For this report we have interviewed 12 journalists and human rights observers from Belarus, Russia, Ukraine, Iran, Taiwan and Hong Kong. While our previous needfinding research was solely focused on Ukraine, this time we have extended our sample to countries with authoritarian contexts and/or intense social conflicts (wars, protests or high rate of human rights violations). While the first report covered individuals as well as members of institutionalized media or NGOs, this time we have focused solely on people who worked in organizations as our main development priorities concern what we call “organizational support”, especially for so-called “asymmetric scenarios”. We had 5 people who work in the field and 7 people who work mostly in the office, however 2 of them had previous experience of being mobile observers or reporters.

SecureJoin protocols provide a usable model for message end-to-end encryption which is secure against attackers trying to break authenticity, confidentiality or integrity of messages as can occur with compromised servers and networks. They are implemented, user-tested and continuously refined in production-releases of the cross-platform Delta Chat messenger. Other messenger implementors as well as researchers are welcome to submit remarks, questions or critique either through github or by contacting Delta Chat teams.

We analyse the cryptographic protocols underlying Delta Chat, a decentralised messaging application which uses e-mail infrastructure for message delivery. It provides end-to-end encryption by implementing the Autocrypt standard and the SecureJoin protocols, both making use of the OpenPGP standard. Delta Chat’s adoption by categories of high-risk users such as journalists and activists, but also more generally users in regions affected by Internet censorship, makes it a target for powerful adversaries. Yet, the security of its protocols has not been studied to date. We describe five new attacks on Delta Chat in its own threat model, exploiting cross-protocol interactions between its implementation of SecureJoin and Autocrypt, as well as bugs in rPGP, its OpenPGP library. The findings have been disclosed to the Delta Chat team, who implemented fixes.