million Viber users now have their texts and photos sent via the service end-to-end encrypted (it’s not clear if the encryption extends to voice and video calls, too).

SIDE NOTE: I’m shocked that this story isn’t getting shared more. Technically it’s not 700 million users, Viber has over 1 billion users. The WhatsApp encryption bullshit was all the rage in my social circles. Must be because Viber isn’t part of everyone’s Facebook teat that they keep sucking on.

Now, no need for this post to be terribly long. If you’re a frequent reader at the Dark Android Project (or you listen to my tech podcast, Sovryn Tech) you probably know what I’m going to say here. Obviously, this encryption by Viber does nothing to solve the metadata collection problem (which is the same exact problem with Facebook’s WhatsApp), but that’s not really the primary concern here for me.

SIDE NOTE: One advantage to using Viber instead of WhatsApp is that Viber is not a part of Facebook’s metadata-collecting ecosystem that revolves around your Facebook account. While Viber doesn’t protect your metadata, it does keep it from being in one giant database at Zuckerberg’s house that he readily hands over to advertisers and governments.

The main concern is that the Viber app–whether on desktop, tablet, or smartphone–is not open-source at all, and their encryption protocol is “homegrown” (though they claim that it’s based on an open-source protocol of some kind). So the app’s source code is locked down, which raises questions about any kind of security it could have, and “homegrown” (or “rolled their own”) encryption means they made their own encryption, instead of using something tried-and-true like Axolotl (also now known as the Signal protocol by Open Whisper Systems). To WhatsApp’s credit, at least they went with Axolotl, but even WhatsApp isn’t open-source. This is all a huge mistake on Viber’s part. While the argument can be made that “some encryption is better than no encryption”, encryption is in many ways a zero-sum game: Either the encryption implementation is done right, or it’s worthless. And “rolling your own” encryption, and not being an open-source app, are both potential recipes for disaster. I’m not opposed to new encryption protocols being created, but you really have no idea how they perform “under pressure”, and if you’re an activist, that’s not acceptable.

SIDE NOTE: You may be wondering where Telegram fits into all of this. While Telegram also made the error of “rolling your own” encryption (MTProto), unlike Viber it is completely open-source. Granted, it doesn’t offer voice calling like WhatsApp and Viber do, but it bests both of them in the fact that it is open-source. Telegram certainly has many other problems, but if I had to choose between those three, I’d go with the app that is run by a fellow anarchist–and that’s Telegram. However, we don’t have to choose between those three, we can choose to use the Signal app, or even PGP emails (which is very simple to set up thanks to OpenKeychain and K9 Mail).

Bottom line, if you’re interested in having your calls and texts encrypted, you want to be using the Signal mobile app (and its sister desktop app).

But Viber does have one very interesting advantage over Facebook-owned WhatsApp and some other encrypted messaging solutions: The company or parent company isn’t located in the US. Viber is an Israeli company. This means that no matter what laws the US Congress passes about encryption, Viber is in no way obligated to follow said regulations. This shows the whole “system” for the sham that it is. It doesn’t matter what any legislators in any country have to say, encryption can just be “imported” from other countries and used willy-nilly. Really, aside from shutting down the internet, you’re not going to be able to stop people from getting their hands on apps with solid encryption that ignores any law. That’s just how math works, folks.

SIDE NOTE: Telegram is also not US-based, so they don’t need to listen to US legislators, either. But again, it’s not the best option. Another company that encrypts all of its communications that isn’t US-based is the LINE Messenger. They’re out of Japan, and they have a much more social media feel. While I like much of what LINE does (and I use it on an hourly basis, username: sovryn), it does fall prey to many of the same flaws I’ve described for Viber, WhatsApp, Telegram, and the rest.

While Viber encrypting things is pretty much worthless in my eyes, it does forward the “agenda” of people getting used to the idea of encryption, whether they knew anything about encryption before or not. And this is good. It also highlights a very empowering message: We now live in a world that truly ignores all concepts of boundaries and nationalities. Nation-made, violently-backed laws are skirted in the same amount of finger movements on your smartphone as are used in flicking a switch. And the attempts alone by legislators to try and ban or work against encryption are a testament to just how powerful encrypted communications can be for you the individual…because obviously it scares the shit out of them.

So use it. Embrace it. Enjoy it. Peacefully scare the shit out of people who think they can tell you what to do. End-run the whole goddamned system by “encrypting all the things”. But just make sure you do it right…and Viber isn’t doing it right. Hit up Signal or PGP.

SIDE NOTE: While the “some encryption is better than no encryption” argument is really valid here, I will say that the argument of “I use these platforms like Viber and LINE to get away from Skype and Facebook” is perfectly valid. Getting away from the monoliths is a fine thing to do, even if the solutions aren’t perfect.

And say it with me: LAWS ARE WORTHLESS. Did you expect an anarchist like me to say anything less?

Carpe lucem!
