If you don’t use secure messaging apps, now is a good time to start.
U.S. officials say a massive Chinese hacking campaign, dubbed Salt Typhoon, has compromised the communications of an unknown number of Americans. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have recommended that people switch to encrypted messaging and phone call options.
Most people don’t think too much about what apps they use to make calls or send texts. They assume some amount of security and privacy is built into their devices or provided by their phone carriers.
With no timeline on when the networks will be safe, and no guarantee it can’t happen again, it may be time to switch your chats to something safer. We’ll get you started.
What’s end-to-end encryption?
When you’re researching apps, what you’re looking for is something called end-to-end encryption, which is the standard for secure communications. That means that you can see a message on your phone, and the recipient can see it on theirs, but other parties along the way — the cell company, the company that makes your phone and any other middlemen — cannot see what it says.
Not all encryption is the same, and there are loopholes to look out for. For example, if you have a cloud backup option turned on, the company storing it might be able to access those files. Or if your app only encrypts in certain situations but not others, such as across different operating systems or in a group text, your messages aren’t always safe. Encryption might also mean that some information — say, the content of a call — is secure but metadata such as the date, time and number are not.
Who actually has to worry about this?
If you’re in a sensitive job, are an activist, journalist or dissident, or are traveling someplace where you’re worried about being targeted for something like being gay, increase your defenses. In general, everyone should have the right to private conversations, and thankfully it’s not too difficult to accomplish.
Hackers aren’t the only risk you should consider. Private conversations can be subpoenaed by law enforcement or shared without consent by other people in the chat.
What encrypted apps are best?
If you are low risk and just getting started, the best app depends on where you’re most likely to find your friends and family. Many third-party options, including Signal and WhatsApp, offer end-to-end encrypted messaging and phone calls.
“Signal is the easiest and works out of the box by default for everyone. WhatsApp is fine but collects more metadata,” according to Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation.
Signal is an open-source free tool made by a nonprofit that can be installed on a computer, iOS or Android device and works across platforms. WhatsApp, owned by Meta, is also considered a safe option. Make sure you have WhatsApp message backups turned off for extra safety.
If you are on Apple devices and exclusively talk to other people on Apple devices, then you can use Messages and Wi-Fi calling through FaceTime. However, any communications with people outside the Apple ecosystem won’t be encrypted. For extra safety, turn off iCloud backups of your chats.
The same goes for Google’s default messaging app on Android devices — it’s only encrypted if you’re speaking to other people on the same app.
Another option for one-to-one conversations is Facebook’s Messenger app, which made end-to-end encryption the default last year.
What are other best practices?
Loopholes and hacks are a real risk, but the weakest link is often humans. If the person on the other end of a conversation decides to copy, screenshot or photograph it to share with people outside the chat, encryption won’t stop them.
Avoid saying things in text messages that you don’t want to get out. Always protect your physical devices like phones, tablets and laptops with a passcode or biometric security. Turn on multi-factor authentication for any sensitive accounts instead of just using a password to log in.
Stick to reputable apps, and avoid tools where there’s any doubt. For example, don’t use direct messaging options on apps such as TikTok or X, and definitely don’t say sassy or fireable things on work chat apps such as Slack or Teams, or on devices owned by your employer. Employers can install software that tracks your communications.
Some apps, including Signal, have an option for disappearing messages. You can turn these settings on to keep your conversation history clear, your rants wiped from memory after a day or a week. On Apple devices, you can set all messages to only be saved for a set amount of time, like 30 days. Whatever you do, skip email.
This story was originally published at washingtonpost.com.