It’s Time to Stop Texting

Suppose you had two choices when chatting with your friends. The first will give you a great messaging experience, but you (and those friends) need to sign up for a new app to get it. The second requires no sign-up, but sometimes fails to deliver messages without telling you; send tiny, blurry photos and videos; only works on your phone (not your computer); confuses all your friends and might lose all your messages if you switch phones; limits the length of your messages; makes some of your friends feel inferior to others; and offers no privacy whatsoever.

That choice is real. And if you’re like most people in the US (and millions of others worldwide), you choose that second option every day by using SMS.

No privacy whatsoever — what does that mean? It means that people you don’t know, at multiple companies (mobile phone providers, internet service providers, tech companies, and others) can read all of your messages, without any hacking or special technology. Your chats are there to read, maybe even by accident, like a postcard passing through a post office.

If that still feels abstract, look over your chat history while asking yourself the question, “Am I fine with a bunch of people I don’t know, all of whom have my phone number and some of whom know where I live, reading all of this? Am I comfortable making that choice on behalf of everyone I communicate with?”

If you’re comfortable with all of that — the lack of privacy, the crappy photos, the failed messages, etc. — you can stop reading now. But if it bothers you — if you’d like to learn how and why you’re making that choice, and how to make a better one — read on.

The Short Version

SMS stands for “Short Message Service”; in the US we often call it “texting.” It’s what you get in the Messages app on most Android phones, and the green bubbles on an iPhone. It’s the oldest mobile-messaging service, the most widely-used in the US, and comes with all the drawbacks I listed above (and more). SMS is a mess.

I don’t have much hope for a solution from the mobile carriers, phone manufacturers, and tech companies keeping us in that mess. But we don’t need one: we consumers can solve this for ourselves because we’ve had better options available to us for years. If you’d rather a quick read than a comprehensive understanding, it’s pretty simple:

SMS is a poor way to communicate. Photos and videos are tiny and blurry. Messages get lost. You can’t use it reliably on your computer, or when your phone number changes. It lacks basic features — typing indicators, read receipts, stickers, the ability to edit and delete messages. And it’s the least private mode of communication we have.

SMS is outdated. We’ve had better options for over a decade: dozens of better services with millions of users each. And amazingly, they don’t involve any real trade-offs: once you switch from SMS to almost anything else, everything gets better. [1]

I recommend Signal or Telegram for most people in the US. If you want to maximize safety & security, go with Signal; for greater ease of use, choose Telegram. If a lot of your contacts use WhatsApp, then go with that.

Start small. Switching platforms is a pain, and getting your friends to do it is even harder. I think the advantages are worth the pain in this case, but the pain is real. So make it easier and start small: find one friend who’s willing to experiment. Sign up together for Signal or Telegram, and take it for a spin. And go from there.

That’s it! Or, read on for details. Fear not: it won’t get too technical.

Online Safety: A Crash Course

“At Acme Messaging Co, your privacy is our priority.” Sure, that’s what they all say. But what does it mean? What is privacy? Is it different from security? How much of each do you need? Why should you care?

Security

The more secure your data is, the harder it is for an unauthorized person — someone who isn’t supposed to see it — to do so. It’s that simple. [2]

Encryption

Encryption is critical to security, and is also simple at a high level: to encrypt something is to make it unreadable by anyone who can’t reverse that encryption (decrypt it). If you played with secret codes as a kid — replacing letters with numbers, shifting things forward in the alphabet — you were doing simple encryption.

Somewhat counterintuitively, modern encryption relies on openness: the most secure, trusted encryption schemes are those whose details are available for everyone to see, to audit, and to try to break.

And today’s standard encryption algorithms are well-regarded: if your data uses them and your key (password) is strong [3] and kept secret, your data is very safe — though nothing is guaranteed.

Why does encryption matter? Well, information travels the internet by hopping from device to device. Sometimes it makes a lot of hops. When you message a friend, whatever you send is visible to all the computers it hops through. If it’s unencrypted, an unknown group of people will see, “Hey, I’m out of town but left the door unlocked — can you check on the cat?” (And since some of those people work at your internet provider, they might have your home address.) If it’s encrypted, they’ll see something like, “jzoagzFBPCKfI6xgadBZm5zaCsL1…” — meaningless gibberish unless they have the decryption key.

