Skip Navigation

Encrypted Communications

End-to-end encryption of personal communications is essential for maintaining digital privacy. Common communication methods used by most Americans are either not end-to-end encrypted or are controlled by a single company, raising the potential of hidden key escrow vulnerabilities.

Page Contents

Salt Typhoon

In November 2024, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) jointly announced that the People’s Republic of China (PRC) had compromised the infrastructure of multiple telecommunications companies.1 Both Microsoft Corporation and the United States Government use names ending in Typhoon to refer to attacks carried out with PRC state sponsorship. The particular group of hackers in this case, whose exact identities are not necessarily known to the intelligence community, has been labeled Salt Typhoon using this nomenclature.2 As of early 2025, Salt Typhoon was found to have infiltrated networks operated by Verizon, AT&T, Lumen Technologies, Charter, Consolidated, and Windstream, plus at least 3 additional network providers that had not been named.3

Salt Typhoon attackers evidently compromised networking hardware at these communications companies and were thereby able to access geolocation data, communications metadata, and even the contents of some phone calls and text messages.4 CISA responded by recommending that “‘highly targeted’ individuals who are in senior government or senior political positions” immediately move to using communications systems with end-to-end encryption.5 As of early 2025, the breadth and depth of the entire attack is not completely known, and the investigation is likely to remain incomplete since since Donald Trump fired the expert review board that was investigating the attack.6

From a security and privacy perspective, this successful attack by a foreign adversary was a completely foreseeable and predictable consequence of the policy that law enforcement agencies should always have access to Americans’ communications for the purposes of criminal investigations.7 The Federal Bureau of Investigation (FBI) has spent years campaigning for a system of “lawful access” to encrypted communications for investigative purposes.8 Mathematically, this “lawful access” is a pipe dream from policy makers who either possess no understanding about the confidentiality properties of encryption or who choose to ignore them for their own self-serving interest in making investigations easier. An end-to-end communications channel exists in one of two states: it is either securely encrypted and can provide confidentiality, or it can’t. There is no way to provide an access mechanism only for the “good guys,” since this access mechanism itself becomes an attack vector for outside threat actors – a fact that the FBI has even admitted in an industry notification.9 Years of sensationalistic lobbying against “warrant-proof encryption,” justified by the usual politically popular categories of crime (terrorism and child exploitation),8 has now led to the expected outcome. We as a nation now have the Chinese Communist Party monitoring our day-to-day communications.

Insecure Messaging

Most Americans communicate via messaging systems that are not encrypted or not meaningfully encrypted. For example, text messages sent over wireless carriers cannot be considered secure in any way. Mobile phone carriers are generally required by law to provide some kind of backdoor access in their systems for so-called “lawful interception” as a condition of using the wireless radio spectrum.10 Another system that people often use for communications without realizing the insecurity is electronic mail (email), which was never designed for confidentiality. It is the digital equivalent to sending a postcard: anyone can read it between sender and destination. However, it is so convenient to send an email that people often don’t consider the security and privacy implications and will put sensitive information into the message.11

Popular Internet-based communications systems also tend not to support meaningful encryption. Snapchat, which many of today’s college-aged students use, is neither secure nor private. Messages sent in the platform are not encrypted, the mobile phone apps collect user data, and there is reportedly even an internal tool available to company employees for reading messages and viewing photos sent via the service, ostensibly to provide data for law enforcement requests. At the same time, Snapchat engages in privacy theater by convincing its users that messages sent via the service self-destruct.12 Although supposedly carried out by a different mechanism, threat actors have successfully stolen and shared photos and videos that users sent via the service with the expectation of privacy.13

End-to-End Encryption

In order to maintain privacy of communications, it is necessary to use End-to-End Encryption (E2EE) for the entire conversation. A properly implemented E2EE system fully encrypts a message before it leaves the sender’s device, and the message can be decrypted only on the recipient’s device, using public key encryption. There should not be any mechanism by which a service provider is capable to decrypting a message sent via an E2EE channel.

Unfortunately, E2EE has become a marketing term in recent years. Discord, a popular messaging platform among video gamers, claims to support E2EE starting from 2024.14 However, the protocol they have developed makes no mention about whether or not key escrow, or the practice of keeping a copy of the encryption key so that messages between users can be decrypted when requested, is part of their system.15 The company behind Discord has also been criticized for vague privacy policies, invasive data collection by the system itself, and even platform-specific malware.16

Other examples of privacy theater involving E2EE include WhatsApp and Apple’s iMessage, both of which have the ability to provide message content on demand according to the FBI.17 Several companies have entered the privacy market with encrypted email services, with Proton receiving a significant amount of press. However, much of this (overwhelmingly positive) press might have something to do with Proton’s affiliate program, in which “partners” can earn a significant amount of revenue by steering people to the service.18 As a rule, services that participate in affiliate marketing tend to be found on “best” lists that populate search results and in “review” articles that contain affiliate links. Objectively evaluating such services becomes impossible if the service decides to engage in this type of marketing behavior.

As a general rule, E2EE services can only maintain true encryption for messages both sent and received within the service. For encrypted chat or email services that actually implement E2EE correctly, messages that cross service boundaries normally lose their encryption. For example, an encrypted email provider cannot send a fully encrypted email to an address outside its own system, owing to the way email is implemented. Email contents can always be encrypted ahead of time using a tool like GNU Privacy Guard,19 which implements the OpenPGP encryption standard.20 However, this approach works with any email service and thereby does not require some specialized, encrypted provider. For this reason, I suggest focusing on the email provider’s data collection and privacy policies when considering email service instead of reflexively jumping to an “encrypted” provider.

