U.S. cybersecurity officials are advising people to use encryption in their communications after a hacking campaign exposed the communications of an unknown number of Americans, according to a report from the Associated Press.

The report said the campaign originated in China and that federal cybersecurity authorities released an extensive list of security recommendations for U.S. telecom companies that were targeted, including Verizon and AT&T.

Among the items in the recommendations, the report cited a consumer-facing standard: “Ensure that traffic is end-to-end encrypted to the maximum extent possible.”

End-to-end encryption, also called E2EE, scrambles messages so that only the sender and the recipient can read them, the report said. It added that if others intercept a message, they would see garbled text that cannot be unscrambled without the key.

The report also described why end-to-end encryption has been controversial with law enforcement: officials had resisted the technology because it would prevent companies from examining messages and would make it harder to respond to law enforcement requests for data.

The Associated Press report said officials found that hackers targeted the metadata of a large number of customers—information including the dates, times and recipients of calls and texts—and also obtained text content for a much smaller number of victims. It then laid out ways consumers can use encrypted options, beginning with texting.

For iPhone users, the report said iMessage-to-iMessage text exchanges are encrypted end-to-end, and that blue text bubbles indicate the message is an encrypted iMessage. For Android users, it said end-to-end encryption applies when texts are sent through Google Messages to someone else using Android, with a lock shown next to the timestamp to indicate encryption is on.

The report said there is a weakness when iPhone and Android users text each other: messages are encrypted only using Rich Communication Services, an industry standard that replaces older SMS and MMS standards. It cited Apple’s note that RCS messages “aren’t end-to-end encrypted, which means they’re not protected from a third party reading them while they’re sent between devices,” and cited Samsung’s footnote that “Encryption only available for Android to Android communication.”

To reduce the risk of that gap, experts recommended using encrypted messaging apps. The report said Signal applies end-to-end encryption to all messages and voice calls, and that the nonprofit behind the app promises never to sell, rent, or lease customer data while making its source code publicly available for auditing “for security and correctness.”

The report said Signal’s encryption protocol has also been integrated into WhatsApp, and that Facebook Messenger uses end-to-end encryption as the default mode. It said Telegram, by contrast, does not enable end-to-end encryption by default, requiring users to switch on an option, and it said the end-to-end encryption does not work with group chats. It also said experts warned people against using Telegram for private communications, noting that only its opt-in “secret chat” feature is encrypted end-to-end.

The Associated Press report said Telegram has a reputation for being a haven for scammers and criminal activity, pointing to Pavel Durov’s arrest in France as a highlighted example. For calls, it said Signal and WhatsApp can be used for voice calls and that both apps encrypt calls with the same technology used to encrypt messages. It added that iPhone users can use FaceTime and Android owners can use Google Fi for end-to-end encrypted calling.

The report said the “catch” is that the person on the other end also needs to have the relevant app installed. It also said WhatsApp and Signal users can customize privacy preferences, including hiding IP addresses during calls to prevent someone from guessing a user’s general location.

License: CC0 (public domain). Main Street Independent: /methodology.