Oct. 21, 2021
When you pick up your phone to communicate with a friend, partner, or colleague, you likely assume your messages will remain private. Whether you are texting, messaging, chatting, or video-calling one or more people, there are many different services, applications, and systems that you can use—all with varying levels of security.
Many of these apps and services use some form of encryption to protect communications from eavesdropping by third parties. Encryption is the process of taking information in its original form and scrambling it so that it is unintelligible to anyone but the intended recipients. Given the amount of information we share online and the amount of time we spend online, everyone connected to the Internet benefits from the security and privacy that encryption provides. Access to the information found in our communications can reveal a lot about our private lives, and expose individuals to targeting by advertisers, malicious actors, or app makers themselves. For some groups, such as minorities targeted by the government, the consequences of having communications intercepted can be especially dangerous.
When it comes to encryption and privacy, not all communications services are created equal. Some apps implement encryption by default—the gold standard—but many apps still place the onus on the user to complete certain steps before their communications are fully encrypted. Further, the forms of encryption these services use can vary greatly. End-to-end encryption is the most privacy-preserving form, in which the contents of a transmitted message are only visible to the sender and recipient, or the two “ends” of that communication. If the message is intercepted by a third party, or by the platform itself, that party will be unable to decipher the contents of the message. With end-to-end encryption, the message remains encrypted even as it travels from sender to server to receiver, thereby protecting the confidentiality of the message, and making the contents of the message less vulnerable to interception. End-to-end encryption gives users the agency to choose exactly who the recipients of their communications are, and the security to converse freely without fear of their messages or calls being read or heard by anyone else.
So which apps and services offer the strongest protection? Which messaging apps fall short by offering less than full end-to-end encryption? With so many tools for encrypted communications, which are the most important features? What security protections should users be looking for when deciding how they would like to communicate? When should users choose certain tools over others? Although these are complicated questions, there are a few basic factors that could help an average user choose one tool over another.
One-to-one messaging refers to communication between one sender and one recipient. This could include a user messaging an acquaintance on Facebook Messenger or contacting their grandmother on Apple iMessage. It is particularly important for companies to offer end-to-end encryption in one-on-one messaging because this is where more personal conversations are likely to happen, including those involving medical or financial information.
However, some of these tools are not encrypted end-to-end by default, which is important because it means users must remember to turn on encryption if they want their messages to be protected. Apps that offer end-to-end encryption by default for one-to-one messaging include Signal, Facebook’s WhatsApp, Viber, Wire, and Wickr. Services that offer end-to-end encryption, with some caveats, for one-to-one messaging include Google Messages, Apple iMessage, and Facebook Messenger.
For Google Messages, end-to-end encryption is only available when chat features are turned on, and only for messages sent using the RCS protocol, but not for those sent with SMS or MMS protocols. With Facebook Messenger, users must turn on the “Secret Conversations” feature in their settings for each individual conversation in order to enable the provided encryption; even then, the encryption is only offered for mobile devices and tablets, but not computers. Signal makes end-to-end encryption between Signal users automatic on all devices, but if an Android user makes Signal their default messaging app, they may send and receive SMS and MMS messages within Signal that are not encrypted. With Apple iMessage, all messages between iMessage users are end-to-end encrypted, but again, users can still send and receive SMS and MMS messages. However, if you have iCloud backup enabled on your device, Apple has a copy of your iMessage encryption key, which it can use to decrypt and read or share your messages.
It is important for users to distinguish between services that offer encryption by default and those that don’t so that they are better able to make decisions about which platforms are appropriate for more private conversations or more personal information. If users must communicate over services that require user action to enable encryption, they should complete the necessary steps as soon as they download the app to ensure that all future conversations are protected. However, this is not possible on every app, so users should tread carefully. For example, Telegram is another app where, like Facebook Messenger, users must switch on the “Secret Chats” feature if they want end-to-end encryption for one-to-one messages. Not only do users have to manually enable end-to-end encryption for every conversation, they must also do so every single time they pick that conversation up. This is particularly deceptive because Telegram has built itself a reputation for being highly secure and trustworthy. Unfortunately, despite security professionals calling attention to Telegram’s lack of security for many years, the app now has over 500 million users, many of whom recently joined after becoming disgruntled with other messaging services.
Group messaging is a conversation between multiple people as senders and recipients. This could include five students coordinating a study group over Signal, or twenty-five people sharing life updates through a WhatsApp group chat. End-to-end encryption for group messaging is crucial in many scenarios, as it can be used for communication and coordination among grassroots organizers, political dissidents, human rights activists, and journalists.
