Showing posts with label End To End Encryption.

Meta’s New Encrypted AI Chat Strategy Faces Trust Challenges


 

A significant structural change in consumer chatbot privacy has taken place over the past two years since Meta launched Incognito Chat with Meta AI on 13 May 2026. With this announcement, the architecture that Christakis refers to as Sealed Mode in Part 1 of his study on consumer chatbot confidentiality has become a mass-market product rather than a research aspiration.

The Meta AI app allows WhatsApp users to communicate with the provider in a mode that does not allow Meta to read the conversation, much as Meta cannot read WhatsApp messages exchanged between two users.

The protection is architectural rather than contractual: Meta has renounced access to content through the hardware design of the Trusted Execution Environment in which the chat is processed. Furthermore, the announcement comes as legal and regulatory scrutiny grows on how artificial intelligence providers retain conversational data and respond to law enforcement demands.

While Google states that temporary Gemini chats may be retained for up to 72 hours, OpenAI and Anthropic maintain substantially longer retention periods for temporary and incognito interactions, with ChatGPT sessions and Claude sessions reportedly remaining available for at least 30 days. It has become increasingly necessary to maintain these retention practices since chatbot logs have been used as evidence in numerous high-profile legal cases, including investigations relating to the mass shootings at Tumbler Ridge and Florida State University, as well as a court order requiring indefinite storage of certain ChatGPT conversations in The New York Times litigation.

Additionally, Google is facing litigation regarding allegations that Gemini encouraged a series of “missions” preceding the death of a 36-year-old man. Against this backdrop, Meta is positioning Incognito Chat to distinguish itself from conventional cloud AI architectures. The company has extended its existing Private Processing framework, originally deployed within WhatsApp for AI-driven summarization and writing tools, directly into users' conversations with Meta AI. This eliminates the previous model, in which prompts left WhatsApp's encrypted channel and reached Meta's server infrastructure during processing.

With Incognito Chat, Meta claims that conversations are processed within a Trusted Execution Environment where neither Meta nor WhatsApp has access to plaintext conversation history, while all contextual memory is removed once a session is completed. A web search initiated by Meta AI is also detached from user identity metadata and can be disabled completely by the user at launch. At launch, Meta will provide text-only interactions, with an upcoming "Side Chat" feature that will enable users to get private assistance within an active WhatsApp conversation without interrupting the encrypted thread.

Through the new model, Meta AI users will be able to initiate Incognito Chat sessions in which they can conduct temporary encrypted interactions. These interactions will be processed in an isolated, secure computing environment whose operations are inaccessible even to Meta AI's internal systems, according to Meta AI.

By design, Meta says these sessions are ephemeral, with conversations neither being stored nor retained by default following their conclusion. The feature is positioned in a way similar to transient secure messaging rather than conventional cloud-based AI assistance. In the near future, this capability will be available both through WhatsApp and Meta AI's standalone application, along with another privacy-focused feature internally referred to as Sidechat.

With Sidechat, users will be able to invoke Meta AI discreetly within an active WhatsApp conversation to summarize exchanges, answer contextual questions, and provide assistance with ongoing conversations without interrupting or exposing the primary encrypted chat thread. Meta officially stopped supporting end-to-end encrypted direct messages on Instagram less than one week before the rollout, which has increased industry scrutiny.

According to Instagram's support documentation, encrypted direct message functionality will cease on 8 May, and users are advised to export any media or conversations they wish to keep. Users seeking encrypted communication were immediately redirected to WhatsApp, which was explicitly referred to as Meta's sole remaining end-to-end encrypted messaging platform. 

Following the Instagram encryption rollback, a spokesperson from the company indicated that limited adoption prompted the rollback, stating that only a small percentage of users enabled encrypted direct messages, but stressed that WhatsApp's infrastructure could still be used by those who needed encrypted communication.

Meta’s Incognito Chat initiative ultimately represents more than a new privacy feature: it signals a broader shift in how major AI platforms are attempting to redesign trust at the infrastructure level rather than through policy language alone. By combining encrypted messaging pathways with Trusted Execution Environment-based processing, Meta is testing whether consumer AI systems can operate with reduced provider visibility while still delivering real-time contextual assistance at scale.

Yet the rollout also exposes the growing contradiction at the center of the AI industry: as chatbot interactions become increasingly personal, legal demands for data retention, safety monitoring, and platform accountability continue to expand in parallel. Whether Meta’s architecture can withstand both regulatory pressure and public skepticism may determine how future AI communication systems balance usability, privacy, and operational transparency.

iOS 26.5 Introduces Private RCS Messaging and Core Feature Improvements


 

By introducing end-to-end encrypted RCS messaging between iPhone and Android devices for the first time, Apple has taken another step towards unifying secure cross-platform communication. 

In the update, Apple's messaging architecture has been significantly altered, extending advanced encryption protections beyond its proprietary ecosystem and into carriers' Rich Communication Services networks. This feature is currently being tested across major US networks and enables encrypted message exchange through the most recent version of Google Messages for Android, as well as Apple's native messaging experience, which is enhanced with visual encryption indicators and automatic activation mechanisms. 

RCS encrypted messages are currently available through a phased beta rollout to iPhone users running iOS 26.5 across supported carrier networks. Android compatibility is dependent on the latest version of Google Messages. It has been confirmed that encryption will be activated by default and gradually extended to both newly initiated and existing RCS conversations, eliminating the need for users to configure encryption manually.

Supported chats are now equipped with a dedicated lock icon that acts as a real-time confirmation layer, making sure messages are not readable while in transit between devices. Apple reiterated its commitment to privacy as its first priority, stating that iMessage remains fully encrypted within its native ecosystem, while the expansion of encrypted RCS provides an additional layer of security for cross-platform communication. 

According to industry analysts, the move is more of a strategic extension of Apple's broader device security framework than simply a messaging upgrade. According to Faisal Kawoosa, Founder and Chief Analyst at Techarc, the latest update enhances security assurances for Apple users outside of the iOS ecosystem, despite the fact that third-party messaging platforms will continue to be relevant.

iOS 26.5 also addresses multiple system-level vulnerabilities, including issues in which malicious media files and crafted text messages could previously cause application crashes, interface freezing, and potential denial-of-service exploitation scenarios.

Along with the messaging overhaul, iOS 26.5 incorporates stability and security fixes. Modernizing the functionality of RCS itself, the update also brings advanced messaging capabilities, including high-resolution media transfer, typing indicators, read acknowledgements, reactions, and collaborative group chats across multiple devices.

Beyond its security-focused messaging upgrades, iOS 26.5 introduces a series of ecosystem refinements for personalization, subscription flexibility, and contextual user experiences. In honor of Pride Month, Apple has released an animated vertical light band wallpaper collection entitled Pride Luminance, which shifts subtly as the device is unlocked.

Apple continues to integrate adaptive visual design into iOS with its newest features, allowing users to customize wallpaper based on 11 predefined colour combinations or to create their own palette configurations. In addition to expanding subscription controls in the App Store, developers may also now offer monthly payment structures for discounted annual plans, a move that is intended to reduce upfront costs for long-term subscriptions while maintaining yearly commitments. 

The revised billing framework will require users who subscribe to annual packages through monthly payments to complete the payment cycle, regardless of whether the subscription is cancelled prior to the expiration date. Along with these additions, Apple has been continuing to expand its RCS rollout. Even though Rich Communication Services support was introduced with iOS 18 in 2024, it did not initially offer end-to-end encryption support, despite offering advanced messaging features such as high-resolution media sharing, typing indicators, read receipts, and advanced group chat features. 

In response to the integration of E2EE standards in the RCS specification by the GSMA last year, Apple has begun testing encrypted RCS support through the iOS 26 beta cycle and is preparing for a wider stable rollout. The availability of RCS support on iPhones continues to vary according to the network provider, because RCS functionality remains dependent on carrier-level implementation. 

Eligible users can manage the feature through the Messages settings panel, and encrypted RCS chats display dedicated visual verification indicators, such as lock icons and encrypted session labels. Other core applications are also being refined in this release cycle, including Maps updates that incorporate recommendations based on nearby trends and recent search behaviour, demonstrating the company's growing emphasis on contextually relevant software.

Apple's iOS 26.5 not only extends feature parity between platforms but also reinforces its broader strategy to embed privacy and resilience deeper into everyday digital communication. By implementing end-to-end encryption for RCS conversations and simultaneously addressing media-handling vulnerabilities at the system level, the company is strengthening security controls around one of the most widely targeted layers of the mobile ecosystem. 

It reflects the growing industry trend towards interoperable, yet encrypted communication standards, where usability enhancements will increasingly coexist with enterprise-grade security protections and real-time threat mitigation.

WhatsApp Encryption Comes Under Spotlight Following Federal Allegations

 


Federal Investigation Into WhatsApp Encryption

A confidential federal investigation into encryption integrity has morphed into a broader debate addressing the technical transparency of one of the largest messaging platforms in the world. According to a Bloomberg report citing individuals familiar with the matter, investigators quietly examined whether Meta’s WhatsApp could, under certain internal conditions, expose access to user conversations despite its longstanding end-to-end encryption assurances. 

There was considerable weight to these allegations, considering WhatsApp has more than three billion users globally, many of whom depend on the platform for confidential personal communications, corporate coordination, and sensitive business communications. The inquiry was led by a special agent from the U.S. Department of Commerce's Bureau of Industry and Security over a period of nearly ten months, during which internal documents were reviewed, interviews were conducted, and an assessment of the handling of message data behind the platform's infrastructure layers was carried out. 

The investigation reportedly intensified after a January 16 internal memorandum circulated across multiple federal agencies claimed that certain Meta employees and contractors could access message content in ways that conflicted with WhatsApp’s public encryption narrative. In spite of the technical and regulatory implications of the findings, the federal investigation was abruptly ended earlier this year without any explanation for the sudden halt.

In 2024, an anonymous whistleblower alleged that WhatsApp’s privacy architecture was not as impenetrable as it was publicly portrayed, resulting in renewed controversy surrounding WhatsApp. According to the reports, U.S. authorities quietly began a federal investigation in 2025, ordering investigators to examine whether the messaging service's internal systems allowed access to the supposedly encrypted communications.

The investigation is reported to have taken nearly ten months. Investigators collected technical records, interviewed personnel, and reviewed the internal operational processes related to Meta's storage and handling of message data. A report indicates that preliminary findings suggested that a mechanism could be established that would allow message content to be exposed unencrypted under certain circumstances, prompting internal attention to the investigation. The investigation was ultimately terminated without any formal public findings, further deepening concerns surrounding transparency and encrypted data governance.

Meta Defends WhatsApp’s Encryption Architecture

According to Meta, WhatsApp's end-to-end encryption framework prevents even the company itself from gaining access to message content while it is being transmitted. WhatsApp has consistently denied allegations that it reads private conversations on the service. After Meta acquired WhatsApp in 2014, the platform introduced end-to-end encryption globally in 2016. The system was designed so that only the sender and recipient possess the cryptographic keys required to unlock conversations. From a technical standpoint, the encryption architecture continues to be regarded by many cybersecurity researchers as fundamentally secure during message transmission. 

Public Distrust and Global Security Concerns

The public, however, remains skeptical of the program, partly because many users believe ads often appear to relate to topics discussed in supposedly private conversations. The perception of large-scale data collection practices in digital ecosystems has continued to fuel distrust, even though no verifiable evidence has conclusively demonstrated that WhatsApp monitors encrypted communications for advertising purposes. 

A number of governments and state institutions have emphasized the potential threat WhatsApp poses to sensitive communications, despite its claims that it is encrypted. The concerns extend beyond consumer privacy to national security and operational risk management. A number of countries, including Iran and Russia, have repeatedly expressed concerns regarding the platform’s data handling practices and foreign ownership structure, as has the United States, where the application was prohibited from being used on official devices for the House of Representatives.

In addition, a class action lawsuit filed in San Francisco in 2026 alleges that Meta unlawfully intercepted and shared private WhatsApp communications with unauthorized parties, adding further pressure. It was alleged in the complaint that company personnel could access messages in real time via internal request systems. According to the report, one federal investigator involved in the investigation concluded Meta can store text, audio, image, and video data in a non-encrypted format within certain backend environments. This claim has been strongly contested by the company.

India’s Encryption and Traceability Clash

In India, where privacy rights and regulatory oversight have increasingly collided over digital communications, the encryption debate has been particularly significant. After WhatsApp updated its privacy policy in 2021, tensions escalated. At the same time, the Indian government introduced new information technology rules requiring message service providers to provide a method for “tracing” messages so that law enforcement can examine them. 

WhatsApp would have been forced to fundamentally change its encryption model in order to comply with the regulations, effectively undermining the fundamental principle of end-to-end encryption. As a result, the platform challenged the requirements in court, arguing that a requirement for traceability would substantially compromise user privacy and weaken the protections provided by digital security. In spite of India enacting the Digital Personal Data Protection Act in 2023, the legal dispute has not yet been resolved.

When WhatsApp appeared before the Delhi High Court in 2024, it stated that it may be forced to cease operations in India if forced to violate encryption safeguards, a scenario that would negatively impact approximately half a billion users. Despite the ongoing legal standoff, the platform continues to operate in India without implementing the government's traceability requirement, keeping the broader debate surrounding encryption, surveillance, and digital privacy far from resolved.

Whistleblower Complaint and Operation Sourced Encryption

The allegations against Meta did not originate from online speculation or public conspiracy theories but reportedly emerged through a formal whistleblower complaint submitted to the U.S. Securities and Exchange Commission in 2024. As stated in the complaint, WhatsApp may have provided limited access to user communications, despite repeated assurances regarding end-to-end encryption provided by the platform.

The seriousness of the allegations prompted federal authorities to quietly launch an internal investigation that remained largely shielded from public scrutiny. The investigation was later handled by a special agent within the Bureau of Industry and Security, specifically through its Office of Export Enforcement, where Operation Sourced Encryption was reportedly conducted.

During the inquiry, officials interviewed individuals familiar with Meta’s operational workflows, reviewed internal technical processes, and examined whether backend systems created any pathway through which employees or contractors could access message-related content after transmission. 

Internal Findings and Access Allegations

The investigation reached a turning point in January 2026 when the lead agent circulated a memo to numerous agencies, including the Securities and Exchange Commission and the Federal Trade Commission, regarding the allegations of misrepresentation. According to the memorandum referenced in the report, the agent concluded that Meta possessed the technical capability to store and potentially access WhatsApp communications, including text messages, photographs, audio clips, and video recordings.

The findings further suggested that certain internal practices could conflict with federal standards governing consumer privacy and corporate disclosure. One of the investigation’s central findings involved what the agent described as a ‘tiered permissions system,’ an internal access framework allegedly active since at least 2019.

According to the memo, the structure provided varying levels of platform visibility to employees, contractors, and overseas personnel, including workers based in India. Individuals interviewed during the probe reportedly stated that moderation-related operations conducted through Accenture involved broad access to message-associated content.

Sudden Shutdown of the Federal Probe

Once the findings were circulated internally, senior leadership of the Commerce Department reportedly ordered the investigation to be terminated shortly thereafter. Officials who supported the closure of the investigation later referred to the agent's conclusions as "unsubstantiated" and argued that the investigation exceeded the authority typically granted to export enforcement officers.

Though the federal investigation was formally terminated without any public release of its conclusions, the controversy has intensified scrutiny of the ways in which encrypted communication platforms manage backend infrastructure, moderation systems, metadata processing, and administrative access controls.

The investigation has heightened industry concerns over whether large-scale messaging platforms will be able to simultaneously maintain strong encryption guarantees, regulatory compliance, and operational oversight without creating hidden exposure points, despite Meta's continued rejection of allegations that WhatsApp compromises private conversations. 

There are now many questions raised by regulators, cybersecurity researchers, and privacy advocates that go far beyond a particular application, resulting in a profound debate regarding transparency, trust, and the future architecture of secure digital communications.

Russia promotes Max platform as questions grow over user data security


 

Daily communication in Russia has been disrupted in recent weeks, as familiar digital channels experience problems under mounting regulatory pressure.

What appears at first glance to be a technical inconvenience is in fact a deliberate realignment of the country's information ecosystem that has been going on for several years. Authorities have elevated a domestically developed alternative known as Max while restricting access to globally embedded messaging platforms such as WhatsApp and Telegram.

The shift is neither subtle nor incidental. It is an assertive attempt to redefine the boundaries of digital interaction within the state's sphere of influence. Millions of users are directed towards a platform that remains closely aligned with Kremlin interests in terms of architecture and governance.

Max, introduced in 2025 by VK, is much more than a conventional messaging platform and marks a significant escalation in this strategy. By consolidating communication tools with state-linked utilities, such as access to government services, financial transactions, and the development of a digital identity framework, it provides the functionality of an integrated digital ecosystem.

Despite bearing structural similarities to WeChat, the implementation is in line with Moscow's long-standing pursuit of technological autonomy. Although adoption is nominally voluntary, infrastructure incentives and regulatory constraints have combined to create conditions in which disengagement has become increasingly difficult.

Endorsements from Vladimir Putin have framed Max as a secure and sovereign alternative, reinforcing a policy direction that, as noted by internet governance scholar Marielle Wijermars, is the culmination of efforts to reconfigure the nation's internet architecture toward tighter state oversight.

As part of the transition, technical integration and controlled accessibility are being implemented. Max has been pre-installed on numerous domestically sold consumer devices since September, reducing entry barriers while subtly standardizing its presence. 

The interface includes a number of features, among them private messaging, broadcast channels, and user engagement, and it mimics established platforms, which minimizes friction for new users. However, its differentiation lies in its privileged network status: by being included on Russia's approved "white list," it retains uninterrupted connectivity during periodic connectivity restrictions, which authorities attribute to defensive measures against external threats.

Geopolitical considerations also play a role, as initial restrictions on Russian and Belarusian SIM cards have been expanded selectively to a limited group of countries that are considered politically aligned.

Although the platform has been widely distributed, markets such as the European Union and Ukraine are notably absent, even as the platform becomes enmeshed in larger information dynamics, including its perceived role as a means of countering rival cross-border coordination applications such as Telegram and WhatsApp.

Within Russia itself, the reception remains uneven, suggesting an increasing divide between state-driven digital consolidation and a population long accustomed to more open communication systems. The transition disrupts established communication patterns, which has already begun to affect professionals who rely on continuity and reliability as part of their workflows.

Before routine connectivity began to fail without warning, Marina, a freelance copywriter based in Tula, had been relying on WhatsApp for both client interactions and personal exchanges. There has also been little success in shifting conversations to Telegram, reflecting a broader trend experienced by millions as Roskomnadzor imposed restrictions on voice and messaging functions across the country's most widely used platforms in mid-August. 

There have been concerns about the timing of these limitations, which coincide with the rapid deployment of the state-backed Max ecosystem. With WhatsApp's user base estimated at approximately 97 million, and Telegram's user base estimated at 90 million, this disruption goes far beyond inconvenience, reaching into the foundations of social and economic interaction on a daily basis. 

These platforms have been providing informal digital backbones for many years, facilitating everything from family coordination and residential management groups to hyperlocal commerce in areas lacking conventional internet access. For example, message applications often serve as a substitute for broader digital infrastructure in remote parts of the Russian Far East, enabling services such as ride coordination and small-scale transactions as well as information sharing within the community. 

In addition to implementing end-to-end encryption, both platforms have also implemented security architectures that prevent intermediaries, including service providers, from gaining access to communications' contents. 

Russian authorities assert that the restrictions are justified by compliance failures, particularly the refusal to localize user data within national borders, along with concerns over fraud. Based on available financial sector data, however, most scams remain perpetrated through traditional mobile networks rather than encrypted applications.

Analysts and segments of the public offer a less technical but more strategic interpretation, viewing these measures as part of a broader effort to improve visibility into interpersonal networks and information flows.

According to Marina, who requested anonymity due to concerns about possible consequences, the shift is not simply one of technology, but one of social space narrowing, with the ability to maintain connections outside of state-mediated channels gradually becoming increasingly restricted. 

Through regulatory pressure as well as institutional dependency, Max is being reinforced within everyday workflows. 

To maintain access to essential services, individuals across sectors report a growing requirement for the platform. Irina describes being forced to use Max to communicate with her children's school and to navigate Gosuslugi, where patient appointments are increasingly coordinated.

Across corporate and educational environments, similar patterns are emerging as employers and schools standardize their internal communication platforms. In parallel with this structural push, the public visibility of Max is also increasing as celebrities and digital influencers migrate their content ecosystems to Max, enhancing its normalization.

Analysts such as Dmitry Zakharchenko describe the campaign as unusually strong, comparing it to the centrally orchestrated messaging efforts of earlier eras; it has nonetheless been able to accelerate adoption to approximately 100 million users within a short period of time.

In terms of technical characteristics, the platform represents a broader trajectory of Russia's "sovereign internet" initiative, which prioritizes control over data flows and infrastructure over international interoperability. As opposed to Telegram and WhatsApp, Max does not utilize end-to-end encryption technology, and its data governance framework requires that all user information be stored on domestic servers, thereby making it subject to the jurisdiction of government regulators and security agencies.

Many users express only a limited level of concern, regarding compliance as inconsequential when there is no perceived risk. Others have sought alternatives, including IMO, or have refused to adopt Max altogether. This resistance, however, appears to be increasingly constrained as Max's structural integration into critical services increases.

Even among skeptics, prevailing sentiment indicates that participation may soon become unavoidable as the country's digital environment narrows toward a state-defined center of gravity. For policymakers, technologists, and civil society observers, Max's trajectory provides a valuable example of how digital sovereignty and user autonomy are evolving in an increasingly dynamic environment. 

By rapidly integrating the platform into essential services, people can see how infrastructure can be a subtly effective tool for shaping behavioral compliance, particularly when alternatives are systematically restricted. As a result, centralized control over communication ecosystems raises further concerns regarding transparency, data governance, and long-term consequences. 

Russia is likely to continue to grapple with a defining tension as it advances this model in order to balance national security objectives with individual privacy rights. This type of system will ultimately be determined by the level of state enforcement as well as the level of trust among users, the resilience of alternative networks, and the worldwide response to fragmented digital environments.

Meta to Discontinue End-to-End Encrypted Chats on Instagram Come May 2026

 



Meta Platforms has confirmed that it will remove support for end-to-end encrypted messaging in Instagram direct messages beginning May 8, 2026. After this date, conversations that previously relied on this encryption feature will no longer be protected by the same privacy mechanism.

According to guidance published in the platform’s support documentation, users whose conversations are affected will receive instructions explaining how to download messages or media files they want to retain. In some situations, individuals may also need to install the latest version of the Instagram application before they can export their chat history.  

When asked about the decision, Meta stated that encrypted messaging on Instagram saw limited adoption. The company explained that only a small percentage of users chose to enable end-to-end encryption within Instagram direct messages. Meta also pointed out that people who want encrypted communication can still use the feature on WhatsApp, where end-to-end encryption is already widely used.


How Instagram Encryption Was Introduced

Instagram’s encrypted messaging capability was originally introduced as part of a broader push by Meta to transform its messaging ecosystem. In 2021, Meta CEO Mark Zuckerberg outlined a “privacy-focused” strategy for social networking that aimed to shift communication toward private and secure messaging environments. 

Within that initiative, Meta began experimenting with encrypted direct messages on Instagram. However, the feature never became the default setting for users. Instead, it remained an optional capability available only in certain regions and had to be manually activated within specific conversations.

The tool also gained relevance during geopolitical tensions. Shortly after the outbreak of the Russia-Ukraine conflict in early 2022, Meta expanded access to encrypted direct messages for adult users in both Russia and Ukraine. The company said the move was intended to provide safer communication channels during the early phase of the war.


Industry Debate Over Encrypted Messaging

The decision to discontinue Instagram’s encrypted chats comes amid a broader debate in the technology sector about whether strong encryption improves or complicates online safety.

Recently, the social media platform TikTok said it currently has no plans to introduce end-to-end encryption for its messaging system. The company told the BBC that such technology could reduce its ability to monitor harmful activity and protect younger users from abuse.

End-to-end encryption is widely regarded by cybersecurity experts as one of the strongest ways to secure digital communication. When this technology is used, messages are encrypted on the sender’s device and can only be decrypted by the recipient. This means that even the platform hosting the conversation cannot read the message contents during transmission. 

Because of this design, encrypted systems can protect users from surveillance, data interception, or unauthorized access by third parties. Many messaging services, including WhatsApp and Signal, rely on similar encryption models to secure billions of conversations globally.


Law Enforcement Concerns

Despite its privacy advantages, encryption has long been controversial among law enforcement agencies and child-safety advocates. Critics argue that encrypted messaging makes it harder for technology companies to detect criminal behavior such as terrorism recruitment or the distribution of child sexual abuse material.

Authorities describe this challenge as the “Going Dark” problem, referring to situations where investigators cannot access message content even when they obtain legal warrants. Policymakers have repeatedly warned that widespread encryption could reduce the ability of platforms to cooperate with criminal investigations.

Internal documents previously reported by Reuters indicated that some Meta executives had raised similar concerns internally. In discussions dating back to 2019, company officials warned that widespread encryption could limit the company’s ability to identify and report illegal activity to law enforcement authorities. 


Regulatory Pressure and Future Policy

The global policy debate around encryption is still evolving and charting new courses. The European Commission is expected to release a technology roadmap on encryption later this year. The initiative aims to explore ways to allow lawful access to encrypted data for investigators while preserving cybersecurity protections and civil liberties.


A Changing Messaging Strategy

Meta’s decision to remove encrypted messaging from Instagram highlights the complex trade-offs technology companies face when balancing privacy protections with safety monitoring and regulatory expectations.

While encryption remains a cornerstone of messaging on WhatsApp and has expanded across other platforms, the rollback on Instagram suggests that adoption rates, platform design, and policy pressures can influence whether such security features remain viable.

For Instagram users who relied on encrypted chats, the upcoming change means reviewing conversations before May 2026 and exporting any information they wish to keep before the feature is officially retired.

WhatsApp Bug Leads to Exposure of User Metadata

 


Meta has begun to address a number of vulnerabilities in WhatsApp that expose sensitive user information. These vulnerabilities show that even encrypted platforms can inadvertently reveal critical device details. 

The vulnerabilities are caused by the messaging service's multi-device architecture, which allows subtle implementation differences to reveal whether the user is using an Android or an iOS device, while still maintaining end-to-end encryption for message content. 

According to security researchers, this type of capability, which identifies operating systems by their fingerprints, is of particular value to advanced threat actors. These actors often choose WhatsApp, with its more than three billion active users per month, as their preferred channel for delivering advanced spyware to their customers.

It was discovered that attackers are able to exploit zero-day flaws that allow them to passively query WhatsApp servers for cryptographic session details without needing to interact with the victim, using variations in key identifiers, such as Signed Pre-Keys and One-Time Pre-Keys, to determine the target platform. 

With this intelligence, adversaries can tailor exploits to their victims, deploying Android-specific malware only to compatible devices while avoiding detection by others. This underlines how difficult it is to mask metadata signatures even within encrypted communication ecosystems.

It has been warned that threat actors who abuse WhatsApp as an attack vector may be able to passively query WhatsApp's servers for encryption-related content, which would allow them to obtain information regarding devices without the need for user interaction. With this capability, adversaries can accurately determine the operating system of a victim, with recent findings suggesting that subtle differences in key ID generation can be used to reliably differentiate between Android and iOS devices. 

Advanced persistent threat (APT) operations often involve the deployment of zero-day exploits tailored to specific platforms. However, deploying these exploits to the wrong devices can not only cause the attack to fail but may also expose highly sensitive attack infrastructure worth millions of dollars. 

Furthermore, the study concluded that there may also be a risk of data theft: it estimated that data linked to at least 3.5 billion registered phone numbers could be accessed, a number that may include inactive or recycled accounts. 

Besides cryptographic identifiers, the accessible information included phone numbers, timestamps, “About” field text, profile photos, and public encryption keys, which prompted researchers to warn against the possibility that, in the wrong hands, this dataset could have led to one of the largest data leaks ever documented in human history. 

Among the most concerning findings of the study was the fact that more than half of the accounts displayed photos, with a majority displaying identifiable faces. There is a strong possibility that this will lead to large-scale abuse, such as reverse phonebook services using facial recognition technology.

Gabriel Gegenhuber, the study's lead author, pointed out that the systems should not allow such a large number of rapid queries from a single source. He noted that Meta tightened the rate limiting on WhatsApp's web client in October 2025, after the problem had been reported through the company's bug bounty program earlier that year. 

Further technical analysis has determined that attackers can obtain detailed insights about a user's WhatsApp environment by exploiting predictable patterns in the application's encryption key identifiers. 

Research recently demonstrated the possibility of tracing the primary device of a user, identifying the operating system of each linked device, estimating the relative age of each connected device, and determining whether WhatsApp is accessed through a mobile application or a desktop web client. 

A number of conclusions were drawn from the history of deterministic values assigned to certain encryption key IDs, which have effectively served as device fingerprints for decades. Tal Be'ery, co-founder and chief technology officer of the Zengo cryptocurrency wallet and one of the researchers leading this work, shared the findings with Meta along with other experts. 

Although early reports indicated little response from the company, Be'ery later observed that it had begun to mitigate the issue by introducing randomization of key ID values, specifically on Android devices, which seemed to have worked. Testing the system with a non-public fingerprinting tool, he confirmed that these changes represent progress, even though the technique was only partially effective. 

An article by Be'ery published recently and a demonstration that followed showed that attackers are still able to distinguish Android and iPhone devices based on One-Time Pre-Key identifiers with a high degree of confidence. 

The article notes that the iPhone's values start low and increase gradually, whereas Android's values span a much broader, randomized range. Despite these limitations, he acknowledged that Meta had recognized the issue as a legitimate security and privacy concern and welcomed the steps taken to reduce its impact.

The study therefore highlights that WhatsApp metadata exposed to the outside world is not a theoretical worry but a real security risk with wide-ranging consequences. In advanced attacks, metadata plays a key role in reconnaissance, allowing adversaries to identify targets, differentiate between iOS and Android environments, select compatible exploits, and reduce the number of unsuccessful intrusion attempts, which helps social engineering, spear-phishing, and exploit chain attacks succeed.

At large scale, such data can be fed into OSINT applications and AI-driven profiling tools, which significantly reduces the cost of selecting targets while enhancing the precision of malicious operations. Moreover, researchers warned of the dangers associated with public profile photos, stating that the ability to tie facial images to phone numbers on a mass scale could be used to create facial recognition-based reverse phonebook services.

A significant portion of these risks may be magnified for those with a high exposure rate or who are in regulated environments, such as journalists, activists, and professionals who perform sensitive tasks, where metadata correlation may result in physical or personal harm. 

It was learned from the study that millions of accounts are registered in jurisdictions where WhatsApp has been banned officially, raising concerns that using WhatsApp in these regions may have legal and/or persecutorial repercussions. It is important to note that this study highlights the structural problems that WhatsApp's centralized architecture creates, resulting in a single point of failure that affects billions of users, limits independent oversight, and leaves individuals with little control over their data. 

A number of researchers recommend that users take practical steps to reduce exposure until deeper structural safeguards are implemented or alternative platforms are adopted. 

Some of those steps include restricting profile photo visibility, minimizing personal details in public fields, avoiding identifiable images when appropriate, reviewing connected devices, limiting data synchronization, and utilizing more privacy-preserving messaging services for sensitive communication, just to name a few.

In sum, the findings of the research suggest that there is a widening gap between the protections users expect from encrypted messaging platforms and the less visible risks related to metadata leaks. Meta’s recent mitigation efforts show that the issue has been acknowledged, but the persistence of device fingerprinting techniques illustrates how difficult it can be to completely eradicate side-channel signals in large, globally scaled systems. 

The fact remains that even limited metadata leakage on a platform that functions as a primary communication channel for governments, businesses, and civil society organizations alike may have outsized consequences if it is aggregated or exploited by capable adversaries. 

It is also important to recognize that encryption alone is not sufficient to guarantee privacy when the surrounding technical and architectural decisions allow the inference of contextual information. 

WhatsApp’s experience serves as a reminder that, as regulators, researchers, and users increasingly scrutinize the security boundaries of dominant messaging services, protecting billions of users requires strong cryptography as well as continuous transparency and rigorous oversight. Metadata needs to be treated as a first-class security concern, rather than something that can't be avoided.

Chat Control Faces Resistance from VPN Industry Over Privacy Concerns


 

The European Union is poised at a decisive crossroads when it comes to shaping the future of digital privacy and is rapidly approaching a landmark ruling which will profoundly alter the way citizens communicate online. 

Member States are required to state their position on the proposed Child Sexual Abuse Regulation, commonly referred to as "Chat Control", on September 12, 2025, in advance of a final vote expected on October 14. Designed to combat the spread of child abuse content, the regulation would place an onus on the providers of messaging services such as WhatsApp, Signal, and iMessage to scan every private message sent between users, even those messages protected from being read by third parties. 

The supporters of the legislation argue that it is a necessary step for ensuring the safety of children, but critics argue that it would effectively legalise mass surveillance, thereby denying citizens access to secure communication and exposing their personal data to the possibility of being misused by government agents or exploited by malicious actors. 

Many observers warn that this vote will set a precedent that could have profound implications for the privacy and democratic freedoms of the continent as a whole if the outcome is in the regulation's favour. 

The proposal is called “Chat Control” by its critics, since it requires all messaging platforms operating in Europe to actively scan user conversations, including those that are protected by end-to-end encryption, in search of both known and previously unknown child sexual abuse material. 

In their opinion, such obligations threaten to undermine the very foundations of secure digital communication, creating the possibility of unprecedented levels of monitoring and abuse.

The VPN Trust Initiative (VTI), an organisation which represents a group of major VPN providers, has been pushing back strongly against the draft regulation, stating that any attempt to weaken encryption would erode the very basis of the Internet's security. VTI co-chair Emilija Beranskait emphasised that "encryption either protects everybody or it doesn't," imploring governments to preserve strong encryption as a cornerstone of privacy, trust, and democratic values, and urging them to adopt stronger encryption. 

NordVPN's privacy advocate, Laura Tyrylyte, said that while client-side scanning is indeed a safety and security concern, it is not an acceptable compromise between safety and security, contending that solutions must not be compromised in the interest of addressing a single issue alone. 

Moreover, NymVPN's CEO, Harry Halpin, condemned the proposal as “a major step backwards for privacy” and warned that, once normalised, such surveillance tools could be used against journalists, activists, or political opponents. In addition, experts have raised significant technical concerns with the introduction of mandatory scanning mechanisms, stating that such mechanisms will fundamentally undermine the technology underlying online security. 

Moreover, they are concerned that client-side scanning infrastructure could be repurposed so that surveillance is widened far beyond what it was originally intended to do, which runs counter to the European Union's own commitments under initiatives such as the Cyber Resilience Act and efforts to prepare for quantum cryptography in the future. 

However, a deeply divided political debate is ongoing in the EU. Eight member states have formally opposed the proposal, including Germany and Luxembourg, while fifteen others, including France, Italy, and Spain, are still in favour of the proposal. 

There is still some uncertainty regarding the outcome of the October vote because only Estonia, Greece, and Romania have not decided. Adding to the pressure on the EU Council, more than 500 cryptography experts and researchers have signed an open letter urging it to reconsider the risks associated with introducing what they consider a dangerous precedent for the future of the digital world in Europe. 

Under the Danish-led proposal, messaging platforms such as WhatsApp, Signal, and ProtonMail would have to scan private communications without discrimination. In its current form, the proposal would violate end-to-end encryption in an irreparable way, according to experts. 

Under the system, links, photos, and videos would be analysed directly on users' devices before messages are encrypted. 

Only government and military accounts are exempt from this analysis. The draft regulation, last circulated to EU delegations on July 24, 2025, claims to safeguard encryption. Still, privacy specialists are of the opinion that true security cannot be maintained using client-side scanning. 

Laura Tyrylyte, NordVPN's privacy advocate, observed that "Chat Control's client-side scanning provisions create a false choice between security and safety. The solution to one problem, even a serious one like child safety, cannot be at the expense of creating systemic vulnerabilities that are more dangerous to everyone." 

Several other industry leaders expressed similar concerns as well, including Harry Halpin, CEO of NymVPN, who condemned the measure as “a significant step backwards for privacy.” He explained that the indiscriminate scans of private communications are disproportionate in nature, creating a backdoor that could be exploited if it is normalised. 

There is a risk that such infrastructure could easily be redirected towards attacking journalists, political opponents, or activists while also exposing ordinary citizens to hostile cyberattacks. In Halpin's view and the opinion of others, it is more effective to carry out targeted, warrant-based investigations, to take down illegal material swiftly, and to use properly resourced specialist teams rather than universal surveillance as a means of detecting illegal activity. 

However, despite the simple concessions made in the latest draft, such as restricting the detection to visual contents and excluding audio and text, the scientific community has remained steadfast in its criticism. 

The researchers point out that there are four critical flaws to the system: the inability to scan billions of messages accurately; the inevitable weakening of encryption through on-device monitoring; the high risk that surveillance can expand beyond its stated purpose due to "function creep"; and the danger that mass monitoring in the name of child protection will erode democratic norms. 

While the EU has promised oversight and consent mechanisms, cryptography experts claim that secure and reliable client-side scanning cannot be performed at scale. This proposal, therefore, is technically flawed as well as politically perilous. 

VPN providers are also signalling that they will not stand on the sidelines if the regulation is passed. Several leading companies, including Mullvad, a popular privacy-focused service, have raised the possibility of withdrawing from the European market altogether if the proposed legislation is passed. 

If this happens, millions of users will be impacted, and innovation in this field may be curtailed. Similar advocacy groups, including Privacy Guides, have sounded the alarm in the past weeks, warning that the new regulations threaten to undermine the privacy of all citizens, not only those suspected of wrongdoing, and they urge all citizens to take notice before the September 12 deadline. 

A growing number of social media platforms are also being criticised, and voices like Telegram founder Pavel Durov have pointed out that comparable laws have failed in the past, as determined offenders have simply moved to smaller applications or VPNs, leaving ordinary users with weaker protections to bear the brunt. 

The debate carries significant economic weight. The Security.org website indicates that more than 75 million Americans already use VPN services to keep their privacy online. As Chat Control advances, this demand is expected to grow rapidly in Europe. As per Future Market Insights, by 2035, the VPN industry is expected to grow to a value of $481.5 billion; however, experts caution that heavy regulation may fragment the market and stifle technological development.

With tensions increasing as the EU Council prepares to vote on October 14, Denmark has continued to lobby for the proposal despite mounting opposition from civil society groups, technology companies, and several member states. In recent weeks, citizens have taken to online platforms such as X to voice their concerns about the proposed legislation, warning that Europeans would not have fundamentally secure digital privacy. 

Analysts point out that in order to adapt to this changing environment, VPN providers may need to use quantum-resistant technologies faster or explore decentralised models, as highlighted in recent forward-looking studies, which point to the existential stakes of the industry. 

However, one central fear remains across all debates: once surveillance infrastructure is embedded in the environment, its scope is unlikely to be limited to combating child abuse. In critics' view, it could create a framework for broad and permanent monitoring, reshaping the global norms of digital privacy in a way that undermines both the rights of users and technological innovation in the process. 

A key question to be answered before the EU's vote on October 14 is whether it can successfully balance child protection with its longstanding commitments to privacy and digital rights while maintaining a sense of security. 

Experts warn that decisions made in Brussels will have a global impact, potentially setting global standards for how governments deal with encryption, surveillance, and online safety. For legislators, the challenge is to devise effective solutions that protect vulnerable groups without dismantling the secure infrastructures on which modern communication, commerce and civic participation rely. 

One possible path forward, according to observers, could be bolstering cross-border investigative collaboration, strengthening rapid takedown protocols for harmful material, and building specialised law enforcement units which are equipped with advanced tools that are able to target perpetrators rather than citizens collectively, to achieve a better outcome. 

Privacy advocates argue that these measures would not only prove better at combating criminal networks but would also preserve the trust, innovation, and sense of security that Europe has championed for decades. 

This decision will indicate whether the EU takes a global leadership position in safeguarding both child safety and civil liberties, or whether it will serve as a model for other nations to emulate in terms of surveillance frameworks to maintain secure neighbourhoods.

Security Risks Discovered in Popular End-to-End Encrypted Cloud Storage Platforms

 

Recent cryptographic analysis by researchers at ETH Zurich has uncovered significant security vulnerabilities in five major end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These platforms are collectively used by over 22 million people and are marketed as providing secure data storage. However, the study revealed that each of these platforms has exploitable flaws that could allow malicious actors to gain access to sensitive user data, manipulate files, or inject harmful data. The research was conducted under the assumption that a malicious attacker could control a server with full ability to read, modify, and inject data. 

This is a plausible scenario in the case of sophisticated hackers or nation-state actors. The researchers found that while these platforms promise airtight security and privacy through their E2EE models, their real-world implementation may fall short of these claims. Sync, for instance, exhibited critical vulnerabilities due to unauthenticated key material, which allows attackers to introduce their own encryption keys and compromise data. It was found that shared files could be decrypted, and passwords were inadvertently exposed to the server, compromising confidentiality. Attackers could also rename files, move them undetected, and inject folders into user storage. pCloud’s flaws were similar, with attackers able to overwrite private keys, effectively forcing encryption using attacker-controlled keys. 

This, coupled with public keys that were unauthenticated, granted attackers access to encrypted files. Attackers could also alter metadata, such as file size, reorder file chunks, or even inject files. Icedrive was shown to be vulnerable to file tampering due to its use of unauthenticated CBC encryption. Attackers could modify the contents of files, truncate file names, and manipulate file chunks, all without detection. Seafile also presented several serious vulnerabilities, including susceptibility to protocol downgrade attacks, which made brute-forcing passwords easier. The encryption used by Seafile was not authenticated, enabling file tampering and manipulation of file chunks. As with other platforms, attackers could inject files or folders into a user’s storage space. 
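The chunk reordering, truncation and file injection described above are possible when a client authenticates too little of what it stores. As an added example (not code from the ETH Zurich study or from any of the named vendors), the Python below compares a tag over the chunk bytes alone with a tag bound to the file ID, chunk index and chunk count. The record layout, function names and single per-user MAC key are assumptions made for illustration, and the chunk bytes are constructed stand-ins for already-encrypted data.

```python
import hashlib
import hmac
import os
import struct


class IntegrityError(Exception):
    """Raised when returned chunks do not match what the client uploaded."""


def naive_tag(mac_key, ciphertext):
    # Weak form: the tag covers the chunk bytes only, so a valid chunk
    # stays valid at any position and in any file sealed under this key.
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def bound_tag(mac_key, file_id, index, total, ciphertext):
    # Hardened form: a fixed-width header binds the chunk to its file,
    # its position and the chunk count. An AEAD mode fed the same header
    # as associated data gives the same binding.
    if len(file_id) != 16:
        raise ValueError("file_id must be exactly 16 bytes")
    header = struct.pack(">16sQQ", file_id, index, total)
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


def _tag(mac_key, file_id, index, total, ciphertext, bind):
    if bind:
        return bound_tag(mac_key, file_id, index, total, ciphertext)
    return naive_tag(mac_key, ciphertext)


def seal_file(mac_key, file_id, chunks, bind=True):
    """Client side: build the (ciphertext, tag) records sent to the server."""
    chunks = list(chunks) or [b""]  # an empty file is stored as one empty chunk
    total = len(chunks)
    return [(ct, _tag(mac_key, file_id, i, total, ct, bind))
            for i, ct in enumerate(chunks)]


def open_file(mac_key, file_id, records, bind=True):
    """Client side: verify what the server returned before using any of it."""
    if not records:
        raise IntegrityError("server returned no chunks")
    total = len(records)
    for i, (ct, tag) in enumerate(records):
        expected = _tag(mac_key, file_id, i, total, ct, bind)
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError(f"chunk {i} failed verification")
    return [ct for ct, _ in records]


def accepted(mac_key, file_id, records, bind):
    """True if the client would accept these records as the named file."""
    try:
        open_file(mac_key, file_id, records, bind)
        return True
    except IntegrityError:
        return False


def demo():
    # Constructed sample data: opaque stand-ins for encrypted chunks.
    mac_key = os.urandom(32)
    file_a, file_b = os.urandom(16), os.urandom(16)
    chunks_a = [b"ct-A0", b"ct-A1", b"ct-A2"]
    chunks_b = [b"ct-B0", b"ct-B1", b"ct-B2"]
    results = {}
    for bind in (False, True):
        rec_a = seal_file(mac_key, file_a, chunks_a, bind)
        rec_b = seal_file(mac_key, file_b, chunks_b, bind)
        # What a server that controls storage could hand back for file A.
        returned = {
            "untouched": rec_a,
            "reordered": [rec_a[1], rec_a[0], rec_a[2]],
            "truncated": rec_a[:2],
            "cross_file": [rec_a[0], rec_b[1], rec_a[2]],
            "modified": [(b"ct-XX", rec_a[0][1])] + rec_a[1:],
            "emptied": [],
        }
        results["bound" if bind else "naive"] = {
            name: accepted(mac_key, file_a, recs, bind)
            for name, recs in returned.items()
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

With no tag at all, as with unauthenticated CBC, even the modified case would be accepted; the chunk-only tag catches that one case and nothing else.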

Tresorit fared slightly better than its peers, but still had issues with public key authentication, where attackers could potentially replace server-controlled certificates to gain access to shared files. While Tresorit’s flaws didn’t allow direct data manipulation, some metadata was still vulnerable to tampering. The vulnerabilities discovered by the ETH Zurich researchers call into question the marketing promises made by these platforms, which often advertise their services as providing the highest level of security and privacy through end-to-end encryption. In light of these findings, users are advised to exercise caution when trusting these platforms with sensitive data, particularly in cases where the server is compromised.  

The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings in April 2024, while Tresorit was informed in late September 2024. Responses from the vendors varied. Icedrive declined to address the issues, Sync is fast-tracking fixes, and Tresorit is working on future improvements to further safeguard user data. Seafile has promised to patch specific vulnerabilities, while pCloud had not responded as of October 2024. While no evidence suggests that these vulnerabilities have been exploited, the flaws are nonetheless concerning for users who rely on these platforms for storing sensitive data. 

The findings also emphasize the need for ongoing scrutiny and improvement of encryption protocols and security features in cloud storage solutions, as even end-to-end encryption does not guarantee absolute protection without proper implementation. As more people rely on cloud storage for personal and professional use, these discoveries are a reminder of the importance of choosing platforms that prioritize transparent, verifiable security measures.

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

 

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer end-to-end encryption, this feature must be activated by users and does not apply to group chats or the desktop versions. However, it must be noted that all chats on Telegram are encrypted in transit and at rest.

Additionally, Telegram’s apps are open source, and its encryption protocols are fully documented, allowing independent researchers to verify their integrity and implementation. To date, no vulnerabilities in Telegram’s encryption have been identified. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception. 

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Further, Telegram is the only messenger to offer verifiable builds on both iOS and Android, enabling researchers to confirm that the apps on app stores are built from the published source code. 
Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages. 

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates. 

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.
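The difference between "encrypted in transit and at rest" and end-to-end encryption comes down to who holds the decryption key. The following is an added example, not code from Telegram or any vendor named here: a generic Node.js model in which the primitives (X25519, HKDF, AES-256-GCM), the blob layout and all function names are assumptions chosen for illustration.

```javascript
// Added illustration: a generic model, not Telegram's MTProto or any vendor's code.
const crypto = require('crypto');

// AES-256-GCM helpers. Blob layout (an assumption): nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Returns the plaintext, or null when this key cannot authenticate the blob.
function tryOpen(key, blob) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Model 1: encrypted in transit and at rest. TLS (not shown) ends at the server,
// which sees the plaintext and stores it under a key the operator controls.
function serverSideStore(serverKey, message) {
  return seal(serverKey, message);
}

// Model 2: end-to-end. Each endpoint derives the same key from its own X25519
// private key and the peer's public key; the server only relays ciphertext.
function e2eKey(myPrivateKey, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2e-demo', 32));
}

function demo() {
  const message = 'constructed sample message';
  const serverKey = crypto.randomBytes(32); // held by the operator
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const cloudBlob = serverSideStore(serverKey, message);
  const e2eBlob = seal(e2eKey(alice.privateKey, bob.publicKey), message);
  return {
    operatorReadsServerSide: tryOpen(serverKey, cloudBlob),
    operatorReadsE2E: tryOpen(serverKey, e2eBlob),
    recipientReadsE2E: tryOpen(e2eKey(bob.privateKey, alice.publicKey), e2eBlob),
  };
}
console.log(demo());
```

The end-to-end result only holds if each side verifies the other's public key out of band, because the operator is normally the party relaying those keys.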

Here's Why You Should Stop Using SMS Messaging

 

Cybersecurity is more critical than ever in today's digital world. However, one commonly employed but often missed area of weakness could be something you use every day. Since Nokia made the technology available to the public in 1993, Short Message Service, or SMS messaging, has been the major way people have texted. You might be surprised to hear that it's one of the riskiest methods of mobile communication given that it's typically included by default on most mobile devices. 

However, if you intend to stay safe and private, you should avoid using it. Here are five of the reasons why. 

Lacklustre end-to-end encryption

SMS is not encrypted from beginning to end. SMS messages, in reality, are frequently sent as plain text. This means that there are no safeguards in place and that anyone with the necessary knowledge can intercept an SMS. If your mobile provider employs encryption, it is most likely a poor and outdated method that is only used during transit. 

SMS relies on obsolete technology 

SMS technology is based on a set of signalling protocols known as Signalling System No. 7 (SS7), which was established in the 1970s. It is out of date and highly insecure, making it exposed to different forms of cyberattacks. As Ars Technica reported at the time, in 2017, a hacker gang used an SS7 security hole to circumvent two-factor authentication and drained people's bank accounts. Similar attacks have taken place several times over the years. 

The government can read your SMS texts 

Why haven't the security flaws in SS7 been fixed? One probable explanation is that regulators are uninterested in doing so since governments all across the world eavesdrop on their citizens. Whether or not this is the true reason, it is undeniable that your government could read your SMS texts if it so desired. Law enforcement in the United States does not even require a warrant to examine correspondence older than 180 days. Congressional Representative Ted Lieu presented legislation to stop this in 2022, but it was unsuccessful.

Messages stored by your carrier 

SMS texts are saved by carriers for a set period of time (the length varies depending on the carrier). Metadata, which is information on the data itself, is kept much longer. If you aren't concerned about law enforcement reading your texts, you should be aware that your mobile provider can as well. While it is true that laws, regulations, and internal rules restrict mobile providers from spying on users, unauthorised access and breaches do occur.

SMS messages cannot be unsent

Unsending an SMS message is not possible. If the recipient receives it, it will remain on their phone indefinitely unless they delete it manually. It's one thing to send a terrible and embarrassing SMS, but what if the recipient's phone has been hacked or otherwise compromised? And what if you revealed personal information in an SMS that you should not have revealed? This is probably not a scenario you want to think about. 

Switch from SMS to a secure messaging app 

SMS should not be used by anyone who is concerned about their personal cybersecurity and wishes to safeguard their privacy. The difficulty is that it provides a level of ease that alternatives simply cannot equal, at least for the time being. However, in most cases, that is not a sufficient justification to employ it. 

Secure, end-to-end encrypted messaging apps outperform SMS in practically every other way. And, if you have no other choice, use SMS wisely. Do not share information that you would not want a third party to have access to, and remember to take additional security steps.

UK Home Secretary Clashes with Meta Over Data Privacy

 

Suella Braverman, the UK Home Secretary, wants to "work constructively" with Meta on the company's plans to implement end-to-end encrypted (E2EE) messaging in Instagram and Facebook by the end of the year, which she thinks will provide a "safe haven" for paedophiles and harm children. 

Meta said it will continue to share relevant details with law enforcement and child abuse charities. Braverman has written to the tech giant to voice her worries.

A number of charities and technology professionals have signed the letter, which begs the firm to disclose more details on how it will keep consumers safe. 

Braverman told Times Radio earlier this week that E2EE might lead to platforms being "safe havens for paedophiles."

"Meta has failed to provide assurances that they will keep their platforms safe from sickening abusers," Braverman added, urging parents to "take seriously the threat that Meta is posing to our children. It also must develop appropriate safeguards to sit alongside their plans for end-to-end encryption.” 

Braverman stated that the government will use the powers given to it by the new Online Safety Bill legislation, which allows telecoms regulator Ofcom to compel tech companies to violate E2EE and hand over information linked to probable abuse cases if necessary. 

It is currently unclear whether this is feasible without incorporating back-door access to such systems, which, according to tech companies, creates security and privacy issues.

Meta stated that it has a "clear and thorough approach to safety" that focuses on "sharing relevant information with the National Centre for Missing and Exploited Children and law enforcement agencies." 

Braverman's intervention comes a day after the Online Safety Bill was given final approval by parliament and will now receive royal assent before becoming law. Tech firms such as Meta have decried the bill's threat to E2EE, with WhatsApp threatening to leave the UK if it becomes law. 

The government appeared to make a partial retreat earlier this month, stating it would only employ these powers as a "last resort" and when a technology that permits information to be extracted in a secure manner is established. 

Prime Minister Rishi Sunak stated his support for the measure earlier this year, in April. "I think everyone wants to make sure their privacy is protected online," Sunak said. "But people also want to know that law enforcement agencies can keep them safe and have reasonable ways to do so, and that's what we're trying to do with the Online Safety Bill." 

Meta said in August that by the end of the year, it would be implementing E2EE on private communications across all of its platforms.

Cloud Email Services Strengthen Encryption to Ward Off Hackers

 

The use of end-to-end encryption for email and other cloud services is expanding. This comes as no surprise given that email is one of the top two cyberattack vectors. 

Mail servers made up 28% of all affected hardware, according to Verizon's annual 2022 Data Breach Investigations Report, and 35% of ransomware activities involved email. In its 2022 report, the EU Agency for Cybersecurity noted that ransomware is responsible for 10 terabytes of data theft each month, with 60% of businesses likely having paid a ransom. An updated Gartner study from 2021 found that 40% of ransomware attacks begin with email.

To address these issues, Google, Microsoft, and Proton, whose Proton Mail service was a pioneer in secure email, expanded their end-to-end encryption offerings. 

Google revealed a beta of client-side encryption services for Gmail on the web in a blog post last month. Up until January 20, 2023, customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard may apply for the beta.

The tech giant stated that client-side encryption "helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs," noting that it encrypts all data at rest and in transit in Google Workspace between its facilities. 

Moreover, it claims that Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already support client-side encryption. Users simply need to click the lock icon and choose the option for additional encryption, according to Google, in order to add client-side encryption to any message. Writing and including attachments work as expected.

Microsoft, which last updated its message encryption in 2019, declared in April of last year that updates to Windows 11 would include security patches to address phishing and malware threats. 

If so, Microsoft will probably also include end-to-end encryption, since Office 365 Message Encryption currently uses Transport Layer Security encryption. According to the provider, this service enables users to encrypt and rights-protect messages intended for internal and external recipients using Office 365, non-Office 365 email applications, and web-based email services like Gmail.com and Outlook.com; however, it does not shield users from phishing or malware attacks as well as E2EE does.

Google's announcement came after that of Proton, a platform for encrypted cloud storage that was introduced in 2013 by CEO Andy Yen in Geneva, Switzerland. With a focus on mobile devices, the company increased its encryption offerings last fall. These new additions included secure cloud storage and a secure calendar feature, both of which have apps for iOS and Android devices. 

Users can safely upload, save, and share files to and from their phone using Proton Drive, a free encrypted cloud service that was made available in late September and made its iOS and Android debuts in December. 

The three main functions of Proton Drive are as follows:

  • Any uploaded file on the user's device is encrypted before it is stored on Proton servers. 
  • Metadata such as file and folder names, file extensions, file sizes, and thumbnails are encrypted. 
  • File expiration and viewing passwords are included, allowing for secure sharing with non-Proton users.

Proton said that since the beta launch of Proton Drive last September, with over 500,000 users participating, it has seen an average of one million files uploaded per day, roughly half of which are photos.

Additionally, it offers two paid levels of service for its encrypted drive, Drive Plus with 200GB storage for $4.99/month or $47.88/year and Proton Unlimited with 500GB for $11.99/month or $119.88/year, all of which are available to individual users.