The Human Rights Act 1988 stipulates that “everyone has the right to respect for his private and family life, his home and his correspondence”. That means the government and state agencies can’t spy on your personal communications – at least, not without a court order.
Unfortunately, that doesn’t stop hackers and cybercriminals (or some governments). And the truth is that many of our communications are transmitted and stored insecurely. A malicious actor could intercept your messages in transit, or access them while they’re sitting on a provider’s servers – and then leak your personal information, forge messages using your identity or even blackmail you.
You can reduce the risk by using a secure messaging platform. The problem is that there are several options to choose from. To an extent your choice may be guided by what your colleagues are using, but it’s well worth understanding the strengths and weaknesses of each one, and how you can use them to keep your correspondence private.
iMessage
iMessage is the official Apple instant messaging service. It’s available in the Messages app for iOS, iPadOS and macOS, and at its launch in 2011 it was the first messaging service to use end-to-end encryption (E2EE) by default – meaning that your messages are encrypted on your device before being sent, and can only be decrypted by the recipient. Even though your communications are relayed through Apple’s servers, Apple can’t decode their content – and nor can any spies or hackers who might hypothetically intercept your messages.
To provide further security, if several devices are signed in to the same iMessage account – say, a Mac using an iCloud address, an iPad using a Gmail address and an iPhone using a phone number – then each one receives a uniquely encrypted message. The data received by any one of them would be a scrambled string if opened by one of the others.
In the latest versions of iOS, iPadOS, watchOS and macOS, as well as end-to-end encryption, iMessage includes a way to provide reassurance that the person you’re messaging really is who they say they are – as long as it’s someone who’s already saved in your contacts. The feature is called Contact Key Verification, and it works by generating a unique code that you can share with others to confirm your identity. To access it, tap Settings on your iPhone, followed by your name, then Contact Key Verification. From here you can create a code that contacts can check to confirm they really are communicating with you (and you can do the same in return).
For most of its lifetime iMessage has used encryption built on the AES standard, but Apple has recently begun rolling out a new “postquantum cryptographic protocol” called PQ3, which is designed to protect against the possibility of hackers using quantum computing methods to crack the encryption. PQ3 is available now in iOS and iPadOS 17.4, macOS 14.4 and watchOS 10.4; if you’re an iMessage user it’s recommended that you upgrade immediately, because while it’s not currently possible to decode iMessage encryption, there’s a possibility that hackers could gain access to archives of currently encrypted messages and decrypt them in the future, once the quantum technology is available.
Even though your communications are relayed through Apple’s servers, Apple can’t decode their content
While iMessage has a lot going for it, it also comes with one major limitation: it only works on Apple devices. If you’re exchanging messages with an Android user, the Messages app will do so using the old unencrypted SMS and MMS protocols. To give a visual indication of which platform you’re using, iMessages are shown in blue bubbles within the Messages app, while regular unsecured SMS communications appear in green bubbles.
If you choose to use iMessage, therefore, keep an eye on the colour of the bubbles appearing in Messages – and if they’re not all blue, consider switching to another messaging service, such as Signal or WhatsApp, which allows users on all platforms to communicate securely.
RCS
RCS – short for Rich Communication Services – isn’t an app, but a standard that any messaging service can implement. Originally released in 2008 as an intended replacement for SMS and MMS, it supports smart features such as typing indicators, read receipts and file sharing, much like WhatsApp. Android has supported RCS for more than a decade, and while RCS isn’t natively encrypted, Google added its own E2EE layer (based on the Signal Protocol) in 2020. Encrypted RCS is now the default for all communications through the Google Messages app, so if you’re exchanging messages with an Android-using colleague, you should see a little padlock icon indicating that you’re protected.
Unfortunately, as with iMessage, RCS isn’t universally supported. Apple has long resisted building it into its Messages app, preferring to stick to its proprietary messaging platform. And although the company recently announced it would be adding RCS support to the next full-point release of iOS and iPadOS, it doesn’t plan to support Google’s encryption system. That means RCS messages between Android and iOS users will still be insecure, and will appear in green bubbles like SMS and MMS messages.
Signal
Signal is one of the most popular secure messaging platforms, for several reasons. For one, it’s not restricted to any platform – you can get the official app for Android, iOS, iPadOS, Windows, macOS and various flavours of Linux.
It also has all the features you’d expect of a modern messaging platform, including text, video and voice communication, voice note support and the ability to exchange files with your interlocutors. Everything uses E2EE by default, and the Signal Protocol is so well respected that it’s used by Google for encrypting RCS messages and by WhatsApp.
The Signal app also adds some powerful features. You can verify the identity of the person you’re communicating with by scanning a QR code on their phone, or comparing a 60-digit string of numbers with the same string displayed on your handset (the same technique used to confirm contacts in WhatsApp). To verify a contact in Signal, tap their icon, then tap View Safety Number and use your phone to scan the QR code that appears.
Signal messages can also be set to disappear after a set period, at which point they’re deleted from both the sender’s and recipient’s handsets (a feature also offered by Telegram). Another neat feature is the ability to automatically blur faces in photos before they’re sent; this makes it easy to share images of protests and other sensitive events without potentially exposing or incriminating anyone.
Although you need a phone number to initially register your account, it doesn’t have to be the phone number of the device on which you’re installing Signal; it could even be a landline or VoIP number if you prefer. And once you’re on the platform, you can create and share a public username while keeping your number private.