However, end-to-end encryption is more difficult with group messaging. There is no one-size-fits-all solution to the mathematical problems that encrypting group messages entails. Accordingly, encrypted group messaging is offered by fewer providers than one-to-one encrypted messaging. Some services that offer end-to-end encryption by default for group messaging include Signal, WhatsApp, Viber, Wire, and Wickr. Systems that offer end-to-end encryption, with some caveats, for group messaging include Apple iMessage and Facebook Messenger. Apple iMessage only offers end-to-end encrypted group messaging when all the participants in the conversation have Apple devices. As with one-to-one messaging, Android users who make Signal their default messaging app and iMessage users communicating with non-Apple users may also receive SMS and MMS messages that are not encrypted. Google Messages does not offer end-to-end encryption for group messaging at all.
In 2019, security researchers identified multiple flaws with WhatsApp’s group messaging function, including the ability to decrypt and manipulate the content of a text, and the ability to alter the identity of a sender. WhatsApp also patched a vulnerability in 2019 that allowed hackers to send a group message which would cause the whole application to repeatedly crash for the users in that group until they deleted and re-downloaded the app without that particular group chat. These examples show how platforms can unwittingly betray our trust, even when they purport to be committed to privacy or security. While companies may not be intentionally deceptive about their encryption practices and the range of protection they offer, users rarely have the full picture of what is happening on the technical side, and undiscovered vulnerabilities in the code may mean that platforms themselves are unaware of their security holes.
Other Non-Text-Based Communications
There are two other types of communication that might be included in encrypted applications: audio calls and video calls. These calls are made through an app or service with an internet connection rather than through a phone carrier, such as T-Mobile or Verizon, which requires a phone signal. End-to-end encryption of audio and video calls is particularly important because people often discuss extremely sensitive information using these forms of communication. Users might not want to send a particular statement in writing, and instead opt for an audio or video call. But without end-to-end encryption protecting the call, it may actually be more vulnerable to interception or eavesdropping than a text-based message. And during the pandemic, users have replaced many important in-person interactions, including visits to the doctor’s office, meetings with friends, and job interviews, with video calls. In the same way a person might close the door to a room before having a private conversation, it is important to make sure the apps we use have analogous virtual protections, including end-to-end encryption.
Systems that offer end-to-end encryption by default for audio and video calls include Signal, Wire, Wickr, and Google Duo (though messages sent during the call are not). Services that offer end-to-end encryption, with some caveats, for audio and video calls include Apple’s FaceTime, Facebook Messenger, and Skype. Signal offers default end-to-end encryption for all audio calls and video calls, whether for one-on-one or group conversations. This is important, because users don’t have to worry about manually turning on encryption before making a call, or for any particular conversations. Apple FaceTime provides default end-to-end encryption for audio calls and video calls, and now offers this encryption for calls made over FaceTime between an Apple user and a non-Apple user. For Facebook Messenger, as with other communications on the app, you must opt in to the “Secret Conversations” feature to turn on end-to-end encryption for one-on-one audio and video calls, but it has only recently started to roll out end-to-end encryption for group audio and group video calls. Putting the onus on users to activate the feature is already a needless barrier to increased security, made worse by the fact that they must remember to do so for every other user they communicate with.
Zoom purported to offer end-to-end encryption for its video call services starting in 2016, and is now facing a lawsuit from the Federal Trade Commission. Not only were calls not end-to-end encrypted, meaning that Zoom had access to the content of user meetings, but recordings of calls (which were also supposed to be stored using end-to-end encryption) were stored for up to 60 days without encryption. This became especially problematic when Zoom emerged as the primary communication tool for both workplace and personal conversations during the COVID-19 pandemic. By April 2020, Zoom had over 300 million users relying on its promise of end-to-end encryption for events as varied as weddings, layoffs, and court proceedings.
The ability to communicate securely and privately is extremely important for individuals’ peace of mind, confidence, relationships, and livelihoods. End-to-end encryption is a crucial tool that provides users with this ability, and we hope that in the future, we will see all communications services offer end-to-end encryption by default. Currently, not enough services have made improving encryption for their products a priority; instead, they are placing the burden on users to pay attention and take steps to protect themselves. These platforms are capable of providing end-to-end encryption by default, so it is not a matter of what is possible, but rather a matter of what they choose to offer. For now, our best option is to vote with our apps just as we vote with our feet; that is, to support those applications which are more privacy- and security-focused.