If you’re a fan of the legendary HBO show The Wire, you’ll remember when Stringer Bell gathered all the big-time players in the Baltimore drug trade together to form a collective faction called the “New Day Co-Op” in season 3. One of the most memorable scenes from this season is when the Co-Op met for the first time and agreed to go in together on a package of dope from New York. When the agreement was made, Stringer walked up on Shamrock, who was taking the minutes of the meeting. Stringer then berated Shamrock for “taking notes on a criminal f*cking conspiracy” and disposed of the notes.
Stringer’s gripe with Shamrock is a common worry for figures in the underworld. No one wants to leave a paper trail of their maneuvers that can be discovered and exposed later. One of the main ways that people can leave a “paper trail” these days is through text messaging. According to the Supreme Court’s ruling in Riley v. California, law enforcement needs a warrant to search or seize an individual’s cell phone (doing so without a warrant would be a violation of the 4th Amendment). If a warrant is obtained, cell phone carriers may be required to provide investigators with text message history, the dates and times of all texts and phone numbers that sent and/or received incriminating messages.
Due to these circumstances, many are looking for a way to communicate in true anonymity and stay off the radar. If you are an iPhone user, your search is over. In 2016, developers dropped an app called Xessages for such a situation. Like Snapchat, Xessages allows users to send discreet text messages that self-destruct after a selected period of time. Though the app was made with drug dealers in mind, the technology seems like it’d appeal to a number of crowds who simply don’t want their business to be documented.
We caught up with one of the founding developers of Xessages (who would like to stay anonymous) and chopped it up about the app, its implications and privacy in tech in general. Check out what they had to say below.
Don Diva: Explain your background and how you came to create Xessages.
Xessages Developer: I’m a software developer. I’ve been a software developer for about ten years. We noticed that apps like Snapchat have become very popular amongst the younger generations and they offer you this false sense of privacy, but it’s not really privacy.
What basically happens is when you send a Snapchat, your message goes to Snapchat’s servers and then they communicate it to the end user you sent a message to. Well, that removes all the privacy aspects at that point because you sent your messages off to someone else’s server first.
So we thought, how can we make an app where people can message each other and just bypass sending things to different servers? Like, an encrypted chat application in your messages app already. When you build it like that, you bypass having to send it to any one server and it’s just literally person-to-person communication.
DD: If you could explain, when people say something is encrypted, what does it mean?
XD: Encryption basically means taking something and turning it into something that makes absolutely no sense.
It’s like you say, “I’m going to do an interview.” We encrypt that to a bunch of random letters and numbers, so when someone sees the encrypted text, they’ll say what is this? It’s just a bunch of random letters and numbers that don’t make any sense. You send that encrypted message off and the receiver who has a decryption key, basically, can decrypt those random numbers and letters and rebuild it back to the original statement.
So encryption is basically a way to twist what you said, so it’s unreadable and unable to revert back to the original text unless you’re the end user who has a key. Encryption is driven off of these things called keys. When you send a message, it’s like you’re locking your door and you’re going away, and decryption is like when you unlock a door, come back in. You lock your door, you leave your house; now your house is “encrypted.” So your friend now wants to come to your house; the only way to get there is by decrypting and he has to unlock the door to come in. So we share these private keys. So basically we use private key encryption, so there’s no over the air internet protocols going on. It’s literally private, two-person encryption.
DD: For people who may not have checked it out, explain what Xessages does when you download and use it.
XD: When you download Xessages, it adds an app to your messages app along the application bar. Basically, you click on the app icon in messages for the Xessages app, it launches and it allows you to type and send a message to someone, like an Xessages payload, as we call it, into the messages feed. So the end user, who also will have to have Xessages to decrypt the message, can tap it. It’ll launch the app there automatically, and they’ll be able to read the message.
DD: What do you mean by “payload?”
XD: A payload is basically what you’re sending. If you send someone a letter, there’s an envelope, and then the letter inside of the envelope. [The letter inside the envelope would] be considered the payload.
DD: So, each message is a payload?
XD: Yeah. We call it messages but actually what you’re sending is not a message; it’s just a data payload of a bunch of random characters that only the app knows how to decrypt into a message.
DD: How does it work? Does the message disappear after some minutes or what happens?
XD: There are two pieces to this. One, after the person sees the message, if they don’t elect to keep the message, it will automatically disappear forever. If they do elect to keep the message, they can’t read the message after the self-destruct time that you select is up.
