Please Stop Texting

If you're not like me, that is to say, terminally online, then you might not be aware of the current and ongoing telecom security crisis. The tl;dr is that US telecom infrastructure has been thoroughly hacked by China's Volt Typhoon and Salt Typhoon (both will be referred to as just Volt or Salt moving forward). As of writing this, there isn't any confirmation that Canada was affected, however given how tightly bound our systems are with those of the US, it's more than likely we were also targeted by these attacks.

Why is this so bad?

North Americans love texting, and we can't seem to quit our addiction to the now 31 year old standard, SMS. Given that every phone is equipped to send SMS messages and that it's genuinely interoperable means that this what-should-be-dead-by-now protocol is still ever-present. According to this Pew Research Centre study, "Some 83% of American adults own cell phones and three-quarters of them (73%) send and receive text messages... Some 55% of those who exchange more than 50 messages a day say they would rather get a text than a voice call." Or if you want some different numbers, in 2021 there were 2 trillion SMS messages sent. That's nearly 6 billion per day or 227 million per hour (again, that's just SMS, and doesn't include other types like WhatsApp, etc). With that level of addiction, you can see how and why bad actors world over want to snatch up all that juicy plaintext information about us; it's quite literally right there for the taking.

So where do Volt and Salt fit into this? Well, strap in for one hell of an oversimplification. As far as I can make out, both are believed to be Chinese state-sponsored cyberattacks. Where they differ, however, are the intended targets. Volt primarily aims for critical infrastructure (energy and transportation) and is more focused on being able to create long-term disruptions, whereas Salt typically goes after telecom companies (phone networks and the internet) and is more about spying and gaining control over our communications systems.

If your eyes glazed over, don't worry. I can't possibly cover every single aspect of these attacks, so I'll be focusing strictly on the communications aspect and what that means for our digital privacy. The tl;dr to the tl;dr is that if you're currently using unencrypted messaging as your default, then please for the love of all that is good, stop. This extends broadly speaking to iMessage and RCS, and for entirely different reasons WhatsApp and Telegram.

iMessage & RCS: Frenemies

When Apple rolled out iMessage in 2011, they did so by effectively hijacking SMS and adding in a layer of proprietary functionality and security. However, over the last 13 years, Apple steadfastly refused to make iMessage compatible with more secure forms of messaging. This meant, for an iPhone user, there was a two-tiered system: iMessages with other iPhone users with high-res images and full encryption, and standard texts with Android users stuck using unencrypted SMS. This was entirely because Apple knew how important iMessage's "stickyness" was to create platform lock-in.

Even now, with Apple finally adopting RCS, they did so in the most frustratingly Apple way possible by choosing an outdated version of the standard - a version that lacks end-to-end encryption. This means, yet again, messages sent from an iPhone to an Android still aren't encrypted. I will also note here that Google is absolutely not without fault either. They spent the better part of the same 13 years struggling to come up with a coherent and consistent messaging strategy, which has also played a hand in the current security crisis we find ourselves in. And somehow, it's still just as confusing as ever.

This is why, according to a Toronto Star report, "The FBI is recommending iPhone and Android users avoid texting each other following unprecedented cyberattacks on American telecom networks, reportedly by a Chinese government-sponsored group of hackers dubbed “Salt Typhoon.”

The default recommendation in these cases often falls to either WhatsApp or Signal. Personally, I'm of the belief that the only recommendation should be Signal.

Don't use WhatsApp

Back in 2021, I wrote about how it was time to stop using WhatsApp, given the changes made to their Terms of Service and Privacy Policies. Effectively, while WhatsApp's parent company, Meta (yep, the same one that owns Facebook and Instagram), was switching to encrypted messaging using the Signal Protocol, what was actually happening was that Meta modified the encryption to allow for the collection of valuable metadata, data that can include what kind of message was sent, when it was sent, and other important details like your IP address, all of which could be shared with other "Facebook companies."

So now, you might be thinking to yourself, "who cares about metadata? Isn't the actual content of the messages what's most valuable?" And the answer to that might surprise you. A 2015 study conducted by MIT researchers found that you only need four pieces of vague information, such as the dates and locations of four purchases, to identify 90% of people in a data set that recorded three months of credit-card transactions by 1.1 million people. To really make this land, I'm going to use an admittedly grim example whereby Meta can collect a wealth of information about you just by virtue of using WhatsApp:

"Jane" speaks with "John", and 1️⃣ goes to visit him, 2️⃣ stays at his place over night, 3️⃣ later sends a few messages to a phone number that is associated with an abortion clinic and 4️⃣ personally visits the clinic the day after sending those messages.

