Have you ever needed to send someone a confidential message? Financial files to a tax pro? Your garage door code to a friend? A draft of your estate plan to your lawyer? An embarrassing question to your counselor or therapist? A photo that’s only for your significant other? Do you use text messages or email for messages like this?
There are a few facts that surprise people when I share them. One of the biggest I see is when I tell people that their email is insecure, and their text messaging is insecure. People tend to believe these messages are private and can only be viewed by the person they’re communicating with. I’ll tell you why email and text messages aren’t secure, and why you should use secure messaging instead for confidential messages.
Email and SMS/text messaging are extremely popular because they’re so easy to use. To email, just send a message to someone’s email address, regardless of the email service they use. To text someone, just send to their phone number, regardless of the phone service they use. Unfortunately, the strengths of interoperability and ease of use bring the weakness of insecurity.
When you send an email, it goes from your device to your email service provider’s servers. Your service provider stores the email for some time (after it’s sent), and sends a copy through multiple servers owned by different organizations in different locations around the country or world. Eventually, it arrives at the email service provider of the person you emailed. That provider keeps a copy of the email in that person’s mailbox until they check their email. Then it travels to their device. Their provider may also keep a copy of the email for some time. Note: I’ve simplified this for illustration purposes.
Any server along the way could make a copy of the email, which they may keep even after both sender and recipient have deleted the email.
Some email service providers will encrypt some portion of the path your email takes, using encryption in transit. But in many cases an email travels through multiple email service providers, and they may not all cooperate in encrypting email. So your email may be unencrypted during a portion of its path.
Think back to your school days. Imagine you want to send a note to a friend across the classroom. You write the note on a piece of paper, then fold it in half. You hand it to the girl next to you. She looks at the note and copies it, then passes it to the boy next to her. He looks at the note but doesn’t copy it, then passes it on. The next kid passes it on without looking. It passes through 3 more kids, some looking at it, some copying it, until it reaches your friend. This process is similar to what happens with unencrypted email.
Some email service providers will encrypt your email when it’s on their servers, using encryption at rest. But, again, in many cases an email travels through multiple email service providers, and they may not all encrypt email at rest. Even those that do encrypt email at rest can often still read the email themselves. This allows them to provide services such as spam filtering, malware scanning, and indexing (so you can search your email). But it also means they can collect data which can be used for targeted advertising, or which could be accessed by a rogue employee or a hacker who breaks in.
During the times that an email is unencrypted, whether while traveling (in transit) or in storage (at rest), it can be read and potentially changed by the companies that run the email infrastructure, hackers, or governments.
Years ago, one of my relatives was shopping for camping gear. A co-worker recommended a website that sold the product he was looking for. I don’t know if the site didn’t accept payments online, or if they claimed there was a problem with their system, but the site asked my relative to email his credit card details. My relative felt uneasy about it, but because the site was recommended by a co-worker who had received his order, he sent the email. Can you guess what happened next? A few days later, there were fraudulent charges on my relative’s credit card. The credit card info may have been stolen by an employee of the site, but it’s also possible that it was stolen by someone who had access to the email as it traversed the Internet. Either way, email is not the way to share credit card details.
SMS/Text Message Threats
First, some quick definitions. Most people talk about text messages. Technically, when you send only text, you’re using SMS (Short Message Service). When you send pictures, audio, video, or other media, you’re using MMS (Multimedia Messaging Service). In this post I’ll use “text message” to refer to SMS and MMS.
When you send a text message, it goes from your phone to a nearby cellular tower. It’s then relayed to your mobile service provider. The provider processes and stores the message. It then sends it to the mobile service provider used by the person you texted, and that provider process and stores the message. From there it’s sent to a cellular tower near the person you texted. That tower sends the message to the recipient’s phone. Note: I’ve simplified this for illustration purposes.
The mobile service providers may keep the message even after both sender and recipient have deleted it.
Some mobile service providers will encrypt the connection between your phone and the cellular tower, but not all do. And the rest of the message’s path is usually unencrypted. Recall the example of passing a note in a classroom I gave earlier. That process is similar to what happens with unencrypted text messages.