Encrypted Messaging

Most messaging uses some encryption, but different services have different approaches. The most secure services (e.g., WhatsApp and Signal) use end-to-end encryption (E2EE). Only you and your correspondents have the decryption keys; even the messaging service itself doesn’t have them. So if they get hacked, or a nefarious employee wants to see your data, or a government demands it…tough luck. They simply don’t have the ability.

Other services (e.g., Telegram and Facebook Messenger) encrypt your messages in transit. That is, they’re encrypted whenever they’re not on your device or a device belonging to the messaging service — it’s the situation I described above with information hopping around the internet.

Why doesn’t everyone use end-to-end encryption (E2EE)? Well, there are trade-offs. If you lose your password, an E2EE service can’t recover your messages for you (because to do so, they’d need the ability to decrypt them on their own). A service that can access your messages might offer more sophisticated search, or use your messages to personalize advertisements, or provide related content for you.

However, there’s no reason whatsoever not to encrypt your data in transit. It’s all down side with no up side.

SMS does not encrypt your messages. Not even in transit.

Privacy

Privacy combines policy and security to define the reality of who does what with your data. (Recall that security prevents unauthorized access to your data; it doesn’t define who’s authorized in the first place.) So a privacy policy might say, “Only the employees of Acme Messaging Co have access to your data.” Acme’s security ensures non-employees can’t get their hands on your data (or doesn’t). And the result is your actual level of privacy.

If Acme has top-notch security but the privacy policy says they’ll sell your messages to anyone for $5, you don’t have much privacy. Conversely, if Acme says nobody will ever look at your data but it’s stored, unencrypted, on a computer they leave on their front porch…well, actually at that point rain becomes a real issue.

Regardless of their policies, companies are beholden to the laws of the countries in which they operate, and governments have the ability to demand data for various reasons. If a company can read your data, they can turn it over to other parties; if it’s been deleted or uses E2EE, they can’t.

Privacy vs. Law & Order

Governments sometimes oppose strong security, and E2EE in particular. Last month the FBI, in response to Apple’s addition of E2EE to iCloud, said it “ hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism.”

Which is true! It’s easier to track down and prosecute criminals given access to their data, at least in theory. But you can’t have it both ways: on a purely technical level you can’t say, “Let’s encrypt data so only its owner can see it…and also law enforcement when the owner is a criminal.” If somebody else has access to your data, somebody else has access to your data. And while a system of due process can limit abuse, we’ve seen repeatedly that abuse will occur, often in ways that hurt the least powerful among us.

The Electronic Frontier Foundation, siding with Apple, writes, “Encryption is one of the most important tools we have for maintaining privacy and security online…[Apple users] will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee).”

So is E2EE good? Ultimately, I think so. That’s especially true because of the third-party nature of the problem. If the police want to search my house, they have to show up with a warrant. If some law-enforcement agency, somewhere in the world, wants to search my iCloud data, their attempt to get it will be electronic, and may not involve me at all.([5])

Who Needs Privacy?

And then there’s the classic argument, “If you’re not doing anything wrong, then you have nothing to hide.” But of course plenty of good people have reason to hide: the dissident in a repressive regime, sure, but also the woman in fleeing an abusive husband, my Dad asking me for his email password that he lost, and me texting the cat-sitter about when we’ll be out of town.

Beyond that, there’s something squishier. If I text my wife saying, “Last night was fun. Thinking of you,” I guess it’s fine if the FBI sees it…but I’d just as soon they didn’t. And I’d also rather avoid some tech worker treating the thread as their own personal Netflix [4]. It’s creepy, and if I can’t quite describe the creepiness in rational terms, maybe I shouldn’t have to.

Voice vs. Data

The internet is amazing, and not just because of the cat videos. There are raccoon videos, too.

