Have you ever needed to send someone a confidential message?
Financial files to a tax pro?
Your garage door code to a friend?
A draft of your estate plan to your lawyer?
An embarrassing question to your counselor or therapist?
A photo that’s only for your significant other?
Do you use text messages or emails for messages like this?
Let me ask you a couple of questions:
- Is email secure and private?
- Are text messages secure and private?
There are a few facts that surprise people when I share them. One of the biggest I see is when I tell people that their email is insecure, and their text messaging is insecure.
People tend to believe these messages are private and can only be viewed by the person they’re communicating with. I’ll tell you why email and text messages aren’t secure, and why you should use secure messaging instead of confidential messages.
- The Threats
- Using Secure Messaging To Increase Your Security And Privacy
- Further Reading
- What You Should Do
Email and SMS/text messaging are extremely popular because they’re so easy to use. To email, just send a message to someone’s email address, regardless of the email service they use. To text someone, just send it to their phone number, regardless of the phone service they use. Unfortunately, the strengths of interoperability and ease of use bring the weakness of insecurity.
Email Threats: Why Are Emails Not Secure Or Private?
When you send an email, it goes from your device to your email service provider’s servers. Your service provider stores the email for some time (after it’s sent), and sends a copy through multiple servers owned by different organizations in different locations around the country or world. Eventually, it arrives at the email service provider of the person you emailed. That provider keeps a copy of the email in that person’s mailbox until they check their email. Then it travels to their device. Their provider may also keep a copy of the email for some time. Note: I’ve simplified this for illustration purposes.
Any server along the way could make a copy of the email, which they may keep even after both sender and recipient have deleted the email.
Some email service providers will encrypt some portion of the path your email takes, using encryption in transit. But in many cases, an email travels through multiple email service providers, and they may not all cooperate in encrypting email. So your email may be unencrypted during a portion of its path.
Think back to your school days. Imagine you want to send a note to a friend across the classroom. You write the note on a piece of paper, then fold it in half. You hand it to the girl next to you. She looks at the note and copies it, then passes it to the boy next to her. He looks at the note but doesn’t copy it, then passes it on. The next kid passes it on without looking. It passes through 3 more kids, some looking at it, some copying it, until it reaches your friend. This process is similar to what happens with an unencrypted email.
Some email service providers will encrypt your email when it’s on their servers, using encryption at rest. But, again, in many cases, an email travels through multiple email service providers, and they may not all encrypt email at rest. Even those that do encrypt email at rest can often still read the email themselves. This allows them to provide services such as spam filtering, malware scanning, and indexing (so you can search your email). But it also means they can collect data which can be used for targeted advertising, or which could be accessed by a rogue employee or a hacker who breaks in.
During the times that an email is unencrypted, whether while traveling (in transit) or in storage (at rest), it can be read and potentially changed by the companies that run the email infrastructure, hackers, or governments.
Years ago, one of my relatives was shopping for camping gear. A co-worker recommended a website that sold the product he was looking for. I don’t know if the site didn’t accept payments online, or if they claimed there was a problem with their system, but the site asked my relative to email his credit card details. My relative felt uneasy about it, but because the site was recommended by a co-worker who had received his order, he sent the email.
Can you guess what happened next?
A few days later, there were fraudulent charges on my relative’s credit card. The credit card info may have been stolen by an employee of the site, but it’s also possible that it was stolen by someone who had access to the email as it traversed the Internet. Either way, email is not the way to share credit card details.
SMS/Text Message Threats: Why Are Text Messages Not Secure Or Private?
First, some quick definitions. Most people talk about text messages. Technically, when you send only text, you’re using SMS (Short Message Service). When you send pictures, audio, video, or other media, you’re using MMS (Multimedia Messaging Service). In this post, I’ll use “text message” to refer to SMS and MMS.
When you send a text message, it goes from your phone to a nearby cellular tower. It’s then relayed to your mobile service provider. The provider processes and stores the message. It then sends it to the mobile service provider used by the person you texted, and that provider processes and stores the message. From there it’s sent to a cellular tower near the person you texted. That tower sends the message to the recipient’s phone. Note: I’ve simplified this for illustration purposes.
The mobile service providers may keep the message even after both sender and recipient have deleted it.
Some mobile service providers will encrypt the connection between your phone and the cellular tower, but not all do. And the rest of the message’s path is usually unencrypted. Recall the example of passing a note in a classroom I gave earlier. That process is similar to what happens with unencrypted text messages.
During the times that a text message is unencrypted, whether while traveling or in storage, it can be read and potentially changed by the companies that run the mobile service infrastructure, hackers, or governments.
By the way, it’s because of these and other security shortcomings that I don’t recommend using text messages for two-factor authentication. Use a hardware token or authentication app instead.
