<?xml version="1.0" encoding="utf-8"?>

<feed xmlns="http://www.w3.org/2005/Atom">

	<title>Max Harder's blog</title>
	<link href="https://max-har.de/feed/atom.xml" rel="self" />
	<link href="https://max-har.de/" />
	<id>urn:uuid:1d8849b0-e5b2-4dec-a62b-9eb298867c34</id>
	<updated>2026-03-31T16:13:00+11:00</updated>

	<entry>
		<title>Communication Over Untrusted Networks</title>
		<id>urn:uuid:1ca6c02a-2572-44e0-bceb-005f3ad04ce0</id>
        <published>2025-10-26T00:00:00Z</published>
		<updated>2026-04-01T16:13:00+11:00</updated>
		<content type="html">
			<![CDATA[ <section>
    <h2>Introduction</h2>
    <p>Communication makes you vulnerable – and that's not necessarily a bad thing. In fact, it's essential and allows you to form connections and grow as a person. But it also requires a great deal of trust. Some things, you may only want to share with someone who's very close to you, even if that person is actually very far away from you.</p>
    <p>When you write down a message, you add an additional layer of vulnerability to your communication. The message continues to exist until it's destroyed. This, too, can be something very valuable – love letters from your partner and the like. But love letters from your ex-partner? Well, normally it's not too difficult to dispose of them. But what about the love letters you sent? They're beyond your control now.</p>
    <p>It can be even more difficult when the messages were sent over the Internet or any other digital network or medium. There are plenty of instant messaging services (and other apps that have a messaging functionality), and there's email and SMS, among other things. You probably have your own preferences when it comes to these services, and perhaps you would like a single, convenient app that everyone uses.</p>
    <p>But how can you stay in control over your digital communication? I think, for a good reason, many people avoid asking themselves this question – it's complicated. Some people may even say &lsquo;I have nothing to hide&rsquo; or something along those lines. <span class=italic>(Love letters, please.)</span> But the truth is, the additional vulnerability that arises from handing over your messages and related data to an untrusted network – not only to some<span class=italic>one</span> else – is an actual threat.</p>
    <p>Everyone is the subject of personally identifiable data. Laws around the world differ, but if you're not residing in the European Union, it is likely that this data is the property of whoever collects it. It's beyond your control. Apart from corporations, there are also criminal actors and governments that systematically try to invade your privacy to sustain themselves (we all remember <a href="https://en.wikipedia.org/wiki/2010s_global_surveillance_disclosures" target="_blank" rel="noopener noreferrer">Edward Snowden's disclosures about government-led mass surveillance</a>, including programmes like <a href="https://en.wikipedia.org/wiki/XKeyscore" target="_blank" rel="noopener noreferrer">XKeyscore</a>).</p>
  </section>
  <section>
    <h2>Encryption</h2>
    <p>You've probably heard about encryption, maybe even end-to-end encryption (E2EE). Encryption converts plaintext into so-called ciphertext that's unreadable by a human or computer without the proper encryption cipher and cryptographic key to decrypt it. That's nothing new. But service providers (or malicious actors) are technically still able to read the decrypted messages, as long as the encryption wasn't &lsquo;end to end.&rsquo; With E2EE, only the sender and intended recipient can read the messages. No-one else. (Well, ideally. There are also things like <a href="https://en.wikipedia.org/wiki/End-to-end_encryption#Backdoors" target="_blank" rel="noopener noreferrer">backdoors</a> so we still need trust, but we have a certain degree of autonomy here.)</p>
    <section>
      <h3>Digital Communication Channels</h3>
      <p>When it comes to digital communication channels, there are plenty: dedicated instant messaging services, other apps that have a messaging functionality (think social media platforms), email, SMS et cetera, and each channel has its own implications for your privacy. Let me go into a bit more detail.</p>
      <section>
        <h4>Transport-Encrypted</h4>
        <p>Many popular channels are, at best, only transport encrypted. Again, this means that at least the service providers or, at worst, anyone with the necessary technical skills, can read the messages sent over these channels, which include email, SMS, and lots of messaging applications and social media platforms. However, it should be noted that email and SMS are special in this context, as both use standardised communication protocols and hence avoid platform lock-in.</p>
