Alvise Pérez needed 300,000 to 360,000 euros for his 9J campaign, as he admitted to Álvaro Romillo, aka Luis CryptoSpain. He ended up getting at least $100,000 in cash from this cryptocurrency businessman after promising him influence in the European Parliament and beneficial legislation for his “business” in Spain. This relationship, revealed by elDiario.es through messages and calls between the two, began to circulate with a WhatsApp message. “I wanted to ask you a question. Can you speak today? » said Alvise to the crypto entrepreneur. “Are you using Threema, Signal or Session? » he asks immediately afterwards.
The three apps offered by the ultra agitator are encrypted instant messaging services. They are characterized by providing the maximum privacy and security in communications that can be obtained with an ordinary mobile phone. The best known of these is Signal, where the conversation between Alvise and Romillo ends up taking place and through which the delivery of the 100,000 euros is coordinated.
Alvise used Signal to declare that he needed “funds that do not need to be audited by the Court of Auditors” on an “urgent” basis. The current MEP proposed the possibility of doing this with Sentinel, a company from Romillo which has 5,000 fortified safes in a bunker in the center of Madrid. Sentinel allows money exchanges under the promise of total confidentiality: behind the back of the Treasury and avoiding the anti-fraud measures to which financial institutions are required.
“Thank you 100,000,” Alvise wrote in another Signal post after collecting the money. Prosecutors are currently investigating whether these funds were used to pay his campaign expenses and could constitute an illegal financing offense, punishable by up to six years in prison.
Signal’s special privacy features make it an app often used by anyone who wants to hide their activities from authorities. This does not mean that Signal, Threema or Session are designed for criminal use. The same protections that attract criminals make this app popular among opponents of authoritarian regimes that violate human rights, activists, journalists and their sources, corruption whistleblowers, or people concerned about corruption. mass surveillance. But what are these characteristics?
On WhatsApp, the walls hear
WhatsApp offers the most robust communication content protection in the industry: end-to-end encryption developed by Signal itself. It is a technology that protects messages from any attack so that only the sender and recipient can read them.
When a message is end-to-end encrypted, it becomes a code that only the recipient, using a special key, can decipher. This means that even if it is intercepted by security forces or cybercriminals, they will not be able to access its contents if they do not have the key. Even the company that provides the courier service cannot do this. Threema and Session also use their own end-to-end encryption protocols.
But communications privacy goes beyond the content of messages. In the digital environment, every message leaves a trail of information that includes who writes to whom, how often, at what times, where the user who sends the message is and where the user who receives it is, or what device each user uses. This is so-called metadata, which can be very relevant to a third party interested in the activities of the interlocutors. How they are managed is a key policy in messaging apps, as they are not covered by end-to-end encryption.
Alvise Pérez asks Álvaro Romillo if he uses Signal, Threema or Session, applications that are more private and secure than WhatsApp.
This is where Signal, Threema or Session make the difference with WhatsApp. The three applications offered by Alvise in Romillo prevent the generation of digital metadata files. You cannot query a metadata file that has never been created. They also prevent any individual metadata from leaving the user’s device attached to a message. It is not possible to intercept metadata that has never circulated on the Internet. These types of measures are called privacy by design.
In WhatsApp the situation is different. Conversation metadata is included in files that are transferred directly to Meta, the owner of the application, as stated in its privacy policy. This journey through the network makes them vulnerable to interception by a third party. Additionally, when stored in databases owned by the social media company, they may be subject to court order, cyberattacks or espionage operations.
However, WhatsApp has an even greater vulnerability in what it calls “backups” of chats. The platform generates them to allow, for example, recovering conversations that took place on old phones. Backups include the full contents of all chats and shared files, are stored in the cloud and unlike messages, are not encrypted by default. This practice exposes WhatsApp conversations and makes the user lose control over them, since the decision to store backup copies belongs to each interlocutor, who can do so without the authorization of the rest of the participants in their discussions and without setting a password. encrypt them.
Signal, Threema and Session do not generate cloud backups or store any type of chat or file sharing history. These only stay on the user’s phone. Like the rest of its protection package, these security measures are confirmed thanks to the fact that all three are open source. This means that you do not have to believe that they work as the organizations that run them claim, but that anyone can access their computer code and verify it for themselves. WhatsApp does not have its code open to the public.
Threema, a payment application designed for business environments
Although it is the application most recommended by digital rights organizations (it is banned in China, Iran or Russia), Signal makes some concessions to facilitate its accessibility for the average user. The main one is registration using the phone number, which allows you to find out which contacts stored in the phonebook use the application. Although Signal does not store contact lists on its servers, linking the account to a phone number allows you to trace the identity of the person you are talking to.
Threema and Session go further and do not require a phone number to register. They use a unique and anonymous identifier. If each member’s code is not known, it is impossible to locate other users and establish communication.
In Threema’s case, this policy is based on the fact that its service is designed for corporate and government environments as an internal communications tool. It is paid and is based in Switzerland. As explained on its website, companies like Mercedes-Benz, the airline Fly Emirates or public entities like the Central Bank of Germany, the Swiss army or many German, Austrian and Swiss hospitals and municipalities use its services. The Insurance Compensation Consortium, a public company dependent on the Spanish Ministry of the Economy, is on its list of 8,000 organizations.
Signal is estimated to have around 70 million users worldwide, while Threema has around 10 million. The session, however, did not reach a million. It’s a niche app “designed and built for people who want absolute privacy and freedom from any form of surveillance,” explain its creators, Oxen, an Australian organization that also developed the cryptocurrency of the same name.
Session, intimacy to the point of “paranoia”
Session incorporates another layer of privacy and anonymity because it uses the same decentralized technology as the Oxen cryptocurrency to send its messages. These nodes are operated by people who stake or invest in this crypto to earn rewards, which encourages the stable and secure operation of the network. You don’t even need to create an account to use it. It has all the security measures… but that is precisely its biggest problem.
“The application is 100% private, it does not collect metadata, you do not need to create a user or phone number, the servers are decentralized. Plus, it’s open source. In terms of privacy, it’s the best,” explains Rafael López, expert at the cybersecurity company Perception Point: “But on the other hand, it is 0% usable for the user average, even for the advanced user. »
All of Session’s protections make it very complicated to use it and find other people doing it. “This is for something that must be very precise and very punctual, because to speak to someone, you have to share a chop [un código alfanumérico generado mediante algoritmo muy utilizado en ciberseguridad o criptomonedas] which ultimately is a very long number, and the other person needs to know what a number is chop»López continues. “It’s a bit of a nightmare, it’s not usable at the moment,” says the specialist: “It’s a level of absolute paranoia.”
