โ† Back to all modules
๐Ÿ’ฌ
Tech-Savvy Adults · Module 6

Secure Communication

Understand end-to-end encryption, choose the right messaging apps, and protect your family's conversations.


The Difference Between Encrypted and Actually Private

Almost every messaging app claims to be "encrypted." But there's a crucial distinction between encryption in transit and end-to-end encryption (E2E), and understanding this difference determines whether your conversations are truly private.

Encryption in Transit (Not Enough)

When an app uses encryption in transit, your messages are encrypted between your device and the company's server, and between the server and the recipient's device. But the company can read the messages on the server. The messages are decrypted, processed, and re-encrypted at each hop.

This means:

  • The company can read your messages
  • Employees with server access could potentially view them
  • A government subpoena can compel the company to hand them over
  • A data breach at the company exposes your message content
  • The company can scan messages for advertising, content moderation, or other purposes

Apps that use encryption in transit (but not E2E by default): Telegram (regular chats), Facebook Messenger (before 2023), Slack, Discord, email (standard SMTP)

End-to-End Encryption (The Real Deal)

With E2E encryption, messages are encrypted on your device before they leave, and can only be decrypted by the recipient's device. The server in the middle only sees encrypted blobs. Not even the company operating the service can read your messages.

This means:

  • The company cannot read your messages, even if they wanted to
  • A government subpoena produces only encrypted data the company can't decrypt
  • A data breach exposes only encrypted blobs, not message content
  • Server-side employees have no access to content

Apps with E2E encryption by default: Signal, iMessage (between Apple devices), WhatsApp, FaceTime

The Metadata Problem

Even with E2E encryption, metadata can reveal a lot:

  • Who you're communicating with
  • When and how often you communicate
  • How long your conversations last
  • Your location when communicating (from IP addresses)
  • Message sizes (which can hint at content type)

Metadata tells a story even without message content. If you call a divorce attorney at 11 PM, then a real estate agent at 8 AM, the pattern reveals plenty without reading a single message.

Different apps handle metadata differently:

  • Signal retains almost no metadata: they've been subpoenaed and could only provide the date an account was created and the last connection date
  • WhatsApp retains who you message, when, group memberships, and address book contacts
  • iMessage retains conversation participants and timestamps, but Apple has fought to minimize what they're required to keep

The Protocol Matters

The Signal Protocol is the gold standard for messaging encryption. It's used by:

  • Signal (obviously)
  • WhatsApp (all messages)
  • Google Messages (RCS conversations between Google Messages users)
  • Facebook Messenger (since late 2023, default E2E)

The Signal Protocol provides:

  • Forward secrecy: Even if encryption keys are compromised in the future, past messages can't be decrypted
  • Post-compromise security: If a key is compromised, future messages are automatically re-secured
  • Deniable authentication: You can verify who you're talking to, but messages can't be cryptographically proven to be from you (protects against selective message leaking)
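
The forward secrecy property above, sketched as an added example (not part of the original module and not Signal's own code): a one-way key chain of the kind the Signal Protocol uses, built with HMAC-SHA256 from the Python standard library. The names, the two input constants and the starting secret are assumptions for illustration; the Diffie-Hellman step that gives post-compromise security is left out, which is why keys after the compromise stay derivable here.

```python
import hmac
import hashlib

MESSAGE_KEY_INPUT = b"\x01"  # assumed constant: KDF input that yields a message key
CHAIN_KEY_INPUT = b"\x02"    # assumed constant: KDF input that yields the next chain key


def ratchet_step(chain_key: bytes) -> tuple:
    """Advance the chain one step and return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return message_key, next_chain_key


class SendingChain:
    """Keeps only the current chain key; each step overwrites the previous one."""

    def __init__(self, initial_chain_key: bytes):
        self.chain_key = initial_chain_key

    def next_message_key(self) -> bytes:
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return message_key


def keys_derivable_from(stolen_chain_key: bytes, count: int) -> list:
    """Message keys that can be computed going forward from a stolen chain key."""
    keys, chain_key = [], stolen_chain_key
    for _ in range(count):
        message_key, chain_key = ratchet_step(chain_key)
        keys.append(message_key)
    return keys


def demo() -> tuple:
    # Constructed starting secret; in the real protocol it comes from the key agreement.
    chain = SendingChain(hashlib.sha256(b"constructed shared secret").digest())
    past_keys = [chain.next_message_key() for _ in range(3)]    # messages 1-3
    stolen = chain.chain_key  # device compromised here: this is all that is in memory
    future_keys = [chain.next_message_key() for _ in range(3)]  # messages 4-6
    derivable = keys_derivable_from(stolen, 10)
    past_exposed = any(key in derivable for key in past_keys)
    future_exposed = all(key in derivable for key in future_keys)
    return past_exposed, future_exposed


if __name__ == "__main__":
    print(demo())
```

Because HMAC cannot be run backwards, the stolen chain key leads only to later message keys, never to the ones already used for messages 1-3.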

What About iMessage?

iMessage uses Apple's own E2E encryption protocol. It's solid, but has some important caveats:

  • Only E2E between Apple devices. If anyone in a group chat has an Android phone, the conversation falls back to SMS/MMS, which is completely unencrypted.
  • iCloud backup loophole. If you have iCloud Backup enabled (without Advanced Data Protection), your iMessage history is backed up to iCloud where Apple can access it. Enable Advanced Data Protection to close this gap.
  • The green bubble problem. Apple/Android mixed conversations use SMS, which is unencrypted and stored by carriers. This is a genuine security gap, not just an aesthetic one.

Practical Recommendation

For your most sensitive conversations, use Signal. For everyday family chat, iMessage (if all Apple) or WhatsApp (if cross-platform) are both solid. Just understand the metadata tradeoffs and iCloud backup implications.


๐Ÿ›ก๏ธ CyberSafe โ€” Online safety training for the whole family.