KakaoTalk and Default Settings: Why End-to-End Encryption Isn’t Always Prioritized for Messaging Apps


In October 2014, South Koreans were given a harsh reality check about their instant messaging privacy, when prosecutors launched an investigation into online messages – private or public – that were deemed insulting or defaming to now former President Park Geun-hye. This came as a response to Park expressing concern over how “such conduct hurts the stature of South Korea and its people.” Included in the investigation were messages sent through the country’s leading messaging app KakaoTalk, used by approximately 90 percent of Korean smartphone owners. Daum Kakao (now simply Kakao), the corporation behind KakaoTalk, chose to hand over the chat records to the prosecution, stirring up uneasy emotions all across the nation. With people realizing their private conversations were not exactly private any longer, 1.5 million Koreans reportedly began using Telegram, another chatting app which offered a more secure, end-to-end encrypted (E2EE) chatting option, unlike KakaoTalk at the time.

Now, almost four years later, KakaoTalk remains the peninsular nation’s dominant choice of messenger app. Much of the initial criticism died down after Kakao rolled out a Secret Chat feature, seemingly inspired by Telegram, as a reaction to the privacy scandal. The Secret Chat mode gives users the option of securing messages with E2EE. This encryption technology ensures that only the intended sender and recipient can read the exchanged message in plain text, keeping private correspondence private without any possibility of third-party intrusion.

The storm over the privacy issues has calmed down, but it can be noted that KakaoTalk at its core still lacks privacy. KakaoTalk’s default chat mode is still not end-to-end encrypted. What most users might not realize is that Secret Chat is merely an option, not the default. This means full privacy is only achievable through manual replacement of all regular chats with Secret Chats. The feature is not even available on KakaoTalk’s popular desktop version.

Although many messaging apps like WhatsApp, Line, iMessage, and Signal have prioritized security by enabling end-to-end encryption by default, encryption implementations are not necessarily uniform. For example, iMessage, which is preinstalled on every iPhone, does not use an encryption protocol that adheres to best practices. Even Telegram, the alternative that many Koreans flocked to before the Secret Chat option was implemented, stores messages on its servers unencrypted by default.

Popular apps like Snapchat in fact don’t offer an encryption option at all: messages are deleted once they have been read by the recipient, but unopened messages are stored on Snapchat’s servers for 30 days.

So why isn’t E2EE prioritized?

While there can be a myriad of reasons, financial or political, why certain companies remain stubborn in their resistance to default encryption, there are two huge reasons we can’t ignore. First off, we don’t hold companies accountable. For example, when the KakaoTalk controversy of 2014 broke out, the public did not blame Daum Kakao for handing over their information to the prosecution, but rather directed its dismay at the government for breaching the social and ethical contract. In the midst of feelings of betrayal and marginalization, the public forgot about the company’s own responsibility for security.

Second, there’s the inertia of having to switch to a brand new platform where only a few people you know are on board. Even if people are aware that their private messages are vulnerable to sniffing, it might seem worth the risk in order to keep the current channel of communication — classic peer pressure. Thankfully, major players are taking steps to bring E2EE to familiar platforms: Skype will soon use the Signal Protocol, the same protocol that encrypts Facebook Messenger and WhatsApp conversations.

For now, it seems that industry standards will be the main driver for beefing up security in messenger apps, in the face of people’s reluctance to switch to more secure apps and government concerns over encrypted communications within criminal circles. In any case, it’s clear that change is necessary. It’s simply a matter of how and when the change will happen and how much it can influence the current standards for application security. But until that change is implemented on a larger scale, if you do happen to be in the market for a secure messaging app, look at the fine details of the app and don’t assume E2EE is the default, no matter how many of your contacts may already be using it.