Technology

Why the U.S. government is saying all citizens should use end-to-end encrypted messaging

Why the U.S. government is saying all citizens should use end-to-end encrypted messaging

Think twice before sending your next text message. Or better yet, make sure you are using an end-to-end encryption method.

Consumers regularly use different types of messaging technology from the biggest technology companies including Apple, Alphabet and Meta Platforms, including iMessage, Google Messages, WhatsApp and SMS, but the level of protection varies. Now, the U.S. government is expressing greater concern after a recent massive hack of the nation’s largest telecom companies. 

Last month, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation revealed a campaign by hackers associated with China, Salt Typhoon, that compromised AT&T and Verizon, and others, and was one of the largest hacks of U.S. infrastructure in history. Following that warning, CISA, the National Security Agency, the FBI and international partners published a joint guide to help protect Americans. One suggestion is to use end-to-end encryption, a method that makes communications more secure.

End-to-end encryption helps ensure that only the intended recipients can read your messages as they travel between your phone and another person’s phone. Secure messaging apps use end-to-end encryption to protect communications from hackers, surveillance and unauthorized access, so even messaging app providers can’t read your messages.

“All things being equal, if you have the opportunity to use a platform that’s end-to-end encrypted, you should,” said Michael Hughes, chief business officer of Duality Technologies, which allows organizations to share and analyze sensitive data using encryption.

Many consumers don’t know their options for communicating securely over messaging apps. Here are the basics.

WhatsApp, Signal among best end-to-end options

Consumers use different messaging apps for various purposes, often without giving a second thought to security. However, there are notable differences among platforms that people need to be aware of. 

From a security perspective, free messaging apps like Meta’s WhatsApp and Signal — whose co-founder was one of the creators of WhatsApp — are considered the best because end-to-end encryption is built in. That makes these apps highly preferable to SMS and MMS, two older methods of messaging that don’t offer end-to-end encryption, said Trevor Horwitz, founder of TrustNet, a cybersecurity and compliance services provider.

Even platforms considered the best for end-to-end encryption have downsides. Signal is a favorite among many privacy enthusiasts because its mission emphasizes not collecting or storing sensitive information. This can be especially compelling for people who are wary of WhatsApp’s parent Facebook and its privacy practices. The downside to Signal is it’s not as widely used as WhatsApp and if your contacts aren’t on it, you can’t communicate, said Roger Grimes, an analyst at KnowBe4, a security platform provider.

There are also paid messaging apps that are end-to-end encrypted, such as Threema. It’s privacy by design and no phone number or email address is required, but it costs a few dollars, and getting your friends and family to join when there are free options that are already popular might be a challenge.

Most people will use encryption “if it’s default and they don’t have the slightest inconvenience,” Grimes said.

RCS and iMessage

Many messaging platforms now use RCS, which stands for Rich Communication Services. It’s a successor to SMS and MMS that has enhanced features and also offers the ability for end-to-end encryption, though not by default on all devices. For example, RCS messages using Google Messages are automatically upgraded to end-to-end encryption, but Apple’s implementation of RCS on iPhones is not end-to-end encrypted, Horwitz said. 

For any Apple device user, the company’s proprietary iMessage app is end-to-end encrypted, but for users sending RCS messages through other text plans, such as a mobile carrier text option, end-to-end encryption isn’t offered. As Apple explains itself of sending messages through non-iMessage RCS options: “They’re not protected from a third-party reading them while they’re sent between devices.”

Additionally, not all devices are compatible with RCS and it’s not universally supported by carriers. Plus, there are compatibility issues between some iPhone and Android devices that are still being worked out, Horwitz said. 

Facebook Messenger gaps in encryption

It’s even more complicated because technology companies have multiple messaging products and not every application from a particular provider supports end-to-end encryption in the same way. For example, Facebook Messenger offers end-to-end encrypted messages, but not in all cases. According to Facebook, some products don’t currently support end-to-end encryption, such as community chats for Facebook groups, chats with businesses or accounts using business messaging tools, Marketplace chats and others. 

Consumers should try to dig deeper into the apps they are using to understand how end-to-end encryption works for a particular app, said Deirdre Connolly, cryptography standardization research engineer at SandboxAQ, an AI applications developer. This information is often available in the support or privacy section of a provider’s website. But even then, it can be hard to find and decipher. “You have to go into the fine print,” Connolly said.

Google vs. Apple

Google Messages is the default messaging app on many devices running the Android operating system and many people use it to communicate, but consumers need to understand that not all messages sent or received using the app are end-to-end encrypted. The app supports end-to-end encryption when messaging other users using Google Messages over RCS, according to the company. But messages aren’t end-to-end encrypted when communicating with an iPhone user, for example. Text messages appear dark blue in the RCS state and light blue in the SMS/MMS state. Users will also see a lock symbol when end-to-end encryption is active in a conversation. 

In Apple’s case, communications between two iMessage users are end-to-end encrypted, but iMessage is an Apple-specific platform. That means, at present, communications between iMessage users and Android device users aren’t end-to-end encrypted. A green message bubble instead of a blue one indicates the message was sent using MMS/SMS instead of iMessage.

In fact, a Department of Justice antitrust case against Apple harps on the failure to offer end-to-end encryption outside its iOS messaging app as a monopoly concern.

Protocols are being developed to allow end-to-end encryption between different communication platforms using RCS, but that’s still a work in progress. “Work with key industry stakeholders is progressing well and we look forward to updating the market in the coming months,” said a spokesperson for GSMA, an industry organization spearheading this effort. 

Phone settings and ongoing risk of hacks

One thing people should do is check the settings on their phones. Many consumers have older phones and those who don’t have auto updates enabled may miss critical security updates, which could include messaging apps that allow for end-for-end encryption, said Chris Henderson, senior director of threat operations at Huntress, a cybersecurity company. Also, with a new phone, settings on transferred apps might not migrate. If you have enabled end-to-end encryption for apps on your prior phone, it’s also a good idea to check that the settings are enabled on the new phone as well, Henderson said.

End-to-end encryption is not foolproof because hackers can intercept users’ communications in other ways, such as if the device itself is compromised, Horwitz said. For security purposes, it’s also important to keep your devices healthy by installing all software updates, avoiding sketchy downloads, and performing periodic reboots.

Even so, using end-to-end encryption is a good practice, when available. “Threat actors go where the masses go,” said Kory Daniels, global CISO for Trustwave, a cybersecurity and managed security services provider. “If the masses are still using unencrypted communication methods, [bad actors] will continue to exploit the opportunity until users begin to evolve their digital behaviors.”