During the times that a text message is unencrypted, whether while traveling or in storage, it can be read and potentially changed by the companies that run the mobile service infrastructure, hackers, or governments.
By the way, it’s because of these and other security shortcomings that I don’t recommend using text messages for two-factor authentication. Use a hardware token or authentication app instead.
How to Increase Your Security & Privacy
There are steps you can take to increase the security of your email. But, because of how email works, the more you secure it, the more of a pain it is to use. You need to jump through a lot of hoops. There’s not much you can do to increase the security of texting, also because of how the technology works.
So, instead of trying to secure your email and texting, I recommend using secure messaging whenever you need to send confidential messages. Of course, you can use secure messaging all the time, but using secure messaging properly takes more effort than email and texting, so you may decide to use secure messaging only when necessary.
The main thing that makes secure messaging secure is end-to-end encryption. This keeps data secret along the entire path from sender to intended recipient, so that only the intended recipient can see/hear it. It keeps data encrypted while in transit (traveling) and at rest (in storage). This prevents not only hackers, but also governments and even the companies transmitting the data from seeing it.
Recall the example of passing a note in a classroom I gave earlier. Now imagine that after you write your note, you lock it in a box using a key that only you and your friend have. Your classmates pass the box along, but are unable to open it to see what’s inside. Your friend receives the box and uses their key to open it and read your note. This process is similar to what happens with end-to-end encrypted messages.
You may see messengers advertise that they use Transport Layer Security (TLS), and that’s great in that it encrypts data while in transit (traveling), but it doesn’t encrypt data at rest (in storage). The messages are still vulnerable when in storage. Don’t settle for anything less than end-to-end encryption.
To be end-to-end encrypted, generally you and the person you’re communicating with need to use the same communication system. For example, you must both use the Signal app, or Apple’s iMessages. That’s one of the hurdles to secure messaging, and a major reason that secure messaging isn’t as commonly used as insecure email and text messaging.
Secure Messaging Systems
There are many secure messaging options, so I’ll share a few with you. The one that’s right for you will depend on how you message; whether you need to communicate by text, audio, or video, and whether you need to send files.
If you use an Apple device (Mac, iPhone, iPad, Apple Watch), you can use Apple’s iMessages system, which powers its Messages app. Messages sent to other Apple devices are end-to-end encrypted. However, if you send a message to someone who’s not using an Apple device (if the message is green rather than blue), that message is outside the iMessages system, using the standard, unencrypted text message infrastructure.
Also, be aware that iMessages are stored in your iCloud backup, giving Apple the ability to access them. You can disable iCloud backup to prevent this (see the Apple iOS Security & Privacy Guide), but keep in mind that your messages sent to others could still be backed up into their iCloud accounts. That’s a concern for other secure messengers that back up to the cloud, too. If you’re concerned about the privacy of your messages, consider a different secure messenger.
Apple’s FaceTime is end-to-end encrypted as well, and can be used for audio or video calls between Apple devices.
WhatsApp offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s extremely popular, especially outside the US, which helps with the challenge of communicating with people who use the same system you do. It’s available for iOS, Android, Windows phone, Mac, and Windows.
Signal is the secure messenger I see most frequently recommended by cybersecurity and digital privacy experts. It offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s available for iOS, Android, Mac, and Windows.
Wire is another frequently recommended option. It too offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s available for iOS, Android, Windows, and Linux, and can also be accessed through the major web browsers regardless of operating system.
I’ve also seen Wickr recommended by cybersecurity and digital privacy experts, and Facebook Messenger is also end-to-end encrypted (using the Signal protocol) if you opt in to Secret Conversations (see the Facebook Security & Privacy Guide). Facebook Messenger is extremely popular in the US, which helps with the challenge of communicating with people who use the same system you do.
I’ve read that Whisper, Secret, and Telegram are not secure and private enough to use.