Another feature we’d recommend Signal users look into is Registration Lock, which lets you assign a PIN to your user account, which must then be entered each time you log into a different device. This makes it very hard for anyone to impersonate you on the platform, while making it easy for you to hop onto a new device as needed – a particularly useful ability for anyone who frequently uses burner numbers or short-term VoIP accounts. Turn it on by tapping Settings in the Signal phone app, followed by Privacy, then Signal PIN. Then tap Registration Lock.
With all these protections in place, Signal is an excellent defence against eavesdroppers
Signal even lets you send messages semi-anonymously with its “sealed sender” feature. This technology encrypts your own identity so that the Signal servers can deliver secure messages to their recipients without ever even knowing who they’re from – and it’s automatically enabled if your message recipient has you in their contacts list.
With all these protections in place, Signal is an excellent defence against hackers and eavesdroppers. And since the operator stores almost no identifiable information about its users, even if it were ever required to hand over user data to lawenforcement agencies, it’s very unlikely it would be able to provide anything that could identify or incriminate any individual.
Telegram
The development of Telegram was inspired by a real-life incident. In 2011, its founder Pavel Durov (who also set up Russian social networking site VK) rejected government demands to shut down the pages of anti-Kremlin election candidates; shortly afterwards, he received a visit at home from a Russian SWAT team. The experience made him acutely aware of the value of private, secure communications, and he began work on Telegram.
Today, the company that operates Telegram is officially headquartered in Dubai, but it works from undisclosed locations and has a complex organisational structure consisting of several shell companies, designed to make it difficult to pin down legally.
In use, Telegram is similar to WhatsApp and Signal. Originally launched for iOS and Android, it now has native clients for Windows, macOS and Linux, and can also be accessed through a browser at web.telegram.org. It supports text-based messaging between individuals and groups, transmission of images and other media, and live voice and video calls.
Perhaps surprisingly, while voice and video connections on Telegram are fully encrypted by default, chats aren’t: regular messages are encrypted when they leave the user’s handset, but are decrypted on Telegram’s servers. To gain full security, users need to initiate a “Secret Chat”, which does use end-to-end encryption. The messages in a secret chat can also be set to expire after a defined period, at which point the content is wiped from all participants’ handsets, with no recovery possible.
There are a few limitations with Telegram’s secret chats. For maximum security the messages in a secret conversation can’t be forwarded to other users, and they’re locked to a device rather than a user account, so they won’t synchronise to multiple devices if you’re logged in to several at once.
It’s also worth noting that regular chats can’t be converted to Secret Chats in retrospect, so you’ll need to initiate the feature at the beginning of your conversation if you want to use it. To do so, open Telegram, then find the contact with whom you want to communicate securely. Tap their avatar or icon at the top of the screen, then tap the “…More” button on the bar running across the middle of the screen; this reveals several options, one of which is Start Secret Chat.
You can sign up to Telegram with your mobile phone number, but if you don’t want to associate any personal information with the service it’s also possible to obtain a nongeographic number with the 888 country code through the Fragment platform (fragment.com/numbers), and sign up using that.
WhatsApp is the world’s most popular non-native messaging platform, claiming two billion active users as of April 2024; for comparison, Telegram has “only” 900 million.
Notoriously, WhatsApp is owned by Meta, a company that hasn’t always had a great reputation for protecting users’ privacy and personal data. However, WhatsApp has been fully end-to-end encrypted since 2016; all messages and other data – such as photos, videos and voice notes – are scrambled at the point of creation, using the same encryption method as Signal, and only decrypted when they arrive at the recipient’s device. This means that nobody who intercepts your messages in transit should be able to view their contents – including Mark Zuckerberg.
However, it’s important to remember that once encrypted messages reach their destination, they can be read, stored and shared just like any other data. This is particularly pertinent in the case of WhatsApp, as many businesses use it for customer service; companies that you interact with on the platform can still process your messages in accordance with their own privacy and data-protection policies, and data relating to your interaction may be shared back to Meta.
This isn’t necessarily as sinister as it may sound. It just means that, for example, a business might use the content of your message to determine whether you should be shown an ad on Facebook, or it could ask Meta to generate a response using AI. Meta sometimes uses the chats it processes to improve its own AI quality; look out for the tag “uses AI from Meta” below the company name, if you’d prefer that your data isn’t used in this way.
There aren’t many security settings to play with on WhatsApp – it’s a highly secure platform by default. It doesn’t store messages once they’ve been delivered, and doesn’t even keep logs of delivered messages (undelivered messages may remain on its servers for 30 days, after which they’re deleted). Another benefit of the Signal Protocol is that the encryption keys change regularly, so even if someone managed to extract them from your device, the compromised keys couldn’t be used to decrypt previously transmitted messages.
If you have any doubts about who you’re talking to, there is a way for you and your correspondents to view and compare your encryption keys. To do so, open a chat on your phone, then tap your contact’s name to open the contact information screen. Now tap Encryption to reveal a QR code and a 60-digit key. If you’re in the same place as your colleague you can each scan the code on each other’s phone to verify that it’s valid; otherwise you can share copies of your 60-digit keys to confirm that they match.
Picking a platform
While each of the mainstream messaging platforms offers some sort of encryption, it’s clear that not all platforms are equally secure by default, or don’t necessarily offer protection for all communications. It’s also vital to remember that E2EE is only as secure as the person you’re sending your messages to. We’ve all seen screenshots of politicians’ WhatsApp groups, which have been leaked to the press and shared with the public.
As well as choosing an appropriate platform and implementing its security options as appropriate, therefore, remain mindful of the low-tech ways your words can come back to haunt you. No matter how much you may trust the platform, it’s safest to avoid saying anything in a private chat that you wouldn’t want to be made public.
@PCPRO