Also, it’s a globally-networked collection of computers that can all talk to each other and, critically, that all speak the same language. If I build an internet messaging service, any device on the internet can talk to it.

Early mobile phones didn’t have the internet. They connected to cell towers operated by telecommunication companies that handled one thing: calls. There was no facility for non-call data, so you couldn’t build an app that used a phone’s connection.

In the early 2000s, phones started adding internet “data” connections alongside the preexisting “voice” connection. Initially, it was limited; but when Apple launched the iPhone in 2007, it moved smartphones into the mainstream — phones with big screens and keyboards that treated the internet as integral rather than an afterthought.

So today most phones are smartphones, with both voice and data. And actually since we all have data connections, you don’t really need the voice connection anymore: video-chat apps like FaceTime, Zoom, and Google Meet — along with most messaging apps — provide calls using the data connection at higher quality than the voice one offers.

SMS

In the 1980s, some clever engineers figured out a way — today we’d call it a hack — to transmit short text messages over a voice connection. It became widely available to consumers in the early 1990s as SMS.

Every mobile phone can do SMS. Computers can’t, because they don’t have voice connections. It’s possible to set things up so you can access your SMS from your computer, but what’s happening behind the scenes is your phone is sending and receiving those messages, then relaying them to your computer.

SMS was clever and wonderful when it debuted. It’s reasonable to suggest it revolutionized how we communicate. But over the last 15 years, third-party, internet-based messengers have superseded SMS as highly capable mobile communication tools. What makes SMS less capable?

It’s not secure. All that nuance around encryption isn’t even useful here, because SMS is completely unencrypted. Your mobile provider can see your messages. Your friends’ mobile providers can see your messages. Some unspecified set of middlemen can see your messages. They don’t have to try; they just have to look at them. SMS is the least private form of communication available today [5].

It’s not reliable. For instance, messages sometimes fail to deliver; and when they do, there’s no notion of confirmation or error-reporting — they just go down a black hole, with neither sender nor recipient knowing anything went wrong.

It’s tied to your phone. Not just your phone number; your actual physical phone, and more specifically the little SIM card you get from your carrier. If you travel internationally, have multiple phones, or have friends who do those things, this is a real problem! Because the minute you switch phones or SIMs, you stop receiving SMSes (and again, people who text you won’t know the message has failed). There’s no notion of “updating your number” because there’s no “you” with SMS: different phone numbers are effectively different people.

And SMS doesn’t work on things that aren’t phones. Apple has mitigated this with its “SMS forwarding” feature, but it’s not ideal. Mostly, your SMSes are on your phone and that’s where they are.

Photos & videos are terrible. You know that amazing photo you texted your family from your trip to Hawaii, with the palm trees and the ocean in the distance and you looking tan and happy with a mai tai in your hand? Your Mom has an iPhone so she loved it. Your brother has an Android, so he saw a blue-green blob with a couple tan blobs in the middle.

It’s stuck in 1990. Want bold and italics? Nope. To thumbs-up a message? Nope. To edit a typo? Nope. To delete an angry text you wish you hadn’t sent? Nope. To write more than 160 characters? Sorry. And these things won’t change because they can’t change.

So, why is SMS still ubiquitous?

To begin with, it’s only ubiquitous in the United States. Here, the cost of SMS went to zero fast enough that people just kept using it. In the rest of the world, carriers continued to charge for it, allowing players like WhatsApp to win as free alternatives.

But in the US, SMS was free, and inertia is powerful, and here we are.

iMessage

If you have an iPhone, you use iMessage. Any time you text with another Apple user — any time you see a blue bubble in Messages — that’s an iMessage.

As a service in its own right, iMessage is terrific. It’s easy to use, end-to-end encrypted, syncs your message history across all your devices (with E2EE), works both with phone numbers and email addresses, and can handle multiple addresses for a single person. If Apple released iMessage for Android and Windows/web — or, say, partnered with Google to do so — it would be my sole recommendation.

But even inside Apple’s ecosystem, iMessage suffers because it’s intertwined with SMS. This is one of those classic “it just works” Apple moments, in all the good ways and all the bad ones: iMessage is layered on top of SMS so you can text anyone and it just works…except when it really doesn’t.