As you think about which secure messenger is right for you, consider features beyond security and privacy. The EFF (Electronic Frontier Foundation) says,
… security features are not the only variables that matter in choosing a secure messenger. An app with great security features is worthless if none of your friends and contacts use it, and the most popular and widely used apps can vary significantly by country and community. Poor quality of service or having to pay for an app can also make a messenger unsuitable for some people. And device selection also plays a role …
The EFF has an excellent article that helps you think through what you need in a secure messenger.
You can find lists of secure messaging apps in the Further Reading section below.
Sending Text Securely
If you don’t regularly use secure messaging, but you need a way to securely send some text, consider PrivateBin. It’s a web-based tool that allows you to send text with end-to-end encryption. It generates a link for you to share, and you choose when that link expires. You can also enable the Burn after reading option, which causes the text to self-destruct after it’s read. I recommend setting a password. You should send the password through a different channel than you use to send the link.
Sending Files Securely
If you don’t regularly use secure messaging, but you need a way to securely send files once in a while, consider Firefox Send. It’s a web-based tool that allows you to send files with end-to-end encryption. It generates a link for you to share, and you choose when that link expires. I recommend using the Protect with password option. You should send the password through a different channel than you use to send the link. You can send files (including .zip files) up to 1 GB.
A similar tool is Tresorit Send. It too lets you set a password, though you can’t set an expiration. It supports files up to 5 GB.
Both of these tools (and the companies that created them) have good reputations for security and privacy.
If you want to stick with email but use it more securely, you need to find a way to end-to-end encrypt your email. There are a few ways to do this.
Mailvelope is frequently recommended by cybersecurity and privacy experts. It uses a browser extension to add OpenPGP encryption to webmail services including Gmail, Yahoo! Mail, and Outlook.com.
There are also secure email providers:
- ProtonMail (the one I see most frequently recommended by cybersecurity and privacy experts)
With secure email providers, you usually have a couple choices for dealing with email sent to someone who isn’t using the same secure email provider. You can create a password that the recipient will need to enter to read your message, or you can send the email unencrypted. I highly recommend using the password option unless you’re certain you don’t need the privacy.
You can also add PGP, OpenPGP, or GPG to your email client (the software you use for sending and receiving email). The instructions vary based on the email software you use and the security software you select, so you’ll need to look for instructions.
What about Gmail’s Confidential Mode? It has some nice features, but it’s no substitute for secure messaging. It isn’t end-to-end encrypted. Google can still read the emails (and presumably, so can anyone Google grants access to). And Google stores the emails even after their expiration. Learn more in this EFF article.
- What Do You Mean My Email Isn’t ENCRYPTED? (rokacom.com)
- Why Email is “Not Secure” (goironbox.com)
- Gmail encryption: Everything you need to know (computerworld.com)
- Email Encryption FAQs (google.com)
- Is universal end-to-end encrypted email possible (or even desirable)? (csoonline.com)
- Email is completely insecure by default. (viget.com)
- Are Text Messages Encrypted? (rokacom.com)
- Your texts are not as secure as you think (usatoday.com)
- Thinking About What You Need In A Secure Messenger (eff.org)
- “The Art of Invisibility” by Kevin D. Mitnick (Book Summary) (defendingdigital.com)
- privacytools.io: see sections on Instant Messaging, VoIP, Pastebin, File Sharing, Email
- Cybersecurity 101: How to choose and use an encrypted messaging app (techcrunch.com)
- The apps to use if you want to keep your messages private (recode.net)
- Practical Application of EFF’s Guide to Choosing a Messenger (securechatguide.org)
- Secure Messaging Apps Comparison (securemessagingapps.com)
What You Should Do
- Think about how you exchange confidential information. Text? Files? Audio conversations? Video conversations?
- Think about who you exchange confidential information with. What software can you reasonably expect them to use?
- Research the secure messaging options that fit the use cases you’ve identified. Use the resources in the Further Reading section above. Signal is a good option.
- Whenever you need to exchange confidential information, use the tool(s) you selected. You may need to help the person you’re communicating with use the same tool.
- When others send you confidential information via unencrypted email or text messages, talk to them about the dangers and how to use more secure options.