Why is this important?

Facebook’s 2023 change to make one-on-one conversations encrypted by default was an important improvement to the privacy of millions of users. But it’s time to extend that privacy to group conversations.

When the new default setting was originally launched, a blog post on the company’s site noted that, “While we are globally launching default E2EE for personal one-to-one messages on Messenger, we are still in the testing phase for group messaging and some other products, like Instagram Direct Messages.”

We’ve since seen (optional) encrypted chats launch on Instagram—it’s a big lift, but it’s time to finish the job and release encrypted chats for group messages on Facebook Messenger.

This is important not just because group conversations deserve the same protections as private messages, it also matters because it’s just plain confusing for everyone using Facebook to communicate. When one type of message is private and the other isn’t, even in the same Messenger interface, it’s easy to mistake which is which.

If you think this is a feature worth having, you should submit a feature request directly to Facebook. Choose the “Messenger” option in the “Product or Feature” dropdown, and let Facebook know how much you’d like encrypted group chats.

Why is this important?

While apps like Signal are a great way to communicate privately, most people still use the default app on their phone to chat with at least some of their contacts. For many people, this also means communicating across platforms, with Apple users chatting with Android users.

Both Apple and Google have made it so that by default, conversations inside their own platforms (Google Messages to Google Messages, and Apple Messages to Apple Messages) are end-to-end encrypted, but between the platforms is not (Apple Messages to Google Messages). This makes it very hard for most people to understand which of their conversations are private and which potentially are not. Even if you’re tapped into the nuance of this system, it’s very easy to slip up.

Just take a moment and try to describe this to your friends, where you need a set of caveats: Apple’s Messages is end-to-end encrypted, but only if everyone in the chat has an iPhone, and Google Messages is end-to-end encrypted, but only if everyone in the conversation is updated to a specific version of Android, their phone supports RCS, and you see a lock symbol in the conversation.

Enter the RCS standard. The RCS standard replaces SMS, the protocol behind basic everyday text messages, and MMS, the protocol for sending pictures in text messages. The RCS standard is being worked on by the same standards body (GSMA) that wrote the standard for SMS and many other core mobile functions. It has been in the works since 2007 and supported by Google since 2019.

In 2024, Apple finally joined Google in supporting RCS, which is why you may have noticed your cross-platform messages with friends and family suddenly supported images that didn’t look like they were sent over a 28.8K modem to a Geocities page.

Now, both companies need to support interoperable end-to-end encryption. This isn’t a pipe dream. Apple has said it’s working on end-to-end encryption for RCS, and Google confirmed it was too. We’ve seen signs of progress. End-to-end encryption is part of the RCS Universal Profile 3.0, which Google is currently testing in beta in its Messages app.

It’s important the two companies take the time to get end-to-end encryption right, but it’s very easy to see how a privacy-focused feature like this might get delayed in favor of shinier big bullet point items like AI. But they should not let RCS encryption fall by the wayside.

If you think this is a feature worth having, you should submit a feature request directly to Apple. Choose the “Feature Request” option in the “Feedback type” dropdown, and then remind Apple that you’re still waiting for RCS encryption. Unfortunately, Google doesn’t offer any way to submit feedback.

Why is this important?

Direct messages are an important part of just about every social network, but as we’ve seen with Meta and Twitter previously, getting companies to support end-to-end encryption is a long and arduous process. Thankfully, Bluesky recognized the need for truly private messages early in its life.

In 2024, Bluesky stated that, “We intend to iterate and fully support E2EE DMs as part of atproto itself, without a centralized service, and will take the time to get the user experience, security, and privacy polished.” Then, a year later in its 2025 roadmap, the company reiterated, “Looking forward, we continue to have plans to implement on-protocol DMs and E2EE group chat.”

As more people open Bluesky accounts, the more important it becomes to get this sort of privacy and safety feature in place. There are certainly complications with implementing something like end-to-end encryption with Bluesky’s protocol, but third-parties are trying anyway, and clearly Bluesky itself thinks it’s possible.

If you think this is a feature worth having, you should submit a feature request directly to Bluesky. Choose the “Product Feedback/Suggestions” option in the “Category” dropdown, and let Bluesky know you’d really like those encrypted DMs.

Why is this important?

Glance through any news coverage of Telegram and you’ll almost certainly come across an outlet or two referring to it as an encrypted chat platform. This happens because Telegram supports end-to-end encryption with private one-on-one chats, but it’s not turned on by default. The company also tends to present itself as a secure messenger, despite changing little since criticisms started mounting against it way back in 2016.

Not enabling encrypted chats by default leads to a false sense of privacy on a platform used by millions of people around the world. Enabling the encrypted chat option isn’t super obvious, either, and requires you to hop into the settings for each individual person to enable it. Worse, those chats are limited to each device, so if you move between devices you’ll need to start all over. That’s not a great user experience, and even setting that aside, cryptographers have also questioned the effectiveness of Telegram’s homebrewed cryptography.

In defense of not making end-to-end encryption the default, the company stated in 2017 that it was because of concerns around backups. But in the years since then, the state of the art in usable encrypted backups has improved significantly. There’s no longer any reason to use backups as an excuse when other messaging platforms like WhatsApp and Signal have found ways to thread that needle.

It is well past the time for Telegram to implement end-to-end encryption in its one-on-one chats by default, and to roll that out along with a sufficiently detailed technical paper that explains exactly how it all works, just like every other respected secure chat app.

If you think Telegram should encrypt DMs by default, upvote this post.

Why is this important?

Backups can be a loophole for law enforcement to gain access to otherwise encrypted conversations. In this case, if a backup is not end-to-end encrypted, WhatsApp itself, in collusion with backup providers like Apple and Google, could potentially access the contents of messages.