Selecting Services

Properly encrypted communications services do exist, but research and due diligence are both required in order to avoid falling for marketing claims that are mere privacy theater. When searching for providers, I recommend that you consider the following:

  1. Review the provider’s Privacy Policy to understand what kind of data are being collected. If the company is vague about data collection, or if the company admits to collecting data for targeted advertising, then any E2EE claims are meaningless. The company is likely collecting at least some information from your interaction with the service, including the contents of your communications.
  2. Look for an affiliate or partner program. If a company even has such a program, then you’re going to find a bunch of phony “recommendations” and “reviews” for the service all over the Internet. These sites, which are trying to generate revenue through affiliate links, will overwhelm search results and make an objective review of the service nearly impossible to conduct. My advice is to steer clear of any company that uses affiliate marketing, even if their service otherwise looks promising.
  3. Be wary of messaging systems that require a centralized service. Decentralized services that use open standards, such as those based on the Matrix protocol,21 are less likely to make abrupt changes to their encryption or privacy standards. Services that rely on a single provider are ultimately at the mercy of that provider. If business needs change, the provider can quietly weaken or eliminate the encryption and privacy capabilities of the service.
  4. Use open-source software that is released under a license approved by the Open Source Initiative.22 It is not possible to verify that software released under a proprietary (non-open-source) license actually implements encryption the way that its vendor claims it does. Open source licenses permit the source code to be reviewed and studied for security vulnerabilities.
  5. In spite of the previous recommendations, don’t assume that an open-source license automatically means that the communications application is secure or private! By way of example, the Signal service ostensibly releases the source code for their applications and claims to be open source.23 However, Signal’s Android app contains proprietary components, its developers have historically disallowed full open source rebulds of the app from using the Signal name, and its developers have also historically forbidden open source rebuilds from communicating on the official Signal servers.24 While the known information about FBI data collection17 suggests that Signal is still secure from an E2EE standpoint as of the time of this writing, see item 3 above about centralized services. The company behind Signal could discontinue the open source code releases and fundamentally change the product without any warning to its users.

Unfortunately, the privacy and security landscape is ever-changing, so it would not be feasible to maintain a list of recommended services. Some websites do exist for that purpose, but many of them are monetized through affiliate links, YouTube sponsorships, and other financial conflicts of interest that raise questions about their objectivity. That said, such sites can be good starting points for locating services. They should not, however, be considered authoritative.

Notes and References

  1. Cybersecurity and Infrastructure Security Agency. Joint Statement from FBI and CISA on the People’s Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure. November 13, 2024. 

  2. Chris Jaikaran. “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications.” Congressional Research Service. In Focus 12798. November 15, 2024. 

  3. Jessica Lyons. “Charter, Consolidated, Windstream reportedly join China’s Salt Typhoon victim list.” The Register. January 6, 2025. 

  4. Jessica Lyons. “More telcos confirm China Salt Typhoon security breaches as White House weighs in.” The Register. December 30, 2024. 

  5. Cybersecurity and Infrastructure Security Agency. Mobile Communications Best Practice Guidance. December 18, 2024. 

  6. Lorenzo Franceschi-Bicchierai. “Trump administration fires members of cybersecurity review board in ‘horribly shortsighted’ decision.” TechCrunch. January 22, 2025. 

  7. Kevin Collier. “U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack. NBC News. December 3, 2024. 

  8. Federal Bureau of Investigation. Lawful Access

  9. Federal Bureau of Investigation. Easy Access to Information for Conducting Fraudulent Emergency Data Requests Impacts US-Based Companies and Law Enforcement Agencies. Private Industry Notification 20241104-001. November 4, 2024. 

  10. Stephen Gleave. “The mechanics of lawful interception.” Network Security 2007(5): 8-11. May 2007. 

  11. Doug Bernard. “Why Is Our Email So Insecure?.” Voice of America. August 21, 2015. 

  12. Chris Burns. “Snapchat Is Not Private, Nor Is It Safe.” SlashGear. February 15, 2022. 

  13. Kim Lachance Shandrow. “‘The Snappening’ Really Happened: 100,000 Snapchat Photos and Videos Leak Online.” NBC News. October 13, 2014. 

  14. Stephen Birarda. Meet Dave: Discord’s New End-to-End Encryption for Audio & Video. Discord. September 17, 2024. 

  15. Discord’s audio/video end-to-end encryption (DAVE) protocol

  16. Paulius Masiliauskas. “Discord security and privacy issues in 2021.” Cybernews. December 22, 2022. 

  17. Ben Zion Gad. “Can the FBI monitor your WhatsApp conversations?.” The Jerusalem Post. November 30, 2021. 

  18. Join Our Partners Program. Proton. 

  19. GNU Privacy Guard

  20. RFC 4880. November 2007. 

  21. Matrix: An open network for secure, decentralised communication

  22. OSI Approved Licenses. Open Source Initiative. 

  23. Signal. GitHub. 

  24. Signal Android app on F-Droid store / F-Droid status. Signal Community. 

Steganography

Encryption
Passwords