Here’s what happens under the hood: before sending a message, Apple looks up whether the recipient has an Apple device. If yes, it sends an iMessage (blue bubble). If not, it sends an SMS (green bubble). (If yes but something goes wrong, e.g., a poor data connection, Apple “falls back” to SMS — unless you disable SMS fallback, which I recommend.)

This is great: you can message anyone, anywhere, without thinking about it too much, and the message will travel over the best service available. But it’s dangerous, too, because it encourages you to conflate two very different scenarios, and at times you won’t realize which is happening until after the message is sent.

Also, sometimes iMessage just doesn’t work — it seems to inherit some of SMS’s phone-number-related issues.

So in the end, I’m reluctant to recommend iMessage despite how good it is in so many ways.

Green Bubbles, Blue Bubbles

One final note: You’ve probably seen some of the controversy around green and blue bubbles. The narrative: Apple uses the green bubbles as a PR tactic to make Android users seem inferior.

I can’t say Apple doesn’t enjoy that dynamic. But by now, you know there’s a lot more to the green vs. blue bubbles than perception. The difference in color represents a very real difference in functionality, technology, and privacy [6][7].

RCS: A Little Better

You may have heard of RCS: a new standard that Google and mobile carriers are pushing as a successor to SMS. It’s often described as their answer to iMessage.

RCS does improve upon SMS, but it also retains SMS’s most fundamental flaw while simultaneously introducing some of iMessage’s issues [8].

RCS perpetuates SMS’s dependence on the mobile carrier and device: it’s not just an internet-based thing. If you want to build an RCS app, you must rely on RCS functionality provided by the mobile carrier (or become a mobile carrier yourself).

It’s also worth noting that while you can encrypt RCS, it’s not required by the standard and only some implementations support it. So when you send an RCS message, it may or may not be encrypted. I suppose this could be solved by introducing green bubbles?

That said, if you’re an Android user, and your carrier and handset support RCS (which some don’t), there’s no reason not to use it — but note that with Google’s Messages app, it’s disabled by default. (And as behavioral-science studies have shown, that’s a great way to ensure 80% of people don’t use it.) To enable it, go into the app’s settings and turn on Chat Features [9]. Once you’ve done so, remember that — much like iMessage — you’ll only get the benefits of RCS with contacts who also have it.

Recommendations

You don’t have to use SMS. There are dozens of internet-based messaging apps that work well across iPhone, iPad, Android, Windows, Mac, web, and sometimes Linux. And you don’t have to wade through all of them to pick one: just take one of my two recommendations.

Both my recommendations are encrypted in transit and at rest. So the question is: are you comfortable with the idea that your messaging provider (and anyone to whom they grant access) has the capacity to read your messages? If not — if you want end-to-end encryption and can deal with some minor inconvenience to get it — I recommend Signal. Otherwise, go for Telegram.

Signal

Signal is the most usable E2EE messenger, and the most respected by security-conscious folks. Its entire codebase is open-source, so anyone can audit it for security flaws (and reputable organizations have done so). Signal is run by a non-profit whose main focus is privacy.

Signal: Pros

  • Extremely well-respected for security & privacy.
  • Available on every major platform: iPhone, iPad, Android, Mac, Windows, Linux
  • Pretty easy to use.

Signal: Cons

  • Limited syncing of message history between devices. With many messengers, when you sign in on a new device you’ll see all your past chats with everyone. With Signal, you don’t — you just get everything from the moment of sign-in onward. If reliable access to all your old messages is critical to you, Signal (or another E2EE messenger) may not be the right answer. I’m hopeful Signal addresses this at some point. In the meantime, it’s the main reason I’m still on Telegram.
  • Sign-in on multiple devices is a little awkward and finicky.
  • It lacks a few nice-to-have features: you can’t edit a message after sending it, and the available stickers are pretty rough.
  • It can be a bit buggy in my experience.

