End-to-end encryption (nicknamed E2EE) has been a major selling point of Meta's WhatsApp messenger since the feature was introduced in 2016. In short, true E2EE ensures that texts, calls, images, and audio or video files are impenetrably scrambled from the moment you send them to the moment someone receives them, and vice versa. At no point in transit can the message be read, not even as it passes through a provider such as Meta's servers. A new U.S. federal lawsuit questions that assertion.
According to the complaint, plaintiffs allege that Meta misrepresented the degree to which WhatsApp message data is inaccessible to the company, including whether Meta can technically access or derive information from messages under certain conditions. The suit also accuses the company of accessing metadata – such as who you’re messaging, when messages are sent, how often, from which devices, and sometimes your location or IP address. (Meta disputes the claims.) Meta is not alleged to be reading the content of messages.
(Meta disputes the claims.) It also makes me wonder about the security of so-called encrypted direct messages on Meta-owned Instagram.
There's a long way to go in proving or disproving these claims. But the allegations give me pause and make me wonder about the security of so-called encrypted direct messages on Meta-owned Instagram. Fortunately, you have several solid alternatives – each with pros and cons – to consider.
Read more: When Cell Networks Go Down, These 6 Steps Keep You Connected
Why encryption matters for everyone
Most of us aren't high-ranking government officials, celebrities, captains of industry, dissidents, or investigative journalists who would be specific targets of spies, paparazzi, or repressive regimes. But anyone can benefit in other ways. A trustworthy E2EE service provider can't peek inside message contents to get information for its own marketing profiles or to sell info to other advertisers or data brokers.
No one intercepting the messages or harvesting them in a data breach can access confidential information, such as credit card numbers or sensitive communications that could be used for scams or blackmail. (For instance, the alleged “Salt Typhoon” Chinese hacking campaign against U.S. wireless carriers is claimed to have exposed metadata from unencrypted SMS traffic.)
When you move more of your relationships to one or more encrypted platforms, it's easier to spot spam and scam messages from outsiders not in your circle of contacts. And as tension and mistrust rise on all sides of politics, encryption may instill a sense of security – even if you never actually need it.
Read more: iOS Apps Have Been Leaking Users’ Information. Here’s How to Stop It
How encrypted message apps compare
Leaving out WhatsApp and Instagram for the moment, the nonprofit Signal Foundation's namesake app is the best option. However, that only works if you can convince enough of your friends and family to use it. In terms of compatibility, you're more likely to succeed with Apple iMessage, Google Messages, or a newer technology called Rich Communication Services (RCS), which works across Android and iOS devices. Here are the pros and cons to consider for the so-far trustworthy alternatives to WhatsApp.
Signal
Pros: The app is managed by the nonprofit Signal Foundation and built on technology developed by widely respected cryptographer Moxie Marlinspike. The Signal protocol is so trusted that other services, including Google Messages, WhatsApp, Facebook Messenger, and the now-defunct Skype. Signal works on Android and iOS.
According to Signal’s public documentation and court filings, it retains only a user’s phone number, the date the account was created, and the date the account last connected; it does not store message content, contact lists, or message metadata. To contact you, someone needs your exact phone number, your Signal username, or a QR code you provide. (Although they could still spam numbers at random.)
If you don't enable biometric unlock, the app requires an additional PIN code to access. You can set messages to “disappear” after a pre-set amount of time. Messages you want to keep can now be encrypted and stored online, making transfers between phones easier.
Cons: Unlike the other top E2EE services, Signal is not built into device operating systems. You and others have to make a point of installing it, creating an account, and configuring it, such as setting up encrypted online backup. To unlock that backup, you must provide (and not lose) a 64-character key.
Apple iMessage
Pros: iMessage is built into the most-popular smartphone platform in the U.S. as well as the operating systems for iPads, Macs, and Apple Watches. Apple's revenue comes overwhelmingly from selling devices and services, not from advertising based on user data. In fact, privacy is a key selling point for the company. Apple has also taken high-profile stands against even law-enforcement efforts to access user data.
Cons: iMessage is not available on Android or Windows devices. Conversations in iMessage with people on Android (the derided green bubbles) drop down to insecure SMS messages. Also, you can make iMessage available on unlimited Apple devices with the same Apple ID, which provides more targets for people to access your communications
Google Messages
Pros:When RCS is enabled, Google Messages uses the Signal protocol for end-to-end encryption of one-to-one and group chats. Messages also has advanced features to flag and block spam and phishing texts. It's integrated into Android phones and tablets, and accessible in a browser via Messages for Web.
Cons: Encryption between Android devices requires enabling Rich Communication Services, which is typically not on by default. You have to ensure that anyone you communicate with also has RCS properly enabled, including everyone on a group chat. (You confirm it's active by checking for a lock symbol on the send button and/or a banner saying “RCS chat.”) Otherwise, chats with any device drop down to SMS. Google Messages encryption is incompatible with iMessage: While both support RCS, they use forms that don't work together.
Read more: Texting Just Got Much Better Between iPhones and Android
Rich Communication Services to the rescue?
RCS offers a universal set of advanced features similar to what iMessage provides on Apple devices. When implemented, it can enable read receipts, typing indicators (the three dots), high-resolution photo and video sharing, better group chat features, and end-to-end encryption.
For Apple, RCS requires iOS 18 and phones starting with the iPhone XS and XR. (Although it's currently superfluous, as iMessage already has encryption.) Google devices require Android 9 or later and typically models launched after 2018.
To enable RCS in iOS, go to Settings > Apps > Messages > RCS Messaging. In Android Messages, tap your account icon in the upper right and go to Messages Settings > RCS chats.
RCS encryption does not currently work between Android and iOS devices. Wireless carriers are starting to implement RCS across their networks so it will work with all devices automatically – eventually replacing insecure SMS text messages with the gold-standard E2EE. That transition is uneven, carrier-dependent, and may take years – or may never fully deliver universal end-to-end encryption.
[Image credit: Techlicious via ChatGPT and Adobe Firefly]
