In many ways, Wire is just another encrypted messaging platform. It offers all the services you’d expect: video conferencing, group chats and file sharing with planned deletion dates.

The five-year-old platform boasts more than 500,000 unique monthly users, ranging from governments to the pharmaceutical industry.


But what makes Wire stand out is its approach to security. The Swiss startup, somewhat boldly, claims to have the most secure end-to end encryption in the industry. It’s a claim given some credence by the platform’s backing by Skype co-founder Janus Friis.


Wire CEO Morten Brogger says that the majority of platforms with end-to-end encryption are not as secure as you might think.


"The old way of building cloud or SaaS-based services like that was that everything was built in the servers in the middle and that's where you had all the logic,” he says.


“That's where you do all the processing, that's where all the storage happens, and that's where the security is done.”


This means that the encryption key exists on servers in the cloud, a potential vulnerability. Brogger says that “99.9 out of 100” of messaging platforms have this old model.


With the vendor holding a copy of message encryption keys, an employee of the vendor – in theory – could access private messages.


“That, by architecture, also means there's a backdoor,” says Brogger. “If someone with malicious intentions gets in, they can read everything."

A different type of architecture

So, how does Wire ensure the highest levels of privacy? According to Brogger, it’s all about the architecture.


Wire designed its model so that it is impossible for the vendor to “look over your shoulder”, because it doesn’t have a copy of the encryption keys. Instead, they exist only on the devices of the user.


It does this using a distributed cloud. There is still a lot of logic on the servers on the cloud, as well as some of the processing and storage. However, some of the storing and processing is moved to the device of the user, whether it’s a mobile or desktop.


“By architecture, we do not have a chance to look over the shoulder,” says Brogger. “It means, by architecture, there is no backdoor.


“Our communication is completely private and completely secure, managed by that security.”

Multiple keys are harder to steal

Brogger concedes that everything can be hacked, but Wire has another line of defence – it updates its encryption keys after every message.


Even if someone were to beat Wire’s encryption algorithms, they would only gain access to one message that, without the rest of the conversation, would have no context. To gain access to a full conversation, a hacker would have to break into each message individually.


“We make it so hard to do it with very little risk of benefits going out of this,” he says. “So that's why we feel it's the most secure.


“There's no backdoors, we cannot look over the shoulder, by having encryption keys on the devices we ensure that the privacy is at the utmost highest level it can be and that the security is very high. And with the fact that we update the encryption keys after each message we make it extremely high security."

WhatsApp breaching GDPR

For many, hearing the word GDPR is likely to invoke groans. For others, such as German auto parts maker Continental AG, it invokes fear. In June, the company banned its 240,000 employees from using Facebook, WhatsApp or Snapchat on any of its company mobile phones.


The decision was prompted by privacy concerns: the services access your phonebook and collect that information without the permission of those third parties, something Brogger says is in direct breach of GDPR.


“If an employee there has customer data with your mobile phone number or email address, then that data gets uploaded into the cloud and that actually breaches the GDPR regulation because GDPR says if you are given private data away you have to consent to do it proactively.


“It's no longer an option to opt out, you have to opt in. And WhatsApp actually just takes it and uploads it."

We are fully GDPR compliant, whereas a lot of the free consumer applications that have almost the same level of security are not.

Wire, by contrast, has access to your phonebook but does not upload it to the cloud.

"The way we architectured this, we are fully GDPR compliant, whereas a lot of the free consumer applications that have almost the same level of security are not," says Brogger.


With fines of up to £20m or 4% of global turnover, there could soon be more joining Continental and throwing away the encryption key.


“Fundamentally, if you use a consumer application which is in an advertising-based monetisation model, that compromises privacy by default and that actually compromises the security of the enterprise."

Share

Share this article