CNET también está disponible en español.

Ir a español

Don't show this again

Mobile

Why you need a better handle on the WhatsApp, Signal and Telegram apps

You might not really understand how encrypted messaging works, and you're not alone.

James Martin/CNET

You've likely heard by now that encrypted messaging apps are a good way to keep your communications private. But there's a good chance you're not totally sure what makes them so safe.

It's OK. You have company.

New research from experts in computer science has found that even though many people are using secure messaging apps like WhatsApp, Signal and Telegram, they can't say with confidence how the apps protect user privacy. What's more, they're not sure that the services are safer than other options like SMS text messages and landline phone calls.

"Overall, our results suggest that [end-to-end] encrypted tools are widely used but not accurately understood," wrote the report's authors, led by doctoral student Ruba Abu-Salma from University College London.

That's a problem, the researchers say.

It means that people might not choose encrypted messaging to send their most sensitive information, if they think their messages are likely to be intercepted and read on those services. What's more, if people don't see encrypted messaging as having a special level of security, they might not have a problem with government efforts to undo end-to-end encryption. That adds to the pressures tech companies already face in saying no to governments all over the world that want to get their hands on encrypted messages.

Government access to encrypted communications

The pressure is very real. Right now encrypted messaging service Telegram is in a legal battle with the Russian government, which shut down the service after the company refused to let it access encrypted messages. In 2016, a Facebook executive was arrested in Brazil when the company declined to give authorities access to WhatsApp messages as part of a criminal investigation.

And though there haven't been huge legal dustups over encrypted messaging apps in the US, the country's intelligence agencies do have programs that scoop up communications from US residents, and federal lawmakers and law enforcement agencies have expressed concern about encrypted services that won't let them access user messages even with a warrant.

Abu-Salma, joined by Elissa Redmiles of the University of Maryland and Blase Ur and Miranda Wei of the University of Chicago, will present research on Tuesday at a workshop on Free and Open Communications on the Internet, an annual event that showcases research on internet censorship and online threats to privacy.

How does this thing work again?

Encrypted messaging apps scramble up your messages and phone calls so that only you and the person you're communicating with can access them. That means not even the messaging service can see what you're sending, and neither can anyone else who might intercept your web traffic. That's different from SMS messages and phone calls, which can be intercepted by your phone carrier and law enforcement, as well as hackers with the right equipment.

In their research, Abu-Salma and her colleagues surveyed 125 people in the UK about their understanding of encrypted messaging services, and found two major misconceptions.

First, 75 percent of people surveyed said they believed "unauthorized entities" could access messages secured with end-to-end encryption. That could happen in specific circumstances, like if the company providing the service made a mistake with the encryption, or if they gave in to government pressure to give access to messages.

But working properly, end-to-end encryption is designed so that only the devices sending and receiving the messages can access their content. That's pretty much the opposite of SMS messages, which by default can be seen by the companies that help transport them to your recipient.

"If it's not sent encrypted, then any of those parties along the way can see the full contents of your message," said Serge Egelman, director of usable security and privacy research at the International Computer Science Institute.

Now playing: Watch this: 11 WhatsApp features you might not know
2:40

Second, 50 percent of the study's participants said they believed SMS text messages and landline phone calls were just as secure, or even more secure, than an encrypted message. Since end-to-end encryption blocks out other people from accessing your messages and phone calls, that's simply not true.

Even when news breaks that a given messaging app has a flaw in its encryption, Egelman said, you should keep using it for your sensitive communications.

"Encryption with an obscure flaw that is likely only exploitable by nation-states is still much better than not using any encryption," he said.

Make good choices

How you decide to communicate is up to you. Which messages are too sensitive to send from a vulnerable system? The answer will vary from person to person.

For Abu-Salma and her fellow researchers, the most important thing is that users understand that end-to-end encryption is the most secure option.

Based on their research, that's not the case right now. This might be because it's too much to ask one clunky-sounding phrase to remind users of all the nuanced ways secure communications matter.

"Our results suggest that a high-level description of a secure communication tool as 'end-to-end encrypted' is too vague," the researchers wrote.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.