Sometimes the small print really does matter
Stop sending texts—the FBI warned iPhone and Android users last month, turning the messaging world upside down. Coming just weeks after the long-awaited launch of RCS messaging on iPhones, the advice issued by the bureau and the U.S. cyber defense agency was to use end-to-end encrypted messaging and calls whenever possible. But now a surprising new data harvesting admission should come as a warning to all messaging users that all is not as it seems.
There’s a wry irony behind the “massive spike” in Telegram’s data sharing with law enforcement. The self-styled secure app built its brand on privacy and not sharing user data with anyone, especially not with the authorities. But then Mr. Telegram himself — Pavel Durov — was arrested in Paris and suddenly everything changed.
As 404Media explains, “a month after Durov’s arrest in August, Telegram updated its privacy policy to say that the company will provide user data, including IP addresses and phone numbers, to law enforcement agencies in response to valid legal orders. Up until then, the privacy policy only mentioned it would do so when concerning terror cases, and said that such a disclosure had never happened anyway.” All change now.
The second irony is that while Telegram has built a brand as the bête noire of the messaging world, disclosing user data is exactly the kind of “responsible encryption” the FBI emphasized last month, prompting calls for other platforms to adjust the way they operate and the data they collect. The FBI would like warranted access to content as well, of course. Which brings us to the third irony: Telegram isn’t actually an end-to-end encrypted platform, and while the only data it disclosed was metadata, almost all its content could have been shared as well.
As many more users now understand — thanks to China’s Salt Typhoon, the FBI and the U.S. cyber defense agency — messages are either end-to-end encrypted or they’re not. WhatsApp and Signal pass the test; Telegram, RCS messages between Android and iPhone, and all SMS messages do not.
But behind the scenes, while your content if properly end-to-end encrypted cannot be accessed without compromising one of those endpoints, the tracking data can be collected centrally and shared. This is metadata: who you know, who you message, how often and when, where from and where to. This data can be visualized and analyzed as a network of interrelated contacts that expands like a spider’s web. Sometimes metadata is as valuable as the content itself.
That’s why CISA — the U.S. cyber defense agency — warned users that “when selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata.” And that I guess is the final irony, because that warning came from U.S. law enforcement which has pushed so hard for access to encrypted content between criminals and for whom metadata is the only data they can currently collect.
CISA highlighted Signal as a suitable messenger to choose. Signal famously collects very little metadata, whereas other leading platforms operated by big tech collect much more. Meta has been criticized for this in the past, and it was central to its spat with Elon Musk over alleged data harvesting last year. Putting that aside, for everyday use WhatsApp remains my recommendation for almost all users. For those more concerned about privacy, Signal should be your pick.
Every so often metadata makes headlines, as it has done this week. There’s little real information on what is captured and how it’s used. It comes across as part of the secretive data machines underpinning the platforms we use every day. But you should be aware of what’s going on behind the scenes and how much information is being collected. Apple’s App Store and Google’s Play Store provide details for each app on the types of data collected and shared, albeit not how it’s used. The likes of Apple, Google and Meta set out some of this in their privacy policies, but it’s all very generically phrased.
Put very simply, only use a fully encrypted platform. That means Signal or WhatsApp or iMessage (if strictly between Apple users) or Google Messages (if strictly between Android users). Don’t message between the two, at least until encryption is extended cross-platform, which is under development and not due anytime soon.
And when using these platforms remember two things. First, that their encryption is only as secure as every one of the ends to a discussion or call. If it’s a group, that means many different ends. If any one of the devices is taken or compromised, you can assume the content is as well. Second, that a spider’s web of your metadata is likely being harvested in the background unless you have chosen a platform that specifically does not do that. That probably doesn’t matter to you — but if it does, you should go check those data labels and policies for yourself.