Standardizing by Running Code: The Signal Protocol and De Facto Standardization in End-to-End Encrypted Messaging

Abstract

In the wake of the Snowden revelations, encryption of communications at a large scale and in a ‘usable’ manner has become a matter of public concern. This turning of encryption into a ‘political’ issue, coupled with seminal secure messaging protocols such as PGP (Pretty Good Privacy) and OTR (Off-the-Record Messaging) starting to show their age in terms of security and usability, has led to renewed efforts by the cryptography community (in particular by academic and free software colectives) to create next-generation secure messaging protocols. One of the leading motivations behind this effort consisted to facilitate key exchange and key verification process, previously identified as the main obstacles to the mass adoption of encryption (Whitten & Tygar, 1999). The most advanced and popular of these next generation protocols is currently the Signal Protocol (formerly Axolotl, firstly introduced in Signal and adopted or forked by other instant messaging applications, ranging from WhatsApp and Wire to Matrix and Conversations). While the Signal protocol is widely adopted and considered as an improvement over both OTR and PGP, it remains officially unstandardized, even though there is an informal draft elaborated towards that goal by the protocol’s creators, Trevor Perrin and Moxie Marlinspike. This paper analyses the reasons behind this absence of official standardization and explores how and why, in parallel, a de facto standardization process is happening in the field of end-to-end encrypted messaging that mostly revolves around the development and adoption of the Signal protocol. Drawing from an ongoing three-year investigation, from an STS perspective, of end-to-end encrypted messaging, we seek to unveil the ‘subtle’ processes that make the Signal protocol a quasi-standard. In its conclusions, the paper seeks to comment on the governance implications of this quasi-standardization process, both for the end-to-end encrypted messaging field and for the main existing Internet governance standardization bodies, such as the IETF.