by Dave Moore, CISSP
02/13/2022
What if someone told you, “I can read all of your text messages?” It’s quite likely they would be correct.
Did you know if you are using the text messaging service offered by your phone carrier, which most of us do (AT&T, Verizon, T-Mobile, etc.) your texts are not encrypted? Nope, they’re not. SMS (Short Messaging Service) is what every phone carrier offers, and all messages are sent in what’s called “plain text.” That means “plain English,” or, “plain Spanish,” or plain whatever language you speak, because that’s how they are written, that’s how they are sent across the Internet, and that’s how they can be intercepted and read. No secrecy involved.
If that scenario doesn’t sit well with you, you should be using encryption with your text messaging. You can even use encryption with your phone calls, too. While you’re thinking about privacy for your text messages, though, let me encourage you to do this: forget WhatsApp. I repeat, forget WhatsApp.
What prompted this column was a TV commercial I saw recently featuring a delivery driver bringing people packages and letters that had already been opened. It’s a clever commercial, the first I’ve ever seen advertising a texting app. Folks in the commercial are complaining that their letters and packages have no privacy if they’re that easy to open and read.
A good point is made; standard SMS text messages are, with the right knowledge and skills, easy to intercept and read. The problem here, the thousand-pound gorilla sitting in the corner, is who made the commercial, and who’s making the point: WhatsApp. A messaging app owned by privacy nightmare Facebook.
OK, to be clear: last October, Facebook changed its name to Meta, to align with its new quest: creating a “MetaVerse.” Please, don’t get me started on the Metaverse, Mark Zuckerberg’s creepy, dopey, pointless vision of our future world. That’s another discussion. Just know that Facebook changed its name to Meta, and then made Facebook (the social media website) one of its products. Sort of like when Southwestern Bell (SBC) bought AT&T in 2005, and then changed their name to… AT&T. Got it?
So, Meta (Facebook) owns WhatsApp, the messaging app that says they will provide awesome privacy for your text messages. Problem is, they don’t. It’s a lot like the Big Bad Wolf telling the Three Little Pigs he’s not going to eat them. WhatsApp even tells you, right in their terms of service, the crummy privacy they offer, and how they are going to collect everything they possibly can about you and turn it into money.
Does WhatsApp encrypt your messages? Sure, but everything else is up for grabs. Your purchase history, phone number, “other” user content, identifiers like your User ID and your phone’s Device ID, advertising and “product interaction” data, financial and payment data, email address, everyone in your address book, all of it is theirs to exploit however they see fit. Little pig, little pig, let me in.
This is the same Facebook/Meta/WhatsApp that was fined $70 million last year in England for failure to comply with disclosure orders, paid $5 billion in 2019 to the US FTC for violating consumer’s privacy over the Cambridge Analytica scandal (and to protect founder Mark Zuckerberg from prosecution), and was fined $60 million in France for privacy violations. WhatsApp itself was fined $270 million last year in Ireland for data privacy violations. So please, forget WhatsApp.
The text app to use for privacy is called Signal. It’s in the Android and Apple app stores, good for both Android and iPhones. It has none of the drawbacks that make WhatsApp such a bummer. It’s super easy to download and install. The major requirement is that whoever you wish to communicate with also has to have the Signal app installed. An added bonus is, it can make international phone calls, not only private, but free.
Now that you know what’s up, round up all your friends and family folks, everyone install Signal, and get private.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.com