Online privacy is on a lot of minds these days. But what’s actually worth worrying about? And how can we help non-technical folks navigate these questions?
Let's start with personal communication. Because...well...it's personal. And every time you text someone, you’re giving the contents of your message—every word—to multiple internet companies, unknown other parties, and potentially the governments of one or more countries.
AI product-design principle #1: Keep the user in the driver’s seat.
Users need a sense of control, and want confidence that your product is working for them rather than calling the shots. Which might seem strange: AI is about automating our lives, taking things out of our hands; keeping the user in the driver’s seat seems to pull in the opposite direction.
This is the first of six posts exploring the AI-centric product-design principles crystallizing as we design and build Tiptap Flex (https://flex.tiptap.dev).
In recent weeks, Apple has taken heavy criticism for its failures around Apple Intelligence. While those missteps might seem like a typical strategic blunder, they could reflect a fundamental challenge with AI products—and a trap companies like Google and Figma have fallen into as well: the AI 80/20.
The thing with email is it's only encrypted (even in transit) sometimes. So it kinda has the same issue as iMessage. If you're a Gmail user using Gmail's web app to email another Gmail user, you get encryption in transit (and it sounds like you might be able to implement E2EE as well). But if you email dave@somerandomemailserver.com, you won't know until you send the message whether it's encrypted.
As for envelopes and wax seals--it's an interesting question. It requires a lot less technical knowledge for someone to open that envelope than to spy on messaging traffic. On the other hand, a lot more people have access to the messaging traffic and can bring scripts to bear on it at scale.
To clarify: I'm not suggesting you trust Telegram more than mobile providers--if SMS were encrypted in transit I'd have a much weaker case against it. But the point is, with Telegram you're placing trust in Telegram. With SMS you're placing trust in your mobile provider, AND your friends' mobile providers, AND an unknown collection of other entities. At a minimum, that's a lot more points of weakness, even if each individual one is equally trustworthy.
iMessage is indeed more secure than Telegram. Dunno vs. WhatsApp, but unlike WhatsApp it has a central message archive (and as of a few weeks ago, you can end-to-end encrypt that, too, I think).
It pained me not to be able to recommend iMessage but because it's not supported on Android, Windows, or Linux, you fall back to SMS (for Android) or nothing at all (for Linux/Windows) and then it's far worse than Telegram.
I didn't talk much about Google Chat in the article, but I think it's a fine example of a non-E2EE messenger in the same bucket as Telegram, from a company that tends to demonstrate a better-than-average respect for user data (with the disclosure that I worked there at one point).
If you're using it and liking it, I personally wouldn't recommend switching. I didn't recommend it because at this point I don't trust Google to continue investing in it given multiple incarnations of Hangouts, prior Chat products, Allo, etc.
> Moreover, despite all of the hate, iMessage actually works great.
That hasn't been my experience. Often it does. And then sometimes it doesn't. My sense is that when it doesn't, it's because of the interdependence on SMS.
Yep. As you say, the vast majority of people have no problem with SMS. I wrote the article in the hopes of convincing at least a few more people to have a problem with it.
As far as I can tell, Google Messages defaults to E2EE when possible when RCS is enabled, but RCS is disabled by default. Which basically means 80% of users don't have it turned on.