00:00:00
So Jack Dorsey put this out, and yes, I wish I was making this up, spent the weekend building
00:00:05
BitChat. Hey everybody, I've been getting a lot of messages about Jack Dorsey's new messenger and
00:00:11
whether or not you should use it. Now, bold disclaimer, this is an impressions video, I'm
00:00:15
just going to give you the breakdown of what it is, as well as kind of some basics on the security
00:00:19
protocols and stuff like that. Now the main highlight feature is that this supposedly doesn't
00:00:24
require internet, meaning it's peer-to-peer, which means that you're directly communicating
00:00:27
with other people. Now this works over Bluetooth, and the best way to describe it is like a mesh
00:00:31
network, and actually this is how Apple does its AirTag technology. Pretty much the reason why you
00:00:37
can find your AirTags isn't because they have a GPS chip inside of them, it's because there are so many
00:00:41
iPhones everywhere that if your AirTag is within iPhone range, that iPhone can essentially function
00:00:48
as part of the network and let you know where that AirTag is located. This can be generally repurposed
00:00:53
into something like a messenger, where if many people inside, let's say a big warehouse, let's say
00:00:58
you work inside a factory, if everybody has a phone and they have this app installed, theoretically they
00:01:03
can all communicate with one another. He says it enables ephemeral encrypted communication between
00:01:07
nearby devices, and it seems like a big part of this is just better resiliency, right? Around the world
00:01:13
you'll see these random power outages, especially in places that are affected by any kind of humanitarian
00:01:18
issues. Technology like this is really important in empowering people to communicate without even
00:01:23
having internet access. Now before continuing, I want to really outline that this concept isn't new.
00:01:29
We've actually reviewed a messenger already on this channel called Briar, which is actually pretty much
00:01:35
the same concept, no offense Jack. It's censorship-resistant, peer-to-peer messaging, it bypasses centralized
00:01:40
servers, and it has the option to still go through servers, but you can do that over Tor. It's been
00:01:47
third-party tested, it's been audited, it's open source, it's got a lot of good stuff. Let's see
00:01:51
what's different and kind of the security behind what's going on here. So first, just starting with
00:01:54
some press coverage, TechCrunch put out this article pretty much saying his secure BitChat app has not
00:02:00
been tested for security. Jack Dorsey put this out over a weekend. I want to make it clear too that Jack
00:02:05
Dorsey isn't a security expert. He's not somebody who has developed encryption protocols. This isn't like
00:02:11
his main bread and butter. So I think there is going to be a little bit of a friction point of him
00:02:16
developing that kind of reputation. Now, this is not going to help the reputation. First off, since
00:02:22
launching, he's already issued a warning that says this software has not received external security
00:02:26
review and may contain vulnerabilities and does not necessarily meet its stated security goals.
00:02:31
Do not use it for production use and do not rely on its security whatsoever until it's been reviewed,
00:02:36
which is really good. And I'm glad he's putting a disclaimer, but I think it speaks to the state in which it's in.
00:02:41
And you can actually find this yourself if you go to the GitHub repo for BitChat. Now, since this
00:02:46
went live, a researcher has already found some vulnerabilities in it. And there's a man-in-the-
00:02:51
middle attack that you can pull off. And then the cryptographic toolbox we should be using and they
00:02:55
clear up what should be happening here. These are completely avoidable problems. We have battle
00:02:59
tested protocols, which is the Signal protocol, which is the gold standard, Noise Protocol Framework,
00:03:04
OTR, and then existing decentralized solutions like Briar, which I've already mentioned.
00:03:08
And one pretty nice improvement since Jack originally launched this is including the Noise Protocol
00:03:12
Framework, which is a much more established encryption protocol, not quite as secure as
00:03:17
something like Signal as far as I can tell, but still at least better than trying to do your own
00:03:21
thing. I also think it's funny that the researcher just has a section titled reporting the issue,
00:03:26
which just has a screenshot of asking what's a good way to report security flaws. And then Jack just
00:03:31
closes it. I just think that interaction is hilarious. This is the spirit of open source.
00:03:37
I think it's worth taking a minute here to address why this is important. So messengers are one of the
00:03:43
most sensitive things that you can possibly do on any of your devices. This is where you're having
00:03:48
the most intimate discussions with people. This is where you might be sharing passwords with loved ones.
00:03:53
Not only do we have this expectation of privacy in those contexts, but what makes this potentially even
00:03:58
more damaging is when we have someone come forward and say, hey, I have this really resilient,
00:04:02
really secure messaging app, go use it. And it starts giving people perhaps a false sense of security,
00:04:08
which really amplifies the what I want versus what I'm getting ratio. And that's what we really need to
00:04:15
be careful of with these projects. And to put this launch in context, Signal has been around for over 10
00:04:20
years. It's been considered the gold standard by pretty much every major security expert out there in
00:04:25
terms of its encryption protocol itself. It has years of security audits, peer review, it's been
00:04:30
analyzed by researchers and BitChat was just released a couple weekends ago with really none of that kind of
00:04:36
rigorous oversight. Many people don't consider that the notes they take are actually extremely sensitive.
