Encryption graphic
Is Tor Browser safe and is Signal app secure? TBIT/Pixabay

In the wake of reports that text messages between two FBI officials revealed negative opinions of then-candidate Donald Trump, former National Security Agency contractor and whistleblower Edward Snowden offered a piece of advice for those trying to keep communications private: “Use Tor. Use Signal.”

The recommendation from the former government employee was directed specifically at FBI agents and other government officials— "Protip: Don't use your FBI-issued phone for things you don't want the FBI to know,” he wrote —but also apply to individuals who are looking for some assurances of privacy.

Is Tor Browser Safe?

The first tool recommended by Snowden to keep online activity private is the Tor Browser. Tor, short for The Onion Router, is a web browser built on technology backed by the United States government and is designed to conceal the activity of users.

Originally developed with the intention of fostering democracy in authoritarian states, the Tor browser now serves as a way to avoid government surveillance even for citizens inside the borders of the U.S.

To understand how Tor works, it’s important to first understand how a standard internet browser works. When a user visits a website, their computer communicates with a server to request and retrieve the information from that site. In that process, the user’s computer also shares information about itself, including IP address, location and other information that may be revealing of the device user.

When using Tor, the connection is not direct. Instead of the device communicating with the website or service’s server, it connects to “nodes” or other computers on the Tor network. The browser sends the request through a number of nodes before it reaches the server. It device’s information is still there, but it is wrapped in layers of packet data from each node, making it nearly impossible to identify the origin of the request.

This differs from a virtual private network (VPN), which allows the user to connect directly to a secure, third-party server that handles all interactions between the user and a website or service. A VPN can hide a user’s activity from their internet service provider, but simply shifts who sees the information from the ISP to the VPN provider. It’s effectively just a trade off in who to trust.

Tor offers a more robust solution, effectively creating a sequence of VPN-like tunnels between multiple, randomized machines rather than a single connection point.

It isn’t perfect, though. Like any piece of software, it is vulnerable to attacks and malware. Because the browser is also best known for its ability to access the dark web—a seedy underground version of the internet where illegal dealings can be done—downloading can also invite some scrutiny from agencies like the FBI and NSA.

There have been instances where the Tor Browser has been hacked and there is still the possibility of government agencies using exploits to track and infer activity of an individual to identify them even behind the protection of Tor, but use of the browser greatly reduces that possibility.

Is Signal App Private?

Snowden’s second recommendation for locking down online activity is to adopt Signal, a popular messaging application that offers encrypted communications across numerous platforms including iOS and Android.

Signal, developed by Open Whisper Systems, uses a person’s mobile phone number as their identifier and acts just as any other messaging app—be it iMessage, WhatsApp, Facebook Messenger, etc.—would. It allows users to have one-on-one chats, group messages, video and voice calls and share files including images, videos, audio and other documents.

What is different about Signal than many other communications apps is that it uses end-to-end encryption to protect conversations.

Without encryption, a message is sent in plaintext, meaning it can be read in full as it travels. If there is someone sitting atop a network or between two users’ communications, they can intercept the messages and read the text without any hindrance.

End-to-end encryption adds a layer of protection to the whole process. When a message is sent from one user to another, it appears as a jumbled message—a collection of numbers, letters and characters that don’t appear to correspond to anything—until it is received by the intended recipient.

That recipient has a key associated with them that allows them to view the message as it was typed by the sender. This ensures that even if a message were to be intercepted, there would be no way to know what it says.

The Signal Protocol developed by Open Whisper Systems and used in the Signal app is widely considered to be one of the strongest end-to-end encryption options available. The protocol is also used by WhatsApp, Facebook Messenger and Google Allo.

What makes Signal different than those alternative apps is that it encrypts by default. Most apps have the option to enable end-to-end encryption, but it requires both parties of a conversation to turn on the protection in order for it to operate as intended. Signal starts with that as its baseline.

Signal also does not store metadata that, while it might not contain actual conversations, can still reveal information that can be used to identify users. Metadata can show device information, contact information, recent login times and location information. That information can also be combined with other user metadata to infer information about the users.

With Signal, as little data as possible is stored by the company. It maintains phone numbers, random keys and some profile information, and only stores IP addresses for as long as it takes to send a message. While the company can be compelled to turn over that data to law enforcement, there is far less information stored than could be gathered from most apps.