Based on the above hypothetical, here's everything Meta can understand:

Meta can see that "Jane" and "John" are messaging each other. They can't see the content of the message, but they can see the type of messages being sent (text, audio, photos, etc. i.e. metadata).
Meta can see that both phones are connected to the same WiFi network, and therefore,
Both phones must be in the same location for a period of time i.e. "Jane" and "John" are together.
Later, when Jane visits the clinic, her location + clinic WiFi are registered to "Jane's" phone, therefore WhatsApp can collect even more information should "Jane" send a WhatsApp message while at the clinic.

All it took was four pieces of innocuous information to connect those seemingly disparate dots. And while the above hypothetical may not have actually happened (yet), something similar in 2022 has already occurred in Nebraska with the then unencrypted Facebook Messenger (Meta has since rolled our E2EE across all it's chat apps).

None of this is particularly new either - Meta has long engaged in collecting information about you, whether you consent to it or not. One of the novel ideas Meta has to generate more revenue is to introduce ads. Meta has said that the ads won't be in the inbox or conversation windows, but would be limited to the Status and Channels views. And how will Meta know what to advertise to you? By using metadata collected from your private conversations.

Meta has made it clear for a while now that they view WhatsApp as their way into their next hundreds of billions in revenue. But we've seen what happens to their products once they decide that user experience, safety, and privacy are secondary to profits - Facebook helping to incite a genocide in Myanmar, Instagram actively harming the mental health of our youth (not to mention the scourge of "influencers" hawking detox teas to now outright crypto scams). Part of that is the new push to jam AI into everything, including shoving Meta AI's chatbot into Instagram DMs, FB Messenger, and WhatsApp. Meta claims that the chats will still maintain their E2E Encrypted status, but given that the data collected will be used to train Meta's LLM, and that E2EE really only exists between users and not between a data-hungry AI provided by the platform itself and a user, I'm not sure I necessarily believe them.

And with Meta's other recent AI announcement (which is part of the broader enshittification cycle driving us straight into the Dead Internet), it's now more important than ever before to protect yourself with encrypted messaging.

What about Telegram?

While WhatsApp is certainly not the best, Telegram is even worse. By default, one-on-one messages are not encrypted, and there's no global toggle either, meaning every time you start a new conversation, you have to manually enable encryption. Worse yet is that the barebones encryption that's offered doesn't extend to broadcast channels or even group chats. Telegram also has a reputation for being a haven for scammers and criminal activity, as highlighted by the arrest of the founder and CEO in France.

0/10 do not recommend.

But I have nothing to hide!

Even if you feel like you have nothing to hide, privacy still matters. Privacy isn't meant for hiding; it's meant to protect. We have a right to privacy in all aspects of our lives, and that extends to whom, what, when, where, why, and how we choose to message. Using encrypted messaging doesn't just protect you, it also protects the people that you know and love.

What can I do?

The answer here obviously entails a lot more than me just saying to use Signal, but for the sake of keeping this somewhat focused and on topic, that's where I'll leave it for today.

Signal is the gold standard when it comes to encrypted messaging, so much so that the Signal Protocol is quickly becoming the default (Meta uses a modified and closed-source version of this, and Google is planning on enabling it more broadly as the underpinning for RCS encryption on Android). It collects virtually no data, and once you sign up, you can protect your phone number by sharing your Signal Username. It has all the features you want and need from a modern messaging application, is a nonprofit, and doesn't track or serve you ads.

The ways in which the Volt and Salt attacks will continue to impact us are vast. What helped me to really understand the scope of this was to hone in on one aspect - the direct, significant, and very real effects this has had on our sense of privacy.

There's a reason why journalists rely on Signal to communicate securely with sources, and why authoritarian governments world over either want a backdoor to be installed or to ban Signal outright from within their borders: the tools we use to communicate are deeply important, and something that we must protect. If Big Brother is begging you to stop using unencrypted messaging, then you know that this is incredibly serious. It's why I've been a sustaining donor to Signal for a while now, because despite being free-to-use, it's not free-to-run.

Network effects are important, but it's also good to remember that nothing is inevitable. We saw the moves from Friendster to MySpace to Facebook to TikTok (and to, my hope and desire, eventually a federated social web). BBM was replaced with iMessage, Twitter with Bluesky and Mastodon. Phones replaced our watches, mp3 players, and everything else we could cram into our pockets. Platforms that once sought engagement driven through genuine interaction have turned into AI-generated brain-rot content because it's cheaper to make and far more profitable. All of these changes were driven, yes, largely by the enshittification cycle, but also by people making a choice. A choice for what tools to use, content to consume, and platforms to socialize and communicate.

Things can change, and in this case, change requires all of us to choose privacy by default.