00:04:43
And there are many privacy implications about where this data goes and who has access to it.
00:04:48
The sponsor of this video is Notesnook, and they're aiming to make notes more private and secure,
00:04:53
especially relative to some other mainstream counterparts. Notesnook is open source. They have
00:04:57
many features you'd expect to find in other very popular productivity tools. It's all end-to-end encrypted,
00:05:03
meaning they can't even see your data if they wanted to. Checklists and reminders. And they just
00:05:08
released a V3 rebranding, which looks phenomenal. If you're somebody who wants to keep your current
00:05:13
productivity, but improve the safety of that productivity, Notesnook is pretty much a no-brainer. And again,
00:05:19
it's open source. And also they have a really solid free offering too. So there's no risk in trying it out.
00:05:24
And they make it super easy to switch to from your current tools. Check out Notesnook down in the description.
00:05:29
And I really want to thank Notesnook for sponsoring our content. We really can't do it without great services like that.
00:05:34
So thank you and go check out Notesnook down in the description.
00:05:38
So I really want to establish here, and this is going to get into what I want to see as well as my
00:05:43
personal opinion on this. I think this is great. I love to see, especially like traditional big tech
00:05:50
bros see the need for more privacy respecting technologies, to see these mesh protocols, to see
00:05:56
resilient ways to communicate with those around you. And even in the most extreme circumstances, this has big
00:06:02
potential. What I would love to see though, and here are kind of the changes, I would love to see
00:06:07
proper security audits, proper review processes. Perhaps, hopefully by now there's an easier way to
00:06:14
actually report vulnerabilities. I still don't see a security file in here. Yeah, there's still no
00:06:19
security policy detected. So I'm not really quite sure what's going on there. There are no releases
00:06:25
under this repo, which means there is no APK that you can just easily sideload on Android.
00:06:31
I would really love to hear Jack's personal thoughts on like, why did he build this? Why was this his
00:06:38
weekend activity? Does he plan to continue it? Why didn't he just put his money into Briar or
00:06:44
try to improve Briar, which is something that already exists, is very established, is already used by
00:06:49
journalists and kind of seems to do everything that BitChat does, but without all the current glaring problems.
00:06:55
And so I would love to hear why in the long run, BitChat is going to do something different from Briar
00:07:01
or Signal or any of these other messengers. And I mentioned Signal a lot, but Session, SimpleX,
00:07:07
Threema, all of these messengers have pretty much all the characteristics I already shared with you in
00:07:13
terms of being proper privacy and security messengers. Now it's not all negative. I do like how
00:07:19
BitChat is ephemeral by default. So messages exist only in device memory, which I think is really fantastic.
00:07:25
I do love how there's no registration. There are no accounts, emails or phone numbers required. That is fantastic and
00:07:30
is definitely a step forward for privacy. The other thing I'd love to see and know. So one issue with Briar is it's
00:07:37
Android only. And the reason why it's Android only is your device has to be essentially online. I know it doesn't need
00:07:43
internet, but your device needs to be on and connected to the app the whole time when it's peer-to-peer. There is no central
00:07:50
server, which means both people have to be online at the same time for the messages to actually be
00:07:55
delivered. And so Briar is Android only because there is no real background sync on iOS. So I'm really
00:08:02
curious to see how this app is going to work with that kind of limitation. And unfortunately, it's already
00:08:08
a full beta, so I can't actually test it myself. But that's something I'd love to see in maybe a more
00:08:13
full in-depth review. So this concept has a lot of merit and I think it's really good that Jack is
00:08:18
developing something that is overall a really good mission, but I think it needs a lot more time to
00:08:23
mature. When I say a lot, I mean like weeks, months, potentially years. I mean, these messengers we
00:08:29
currently have took them years to get where they are today. And that's not to discourage new people
00:08:34
from entering the scene. It's just the reality that they have a really, really solid reputation.
00:08:39
I also want to cover quick alternatives as well on our site, techlore.tech/resources. We have resources
00:08:45
for all the privacy and security tools out there, overall the best ones. And if you go to messengers,
00:08:51
you're going to find things like Briar, Signal, Molly's a fork of Signal that makes it a bit more
00:08:56
feature rich on Android, SimpleX, Session, Matrix, and Threema. These are all fantastic messengers.
00:09:02
And there's actually a best messaging apps video that I put out that you can also watch there.
00:09:07
Overall, my takeaway for this video is keep in mind innovation versus caution. There might be some
00:09:13
really cool ideas out there that could be fantastic ideas for privacy and security, but it doesn't mean
00:09:20
that when they're released, they are the most privacy and security respecting way of doing those ideas.
00:09:26
Stay hungry, find new things, but still be cautious when doing so and maybe don't use it for production,
00:09:31
which is actually the same disclaimer that they currently still have on their GitHub.
00:09:36
I want to thank Notesnook. I want to thank all of you for watching,
00:09:39
and I'll see you next time on Techlore. Let me know your thoughts below. I'd love to hear.