For example, we’ll set a self-destruct time on the message of, like, one hour. So, if I sent you a message, you have up to one hour to open that message. After that, you can’t ever open it. If you do, it just has nothing there.
If they decided to keep the message, let’s say they see it right away and then they say, oh we want to keep this message, they still won’t be able to see it again once that time expires.
DD: With Xessages, will people be able to do group chat or just one-on-one right now?
XD: It works with group chat. Everyone in the group chat would need the app to be able to read the message. Anyone who doesn’t have the app, when they click on the Xessages payload, they just get sent to the app store to download the application. They can read it after they get the app. If they don’t, there’s no way to read the messages.
DD: Who is this app for? Who is the target audience?
XD: It’s kinda funny. We did it for hustlers so they could have a way to use an encrypted chat application that’s, basically, person-to-person. So, you can’t have someone jump in the middle and intercept the messages. It’s not really possible.
DD: Does that mean there’s no way that cops could check in on the message?
XD: No. Even if you subpoena someone’s message history, these messages would never show up. They can’t. It’s impossible.
It was also created for people who just want to have a private chat app. You might send someone a message about proprietary software you’re building or you may send a message to your side chick or something but you don’t want anyone to know the message.
Another thing to note is that if someone does iCloud backup, these messages don’t go to iCloud, so there’s no way to even back this stuff up.
DD: Can somebody just take a screenshot of the message and keep it?
XD: Yes. Here’s the thing about screenshotting because people always ask that question and say, oh well, Snapchat will let you know if someone’s screenshotted the app. The problem with the logic there is that screenshot detecting really is not very helpful for anyone because first, a little background; this app is really just designed for two people who trust each other. If someone screenshotted it, you’re compromised no matter what – they could be sitting with the cops while you’re messaging them. This is really for two trusted people to send discreet messages that no one can intercept, and after they’re gone, they’re gone. No one can subpoena them.
The reason why we think the screenshot doesn’t hold value is because all someone actually has to do is to get another phone and take a picture of the other phone. So on-device screenshotting actually holds no value because if someone takes a screenshot on the phone, you can edit that screenshot to say whatever you want in the text, you can alter it and make it seem like they said something they didn’t say, and there’s no way to really verify that it’s the actual screenshot. What does make sense if you’re trying to set somebody up using the app would be to take another phone and record that phone, and that works for Snapchat, too. The end user wouldn’t know if you’re screenshotting their messages because they’re not even using their phone to take the picture anymore. So, there’s really no way to actually stop that. It’s like a gimmick Snapchat uses that people say, oh yeah, but you can tell when you screenshot the message. Yeah, but that’s only if they took the screenshot on the same phone, not if they intercept the messages on the server because they’re on a WiFi network and that kind of stuff, which are actually the cases you want to try to stop, but there’s no solution for that.
DD: What are your views on privacy? Do you think it’s more companies’ responsibility to respect people’s privacy or is it just what it is, that they’re going to be invasive?
XD: I definitely think that people’s privacy should be respected. That’s one of the reasons why the app is only for iPhone because the messages app itself already provides layers of encryption and protection, and iPhone’s unique architecture basically is all on-device.
One of the things about it is, on the Android platform, basically when you accept that licensing, when you first activate your Android phone, you’re giving Google permission to read your messages, look at your emails, everything, and we want to stay off that platform because once you make an app for that platform, you’re compromised already.
We value privacy very highly and that’s the main reason why the app is only for iPhone, and we wanted to give an extra layer of protection and auto delete of things you don’t want people to be able to go recover later.
DD: What can people look forward to from Xessages in the future and what else do you have in store?
XD: Xessages is one layer that we have and we also have another asset out, but we’re actually working on enhancing it now, called Chilll. Chilll is a way to host events privately and get paid for them. It’s almost like you become your own ticket master and you can host parties, you can send invites, you can do all that kind of stuff. And it follows along the same mantra where it’s very private, everything’s deleted. Once the event is over, it’s erased forever, so there’s no ledger of the history, who was there, who paid, none of that kind of stuff. It’s not even a concept of making friends. It really is driven off your contacts. A person you don’t know technically can’t be invited unless you share an invite code on the open internet.
We have a few other privacy products coming but yeah, just Xessages and Chilll. We have encrypted private, self-deleting chat and we have encrypted private event hosting that self-deletes once the event’s over also. So, we’re following that same pattern in the stuff we build.
Xessages can be downloaded at the Apple App Store for $1.99.