LONDON (AP) — After a sprawling hacking campaign exposed the communications of an unknown number of Americans, U.S. cybersecurity officials are advising people to use encryption in their communications.
To safeguard against the risks highlighted by the campaign, which originated in China, federal cybersecurity authorities released an extensive list of security recommendations for U.S. telecom companies — such as Verizon and AT&T — that were targeted. The advice includes one tip we can all put into practice with our phones: “Ensure that traffic is end-to-end encrypted to the maximum extent possible.”
End-to-end encryption, also known as E2EE, means that messages are scrambled so that only the sender and recipient can see them. If anyone else intercepts the message, all they will see is a garble that can't be unscrambled without the key.
Law enforcement officials had until now resisted this type of encryption because it means the technology companies themselves won't be able to look at the messages, nor respond to law enforcement requests to turn the data over.
Here's a look at various ways ordinary consumers can use end-to-end encryption:
Texting
Officials said the hackers targeted the metadata of a large number of customers, including information on the dates, times and recipients of calls and texts. They also managed to see the content from texts from a much smaller number of victims.
If you're an iPhone user, information in text messages that you send to someone else who also has an iPhone will be encrypted end-to-end. Just look for the blue text bubbles, which indicate that they are encrypted iMessages.
The same goes for Android users sending texts through Google Messages. There will be a lock next to the timestamp on each message to indicate the encryption is on.
But there's a weakness. When iPhone and Android users text each other, the messages are encrypted only using Rich Communication Services, an industry standard for instant messaging that replaces the older SMS and MMS standards.
Apple has noted that RCS messages “aren’t end-to-end encrypted, which means they’re not protected from a third party reading them while they’re sent between devices.”
Samsung, which sells Android smartphones, has also hinted at the issue in a footnote at the bottom of a press release last month on RCS, saying, “Encryption only available for Android to Android communication.”
Chat apps
To avoid getting caught out when trading texts, experts recommend using encrypted messaging apps.
Privacy advocates are big fans of Signal, which applies end-to-end encryption on all messages and voice calls. The independent nonprofit group behind the app promises never to sell, rent, or lease customer data and has made its source code publicly available so that it can be audited by anyone to examine it “for security and correctness.”
Signal's encryption protocol is so reputable that it has been integrated into rival WhatsApp, so users will enjoy the same level of security protection as Signal, which has a much smaller user base. End-to-end encryption is also the default mode for Facebook Messenger, which like WhatsApp is owned by Meta Platforms.
What about Telegram?
Telegram is an app that can be used for one-on-one conversations, group chats and broadcast “channels" but contrary to popular perception, it doesn't turn on end-to-end encryption by default. Users have to switch on the option. And it doesn’t work with group chats.
Cybersecurity experts have warned people against using Telegram for private communications and pointed out that only its opt-in ‘secret chat’ feature is encrypted from end-to-end. The app also has a reputation for being a haven for scammers and criminal activity, highlighted by founder and CEO Pavel Durov's arrest in France.
Making calls
Instead of using your phone to make calls through a wireless cellular network, you can make voice calls with Signal and WhatsApp. Both apps encrypt calls with the same technology that they use to encrypt messages.
There are other options. If you have an iPhone you can use Facetime for calls, while Android owners can use the Google Fi service, which are both end-to-end encrypted.
The only catch with all these options is that, as with using the chat services to send messages, the person on the other end will also have to have the app installed.
WhatsApp and Signal users can customize their privacy preferences in the settings, including hiding IP address during calls to prevent your general location from being guessed.
___
Is there a tech topic that you think needs explaining? Write to us at [email protected] with your suggestions for future editions of One Tech Tip.
Kelvin Chan, The Associated Press