TOC

How We Protect Your Messages: E2E Encryption

5 min read850 words
securityencryptionprivacye2emessaging
End-to-end encryption explained with lock icons and security badges showing AES-256 and Argon2id
End-to-end encryption explained with lock icons and security badges showing AES-256 and Argon2id

How SpokeToWork Protects Your Messages

The Bottom Line

Your messages on SpokeToWork are end-to-end encrypted. This means we literally cannot read them—only you and the person you're messaging can. Even if someone broke into our servers, your message content would be scrambled nonsense to them.

Why We Built This

Most social networks can read your private messages. Not because they're nosy (hopefully), but because of how they're built. Your messages sit on their servers in readable form, protected only by company policies and employee access controls.

We wanted something different. We believe private conversations should actually be private—not just from hackers, but from us too. Learn more about our authentication system that works alongside this encryption.

How It Works (The Simple Version)

Imagine you have a special lockbox:

    • Your password creates your unique key - When you set up messaging, your password transforms into a digital key that only you have. We never see this key.
    • Every message gets locked before sending - Before your message leaves your device, it gets scrambled using your key and the recipient's key together.
    • Only the recipient can unlock it - The scrambled message travels through our servers to the other person. They use their key to unscramble it.
    • We only see scrambled text - Our servers store your messages, but they're just random-looking characters to us. We couldn't read them even if we wanted to.

How We Compare to Other Platforms

Platform comparison chart showing SpokeToWork vs Facebook, Instagram, Twitter, and WhatsApp - only SpokeToWork and WhatsApp use encryption

WhatsApp also uses encryption, but there's a key difference: they control the key generation process. With SpokeToWork, your keys come from your password on your device—we're never involved in creating them.

What We're Honest About

No security system is perfect, and we believe you deserve to know our limitations:

We protect your message content, not everything

  • Protected: The actual words you write
  • Not protected: Who you message and when (we need this to deliver messages)
Think of it like the postal service: they can see you sent a letter to someone, but they can't read what's inside.

Your password is crucial

If you forget your messaging password, we cannot recover your old messages. This is actually a security feature—it means we truly don't have access—but it also means write down your password somewhere safe.

We haven't had a professional security audit yet

We built this using industry-standard techniques recommended by OWASP (the same math that protects banking websites), but we're a small team and haven't paid for a formal security audit. We're transparent about this.

One password, all messages

If someone gets your password, they could read all your messages (not just new ones). Some messaging apps like Signal rotate keys constantly to prevent this, but it would mean you couldn't access messages from a new device. We chose convenience here—but it's a tradeoff you should understand.

Your Questions Answered

Q: What happens if you get hacked? A: Hackers would get scrambled data. Without your password (which we don't have), they can't unscramble it.

Q: Can you read my messages if law enforcement asks? A: No. We literally don't have the ability. We can only provide the scrambled version, which is useless without your password.

Q: What if I forget my password? A: You'll need to set up encryption again with a new password. Old messages will be unreadable. Sorry—that's the price of real privacy.

Q: Is this the same as Signal? A: Similar concept, different implementation. Signal uses a more advanced protocol with additional protections. We use proven cryptography but simpler key management.

Q: Should I trust this for highly sensitive information? A: We'd recommend dedicated secure messengers (Signal, etc.) for extremely sensitive communications. SpokeToWork's encryption is solid for normal private conversations, but hasn't been audited like those specialized apps.

The Technical Details (For the Curious)

If you're interested in the specifics:

  • Key derivation: Argon2id (memory-hard, time-hard)
  • Key exchange: ECDH with P-256 curve
  • Message encryption: AES-256-GCM
  • Random IV: 96 bits per message
These are all industry-standard, OWASP-recommended algorithms.

Have questions about our security? We're happy to discuss—transparency is part of our commitment to you. Check out our other blog posts or reach out anytime.

TurtleWolfe
TurtleWolfe
Software Craftsman

Discussion