Security and Privacy in Uncertain Times
Authored by the DFL49 Data and Tech Team
Very brief summary (TL;DR): use Signal for texts and calls
There’s a firehose of information pounding out warnings and worries by the minute. Some are global or far away, and some are very personal and part of daily activities. We’ve pulled together a summary of what’s going on in electronic communications, especially computers and cell phones, and how to make your own calls and messages more secure.
Links to further information about security and privacy practices are included at the bottom of the article.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed publicly that a hacker group called “Salt Typhoon”—believed to be affiliated with the Chinese government—gained access to the systems of several global telecom companies. They have stolen call records and compromised private communications of senior U.S. politicians and government officials.
In response, CISA released a set of best practices for mobile communications. The guidelines apply to anyone concerned about privacy and about data being compromised by bad actors, foreign or domestic. Expert organizations, like the Electronic Frontier Foundation (EFF), have published similar advice for years.
All U.S. residents can use the same recommended software and techniques to greatly reduce risk and increase communication privacy.
Messages and Calls
Messaging applications for text, voice, and video are in almost everyone’s pocket. Two factors are important for understanding and evaluating the security of these apps: encryption and metadata.
Encryption
Many apps encrypt data to some extent. The gold standard for secure communications is end-to-end encryption. Even if a bad actor intercepts an end-to-end encrypted message, they cannot read the “content” of the communication. Only the sender and recipient can decrypt and understand the content.
Metadata
Metadata is information describing the content and data we exchange. It can reveal sensitive information about us. This information is commonly collected and stored on servers owned by the makers of communications sites and apps we use.
This can have serious implications for user privacy. Anyone who gains access to this metadata could learn details about your medical history, banking relationships, political affiliations, group memberships, friends and contacts, events you attend, where you live and travel, etc.
Even a tiny sample of metadata can provide a privacy-invading look into a person’s life … A telecommunications company may know:
you called the suicide prevention hotline from the Golden Gate Bridge.
you called a gynecologist, spoke for half an hour and then called a clinic that provides abortions later that day.
– EFF: Why Communication Metadata Matters
Strategies to Protect Communications
There’s a wide variety of communications apps and websites to choose from on our computers and mobile devices. Many are features of social networks. Others are work tools. Few come with strong privacy features and many require extra effort to enable those features if they exist. Privacy between users with different types of devices (Apple and Android, for example) may be weak and can be compromised by a single user having a non-secure configuration.
There is one standout: the EFF and CISA both recommend an app called Signal for its strong security and privacy features. Signal offers end-to-end encryption and does not collect or store sensitive metadata. There is no web app, so all users must download and use Signal to communicate. The software is open source and offers versions for the most common devices and operating systems.
There are other options that offer varying degrees of privacy and security. Many collect metadata and are regularly pressured to turn over records to various authorities without notice to users.
Apple’s Messages (AKA iMessage) and FaceTime apps offer end-to-end encryption out of the box but the company collects and stores metadata.
Meta’s WhatsApp also offers end-to-end encryption. However, WhatsApp shares data with Facebook and also collects metadata.
Google’s Google Messages app uses a different security protocol than Apple and requires users to activate encryption features. As a result, messages between iPhone and Android devices are generally not secure.
There are many other options as well, but we strongly recommend everyone use Signal for communications where security and privacy are paramount (examples: birth dates, Social Security numbers, messages intended to be private).
References