“Give me six lines written by the most honest man in the world, and I will find enough in them to hang him.” Cardinal Richelieu.
Yikes! Now that I’m retired, I try to avoid even wearing a necktie. And I text more than six lines a day.
Text messaging services provided by your phone company are neither private nor secure. Message content is visible to the phone company and to the account owner. Messaging services provided by the phone company implement the Short Message Service (SMS) protocol. SMS was not designed for privacy, so you should assume that your messages might be viewed by third parties.
The iMessage service provided on iPhones is much more secure. Message content is protected by an encryption key held only on the sending and receiving devices. However, iMessage only works between two iPhones, not between an iPhone and an Android device. And if you back up your messages to iCloud and fail to enable Advanced Data Protection, Apple may disclose your messages under subpoena (see the post on Backup and Recovery).
Further, while the content of iMessages is encrypted, metadata such as the contact with whom you’re chatting can still be accessed and disclosed under a subpoena. This includes information like the sender, recipient, and timestamps of messages.
Private and secure messaging services protect your messages in transit and at rest. They retain very little metadata associated with your messages, and therefore cannot disclose much data under subpoena, or for any other purpose.
Private messaging features to consider include:
- Service provider and servers are located in a good privacy jurisdiction
- Service has been reviewed by third-party auditors
- Service provider has no access to messages and has little or no logging
- Product is open source and has had extensive expert community review
- Strong end-to-end encryption is employed
- User-friendly apps are available for major devices and operating systems
- Service supports text, voice, video, document, and picture messages
- Service provides for group messaging
- Messages can be time limited and can self-destruct at all end points
The only private messaging service I recommend for most users is Signal. While Signal is owned by a U.S.-based non-profit, it’s open source and has been extensively reviewed by security professionals. It otherwise meets the criteria above and has a broad user base. A broad user base is important. You can’t message family and friends if none of them are using the same messaging service. It’s free for all users and supported by donations.
Signal may be found at: https://signal.org/
A phone number is required to register. This is a concern for some. It’s possible to register with a second phone number, a process I will not further discuss here. It is now also possible to identify yourself to the people you message with a username instead of your phone number, if you would prefer not to share your number with others.
If you choose Signal, I recommend you become familiar with its features, in particular, how you verify the identity of people you are messaging. If you use it, please make a donation. Fair is fair.
If you wish to explore further, Wire and Threema are reasonable alternatives.
And if you are messaging over an Internet connection, remember to enable your VPN.
Now what did our friends Alice and Bob do?
Alice carries an iPhone for both personal and business calls. She installed Signal on her phone and required her business associates and customers to use Signal for all business-related messaging. She was, after all, an IT professional. She cajoled and wheedled family and friends to join her on Signal with some success. For those friends who chose not to do so, she is perfectly comfortable using iMessage to communicate with them if they have an iPhone. For her Android friends, she suffers SMS messaging for inconsequential communications. For things she cares about, she calls them. And she still receives SMS two-factor authentication (2FA) codes from services that provide no other option. This is not a great option in her view, but it’s better than nothing (see the post on Password Management).
Bob only uses his Android phone for phone calls. The one exception he grudgingly makes is text messaging with Alice and his older sister. They refuse to message him unless he uses Signal. And they bake him cookies. He has no choice. He also accepts SMS 2FA codes, cursing and wailing, when there is no other option.
Now it’s time for you to take action. Keep your private messages private. It’s up to you.
Next we’ll discuss virtual credit cards.
Information provided in this post is subject to the disclaimer in the first post of this series.