
Session: Centralisation vs decentralisation in private messaging


What are they — and why should you care?

End-to-end encrypted (E2EE) private messaging apps are secure, but in today’s world, end-to-end isn’t enough.

Many secure messaging apps have a fatal flaw: centralisation.

Centralisation and centralised networks in private messaging

It’s all about trust, baby

In a nutshell, centralisation means that a system (or a network) is controlled by a central authority. Governments are a real-world example of centralisation. The government acts as a central authority for the country it governs: passing and enforcing laws, managing relations with other countries, and making other decisions that affect the country as a whole. The central government acts as a proxy for the population at large, making decisions on behalf of the country. A centralised system like this is also known as a trusted system: participants need to trust that the central authority will act in the best interests of the network. In the case of a government, the citizens need to trust that the government will make decisions that are in everyone’s best interests.

Centralisation is also common in computer networks. Every computer network is a set of linked nodes: computers or other devices that store and share data. In a computing context, centralisation means that a network of nodes is controlled and governed by a central server. While this may sometimes be a single server, a central server can also refer to a central cluster of servers.

There’s also another layer of centralisation at play here: if the network relies on a central server to function, the entity (company, group, etc.) which controls that server is effectively in absolute control of the network.

Just like a government managing a country, a central server manages the network. It controls the flow of data, decides which devices are allowed to connect and transfer data over the network, and performs other duties to keep the network running. This kind of network is also a trusted system: just as in the case of a government, users of the network must place their trust in the central server to manage the network safely and responsibly.

Many E2EE messaging apps rely on a centralised server to route messages from sender to receiver. Think of the central server as a very, very busy postman. The server receives messages, then passes them to their intended recipient — hundreds or even thousands of times per second. And yet, believe it or not, the main reason many messaging apps structure themselves this way is efficiency.

The pros of centralisation in networking and private messaging

A shortlist — and a short list

Centralised systems have three main benefits: efficiency, ease of maintenance, and consistency.

Returning to our government metaphor, it might seem like governments take a long time to make and act on decisions — but imagine how long it would take if every single person in the country had to have their say on every decision! Having a central authority (or central server) in charge of everything keeps the network running smoothly. Because the central server knows exactly where each message is coming from, and where it’s heading, the server is always able to deliver messages efficiently.

Centralisation can also make it easier for network administrators to keep the network running smoothly. If administrators need to apply critical software updates or security patches, those patches only need to be applied to the central server, and hey presto — all done. Upgrading the hardware in the central server can also upgrade the performance and capabilities of the whole network.

Finally, centralisation makes it easier to keep data synchronised across the network. Because all your messages are synced with a central server, that server can help to ensure that chat histories are consistent across devices, and that messages are delivered reliably.

The cons of centralisation

Putting the con in concentrated data

Centralisation’s greatest strengths are also its greatest weaknesses. Remember how centralised systems are also known as trusted systems? Well, there’s the problem.

When you participate in a trusted system, you have to trust that the central authority which controls that system will act in your best interests. In a democracy, you can cast a vote to have your say over how the system — the country — will be governed. But in the case of a centralised E2EE messaging app, you have no say over who is in control — or the actions of the central server itself.

This trust requirement has some serious privacy and security implications for private messaging. End-to-end encryption means that no-one but you and the person you’re messaging can read your messages. But because the central server is responsible for routing messages from sender to receiver, the server needs to know their digital identities or addresses. The central server could also have access to all the other metadata associated with an E2EE conversation: IP addresses, times, dates, locations and more. The central authority controlling this server could keep logs of all this metadata. As a user of a centralised E2EE messenger, you have to trust that the central authority won’t do that.

But that’s not a problem, right? Companies never act against the best interests of their users… right?

Even if the company in charge doesn’t want to violate your privacy, the simple fact that it’s possible to do so creates more issues. Governments or other third parties could compel the central authority to log conversations and hand over metadata against their will. And if a malicious third party is able to get access to the central server — through hacking, social engineering or otherwise — they’ll also have access to all that metadata. If you’re serious about privacy, you have to assume that if metadata can be collected, it will be collected — and potentially misused.

There are other issues, too. If something happens to the central server, the whole network goes down, along with the services it provides. If the central server falls victim to a natural disaster or a power outage, you can kiss the entire service goodbye. And if there’s a critical bug or flaw in the server’s software, it could affect the entire network. This disastrous scenario has been seen over and over again — recent examples include the February 2017 AWS server outage that took down Trello, Quora and IFTTT, and the September 2019 server failures that took Facebook and Instagram offline for several hours.

Centralised E2EE messengers are also highly vulnerable to censorship. Although the app encrypts all messages, making them unreadable by the central authority (so the authority can’t ban or block messages about specific topics), central authorities can still ban users, groups, or even regions from using the app. This problem is worsened if the app uses an identifier tied to your real-world identity, like a phone number or email address.

Centralisation might be efficient, but it sucks for privacy and security. You’ve probably figured out by now that we have a solution waiting in the wings.

So what’s the alternative?

Decentralisation

A decent solution to an indecent problem.

Decentralisation is exactly what it sounds like: the polar opposite of centralisation. Control is distributed between participants in the system, rather than being held by a central authority. The government of a democratic country is a centralised authority, but the people put that government into power through a decentralised process: voting.

In decentralised computing, instead of a network being governed by a central server — and controlled by a central authority — control is held by a distributed network of nodes (servers). These nodes make democratic decisions about the network, with all (or some, depending on the protocol) nodes “having a say”. This collective works together to handle tasks like data traffic routing and maintaining network security.

Where centralised systems are referred to as trusted systems, decentralised systems are known as trustless systems. This might sound like a bad thing — trust is good, right? — but in a security and privacy context, trust is dangerous! In a trusted (centralised) network, you have no choice but to trust the central server — and the central authority which controls it. A trustless (decentralised) network is set up in such a way that you never need to trust a central authority to make the right decisions.

So how does decentralisation benefit E2EE messaging apps? Well, it addresses virtually all the pain points of centralised messaging apps.

The most secure decentralised end-to-end encrypted messaging apps send messages by routing them through a random selection of nodes on the network. The set of nodes being used changes with every new message. If a malicious node were trying to collect data about users’ messaging activity, it could only do so for messages relayed directly through it — a tiny fraction of the total message traffic on the network. Onion routing protocols add further layers of security by encrypting a message multiple times, once for each server it passes through on its way to the destination. If onion routing is in use, malicious servers can’t even track messages passing directly through them, as they are only aware of the node before and after them in the chain.
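The layered encryption described above, as an added illustration that is not part of the original article or of Session’s own code: a toy onion in Python using only standard-library primitives, showing that each relay strips exactly one layer and learns only its neighbours, while the inner blob is unreadable with its own key. The node names, keys and message are constructed, and a SHA-256 counter-mode keystream stands in for a real cipher.

```python
import hashlib
import json
import os

def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream with no integrity tag: illustrative only; real onion
    # protocols use a proper cipher and authenticate every layer.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Add one layer: fresh random nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def unseal(key, blob):
    # Strip one layer with the given key; a wrong key just yields garbage bytes.
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(route, keys, message):
    """Sender wraps the message once per hop; the innermost layer is for the last hop."""
    blob, next_hop = message, None
    for hop in reversed(route):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob, next_hop = seal(keys[hop], layer), hop
    return blob

def peel(node, keys, blob):
    """A relay removes exactly one layer: it learns only the next hop and an opaque blob."""
    layer = json.loads(unseal(keys[node], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def readable(node, keys, blob):
    """Can this node make sense of a blob with its own key? Only for its own layer."""
    try:
        json.loads(unseal(keys[node], blob))
        return True
    except ValueError:
        return False

def route_message(route, keys, message):
    """Deliver hop by hop; returns (plaintext at the exit, what each relay observed)."""
    blob, views = build_onion(route, keys, message), []
    for prev, node in zip(["sender"] + list(route), route):
        next_hop, blob = peel(node, keys, blob)
        views.append({"node": node, "prev": prev, "next": next_hop,
                      "reads_inner": readable(node, keys, blob) if next_hop else True})
    return blob, views
```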

A decentralised, end-to-end encrypted messaging app is trustless because you do not need to place your trust in anyone when using it. You know that your conversations are anonymous and secure — no trust necessary.

Decentralisation makes it impossible for third parties to compel the network’s creator to provide information about users, because in a fully decentralised system, the entity which created the network does not have the capability to collect that information. Decentralisation also significantly limits the data a malicious third party could collect if they attempted to hack into the network. An attacker would need to gain access to the vast majority of nodes on the network to collect any specific user’s conversation data — much more challenging than just hacking into a central server.

Because decentralised networks don’t rely on a central server, the network is unaffected if unforeseen circumstances cause nodes to go offline. The network will simply route messages through other, unaffected nodes. This makes decentralised networks far more resistant to natural disasters and power outages.

Decentralised networks are also far more censorship-resistant than centralised networks. A messaging app based on a centralised network is vulnerable to censorship: the central authority can ban users at will. On a decentralised network, users can’t be banned or otherwise targeted because there’s no controlling authority which could target them — and if the decentralised network is using onion routing, users are completely anonymous, adding another layer of censorship resistance to the network.

Decentralisation: The future of truly private messaging

Decentralise your digital life

So, when all’s said and done, how do centralised and decentralised messaging apps stack up?

Centralised encrypted messaging apps are trusted systems. Users have to trust that the central authority won’t act in bad faith by collecting conversation data for themselves or for third parties. Centralised systems are vulnerable to software or hardware bugs and other failures. If a disaster takes down the central server, the whole network goes down. Central servers make it simpler for malicious third parties to hack into the network. And as if that wasn’t enough, centralised systems are vulnerable to censorship. If the central authority decides to ban you — or if a third party pressures them to do so — there’s nothing anyone can do to stop it.

Decentralised encrypted messaging apps are trustless systems. You don’t need to place your trust — or your privacy — in the hands of a controlling entity when you use a decentralised messaging app. There is no central authority to collect, sell or give away your conversation metadata, and if the messaging app is using onion routing, the decentralised servers can’t collect any data either. Decentralised systems can tolerate losing servers to software bugs, hardware failures or natural disasters. Finally, decentralised networks are censorship-resistant by design. There’s no central authority making decisions about who can use the network — so there’s no chance of users, groups or countries being blocked, banned or censored.

You can never trust centralised networks to be private, secure, or safe from censorship. Decentralised networks remove trust from the equation completely.