Product design decisions for secure messengers

The messaging world has moved from desktop to mobile, to secure mobile messengers for consumer, and to less secure messengers that work on multiple platforms for business.

The future requires a model that combines security for multi-device communication on all platforms — desktop, mobile, tablet, smart devices and wearables. Phone number-based identity is not a good foundation for this future.

All messengers on the market have made two fundamental decisions. First, do they use end-to-end encryption (E2EE) that is on by default or not, and second, are they primarily mobile focused and rely on a phone number, or do they offer a good multi-device experience that is decoupled from the phone number.

From the chart above it’s clear that apps like WhatsApp and Signal are in the secure, mobile-first corner. They use a phone number as the account identifier, and require access to the phone address book to operate.

Mostly team collaboration tools like Skype for Business, Microsoft Teams, Slack, but also Facebook Messenger, are in the “not secure by default, but works equally on desktop and phone” corner. They don’t offer end-to-end encryption (with the exception of FB Messenger that has it as an option only on mobile and only for 1:1 chats) and keep the content of the conversations on their servers.

Wire’s goal is to combine end-to-end security that’s becoming the norm in the consumer space, with the workplace must-have features like multi-device support and a great group collaboration experience. This means we’ve had to do things differently.

Wire needs certain data to operate its service

To provide secure chat, calls, and file sharing, and to offer a great user experience, Wire has some data about its users on the server. This data includes things like profile name, username, and profile picture, but also things like user’s list of connections and conversations.

Wire’s privacy whitepaper details all of this so anyone can make an educated decision whether our product meets their personal privacy requirements. The whitepaper however doesn’t always explain why Wire needs this data. How does our approach improve the product and the user experience?

Wire’s mission has always been to protect people’s digital privacy and offer a great user experience to make switching away from privacy-invasive alternatives easy. This has driven some of the product design decisions, and has resulted in a different setup compared to competitors that rely only on a phone number as the account identifier.

If you don’t want to share your phone number […] use an end-to-end encrypted messenger, we’re not talking like Facebook Messenger here, we’re not talking like Google Allo, something like there’s another called Wire app.
Edward Snowden, Pod Save The People podcast

No need for a phone number

One of the biggest differences compared to other secure messengers like WhatsApp or Signal, is that Wire does not require a phone number to sign up. Anyone can register with an email on desktop or tablet and then decide if they want to use the same account on their phone or not.

There’s also no requirement to share the phone’s address book as Wire does not rely on phone numbers to build connections between users. See also: Staying anonymous on Wire.

Based on feedback this was the right decision — people consider their phone number as highly personal information and many don’t feel comfortable sharing it, especially in the work environment. Phone numbers also change as people switch jobs, move countries, or change their mobile operators.

Not relying on a phone number and address book meant that we needed an alternative way to maintain connections and sync the conversation list between devices.

After weighing the options, we settled on having the list of connections and conversations on our servers. This has several benefits:

  • Full multi-device support. Wire does not rely on your phone as the main device. You can just as easily register on desktop or with your tablet and log in later on the phone.
  • Synced chats. Sign in on a 2nd device and your friends and list of chats are already there. Chat history is not available on new devices, but from that moment onwards everything is nicely in sync.
  • Group conversation experience. Group members can add and remove other participants, delete unintended messages from everyone’s devices, and access the group from up to 8 devices.
  • Better spam control. The concept of connections means that you have control over who can send you messages or call you. There’s no room for large scale spam, phishing links, or malware “campaigns”.
  • Improved security. When you start using Wire on a 2nd device, Wire knowing your email address allows us to show you both an alert in the app, but also to email you about the login. This ensures you’ll know if someone has compromised your account and to take appropriate actions.

WhatsApp, like Wire, stores group conversations and their titles on their servers to improve the user experience in case you lose your phone, or need to reinstall the app. Since WhatsApp relies on the phone’s address book to know who you communicate with they don’t require to keep additional data on their servers.

Going forward

There are number of steps we’re planning to take to improve the current product choices and to further reduce the already limited amount of metadata required while preserving a great user experience.

One of the major initiatives towards that goal is open sourcing the server code with the aim to offer a self-hosted, federated version of Wire. The organization or individual running the server will be in full control of the metadata.

The best source for all Wire privacy and security related details is wire.com/privacy.