Your texts are not as secure as you think

by: Steven Petrow

I decided to conduct a fun little exercise while writing this column, which is about the cyber security of your text messages. I went back and reviewed the last twenty texts that I had sent, to see how I’d feel if they were broadcast to the world.

Among the sampling were routine matters like dinner dates and my upcoming college reunion. I couldn’t care less if anyone else read those, although I’d prefer to be the one disclosing any information. But a few of them gave me pause: A text volley with a friend who is thinking of leaving her husband. Exchanges about my mother’s recent hospitalization. A highly personal financial discussion with my sister. No doubt about it, I—and those on the other end of the messages—would be extremely unhappy if those got out.

After being hacked in February, I hadn’t really had time to dig into my text options fully. Until this week, that is. The big news recently is that the messaging service WhatsApp now promises “end-to-end encryption” on all texts, videos, photos, and group chats sent by any one of its users to another one of its users. That’s one billion people and counting.

“End-to-end encryption is when you have a message at one end, on your phone, and before you send it to another person it’s encrypted in such a way that only the recipient can decrypt it,” explained Micah Lee, a security technologist in San Francisco. For those whose brains get foggy with tech language, I like to think of “encryption” as locking the door with a key. Decrypting is unlocking the door — you need that same key. Bottom line is that you want your messages to stay locked up, or encrypted, from the moment you hit send to the second they’re read.

“Unfortunately, with normal SMS [text messages] you have very little privacy because they’re not encrypted,” said Lee, who was a staff technologist with the Electronic Frontier Foundation before joining investigative website The Intercept, in part to help protect its journalists from hacking.

When I queried him about how important this is to most of us, he explained: “There are a lot of different things to be concerned about, like private messages with your boyfriend or girlfriend, trade secrets if you’re starting a business, or say you’re an activist trying to organize a local protest.”
This is not insignificant — protection against snooping is why our Founding Fathers wrote the Fourth Amendment.

Lee soon convinced me that end-to-end encryption is what I need, so I took a deeper dive into WhatsApp.

WhatsApp has the advantage of using encryption “by default” — meaning you don’t have to turn it on. That’s good (because if you’re like me, you may forget). FaceTime, Apple’s iMessage, and Signal all have this same excellent level of protection. But all of these services only work on messages sent from the app to other app users.

That’s still a cut above other popular apps like Snapchat, Kik, Facebook Messenger, Yahoo Messenger and Skype, which only provide “encryption in transit,” according to the Electronic Frontier Foundation’s Secure Messaging Scorecard. That means messages are only secure between your phone and the nearest cell tower, but not all the way through to the recipient.

  1. End-to-end encryption is the gold standard, and WhatsApp, Signal and iMessage are best in class. They’re all free, as well.
  2. Remember that even if you use a service providing end-to-end encryption, texts become vulnerable if the recipient does not. “You both need to be using the same app,” Lee reminded me a couple of times.
  3. Security experts recommend apps that use “open-source” software, which means that the code is publicly available and tech gurus can make sure there are no bugs or backdoors. “They can make sure it’s doing what it claims to be doing,” said Lee. Apple’s code is not open source, which means users must trust but cannot verify what’s promised.
  4. Nothing is foolproof: While the content of your text messages is secure when using services like WhatsApp, your metadata is vulnerable, which means that the existence of text messages can be determined. Said Lee, “Just by monitoring metadata it would be pretty easy to tell if someone is cheating on their partner, is looking for another job, or had an abortion or is a member of the NRA.” Yikes.

Above all, don’t forget to use common sense when texting. Use a passcode on your device. And be sure to enable the “Lost Phone” feature on your phone in case it is stolen.

Credit: USA Today