Editor’s note: This article is the first in a series focusing on the best encrypted apps and services available. Content has been provided by an anonymous security and privacy professional. Readers are encouraged to confirm this information on their own.

Who is this for?

Anyone who needs to communicate electronically. Sending an email or an SMS may feel like the electronic equivalent of sending a letter, but it’s actually more like a postcard. Seriously. It was recently reported in the Wall Street Journal that Gmail gives plaintext emails to third-party developers. That is to say, humans not even within Google can and do read Gmail users’ emails, with no technological or even legal barrier whatsoever. So if you use email and SMS for anything you wouldn’t put on a postcard (and I think that’s pretty much all of us), you need encryption.

What is encrypted communication?

“Encrypted communication” should refer to end-to-end encrypted communication, meaning that your message is encrypted when you hit “send” and decrypted when the recipient opens it, and the decryption key is never stored with the message. If you use a normal communication service, one or both of these things won’t be true. In 2018, the service almost certainly uses HTTPS to encrypt traffic between your computer and their server (you may also see the protocol listed as SSL and/or TLS; please install HTTPS Everywhere, if you haven’t already, since it defaults to the HTTPS versions of sites, where available). But once the email is on their server, that layer of encryption is removed and anyone with access to the server has access to the emails stored on it. This is how your emails are scanned to better advertise to you (or read by human workers, as in the WSJ story above), and it is one way governments spy on their citizens (if they don’t intercept messages as they’re being sent, they can just request them from the provider, along with the decryption key). Encrypted communication apps/services are also sometimes called “zero knowledge” or “zero access” providers, to reflect their inability to read the messages stored on their servers.

For email, at least, the technology is nothing new, but packaging it with the email service has only proliferated recently; until a few years ago, you almost certainly used a browser extension linked to your email account or a plugin for your email client… and the extension was only released in 2012, with the official stable release being earlier this year.

Encrypted email typically comes in two forms. One is for in-network emails, and is a very “invisible” or seamless user experience where emails can be sent and opened normally. The other is for out-of-network emails, which require a password both parties have agreed on; the recipient decrypts the message and responds to it via a web interface. Encrypted instant messaging either has no out-of-network function or uses a non-encrypted format.

The method commonly used in-network for email is known as “public key” or “asymmetric” encryption. This means that there are different keys for encrypting and decrypting messages, which solves the problem of the sender and recipient agreeing on and keeping track of a password. This may also be referred to as “RSA” (the original algorithm, named for the initials of its inventors) or “PGP” (“Pretty Good Privacy,” a widely adopted implementation of the algorithm; “OpenPGP,” an encryption standard, to be specific). For password-protected messages, AES is likely to be used. Both of these ciphers are cryptographically secure: current methods of encryption are superior to methods of cryptanalysis. If your communications are “attacked,” the attack is practically certain to be on the web/app interface*, the operating system, and/or the users. For chat/instant messaging, AES and a method of secure key exchange are the current standard.
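
The two email modes described above, as an added example that is not from the article or any provider: in-network mail sealed to a recipient's RSA public key, and out-of-network mail sealed with an agreed password and AES. It goes slightly beyond the text by having RSA encrypt a random AES key rather than the message itself, which is how OpenPGP-style systems work; the function names, the choice of scrypt for password stretching, and the sample message and password are assumptions made for illustration.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        scryptSync, createCipheriv, createDecipheriv, constants } = require('node:crypto');
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM encrypts and authenticates: a wrong key or altered data throws on open.
function aesSeal(key, plaintext) {
  const iv = randomBytes(12); // fresh nonce for every message
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}
function aesOpen(key, { iv, body, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// In-network: the public key locks a random AES key; only the private key unlocks it.
function sealForRecipient(publicKey, message) {
  const sessionKey = randomBytes(32);
  const wrappedKey = publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  return { wrappedKey, ...aesSeal(sessionKey, message) };
}
function openWithPrivateKey(privateKey, stored) {
  const sessionKey = privateDecrypt({ key: privateKey, ...OAEP }, stored.wrappedKey);
  return aesOpen(sessionKey, stored);
}

// Out-of-network: the AES key is derived from the agreed password (scrypt is an
// assumption here; the article does not name a key-derivation function).
function sealWithPassword(password, message) {
  const salt = randomBytes(16);
  return { salt, ...aesSeal(scryptSync(password, salt, 32), message) };
}
function openWithPassword(password, stored) {
  return aesOpen(scryptSync(password, stored.salt, 32), stored);
}

// Constructed sample message and password, for illustration only.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const message = 'Meet at noon';
  const inNet = sealForRecipient(publicKey, message);   // what the server would store
  const outNet = sealWithPassword('agreed-by-phone', message);
  let wrongPasswordRejected = false;
  try { openWithPassword('a wrong guess', outNet); } catch { wrongPasswordRejected = true; }
  return { inNetwork: openWithPrivateKey(privateKey, inNet),
           outOfNetwork: openWithPassword('agreed-by-phone', outNet),
           serverSeesPlaintext: inNet.body.includes(message), wrongPasswordRejected };
}
```

In the in-network case the stored object holds only ciphertext and an RSA-wrapped key, which is the “zero access” property: without the recipient's private key, nothing on the server decrypts the message.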