Using Secure Messaging To Increase Your Security And Privacy
There are steps you can take to increase the security of your email. But, because of how email works, the more you secure it, the more of a pain it is to use. You need to jump through a lot of hoops. There’s not much you can do to increase the security of texting, also because of how the technology works.
So, instead of trying to secure your email and texting, I recommend using a secure messaging service whenever you need to send confidential messages. Of course, you can use secure messaging all the time, but using secure messaging properly takes more effort than email and texting, so you may decide to use secure messaging only when necessary.
The main thing that makes secure messaging secure is end-to-end encryption. This keeps data secret along the entire path from the sender to the intended recipient so that only the intended recipient can see/hear it. It keeps data encrypted while in transit (traveling) and at rest (in storage). This prevents not only hackers, but also governments and even the companies transmitting the data from seeing it.
Recall the example of passing a note in a classroom I gave earlier. Now imagine that after you write your note, you lock it in a box using a key that only you and your friend have. Your classmates pass the box along, but are unable to open it to see what’s inside. Your friend receives the box and uses their key to open it and read your note. This process is similar to what happens with end-to-end encrypted messages.
You may see messengers advertise that they use Transport Layer Security (TLS), and that’s great in that it encrypts data while in transit (traveling), but it doesn’t encrypt data at rest (in storage). The messages are still vulnerable when in storage. Don’t settle for anything less than end-to-end encryption.
To be end-to-end encrypted, generally you and the person you’re communicating with the need to use the same communication system. For example, you must both use the Signal app or Apple’s iMessage. That’s one of the hurdles to secure messaging, and a major reason that secure messaging isn’t as commonly used as insecure email and text messaging.
Secure Messaging Systems
There are many secure messaging options, so I’ll share a few with you. The one that’s right for you will depend on how you relay your message; whether you need to communicate by text, audio, or video, and whether you need to send files.
If you use an Apple device (Mac, iPhone, iPad, Apple Watch), you can use Apple’s iMessage system, which powers its Messages app. Messages sent to other Apple devices are end-to-end encrypted. However, if you send a message to someone who’s not using an Apple device (if the message is green rather than blue), that message is outside the iMessage system, using the standard, unencrypted text message infrastructure.
Also, be aware that if you have an iPhone and have iCloud Backup enabled (and don’t have Messages in iCloud enabled), then Apple can read your messages. Learn how to prevent this in the Apple iOS Security & Privacy Guide. Keep in mind that your messages sent to others could still be backed up into their iCloud accounts. That’s a concern for other secure messengers that back up to the cloud, too. If you’re concerned about the privacy of your messages, consider a different secure messenger.
Apple’s FaceTime is end-to-end encrypted as well, and can be used for audio or video calls between Apple devices.
WhatsApp offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s extremely popular, especially outside the US, which helps with the challenge of communicating with people who use the same system you do. It’s available for iOS, Android, Windows phone, Mac, and Windows.
Signal is the secure messenger I see most frequently recommended by cybersecurity and digital privacy experts. It offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s available for iOS, Android, Mac, and Windows.
Wire is another frequently recommended option. It too offers end-to-end encrypted messaging, audio calls, video calls, and file-sending. It’s available for iOS, Android, Windows, and Linux, and can also be accessed through the major web browsers regardless of operating system.
I’ve also seen Wickr recommended by cybersecurity and digital privacy experts, and Facebook Messenger is also end-to-end encrypted (using the Signal protocol) if you opt into Secret Conversations (see the Facebook Security & Privacy Guide). Facebook Messenger is extremely popular in the US, which helps with the challenge of communicating with people who use the same system you do.
I’ve read that Whisper, Secret, and Telegram are not secure and private enough to use.
As you think about which secure messenger is right for you, consider features beyond security and privacy. The EFF (Electronic Frontier Foundation) says,
… security features are not the only variables that matter in choosing a secure messenger. An app with great security features is worthless if none of your friends and contacts use it, and the most popular and widely used apps can vary significantly by country and community. Poor quality of service or having to pay for an app can also make a messenger unsuitable for some people. And device selection also plays a role …
The EFF has an excellent article that helps you think through what you need in a secure messenger.
You can find lists of secure messaging apps in the Further Reading section below.
Sending Text Messages Securely
If you don’t regularly use secure messaging, but you need a way to securely send some text, consider PrivateBin. It’s a web-based tool that allows you to send text with end-to-end encryption. It generates a link for you to share, and you choose when that link expires. You can also enable the Burn after reading option, which causes the text to self-destruct after it’s read. I recommend setting a password. You should send the password through a different channel than you use to send the link.
Sending Files Securely
If you don’t regularly use secure messaging, but you need a way to securely send files once in a while, consider Firefox Send. It’s a web-based tool that allows you to send files with end-to-end encryption. It generates a link for you to share, and you choose when that link expires. I recommend using the Protect with password option. You should send the password through a different channel than you use to send the link. You can send files (including .zip files) up to 1 GB.
