Your Texts May Not Be Secure, According to the FBI


“The FBI says you should stop texting” sounds like something your estranged uncle would post about on Facebook, but it’s actually true: Both the FBI and CISA (Cybersecurity & Infrastructure Security Agency) are sounding the alarm around certain texting platforms, and, in some cases, phone calls themselves.

To simply leave it at that, however, would be massively misleading. America’s security agencies don’t think you should do all your communicating by snail mail. Instead, they’re specifically concerned with citizens using insecure means of communication, and are encouraging them instead to use secure, end-to-end encrypted options. Here’s why.

“Salt Typhoon” is compromising Americans’ security

This current wave of concern stems from Salt Typhoon, a hacking group thought to be run by the Chinese government. In recent months, Salt Typhoon has compromised the privacy and security of many Americans, both private and public citizens. The group is accused of hacking 80 telecom groups, including U.S.-based providers that the federal government relies on for wiretapping purposes. (Verizon and AT&T were both affected.) These hackers reportedly tapped the phones of President-elect Trump and Vice President-elect Vance, as well as the phones of staffers for the Harris campaign.

Through these attacks, the FBI and CISA say hackers stole “a large amount of metadata,” including, in limited cases, phone calls and messages.

It’s not just Salt Typhoon, either. Insecure messaging has long been a concern of security experts and professionals. These hackers may have been the catalyst to get the FBI and CISA to warn Americans about it, but it’s good practice to ensure your communications are always protected.

Where encryption comes into play

While it doesn’t appear at this time that hackers are routinely scraping and monitoring everything you text or say on the phone, they’ve been able to access the contents of these communications at all because of a lack of end-to-end encryption.

In brief, end-to-end encryption (E2EE) protects the contents of messages and calls between recipients. The contents here are scrambled through encryption, so to an unauthorized user, your text appears to be a jumble of meaningless characters. The only way to unscramble the message is to have the “key,” which, in our case, lies in the apps of the recipients in question. So, when you send a message from an E2EE app to another user with E2EE, that message is only readable by the two of you. The same goes for messages in E2EE group chats, or E2EE audio calls.

The issue is that traditional phone calls are not E2EE, and neither are SMS text messages. (When the FBI says “don’t text,” what they mean is don’t use insecure texting methods like SMS.)

You may already be communicating securely

The thing is, many (if not most) of your communications may already be E2EE. If you have an iPhone and you only message other iPhones, you’re using Apple’s iMessage, an E2EE message platform. (The blue bubbles are a giveaway.) Android users who use recent versions of Google Messages are also likely communicating through RCS, not SMS, and are able to take advantage of E2EE—just look out for the little “lock” icon that appears when messaging. FaceTime calls, both audio and video, are encrypted, too.

However, there are far too many instances where messages and calls are not E2EE. Traditional phone calls, for example, are not E2EE. SMS, as noted above, is not E2EE. Even when you’re trying to avoid SMS, it pops up: Since RCS requires an internet connection, for example, your phone might default to SMS when messaging in low-signal areas. The same goes for iMessage.

But even when you have a good connection, RCS isn’t always encrypted, either. Sure, if you have two Androids messaging through Google Messages, you’re likely protected, but using RCS between Android and iPhone isn’t encrypted. A conversation between an Android using another messaging app and an Android using Google Messages is also not encrypted.

When in doubt, use a dedicated app

The only way to guarantee your messages and calls are encrypted end-to-end is to use a service that guarantees the practice with all communications.

While there are a number of messaging platforms that offer E2EE, the go-to recommendation is Signal. Signal’s messages and calls are always E2EE, so there’s no risk of your communications being intercepted—as long as someone doesn’t get a hold of the other person’s device, of course. WhatsApp is also an E2EE platform by default. While Meta has plenty of privacy and security concerns as a company, WhatsApp is an exception. I understand some security-minded users’ concerns in using a Meta product, but if you’re one of the billions already using it, you can keep using it securely.

There are apps with E2EE options that aren’t E2EE by default. Messenger (formerly known as Facebook Messenger) now uses E2EE as the default, but existing chats (especially group chats) might still be unencrypted, so be careful. Telegram and Instagram also offer E2EE, but you have to choose to message with encryption. If you just download the apps and message away, you’re not much better off than using SMS.

Remember, too, that this isn’t just about messaging and calling with your phone. All your devices need to be considered. If you message or call people from your tablet or computer, make sure the apps you use are E2EE by default.