Encrypted communication used to be too complicated for mainstream use, but approachable apps like WhatsApp and Signal have become a no-brainer for digital privacy. With all of their security-minded features, like disappearing messages and identity-confirming safety numbers, secure chat apps can rightfully give you peace of mind. You should absolutely use them. As the adage goes, though, there's no such thing as perfect security. And feeling invincible could get you in trouble.

End-to-end encryption transforms messages into unintelligible chunks of data as soon as a user presses send. From there, the message isn't reconstituted into something understandable until it reaches the receiver's device. Along the way, the message is unreadable, protected from prying eyes. It essentially amounts to a bodyguard who picks you up at your house, rides around with you in your car, and walks you to the door of wherever you're going. You're safe during the transport, but your vigilance shouldn't end there.

"These tools are hugely better than traditional email and things like Slack" for security, says Matthew Green, a cryptographer at Johns Hopkins University. "But encryption isn’t magic. You can easily get it wrong. In particular, if you don’t trust the people you’re talking to, you’re screwed."

On one level it's obvious that both you and the person you're chatting with have access to the encrypted conversation—that's the whole point. But it's easy to forget in practice that people you message with could show the chat to someone else, take screenshots, or retain the conversation on their device indefinitely.

Former Trump campaign chair Paul Manafort found this out the hard way recently, when the FBI obtained messages he'd sent over WhatsApp from the people who received them.

'Encryption isn’t magic. You can easily get it wrong. In particular, if you don’t trust the people you’re talking to, you’re screwed.' Matthew Green, Johns Hopkins University

In another current investigation, the FBI was able to access Signal messages sent by former Senate Intelligence Committee aide James Wolfe, and had at least some information about the encrypted messaging habits of New York Times reporter Ali Watkins, after the Justice Department seized her communications records as part of a leak investigation. Though it's unknown how the FBI gained access to these encrypted chats, it wouldn't necessarily have taken a crypto-breaking backdoor if investigators had device access or records from other chat participants.

You also need to keep track of how many devices you've stored your encrypted messages on. If you sync chats between, say, your smartphone and your laptop, or back them up in the cloud, there are potentially more opportunities for the data to be exposed. Some services, like iMessage and WhatsApp, either have cloud backups enabled by default or nudge users toward it to streamline the user experience. Manafort provides a useful illustration once again; investigators accessed his iCloud to access some of the same information informants gave them, as well as to glean new information about his activity. The chats were encrypted in WhatsApp; the backups were not.

"Digital systems strew data all over the place," Green notes. "And providers may keep metadata like who you talked to and when. Encrypted messaging apps are valuable in that they tend to reduce the number of places where your data can live. However, the data is decrypted when it reaches your phone."

That's where operations security comes in, the process of protecting information by looking holistically at all the ways it could be obtained, and defending against each of them. An "opsec fail," as it's known, happens when someone's data leaks because they didn't think of a method an attacker could use to access it, or they didn't carry out the procedure that was meant to protect against that particular theft strategy. Relying solely on these encrypted messaging tools without considering how they work, and without adding other, additional protections, leaves some paths exposed.

"Good opsec will save you from bad crypto, but good crypto won't save you from bad opsec," says Kenn White, director of the Open Crypto Audit Project, referencing a classic warning from security researcher The Grugq. "It's easy for people to be confused."