A similar tool is Tresorit Send. It too lets you set a password, though you can’t set an expiration. It supports files up to 5 GB.
Both of these tools (and the companies that created them) have good reputations for security and privacy.
If you want to stick with email but use it more securely, you need to find a way to end-to-end encrypt your email. There are a few ways to do this.
Mailvelope is frequently recommended by cybersecurity and privacy experts. It uses a browser extension to add OpenPGP encryption to webmail services including Gmail, Yahoo! Mail, and Outlook.com.
There are also secure email providers:
- ProtonMail (the one I see most frequently recommended by cybersecurity and privacy experts)
ProtonMail allows you to get a secure email account for free. Get automatic email security, anonymous email, and secure your data and neutrality.
With secure email providers, you usually have a couple of choices for dealing with an email sent to someone who isn’t using the same secure email provider. You can create a password that the recipient will need to enter to read your message, or you can send the email unencrypted. I highly recommend using the password option unless you’re certain you don’t need the privacy.
You can also add PGP, OpenPGP, or GPG to your email client (the software you use for sending and receiving email). The instructions vary based on the email software you use and the security software you select, so you’ll need to look for instructions.
Is Gmail Confidential Mode Secure?
What about Gmail’s Confidential Mode? It has some nice features, but it’s no substitute for secure messaging. It isn’t end-to-end encrypted. Google can still read the emails (and presumably, so can anyone Google grants access to). And Google stores the emails even after their expiration. Learn more in this EFF article.
Are Text Messages More Secure Than Emails? Or Are Emails More Secure Than Text Messages?
After all this talk of the insecurity of email and SMS/text messages, you may wonder, which is more secure: emails or texts?
As I’ve explained throughout this post, neither email nor texting should be considered private or secure (unless you’re using end-to-end encrypted email).
But to get back to the question, the short answer is, it depends. That’s because many factors determine the security of a text message or an email.
- Security of the sender’s device
- Security of sender’s email or phone service
- Security of recipient’s email or phone service
- Security of recipient’s device
An email from one Google/Gmail user to another Google/Gmail user, if both users have strong passwords and two-factor authentication on their Google accounts, will be fairly secure. The email will remain encrypted because it’s traveling on Google’s servers.
An email from a Google/Gmail user to someone using a small email service provider with poor security, and both users having weak passwords and no two-factor authentication, will be quite insecure.
So, there isn’t a single level of email security.
The same is true of text messages. Different phone service providers have different levels of security that determines if the text messages you sent are secure. Text messages that travel between service providers will likely be less secure than those that travel within the same provider. Because texting can also be done with Internet-based phone numbers (such as Google Voice), which further complicates the question.
My advice, which I’ve explained above: use a secure messenger for any sensitive messages. Don’t trust email or SMS/text messages for anything confidential. By doing so, you don’t have to ask any of the following questions anymore.
- Are text messages secure?
- Are emails secure?
- Are text messages private?
- Are emails private?
With a trusted messaging app, you’ll have the confidence to relay information through email or SMS, just be sure you can trust the person or company you’re sending those information to.
- What Do You Mean My Email Isn’t ENCRYPTED? (rokacom.com)
- Why Email is “Not Secure” (goironbox.com)
- Gmail encryption: Everything you need to know (computerworld.com)
- Email Encryption FAQs (google.com)
- Is universal end-to-end encrypted email possible (or even desirable)? (csoonline.com)
- Email is completely insecure by default. (viget.com)
- The Best Encrypted Email Services You Need to Use in 2019 (heimdalsecurity.com)
- Are Text Messages Encrypted? (rokacom.com)
- Your texts are not as secure as you think (usatoday.com)
- Thinking About What You Need In A Secure Messenger (eff.org)
- “The Art of Invisibility” by Kevin D. Mitnick (Book Summary) (defendingdigital.com)
- privacytools.io: see sections on Instant Messaging, VoIP, Pastebin, File Sharing, Email
- Cybersecurity 101: How to choose and use an encrypted messaging app (techcrunch.com)
- The apps to use if you want to keep your messages private (recode.net)
- Practical Application of EFF’s Guide to Choosing a Messenger (securechatguide.org)
- Secure Messaging Apps Comparison (securemessagingapps.com)
- Choosing the Right Messenger (privacytools.io)
What You Should Do
- Think about how you exchange confidential information. Text? Files? Audio conversations? Video conversations?
- Think about who you exchange confidential information with. What software can you reasonably expect them to use?
- Research the secure messaging options that fit the use cases you’ve identified. Use the resources in the Further Reading section above. Signal is a good option.
- Whenever you need to exchange confidential information, use the tool(s) you selected. You may need to help the person you’re communicating with using the same tool.
- When others send you confidential information via unencrypted email or text messages, talk to them about the dangers and how to use more secure options.