Your End-to-End Encrypted Messages Aren't As Secure As You Think

Earlier in May, the Texas Attorney General’s office sued Meta for deceiving users on the level of security offered by end-to-end encryption on WhatsApp. Meanwhile, Apple and Google just announced that rich text messaging between Android and iOS users will now support end-to-end encryption. But that only works if you have RCS enabled on your smartphone, it does not apply to traditional SMS or MMS texting. With apps like Telegram, too, E2EE is not enabled by default on all messages and you need to start a “Secret Chat” each time you want true end-to-end encryption in a text chain. My point: E2EE is used as a catch-all term to describe secure messaging features across a lot of different apps, but these apps each apply different implementation standards and the level of security is never the same. You should not assume that all your communications are safe from interception just because your messaging app supports E2EE.

In fact, there are other opt-in security features that you should enable when you want true peace of mind while exchanging sensitive information in texts. It’s a lot to unpack, so here’s my simplified explanation for how this encryption works across devices and apps, what it protects, and what it doesn’t. How end-to-end encryption (E2EE) worksEnd-to-end encryption (or E2EE) works by scrambling your messages and data as they leave your device, so that only the recipient who holds the right security key on their device can unscramble it. By design, E2EE prevents anyone who might be trying to intercept your communications, including people who work at the company that owns your messaging app, from accessing its contents. While the people who own the messaging app can see that a message was sent, they can’t actually read it since they don’t have the decryption key needed to unscramble it. It’s a good security measure for exchanging sensitive information, like financial or medical data that shouldn’t be public knowledge. That said, it’s not foolproof. End-to-end encryption only works on the contents of your message itself. It doesn’t do anything to encrypt the associated metadata, like the identity of the sender and receiver, their geolocation, or the timestamp on the various messages. Moreover, there are other points of exposure in a messaging app that end-to-end encryption doesn’t cover, like your backups—when you back up your messages on to third-party cloud storage, they are no longer encrypted end-to-end. So when you’re uploading your WhatsApp message history to Google Drive or iCloud, there’s a brief window during transit when your messages can be easily intercepted by WhatsApp, Apple, or Google. E2EE implementation also varies from messaging app to messaging app. Apps like Telegram and Signal offer higher levels of security than WhatsApp or Messenger. At the same time, WhatsApp enables basic E2EE on all your messages by default, whereas Telegram requires you to opt in for the encryption every time you want to use it. E2EE doesn’t always work the same way“Encrypted” can mean many things. Depending on the architecture of your messaging app, its associated security features, and the quality of encryption it uses, your security level can fluctuate wildly. WhatsApp encrypts messages, but not backupsI already mentioned that WhatsApp does not extend end-to-end encryption to your cloud backups—there’s a brief window as you’re uploading your messages to your cloud drive when they can be freely intercepted without a decryption key. However, there’s no direct evidence that Meta secretly reads your messages during WhatsApp backups, so that part is pure conjecture. Telegram’s encryption is opt-in onlyWhen the Texas government sued Meta over WhatsApp encryption claims, Telegram made a big show of promoting itself as the safer alternative that offers stronger encryption. But that’s only part of the truth. In reality, Telegram encrypts all your messages in transit and at rest, but the same company also holds the keys to decrypt your communications. Unless, that is, you opt for “Secret Chats,” which lets you create a more secure communication chain where your messages are truly end-to-end encrypted and cannot be decrypted by Telegram. Meanwhile, group chats and channels on Telegram don’t have an end-to-end encryption feature at all.