First of all, let's talk about end-to-end encryption. Let's say we have Frank and we have Sally. Sally opens up her messaging app that supports end-to-end encryption - the app automatically generates a private key and a public key. Sally's private key is never going to leave her phone, but her public key is stored on a server where it is available to anyone who sends her a message. When Frank sends Sally a message, her public key is retrieved and used to encrypt his message in such a way that only Sally's private key can decrypt it. The encrypted file is then sent through the server to Sally. When the file is received, Sally's private key is used to decrypt the message. Now, only the people who are intended to read the message (Sally and Frank) have access to the message. With proper encryption, no one will have access to the messages - not internet service providers, not the app maker, not the government, not evil cyber actors, no one. If the app maker gets hacked, the data in the messages will still be encrypted.
There has been a lot of information in the news about Zoom. It's free and it's easy, but that doesn't mean it's our only solution for keeping in contact with friends and family.
But what are we looking for? Encryption is a great first step, and arguably the hardest to find a solution that supports it. I'm going to run through some alternatives, some are better than others, but all are better than Zoom. They aren't ranked, but I am trying to give you pros and cons for each.
Google Duo, a native app on Android devices, is slowly growing, now supporting group calls with up to 12 participants. The upside is it is available for any device that can connect to the internet, iOS, Android, etc. But want to hear the best part? All calls are end-to-end encrypted, so not even Google has access to the communication. They have a feature known as "Knock Knock", which allows you to see who is calling before you answer a call. Note, Google Duo doesn't actually support instant messaging, only audio and video calls.
Viber stands out in the security world for securing all 1-on-1 and group chats with end-to-end encryption. They don't store chat information, and according to their security and privacy practices, if there is any problem or delay in delivering a message, the message remains encrypted until the receiver gets it, and then it disappears from the server once it has been delivered.
Signal is kind of weird. They're part of the nerdy security group, but they're also part of the popular group, like if the popular kids need something, they call up Signal to get what they need, but otherwise, they're cast aside. The Senate approved Signal for staff use back in 2017. And they support end-to-end encryption! But just not for group video chats.
Another benefit of Signal is that you can add in an extra layer of security by having a separate pass code or requiring another level of authentication to get in.
Apple's FaceTime has always been end-to-end encrypted, and even group Facetime supports end-to-end encrypted chats for up to 32 participants. The biggest downside is that all users must have an Apple device to do a FaceTime. There are also reports out there of poor quality with group FaceTime, users are better off with more modern devices and a strong internet or wireless connection. Apple had an issue with their group FaceTime but this was fixed back in February 2019. Just make sure your device is running the most up-to-date software.
Discord unfortunately does not support end-to-end encryption, however it does take other aspects of security more seriously than many other companies (cough Zoom). It has a bug bounty program, it supports two factor authentication, and it gives power to the server admin to kick out members who shouldn't be there. There is a also a section in the settings that allows users to request all their own data. Despite all that, Discord's policies tend to be far more reactive than proactive. Messages are logged, so in case of a report (related to criminal activity for example), the Discord team still has access to it. There are mechanisms in place to prevent team members from abusing this privilege.
Discord got some bad press in 2017 and 2018 because private channels were used in 2017 and 2018 to plan white nationalist demonstrations. They then worked to shut down white nationalist and other hateful servers as well as ban users.
Skype is trying, it really seems like they are, but they just haven't hit the mark yet. They technically now support end-to-end encryption in their chat conversations, using the Signal Protocol from Open Whisper Systems. But this isn't automatic, nor does it apply to video calls. You have to go in and select "New Private Conversation" and then all calls and messages within that conversation will be encrypted end-to-end until the message is terminated. The problem seems that information is sketchy when it comes to having multiple private conversations going at the same time, most reporting looks like you can only have one private conversation at a time per device. Plus, this doesn't apply to group video conversations.
Webex is the closest in look and feel to Zoom, partly because Zoom's founder used to be an engineer at Webex. Webex supports end-to-end encryption, but the Webex site administrator needs to make sure this is enabled (it is disabled by default). Many of their best practices are similar to those of Zoom, but it is an easier interface to deal with.
There are a lot of options out there, and again it's always going to come down to some end of risk vs. reward. Some of the better options, like Google Duo, unfortunately only allow 12 participants per call. Others, like Webex are going to be easier to use, but don't have as solid of security or privacy.