X

Encrypted messages don't always stay private. Here's what that means for you

An alleged plot to kidnap the governor of Michigan puts the spotlight on secure messaging apps.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read
cybersecurity-2511

Encrypted messaging locks down your chats -- but only while they're traveling to the recipients.

Angela Lang/CNET

As a group of alleged conspirators recently learned, encrypted messaging isn't a guarantee that your private conversations will stay between you and the recipient. The FBI arrested six men on Thursday for allegedly plotting to kidnap Michigan Gov. Gretchen Whitmer. How did the feds get the information they needed? They read the group's encrypted conversations. 

To be clear, accessing the communications wasn't a highly technical effort. The FBI had a confidential informant who participated in the group message threads in which much of the conspiracy was laid out, according to a criminal complaint. That kept the FBI in the loop even when the group changed messaging apps to avoid detection. 

"Because the group still included [the informant], the FBI has maintained the ability to consensually monitor the chat communications," FBI special agent Richard J. Trask II said in the complaint.

The incident underscores a basic fact about encrypted messaging apps, like Signal, Telegram and WhatsApp. While they all offer a layer of privacy , there are plenty of ways for someone to access your messages from these services. 

That's good news and bad news. On the bright side, it means criminals plotting violence can't rely completely on encrypted messaging services to hide their plans from the police. While law enforcement has warned that encryption threatens to make their investigations into the worst criminals "go dark," this case is one example of how investigators can continue to read messages sent with encrypted services.

On the other hand, it means regular users who want to protect their data from hackers, creeps and foreign governments need to rethink what encrypted messaging really does for them. It isn't a magic wand. Here's what you should know about what encryption does -- and doesn't do -- to protect your privacy.

How does encrypted messaging work?

It's OK, most people don't have a handle on just what encrypted messaging apps like Signal, Telegram and Facebook-owned WhatsApp do. They look and act like regular text messaging tools. But behind the scenes, the services scramble up your messages as they travel across cellular communications systems and the internet to get to the intended recipient's phone. 

That means no one involved in sending the message -- including the encrypted messaging service -- can read your messages. Regular SMS messaging is sent in plaintext and doesn't have this layer of protection, so your SMS messages are vulnerable to interception at multiple points as they travel from your phone to the recipient's device.

Is my phone encrypted, too?

If you use an iPhone , the data on your phone is encrypted when the device is locked. On Android phones , users have to enable disk encryption themselves. Device encryption will protect your messages as long as the phone is locked.

Apple describes this form of encryption as essential to users' privacy. For one thing, it protects all the personal data on your phone if it gets stolen. Think private messages and photos, as well as access to your email account and financial information.

Like encrypted messaging, device encryption has been a sore subject with law enforcement. The FBI tried to get a court order in 2016 to force Apple to help it access encrypted messages on an iPhone used by an extremist shooter. After Apple refused, the agency was eventually able to access the data on the phone with another technique.

How can someone get my encrypted messages?

As the Michigan case shows, anyone you send a message can share it with a wider circle of people, regardless of whether it's sent on an encrypted service. The same goes for anyone who has the ability to unlock your phone, which disables device encryption. If you don't lock your device at all, anyone who gets your phone can access your messages.

Then there's hacking, which is used by law enforcement, as well as criminals and foreign governments, to target someone's phone with malicious software. Once the device is compromised, the malware can read messages on the device just like someone looking over your shoulder to watch you type. These tools are sophisticated, can be very expensive, and require someone to target you specifically. 

Another form of malware that can get your communications is called stalkerware. That's phone monitoring software that many people admit to using to spy on their partners or exes, and it usually requires the person to have access to your phone. There are steps you can take if you're worried your device has stalkerware.

Finally, there are your backups. Data on your cloud accounts might not be encrypted, and anyone who has the password could access your backed-up messages there. Some stalkerware works by accessing your phone's cloud backup. That's a great argument for using a unique, hard-to-guess password to protect your cloud accounts, and using a password manager.

Watch this: Are passwords dead? Let's talk about the future of authentication