Thankfully, WhatsApp doesn’t enable backups by default, and the company offers end-to-end encrypted backups as an option, so you can protect against that loophole. But for a more complete protection, everyone you talk to in the app needs to do the same with their backups. This is why we’d much rather see end-to-end encrypted backups be the default, so it takes the guesswork out of knowing if you’re only doing half the work to protect your conversations.

WhatsApp recently released an update that allows you to use a passkey to encrypt your backup, which simplifies the process and makes it so you don’t have to manually save a 64-digit encryption key. This makes it much easier for people to do without the risk of losing access to that backup for good. Now’s the time to ditch the unencrypted backup option entirely.

Why is this important?

Ring buddying up with law enforcement has long been a problem, and one we even thought might be solved when there was a brief moment when the company seemed interested in pulling back from these sorts of partnerships. But the mask is off and that time has ended. Back are plans to make it easier for police to request footage from users, and to allow users to consent to letting police livestream directly from their device. There’s only one real way for owners of Ring cameras to throw a rock into the gears of this system: end-to-end encrypting the video, which Ring offers, but doesn’t turn on by default.

In fact, Ring makes it comically difficult to turn on end-to-end encryption. It currently takes 16 steps and disables twenty features. But once turned on, you, the owner of a Ring camera, are the only person in charge of that video footage, meaning it’s up to you whether or not you’re comfortable sharing it.

Considering how much Ring is leaning into law enforcement partnerships and AI features, it’s clearly going to be a tall order to turn end-to-end encrypted video on by default, but that doesn’t change the fact that it should do so. Users deserve to have full control of who can access their video feeds and what recordings get shared, full stop.

If you think Ring should use end-to-end encryption by default, upvote this post.

Why is this important?

Google Authenticator is one of the most well-known two-factor authentication apps, but for years it lacked one feature that could potentially leave you locked out of your accounts: cloud-based backups. Without backups, if your device is lost, stolen, or damaged, it becomes very difficult, if not impossible to get into some online accounts.

Google finally added backups in a 2023 update, but it didn’t offer a way to enable end-to-end encryption on those backups, something most of its competitors offer. Without end-to-end encryption, if Google suffers any sort of data breach, or if someone gains access to your Google account, they may be able to access those two-factor authentication codes, which can defeat the purpose of using two-factor authentication in the first place.

The response to the lack of end-to-end encryption was loud enough that the company said it would work on adding the feature in the future. Two years later, we’re still waiting. It’s well past the time to release this.

Why is this important?

Our phones contain just about everything there is to know about us, from the messages we send and the photos we take to the notes, drawings, and to-do lists that pepper our day-to-day life. But while you can encrypt the contents of your phone easily enough by using a strong passcode, data doesn’t typically stay on your phone, it’s usually backed up online too. That backed up data should have the same protections we expect from the device itself.

Apple took its first stab at solving this problem with its Advanced Data Protection feature. The idea is simple: you can now enable end-to-end encryption of data that was previously only encrypted in transit and on Apple’s servers, meaning that Apple itself could access the data. In other words, you can now control the encryption keys and Apple will not be able to access any of this data.

The most notable and important information included here is your phone backup, which typically includes the contents of your messages. With Advanced Data Protection enabled, your backups and most important files get that end-to-end encryption benefit, better securing your files against mass surveillance, rogue Apple employees, or potential data leaks. This feature is strong enough that the U.K. government demanded Apple create a backdoor, which the company refused to do.

In Android’s case, how data gets handled is murky, at best. According to its documentation, “Some of your data is end to end encrypted with your device’s screen lock PIN, pattern, or password.” What data? Who knows! The company doesn’t bother to get into the details. But if you use an Android phone, you likely store all sorts of sensitive data, including notes, journal entries, voice recordings, app data, photos, and more, alongside backups of your conversations on chat apps. Android device owners deserve the same level of protection Apple device owners have. At minimum, we’d love to see a chart like Apple’s explaining the level of encryption available for different data types.

Apple figured this out years ago, but we’re still waiting for its main competition, Google, to offer something even remotely similar.

Why is this important?

Google and Apple keep cramming new AI features into their phones and other devices, and neither company offers clear ways to control which apps those AI systems can and cannot access.

AI features can create a variety of potential privacy problems, but one of the most important aspects to get right is how those tools interact with secure messaging apps, like Signal or WhatsApp. There’s confusion around how operating system-based AI tools like Apple Intelligence and Google Gemini handle information, whether it’s kept local or sent to a server, and what that information gets used for. This makes it far more difficult to lock down your privacy than it should be. Both Apple and Google consider their respective “private processing” features, where data is processed in the cloud for AI features without the company being able to access it easily, private enough that they do not need to disclose that information. But both companies built their systems on top of secure enclaves, which have proven to be less secure than end-to-end encryption time and time again. So while these systems make it much harder for the companies to access that data, it’s nowhere near a perfect protection. We haven’t seen serious issues with these AI features yet, but it’s not hard to picture how their potential future access to more apps and services, including secure messaging apps, could lead to privacy leaks. Instead of waiting for that to happen, we should get user controls now.

Google, Apple, and other device makers should add an operating system-level AI permission, just like they do for other potentially invasive privacy features, like location sharing, to their phones and tablets. You should be able to tell the operating system’s AI to not access an app, even if that comes at the “cost” of missing out on some features. The setting should be straightforward and easy to understand in ways the Gemini and Apple Intelligence controls currently are not.

If you think this is a feature worth having, you should submit a feature request directly to Apple. Choose the “Feature Request” option in the “Feedback type” dropdown, and then let Apple know you’d like a way to block Apple Intelligence from accessing certain apps. Unfortunately, Google doesn’t offer any way to submit feedback.