When top White House defense and national security leaders discussed plans for an attack on targets in Yemen over the messaging app Signal, it raised many questions about operational security, recordkeeping and national security laws. It also put Signal in the spotlight.
Author
- Frederick Scholl
Associate Teaching Professor of Cybersecurity, Quinnipiac University
Why do so many government officials, activists and journalists use Signal for secure messaging? The short answer is that it uses end-to-end encryption, meaning no one in position to eavesdrop on the communication - including Signal itself - can read messages they intercept.
But Signal isn't the only messaging app that uses end-to-end encryption, and end-to-end encryption isn't the only consideration in choosing a secure messaging app. In addition, secure messaging apps are only part of the picture when it comes to keeping your communications private, and there is no such thing as perfect security.
I'm a cybersecurity professor who worked for several decades advising companies on cybersecurity. Here are some of the factors I recommend considering when looking for a secure messaging app:
Secure app choices
The most common messaging protocol, SMS, is built into every smartphone and is easy to use, but does not encrypt messages. Since there is no encryption, carriers or government agents with warrants, which are typically submitted by law enforcement and issued by a judge, can read the message content. They can also view the message metadata, which includes information about you and your recipient, like an internet address, name or both.
Truly secure messaging is based on cryptography, a mathematical method to scramble data and make it unreadable. Most secure messaging apps handle the scrambling and unscrambling process for you. The gold standard for secure messaging is end-to-end encryption. End-to-end encryption means your message is fully encrypted while in transit, including while transiting the communications provider's networks. Only the recipient can see the message. The communication provider does not have any encryption key.
Apple iMessage and Google Messages use end-to-end encryption, and both are widely used, so many of your contacts are likely already using one of them. The downsides are that the end-to-end encryption works only iPhone to iPhone and Android to Android, respectively, and that Apple and Google can access your metadata - who you communicated with and when. If a company has access to your metadata, it can be compelled to share it with a government entity.
WhatsApp, owned by Meta, is another widely used messaging app. Its end-to-end encryption works across iOS and Android. But Meta has access to your metadata.
There are a number of independent secure messaging apps to choose from, including Briar, Session, Signal, SimpleX, Telegram, Threema, Viber and Wire. You can use more than one to adapt to your individual needs.
Default end-to-end encryption is only the first factor to consider when thinking about message security. Depending on your needs, you should also consider whether the app includes group chats and calls, self-destructing messages, cross-device data syncing, and photo and video editing tools. Ease of use is another factor.
You can also consider whether the app uses an open-source encryption protocol, open-source code and a decentralized server network. And you can weigh whether the app company collects user data, what personal information is required on sign-up, and generally how transparent the company is.
Human factors
Beyond the messaging app, it's important to practice safe security hygiene, like using two-factor authentication and a password manager. There's no point in sending and receiving messages securely and then leaking the information via another vulnerability, including having your phone itself compromised.
People can be lured into compromising their apps and devices by unintentionally giving access to an attacker. For example, Russian operatives reportedly tricked Ukrainian troops into giving access to their Signal accounts.
Also, if you use Signal, you should probably use its nicknames feature to avoid adding the wrong person to a group chat - like National Security Adviser Michael Waltz apparently did in the Signalgate scandal.
Frederick Scholl does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.