Notable E2EE Alternatives

  • WhatsApp is less polished than Signal, lacks an iPad app, and is awkward to use at times. It’s also more widely-adopted than Signal — it’s the de facto standard for texting in much of the world. It’s owned by Meta (a.k.a. Facebook), and shares some data with the larger company, which may bother some (but note that it doesn’t share the content of your messages—its use of E2EE precludes that). If you’re starting from zero, I prefer Signal; but if your friends are already on WhatsApp, that might be the way to go.
  • LINE is to Japan, Taiwan, and Thailand what WhatsApp is to Europe and Latin America. If you have a lot of contacts using it already, it’s probably a solid option.

Telegram

I’d love for Signal to be my sole recommendation. But today, all of the E2EE messengers are a little lacking when it comes to user experience. And while in-transit encryption should be non-negotiable, it’s reasonable for some of us to think about sacrificing E2EE in exchange for ease of use.

If you’d consider that trade, my recommendation is Telegram. ​​It’s easy to use, with a straightforward experience and a simple cross-device login system. It has the central message archive Signal lacks, so wherever you log in you always have all your messages. And it’s encrypted both in transit and at rest (while stored on Telegram’s servers).

Telegram: Pros

  • Easy to set up and use.
  • All the usual bells and whistles in a clean, enjoyable experience.
  • Apps for iPhone, iPad, Android, Mac, Windows, Linux.
  • Messages are stored centrally with Telegram, so you always have all your chats on all your devices.
  • Although your phone number is your primary login, you don’t have to give it out to connect with people: you can create a separate username. This is beneficial if you want to message with people but don’t want them to have your number [10].

Telegram: Cons

  • No end-to-end encryption by default, though you can enable it for specific threads.
  • Stickers are a little weird at times.

Notable Alternatives

  • Facebook Messenger is similar to Telegram and more widely-adopted. The experience is busier but still straightforward. Messages are not encrypted at rest, making unwanted access to your data theoretically easier than with Telegram. And the lack of E2EE means that unlike WhatsApp, there’s at least an opportunity for Messenger to share your messages with the broader Facebook/Meta organization. It also requires a Facebook account, which can be a sticking point for some.
  • Slack and Discord are aimed at teams, but nice if you’re trying to message with a community. This is a scenario for which a different feature set is appropriate, so I’m not going to get into too much detail except to say they’re right for some (and I use them regularly).

I’ve been using Telegram with friends & family for about five years and we’re happy with it — starting with the fact that less technically-inclined folks were able to set it up. Given the lack of end-to-end encryption, I turn to other options when I need to send especially sensitive or private information.

When I chose Telegram, Signal was far less mature, and the world seemed a little safer too. These days, I find myself reevaluating. But at a minimum, it’s worth remembering we’re in far, far better shape than we would be with SMS.

Conclusions

I hope this has been useful — thanks for reading to the end. For all the detail and complexity, this is all pretty simple on a practical level:

SMS is bad. There’s no technological reason to use it, and virtually any alternative is strictly better. For most people in the US, I recommend Signal or Telegram. To pick one you’ll need to navigate a few trade-offs. And you’ll need to convince some friends to join you. Again, I know that’s challenging but I truly believe it’s worth it, and you can mitigate the pain by starting small.

The Future

Messaging continues to evolve, not least of all in response to shifting attitudes about online safety:

  • Matrix may be emerging as an alternative to Signal with a more permissive open-source license, which makes it more attractive to companies who want to build on top of it [11].
  • Google has probably launched and killed three or four messaging apps in the time it took you to read this article, all of them named “Chat”. Still, if they ever get their messaging act together, they could be a powerful force for good.
  • The trade-offs among messaging apps keep getting smaller. Signal’s user experience improves. WhatsApp is promising broader device support. Apple has shown that end-to-end encryption isn’t incompatible with a message archive. And there are always new startups with their own take on all of this.

If your response to that is, “So I have to switch now, and then go through it again later?” Not necessarily. Remember: anything is better than SMS, and chances are that whatever you choose now will get better with time.

