There’s a relatively easy way to improve your digital privacy protections—use end-to-end encrypted messaging apps. And in light of recent, widespread cyberattacks, even the Department of Homeland Security has issued a public service announcement urging Americans to switch to E2E encrypted platforms for texting.
Hackers operating on behalf of the Chinese government have engaged since at least October in what one US senator has called the “worst telecom hack in our nation’s history.” The operation, known as Salt Typhoon, is reportedly so thoroughly embedded in US telecom infrastructure that it can grant bad actors access to targeted individuals’ unencrypted texts and phone calls. Many of the hackers are also still presumed active.
[Related: Why end-to-end encryption is so important now.]
The security issue’s severity prompted DHS’s Cybersecurity and Infrastructure Security Agency to publish a bulletin on December 18th with suggestions for “highly targeted” individuals—defined as senior government employees and politicians who are “likely to possess information of interest to these threat actors.”
“Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation,” CISA experts warn, adding that, “While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors.”
Although specifically directed at politicians and government personnel, the bulletin underscores digital privacy strategies that remain equally beneficial to average users. Specifically, CISA highlights the importance of using only end-to-end encryption communications on all devices and online accounts whenever possible.
A number of free messaging apps offer E2E encryption, either by default, or available in their settings. Signal is one of the most popular options, and many security experts believe it to be the best on the market. Alternatives include WhatsApp (despite its past privacy controversies and parent company) and Dust. Beyond text messaging, E2E is also available on Zoom for video chat. Despite the heightened privacy, however, it’s important to use each service with the mindset that no app is necessarily impervious to hacking.
Digital security also goes beyond just E2E encryption. CISA’s bulletin lists a number of additional steps for protection, including enabling Fast Identity Online (FIDO) where possible, and using a password manager. There are also strategies to avoid—most notably, moving away from SMS-based multifactor authentication (MFA) methods. These are the text messages sent to account holders that usually include a numerical code or passkey to verify their identity. Instead, CISA recommends alternatives like standalone authenticator apps offered by companies like Google, Microsoft, and Authy.
“SMS messages are not encrypted—a threat actor with access to a telecommunication
provider’s network who intercepts these messages can read them,” CISA explains. “SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.”
There is a bit of irony to leading law enforcement agencies suddenly promoting the switch to encrypted communications. Agencies like the FBI, for example, have long criticized civilian use of E2E encryption, arguing that it poses a major and often insurmountable block during investigations. Regardless, be sure to check out the PSA for a more extensive list of digital privacy tips, even if you don’t meet the qualifications for a a “highly targeted” individual
Win the Holidays with PopSci’s Gift Guides
