Imagine you exchanged romantic text messages with someone you were seeing. Now imagine you are on trial for fraud and a former Walgreens executive reads a private message you received out loud in a court of law, in a dispassionate monotone: “love you, too.”
That’s the situation Elizabeth Holmes, founder of Theranos and current defendant, found herself in last month. Hundreds of text messages between Holmes and former Theranos President and Chief Operating Officer Sunny Balwani have been entered into evidence by prosecutors, detailing years of their professional and romantic relationship. Many of the messages will be used by prosecutors to try to prove that Holmes is guilty of wire fraud, but it’s the personal back-and-forth that may cause alarm (and secondhand embarrassment) for regular people.
If her “on route to dentist my king” or “handling quick email then home to my tiger” could end up logged in a spreadsheet and be viewable by anyone, what about our most personal moments?
Secure messaging is essential for people like political dissidents, whistleblowers and journalists talking to sources. But a conversation doesn’t need to fall into the hands of a government to be damaging, and you don’t need to be sharing anything high-profile to be at risk. In addition to being subpoenaed by law enforcement, private chats can be shared without consent in social groups, on social media, with reporters or end up in civil trials.
At the heart of the viral New York Times “Who Is The Bad Art Friend?” story are gossipy group chats and emails that were obtained in legal discovery. In India, Bollywood stars were caught up in a drug scandal in which law enforcement officials used WhatsApp messages as evidence. Sen. Ted Cruz’s plans to flee his home state of Texas during a power outage and travel to Cancún, Mexico, were infamously made public when a member of his wife’s group chat leaked parts of a conversation. And then of course there are expensive hacking tools that can be used by governments or private entities to access data on your phone.
Anyone can have a text message they’re not proud of or a conversation that’s too personal for the general public, or be targeted for attending a protest. While the precautions below can help, they won’t make you 100% safe.
“Nothing makes you a ghost,” says Alexis Hancock, director of engineering at the nonprofit digital rights group the Electronic Frontier Foundation.
Understand where the leaks happen
The Balwani and Holmes messages were primarily sent using Apple’s iMessage, the default end-to-end encrypted chat tool for Apple devices. End-to-end encryption is considered the standard for secure messaging, but there are a few ways these chats could have ended up in court, and everyone should be aware of them.
If someone has access to the smartphone itself and a way to unlock it, they can see all the messages on your various chat apps. Sometimes law enforcement can force a person to unlock their phone. Since chats need at least two people, the other person might simply hand over the conversation. And if there are backups of the chats stored someplace where a third party has access, either directly or with an encryption key, they could end up in the hands of law enforcement or hackers.
Turn off cloud backups
While iMessage chats are end-to-end encrypted, things are a little different if you have iCloud backups turned on. The system automatically saves all your messages to the cloud so you can carry them over if you set up a new device. They are still encrypted here, but Apple has a key and law enforcement can make a request to obtain access directly through the company.
If you’re concerned, turn off iCloud backups for messages and delete any past backups. Same goes for any cloud-based backups where you can’t own the encryption key. If you keep them on, you can still try to prevent sensitive messages from ending up saved to your account. Immediately delete anything after it’s been seen, and since iCloud only backs up about once a day, it should not end up saved (the other person still has it, however).
You can set your own message history to delete automatically after 30 days or one year. Go to Settings / Messages / Message History.
Use a tool like Signal to auto-delete messages
Signal is a popular secure messaging tool that uses end-to-end encryption and is designed to keep the minimum amount of metadata about your communications. But one of the most helpful features is its Disappearing Messages setting. You can set messages to disappear seconds, hours or days after they are sent. There’s always going to be a window of time when they could be seen long enough for a screenshot or quick copy-paste, but this reduces the trail left behind if the conversation is accessed further down the line.
Other apps offer ephemeral messaging or social media options, but that doesn’t always mean it’s deleted forever. For example, Instagram Stories can be saved even after they’re no longer public.
Don’t put it in a DM
The phrase “sliding into your DMs” is actually terrible advice. Sexual and romantic conversations are popular in the direct messaging tools built into popular social media apps like Instagram and Twitter, but they’re uniquely vulnerable.
If anyone hacks into your account, they can see your DMs. That happened in 2020 when a Florida teenager hacked a number of high-profile Twitter accounts, including those of Elon Musk and Bill Gates. These chat tools are also rarely end-to-end encrypted, and companies like Twitter lack an easy option for deleting all past chats. If you’re going to have an intimate or saucy chat, do so with an on-device tool like Apple iMessage, Signal or WhatsApp.
“Whatever you say on Twitter in DMs between people, imagine you were tweeting,” Hancock said.
Keep it secure to keep it private
A key part of keeping your banter private is making sure your accounts and devices are secure. On any social media site or other online tool, use multi-factor authentication. That ensures that anyone trying to access your accounts will need more than just your password, such as a code sent directly to your smartphone.
On your devices themselves, make sure to have them all locked down with passcodes or passwords. Most modern smartphones also offer face identification (a camera confirms your face and unlocks the device) and fingerprint detection as options for unlocking, but don’t use these if you have any concerns about police accessing your device, say at a protest.
Finally, install updates for all of your software as soon as they are available. Often these contain patches for vulnerabilities that third parties could otherwise exploit.
Beware the group chat (and people in general)
The weakest link is often not a piece of technology or passcode, but a regular human being. That’s right, we are kind of the worst. No matter what settings you have turned on, if the other person screenshots your messages they can live on forever.
Hancock says that if someone is coerced to share, say by law enforcement, there’s no need to break end-to-end encryption. This risk of a leak is amplified in group chats, as Cruz found out, because there are simply more people and a higher probability that at least one of them does not like you. The bigger the chat, the higher the risk.
Other places to definitely not say things you shouldn’t say
Slack is a workplace chat tool that soared in popularity during the pandemic. Your account is owned and run by your employer, who can access your direct messages or venting group chats at any point in time. If the company is involved in a lawsuit, your messages could end up as evidence even if your tasteless joke was only tangentially related to something.
Maybe just say it in person. Or not at all.
At this point you have probably figured out that no chat is perfectly safe. Even if you are just saying a few unkind things about your neighbor’s hedges in WhatsApp, it’s best to operate under the assumption that someone could pass it along, even as old-fashioned in-person gossip.