Why am I qualified to write all of this? Well, to begin with I did a lot of fact-checking. Beyond that, I’ve been in tech for 25 years and, in that time, have designed and built multiple messaging apps. I designed Yahoo! Messenger for iPhone, one of the first messaging apps for that platform. I led the design team for Gmail and worked on Facebook Messenger. My first startup, Emu, was a messaging app. My second startup, Miter, was not a messaging app but sometimes acted suspiciously like one. Am I obsessed with communication software? Well…maybe. I’m fascinated by the intersection of people, communities, and technology — and nowhere is that more palpable than in communication.

Footnotes

  1. While there aren’t drawbacks to any major messaging service vs. SMS, the act of switching isn’t entirely free of hurdles. It’s not something you can do on your own. You won’t convince everyone, so unless you refuse to SMS at all, you’ll still have conversations there — meaning increased fragmentation of your communication. For many of us, though, communication is already fragmented — between messaging services, between messaging and email, between traditional communication tools and social networks.
  2. Wikipedia has a more robust definition of security, but I think it’s compatible with mine.
  3. What makes a password strong? The most important thing is its length. All those annoying password rules (capital letters, uppercase, symbols) are actually unnecessary. So, scandium thrift queue batch is a better password than xQ%phU59 because it’s longer. It also needs to be hard to guess — that longer password is only secure if the words have no meaning to me and no relationship with each other. To be fair, a lot of password prompts won’t accept a password like that, but they might if, say, you turn it into Scandium-thrift-queue-batch4.
  4. I’m not saying this is common, but it does happen from time to time. And for all the bad press Big Tech gets, this is one reason your data might be in better hands with a big company — they have to hold themselves to a higher standard for data security.
  5. Some would name email as the least-private form of communication, but I’m confident in giving that title to SMS. At least some emails are encrypted. Most email activity is encrypted in transit. And Gmail is moving toward end-to-end encryption within its ecosystem. That said, some email is completely unencrypted some of the time, so look out. (Disclosure: I worked on Gmail in 2015–2016 and, while there, was part of some efforts to increase email encryption.)
  6. Yes, Apple could implement RCS (see next section), but they’d still need green bubbles when it falls back to SMS. Yes, they could build iMessage for Android but there’s little incentive to do so, and they’d still need green bubbles when it falls back to SMS. The solution here isn’t to get rid of green bubbles; it’s to abandon SMS.
  7. I think there’s an opportunity for Google and Apple to do a deal bringing iMessage to Android and Chrome. Whether they’re incentivized to do so I don’t know, but there’s at least partial precedent: Google pays Apple a lot of money to be the default search engine in Safari.
  8. It was oddly difficult to find clear, authoritative information on how RCS works, or how it’s dependent on the carrier and handset. I read a lot of articles and even skimmed the 389-page RCS specification, and while I still can’t tell you how it works, I’m at least confident in what I’m saying here.
  9. Why is RCS disabled by default if it’s better? Why does Google call it Chat Features when that’s really confusing in an app that does chat and already has features? Or when they have a separate app called Chat that doesn’t have anything to do with RCS? These are small parts of the ongoing mystery that is Google’s messaging strategy. And their inability to come up with a coherent one over fifteen years saddens me: of all the tech companies, they seem best-positioned to build and standardize a great, universal messaging system. Instead, they’re pushing a new version of the problematic old thing, and I don’t understand why.
  10. With a little effort, you can use Telegram, Signal, or WhatsApp without giving out your real phone number. First, sign up for a number with Google Voice; then use that number to sign up for the messaging service. (Telegram just announced a way to do something similar within their app, but it’s not available in the US yet.)
  11. The world of open-source licenses is complicated and includes several competing ideologies. “Open source” simply means that a company with a software product makes the source code (that is, the “recipe” for building the product) available to anyone. Armed with the source code for Signal, I can build Signal’s app on my own computer, make changes to it, use it, and distribute it. But in Signal’s case, I’m required by their license to publish any source-code modifications I makecode. In Matrix’s case, I’m not. That approach is appealing if you want to make money off your software, since in Signal’s case you’re required to let someone else give it away.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store