        <p>Email is probably the most common channel for formal correspondence. Most of us send and receive emails every day, and we often include – or have to include – sensitive information. Nowadays, transport-level encryption (between you and the server) is fairly common (such as STARTTLS) but not guaranteed. E2EE can be added, but it's cumbersome to use and unfortunately not very widely adopted. OpenPGP is a notable data encryption standard in this context, which associates each email address with a public/private key pair. (My public key is linked on my <a href="https://max-har.de/r/">website</a>, feel free to send me an email using E2EE with your comments on this post.)</p>
        <p>SMS, short for Short Message Service, isn't Internet-protocol based and is typically transmitted over cellular (or mobile) networks. While basic over-the-air encryption methods exist for SMS, they have significant limitations and vulnerabilities. But importantly, SMS does not support E2EE, and the mobile carriers involved in sending the messages have full access to them (and might even share data with third-party services). On top of that, SMS is likely the most costly way to transmit data in general if it's not included in your mobile plan.</p>
        <p>Then there are Internet-protocol based instant messaging services like Tencent-owned WeChat and various other platforms with messaging functionality that don't support E2EE. Today, Transport Layer Security (TLS) often adds transport encryption, for example in HTTPS, short for Hypertext Transfer Protocol <span class=italic>Secure</span>, or MMTLS (a modified version of TLS 1.3) in the case of WeChat. However, the corporations behind those services can access all messages and usually collect as much data as possible about their users. On Instagram, there are optional chats with E2EE (&lsquo;this feature is only available in some areas&rsquo;), but well, it's still Instagram (owned by Meta). Another notable example is Telegram (owned by Pavel Durov, who also co-founded VKontakte), which encrypts messages using its own layer of MTProto encryption, but it doesn't use E2EE by default. So-called Secret Chats that use E2EE have to be created separately, and this is only supported in one-on-one conversations (not in groups or channels).</p>
        <p>Update: In March 2026, Instagram announced that E2EE messaging will no longer be supported after 8 May 2026.</p>
      </section>
      <section>
        <h4>End-To-End Encrypted</h4>
        <p>When discussing messaging apps using E2EE, it can be useful to focus on three dimensions: (1.) for-profit versus not-for-profit services, (2.) proprietary versus open-source code (which correlates with the former), and (3.) centralised versus decentralised infrastructure. I argue that not-for-profit services with open-source code and decentralised infrastructure are the preferred option for digital communication. This is because (1.) there's no interest in collecting and monetising user data as well as no barrier to entry, (2.) the source code is publicly accessible and anyone with the necessary technical skills can assess it or contribute to it (or even create their own version), and (3.) there are no single points of control and failure (such as technical outages, data breaches et cetera).</p>
        <figure>
          <img src="https://max-har.de/feed/images/1ca6c02a-2572-44e0-bceb-005f3ad04ce0_1.png" class="blog" alt="A Drakeposting meme showing a preference for the Not-For-Profit, Open-Source, Decentralised category">
        </figure>
        <section>
          <h5>For-Profit, Proprietary, Centralised</h5>
          <p>WhatsApp (owned by Meta) and Facebook Messenger (also owned by Meta), which now appears to use E2EE for personal messages by default, fall into this category of for-profit services with proprietary source code and centralised infrastructure. In both instances, you have to trust Meta with your data, which is essentially its business model. In this context, the network effect that leads people into using these services is particularly problematic, as they inevitably become products themselves. The company also has a long history of <a href="https://en.wikipedia.org/wiki/Meta_Platforms#Lawsuits" target="_blank" rel="noopener noreferrer">lawsuits</a> against it. For example, in May 2023, it was fined a record EUR 1.2 billion by the European Data Protection Board for breaching European Union data privacy laws. In addition, it has been shown that WhatsApp is particularly vulnerable to <a href="https://propertyofthepeople.org/document-detail/?doc-id=21114562" target="_blank" rel="noopener noreferrer">law-enforcement searches</a>.</p>
        </section>
        <section>
          <h5>For-Profit, Open-Source, Centralised</h5>
