Secure Communication: What Does It Really Mean? 

Author: Luke Smyth

Most people assume their messages are private - but ‘secure’ communications are rarely as secure as they appear. We hear about encryption and high‑profile examples of government ministers and world leaders using private messaging apps like Signal, Telegram and WhatsApp for sensitive conversations.  At the same time, platforms evolve, changing policies, introducing new features, or in some cases removing security features altogether. 

What does ‘secure communication’ actually mean? Secure from whom or what? 

At its core, secure communications are about protecting the way information moves between people. Whether it is a message, a voice call, or a file, the goal is to preserve three things: confidentiality (only the intended recipient can read it), integrity (it hasn’t been altered), and authenticity (it is genuinely from who it claims to be from). 

Technologies such as end‑to‑end encryption, HTTPS and VPNs are designed to achieve this while data is “in transit” - travelling from sender to recipient. And that is important. It helps prevent interception by third parties along the way. 

However, this is only one part of the journey. 

Where secure communications really break down

Every communication begins and ends somewhere - on a device. Your phone, your laptop, your tablet. And in order for you to read a message, it must be decrypted when it arrives. 

At that point, its security no longer depends on the encryption that protected it in transit. Instead, it depends on the security of your device, the application you are using and the organisation behind it. This is where many assumptions start to unravel. 

Free consumer messaging apps are, ultimately, businesses. They operate on different models: advertising, metadata analysis, ecosystem lock‑in, non-profit, or integration into broader platforms. Even when the content of your messages is encrypted, the surrounding data - who you speak to, how often, where from, on which device, and at what time - can be highly valuable. 

So the conversation shifts. It is no longer just about whether a message is encrypted. It becomes about trust: 

  • Do you trust the provider’s business model? 

  • Do their incentives align with your privacy? 

  • How do they protect you when something goes wrong? 

| App | Country of Origin | Ownership / Funding Model | End-to-End Encryption (E2EE) | Logging / Data Collection | Key Privacy Notes |
|---|---|---|---|---|---|
| WhatsApp | USA | Meta (public company, ad-supported) | ✅ Yes | Medium/High – contacts, device info, IP, usage patterns, metadata | Strong content encryption but significant data sharing with Meta for profiling/ads |
| WeChat | China | Tencent (public company, ad supported, FinTech services) | ❌ No | High – messages, contacts, location, payments, identity data | Subject to Chinese law; potential government access and surveillance risks |
| Facebook Messenger | USA | Meta (public, ad-supported) | ⚠️ Partial (optional E2EE in some chats) | High – extensive metadata, behavioural tracking, long retention | Significant data sharing with Meta for profiling/ads |
| Telegram | UAE (founded in Russia) | Privately owned (Pavel Durov, premium subscriptions) | ⚠️ Only in “Secret Chats” (not default) | High – stores messages, contacts, IP | Popular for privacy reputation, but default chats are not fully private |
| Snapchat | USA | Snap Inc. (public, ad-supported) | ⚠️ Partial (only media, not full chats) | Medium – message content accessible to platform; user activity tracked | Ephemeral messaging ≠ true privacy; still logs significant user data |
| Instagram (DMs) | USA | Meta (public company, ad-supported) | ❌ No | High – extensive profiling, social graph, usage tracking | Recently removed E2EE and significant data sharing with Meta for profiling/ads |
| QQ | China | Tencent (public company, premium subscriptions) | ❌ No | High – messages, contacts, location, payments, identity data | Subject to Chinese law; potential government access and surveillance risks |
| Discord | USA | Privately owned (premium subscriptions) | ❌ No | Medium – collects account, usage and content data for moderation | Focus on communities; privacy weaker due to lack of encryption |
| iMessage | USA | Apple (public company, hardware-driven revenue) | ✅ Yes | Low – limited metadata | Falls back to SMS (unencrypted) when messaging non-Apple devices |
| Signal | USA | Nonprofit (Signal Foundation, donation-funded) | ✅ Yes | Low – phone number, registration date only; no message or metadata storage | Open source, minimal logging and no ad-driven incentive |

The hidden risk of convenience

There is also a more immediate and increasingly exploited vulnerability, one that has little to do with encryption at all. 

Modern messaging apps are designed for convenience. You can link your account across multiple devices, allowing you to read messages on your laptop while your phone is elsewhere. It feels seamless and efficient. But that convenience introduces a weakness. 

A growing tactic known as ‘ghost pairing’ takes advantage of this feature. In a ghost pairing attack, an attacker persuades or pressures a victim into linking their messaging account to an additional device. This could happen through social engineering, a moment of distraction, or a seemingly innocent request. 

Once that pairing is approved, the attacker doesn’t need your phone again. They can receive future messages as they arrive, often without triggering obvious alerts. From the platform’s perspective, the attacker is simply another authorised device. 

At this point, encryption becomes irrelevant. The system is working exactly as designed but the attacker has effectively been let in through the front door. 

Why this matters more than you think

Messaging apps often hold some of the most sensitive material in your digital life: conversations with advisers, lawyers and colleagues; financial instructions; personal discussions with family; identity documents; even subtle patterns about your movements, decisions and relationships. 

This is why secure communications should not be defined by a single feature like encryption. Instead, consider three core pillars: trust, visibility and control. 

  • Trust, in the provider and their incentives 

  • Visibility, over what is happening within your accounts 

  • Control, over who and what has access 

In government and intelligence environments, communications are built with security as the foundation - controlled infrastructure, restricted access, tightly managed cryptographic materials and minimal exposure. But these systems are complex and costly, and it would be impractical for everyone to use them. Genuine security is rarely accidental - and it is almost never free. 

What you can do today

The good news is that improving your communication security can be achieved with a few considered steps that can make a meaningful difference. 

1. Review what you use - and what you use it for

Take stock of the platforms you rely on. Where are you discussing sensitive financial, legal or personal matters? Ask yourself whether the convenience of that platform matches the sensitivity of the conversation. 

2. Check for linked devices 

Go into your messaging apps today and review connected devices. 

  • In WhatsApp, navigate to “You” (iPhone) or the menu on Android, then “Linked Devices”. 

  • In Signal, go to Settings → Linked Devices. 

Remove anything you do not recognise or no longer use. If a device was not linked by you, treat it as suspicious. 
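
As an added illustration (not part of the original article, and not any app's real protocol), the simplified Python model below shows why a ghost-paired device defeats encryption, as described in the section on the hidden risk of convenience, and why the linked-devices review in this step stops it. The `Account` class, the device names and the toy cipher are assumptions made for the example.

```python
import hashlib, hmac, os

def seal(key, plaintext):
    """Toy authenticated encryption: a stand-in for the app's real protocol."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce, body, tag

def unseal(key, envelope):
    nonce, body, tag = envelope
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class Account:
    """Hypothetical account model: one secret key per linked device."""
    def __init__(self):
        self.devices = {}
    def link(self, name):
        self.devices[name] = os.urandom(32)
        return self.devices[name]
    def unlink(self, name):
        self.devices.pop(name, None)
    def fan_out(self, plaintext):
        # Every linked device gets its own correctly encrypted copy.
        return {n: seal(k, plaintext) for n, k in self.devices.items()}
    def unrecognised(self, known):
        # The linked-devices review: anything the owner did not link.
        return sorted(set(self.devices) - set(known))

def demo():
    acct = Account()
    acct.link("Owner phone")
    ghost_key = acct.link("Desktop (unknown)")  # constructed: pairing approved under pressure
    copies = acct.fan_out(b"constructed sample message")
    ghost_read = unseal(ghost_key, copies["Desktop (unknown)"])  # decrypts normally
    flagged = acct.unrecognised(known={"Owner phone"})
    for name in flagged:
        acct.unlink(name)  # removal ends delivery to that device
    later = acct.fan_out(b"constructed follow-up")
    return ghost_read, flagged, sorted(later)

if __name__ == "__main__":
    print(demo())
```

The encryption never fails in this model: the unknown device reads the first message because it holds a legitimate key, and only the review and removal keep the follow-up from reaching it.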

3. Reduce exposure through basic hardening 

Simple measures go a long way: 

  • Enable app PINs or registration locks where available 

  • Keep your devices updated 

  • Be cautious of unexpected prompts to scan QR codes or approve access 

Urgency is often the attacker’s greatest tool - pause before you act. 

Securing your digital privacy

It is tempting to believe that using an encrypted app means your communications are secure. But the reality is more nuanced. Encryption alone does not equal security. True protection depends on the strength of your devices, the trustworthiness of your providers and the awareness of the person using them. 

When those elements are aligned, your communications are genuinely protected. When they are not, the illusion of privacy can be far more dangerous than having none at all. 

At coc00n, we bring clarity to this complexity - so you can communicate with confidence, not assumption. Get in touch to secure your devices and digital privacy. 

About the author  

Luke Smyth is CTO at coc00n. Prior to coc00n he worked at GCHQ for almost a decade and developed his expertise in government-level system administration, security architecture and software development. Projects included devising cyber security solutions for critical national infrastructure and working with the NHS during COVID. He has authored best practice guidance and white papers on behalf of the National Cyber Security Centre – the UK’s technical authority. 

