This summer, Apple’s more than 500 million users received an urgent message on their phones urging them to update to the new operating system.
But this wasn’t just a routine update. The new operating system contained an urgent fix for a major security vulnerability that Apple previously had no idea existed.
A few weeks earlier, a human rights activist in the United Arab Emirates named Ahmed Mansoor received a suspicious text message.
He didn’t open it–he sent the messages to Citizen Lab, a technology laboratory at the University of Toronto, which discovered that if he had opened the link, it would have led to zero-day exploits that would have allowed hackers to secretly surveil Mansoor. His phone’s camera, microphone, phone calls, emails and text messages would have all been completely hijacked.
But it wasn’t just Mansoor who was at risk. With that kind of zero-day on the loose, every one of Apple’s users was susceptible. Citizen Lab informed Apple about the vulnerability as soon as they discovered it, and Apple released a “patch” to fix it 10 days later. Any iPhone updated since September 1 is automatically protected.
Mansoor’s case was unusually high profile. In the shadowy world of government hacking, many victims are unaware that they are targets. And unlike Mansoor, who had contacts at Citizen Lab and knew to be wary of suspicious links, many potential victims may not know how to protect themselves.
That’s why tech companies are working hard to protect their customers from attackers – whether they are snooping governments or criminals looking to steal personal information.
Apple’s Tim Cook has also been a huge security advocate, going head-to-head with the US government in defense of encryption that would protect users’ emails, messages, photographs and other personal information.
But it’s not just Apple that’s been outspoken about protecting its customers from digital threats. Here are some ways that other major companies are weaving security into their platforms:
Google’s Nation-State Hacker Notifications
Since 2012, Google has warned users of nation-sponsored hacking attempts. While Google has not publicly released the number of warnings it issued to potentially at-risk users, these warnings made headlines when the press itself was targeted. In late November, American writers including New York Times columnist Paul Krugman and New York Magazine reporter Jonathan Chait reported receiving warnings that Google had potentially detected government-backed attackers.
https://twitter.com/juliaioffe/status/801435745760186368?ref_src=twsrc%5Etfw (Caption: Julia Ioffe, a journalist who has contributed to Politico and Foreign Policy, tweets out her alert.)
It’s not just Americans the tech giant is protecting: In mid-October, more than a dozen Russian activists and journalists also said they got missives from Google warning about breach attempts. As part of the warning, Google prompted the potentially targeted users to set up a security key or install a password alert.
Julie Brill, currently a co-head of Hogan Lovells’ Privacy and Cybersecurity practice and a former Commissioner of the Federal Trade Commission, said these kinds of warnings about direct threats from companies are more effective than general advice about online security – especially if there’s a high profile account that may be at risk.
“As breach notifications continue to go out to consumers, there is heightened concern,” said Brill. “I think now if you layer on top of that the kinds of things people hear about hacking into email accounts, including the account of the head of one major political campaign, it’s become quite clear to me that consumers’ awareness of the issue has dramatically increased.”
Facebook: Giving customers the option to encrypt data
As of October, all Facebook Messenger users have the option to use “secret conversations.” This allows them to send messages that are encrypted from one device to another, so no device other than the one used to send the message and the one authorized to receive it can access the data.
The company, however, did not choose to make end-to-end encryption the default. Part of this appears to be for convenience: it cannot work when users want to switch devices. Facebook on your computer, for instance, would not be able to see messages sent from Facebook on your phone. It would also complicate other Facebook Messenger features like GIFs, videos, and payment systems that rely on the open internet. Facebook is not publicly releasing data about how many users have taken advantage of secret conversations.
The entire Facebook site can also be accessed in secret via the Tor browser, which helps users stay anonymous by routing their web traffic across multiple servers. In the last two years, Facebook allowed users to connect to Tor through its Android app. An iPhone app has not yet been approved. The Tor option is growing in popularity: in mid-2015, about half a million people accessed Facebook over Tor over a 30-day period. One year later, that number had grown to more than one million, according to a Facebook post from Alec Muffett, a software engineer for security infrastructure at Facebook.
WhatsApp: Encrypting communications by default
Facebook’s acquisition, WhatsApp, however, has taken stronger steps towards secrecy. The messaging app, which Facebook bought in 2014, made the move this year to encrypt all its messages from end-to-end by default – and explicitly warns users if their messages are not encrypted.
While many experts view the move as making WhatsApp the most secure mainstream messaging platform, its approach has since gotten the company into some legal trouble–in Brazil, authorities temporarily shut it down after WhatsApp failed to hand over information requested in a criminal investigation.
One caveat to the idea that this communication is unbreakable: the app sometimes shares user information like phone numbers with Facebook, its parent company. Backups of the conversations are also unencrypted, so some messages could end up backed up – and left unprotected.
Some consumers may take comfort in the fact that major tech companies are owning the responsibility to protect their users instead of the other way around. But for the users that would like to take control of their own security, there is a wide array of options for secure messaging apps, email services and browsers outside the mainstream of large technology companies.
Encrypted search engines:
DuckDuckGo is a search engine that does not profile users or personalize their search results. There are nearly 11 million searches per day on the site.
Startpage, a search engine that uses Google search results but allows users to open all search results via proxy, is another option. Startpage and its European counterpart Ixquick were the first privacy-focused search engines, and began in 2006. They now receive more than 4.5 million searches per day.
For encrypted email systems:
Kolab Now is a Switzerland-based groupware service and web-based email.
NeoMailbox is another Swiss email service that provides IP anonymity, spam and virus protection and disposable addresses hosted at a personalized Swiss domain name.
CounterMail is a Sweden-based end-to-end encrypted email service.
Tor Mail is an anonymous email provider based on the Tor network (which is required to use this email service).
Other end-to-end encrypted messaging services:
Signal is a service that says it does not have access to the contents of messages sent over its servers. Signal has earned praise from anti-surveillance activists Edward Snowden and Laura Poitras.
Cyber Dust, another option, also automatically deletes messages from user phones as soon as they are read. Wickr has a similar timed feature.
Adium, another end-to-end encrypted messaging program, allows for encrypted chats across multiple networks for Mac users. It has been installed hundreds of thousands of times.
And if you want to encrypt your browser yourself, you can install Tor, which keeps users anonymous by requiring HTTPS and using hidden relay servers.
Dragon also has domain and URL filtering systems, and is set up as a more secure version of Chrome or Firefox.