          <p>Some services are for-profit and run on centralised infrastructure, but the code is (at least largely) open source. This includes Threema (the server code is proprietary) and Wire, for example. (If Telegram were using E2EE by default, it could probably also be mentioned under this category, though its server code is proprietary too.) The companies behind both services are headquartered in Switzerland and the servers are located either there or in the European Union, respectively, with relatively strong privacy laws protecting them. Both services aren't widely adopted for private communication. I assume part of the reason for this is the business model that isn't based on monetising user data but rather on selling apps (or licences) and subscriptions.</p>
        </section>
        <section>
          <h5>Not-For-Profit, Open-Source, Centralised</h5>
          <p>Signal is an example of a not-for-profit service with open-source code and centralised infrastructure. The messenger, which has been endorsed by Edward Snowden on multiple occasions, is developed by the Signal Foundation (launched with initial funding from WhatsApp co-founder Brian Acton) and its subsidiary Signal Messenger LLC. Messages are encrypted with the Signal Protocol, which is generally considered secure and cryptographically sound (and has also been implemented in WhatsApp and Facebook Messenger, among others). However, the centralised nature of Signal makes it <a href="https://mastodon.world/@Mer__edith/115445701583902092" target="_blank" rel="noopener noreferrer">dependent on its large providers</a>, as seen during the Amazon Web Services outage on 20 October 2025. Moreover, Signal requires a phone number from its users, which isn't ideal, and access to Signal was blocked in some countries, including Russia. Thanks to the open-source nature of the service (and to amazing developers), there's an independent, security-hardened, free and open-source fork of the Signal client called <a href="https://molly.im/" target="_blank" rel="noopener noreferrer">Molly</a> (named after <a href="https://en.wikipedia.org/wiki/Molly_Millions" target="_blank" rel="noopener noreferrer">Molly Millions</a>), which adds valuable features, such as database encryption and <a href="https://www.torproject.org/" target="_blank" rel="noopener noreferrer">Tor</a> support. The team behind Molly is also working on Flatline, a modified Signal server that won't use phone numbers to register accounts.</p>
        </section>
        <section>
          <h5>Not-For-Profit, Open-Source, Decentralised</h5>
          <p>Not-for-profit services with open-source code and decentralised infrastructure that use E2EE by default aren't exactly abundant, but I want to include the open communication protocol <a href="https://matrix.org/" target="_blank" rel="noopener noreferrer">Matrix</a> here, which is looked after by The Matrix.org Foundation. The protocol supports E2EE and modern clients like Element (developed by the for-profit company Element) enable it by default in private conversations. (The Foundation currently lists nearly 30 Matrix clients it's aware of, with different levels of maturity.) Matrix servers are federated, which means you can choose the &lsquo;homeserver&rsquo; you want to use. Matrix also supports interoperability via bridges, which means that it's open to exchanging data and messages with other platforms, including Signal. My experience is that the use of Matrix is relatively common among free and open-source software developers, and Element also lists a number of large multinational corporations and government organisations as its customers. However, I think the onboarding can be quite complex, especially for those who aren't familiar with Matrix, as it does a lot of things differently.</p>
          <p>Addition: There's also <a href="https://delta.chat/" target="_blank" rel="noopener noreferrer">Delta Chat</a>, which uses secure and interoperable chatmail relays. I won't go into detail here, but I think it definitely deserves a mention.</p>
        </section>
      </section>
    </section>
  </section>
  <section>
    <h2>Conclusion</h2>
    <p>So, how can you stay in control over your digital communication? First of all, I highlighted that E2EE is a readily available and indispensable technology that significantly reduces vulnerability to malicious actors and mass surveillance in private conversations. Looking at messaging apps using E2EE, I introduced three dimensions: for-profit versus not-for-profit services, proprietary versus open-source code, and centralised versus decentralised infrastructure, and argued that not-for-profit services with open-source code and decentralised infrastructure are the preferred option for digital communication.</p>
    <p>While the open communication protocol Matrix comes closest to my ideal, I also suggested that it might not be the most inclusive channel when it comes to usability. An alternative (with its own trade-offs) is Signal, which also has an independent fork called Molly with improved features. The point is that there are ways to protect our digital privacy. We just have to use them.</p>
  </section> ]]>
		</content>
		<author>
			<name>Max Harder</name>
		</author>
	</entry>

</feed>