Why I told my friends to stop using WhatsApp and Telegram
A comparison of messaging apps’ privacy features
This morning I told my friends to stop using WhatsApp and Telegram and sent them an invitation to switch to the Signal messaging app.
Here’s why.
Encryption Protocols: The Signal Protocol vs. Telegram’s MTProto
You may not realize it, but you’re probably already using the Signal Protocol — along with more than 1 billion people every day.
The Signal Protocol is used by WhatsApp, Facebook Messenger, Google Allo and Signal’s own messaging app.
But what is the Signal Protocol?
The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for instant messaging conversations. — Wikipedia
End-to-end encryption ensures that your message is turned into a secret message by its original sender, then decoded only by its final recipient.
That’s what WhatsApp started to use a few months ago when they displayed this message in your conversation:
The Signal Protocol was built by Open Whisper Systems, a nonprofit group that was founded in 2013 by former Twitter head of security Moxie Marlinspike after the 140-character messaging platform acquired Open Whisper’s first secure messaging company.
Open Whisper Systems focuses on the development of the Signal Protocol and also maintains a messaging application called Signal. The nonprofit is funded through a combination of donations and grants.
In October 2016, the Signal Protocol was reviewed by an international team of security researchers and got glowing reviews.
Reading the above, you might think you are fine since WhatsApp, Facebook Messenger, and Google Allo also use the Signal Protocol.
Well, you’re not.
Facebook Messenger and Google Allo don’t enable end-to-end encryption by default. Facebook Messenger users have to enable “Secret Conversations” and Google Allo users have to enable Incognito Mode.
Telegram, the 100-million-user app made by social network VK’s founder Pavel Durov, uses its own encryption protocol: MTProto. Telegram was the subject of a lot of controversy over its encryption protocol. Then in 2015, a security researcher published a paper revealing several major exploits in MTProto and concluded that Telegram shouldn’t have tried to roll their own encryption.
So this leaves us with WhatsApp and Signal — the only two applications to use the Signal Protocol by default for all messages sent.
You may be asking — why not stick with WhatsApp then?
The reason lies in WhatsApp’s collection of metadata.
Data collection and metadata
Metadata and data collection have often been at the center of debates, with parties often making statements along the lines of:
We can’t listen/read the content of your communication because we use end-to-end encryption, we can only collect metadata.
Metadata has often been a blurry term. For your convenience, below is a clarified definition of metadata:
If you’re still unclear about what metadata is, read the post from EFF by Kurt Opsahl. He gives examples of what companies or governments know when they collect metadata:
They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
Now that you know what metadata is, let me reiterate: using end-to-end encryption does not prevent messaging services from collecting metadata.
Let’s see what these guys are collecting:
WhatsApp’s FAQ states that its app has access to all the phone numbers in your address book, and that it collects a myriad of information about you.
What’s interesting is that WhatsApp doesn’t store your messages on its servers. Instead, your messages are stored on your phone — then ultimately on the servers where you back up your phone. For example, if you use an iPhone, all your WhatsApp messages are stored in iCloud.
As for the information WhatsApp collects about when, where, and with whom you communicate, it’s a lot more vague. Here’s what they say:
Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.
WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number.
And if they can’t collect that information through your phone, they’ll obtain it when people message you, since WhatsApp also has access to your friends’ activity data.
Besides the unencrypted backups, other concerns were outlined by the Electronic Frontier Foundation over key change notification, WhatsApp’s web app, and its sharing of data with Facebook, who acquired WhatsApp in 2014.
Speaking of Facebook…
Facebook Messenger
MIT Technology Review wrote:
Facebook is collecting the most extensive data set ever assembled on human social behavior.
I don’t need to break down what data Facebook collects. Facebook is your friend, so they made it very simple for you to understand just how close of a friend they are:
Google Allo
Google Allo has been widely criticized by security experts.
Not only can Google actually read every message you say, they will store all conversations.
It is that simple.
Here’s Edward Snowden’s tongue-in-cheek advertisement for Allo:
Telegram
Telegram is a tricky one since, as I mentioned, its encryption protocol is not secure. But let’s set that aside and look at what they collect from you.
Messages, photos, videos, and documents are encrypted and stored on Telegram’s servers (except for the Secret Chat messages, which aren’t stored on Telegram’s servers). Like WhatsApp and Facebook, Telegram accesses and stores your contact list on its server. This is how they’re able to send you a notification when someone new from your contact list joins Telegram. Nice of them, right?
Signal
The only data Signal retains is the phone number you register with and when you last logged into their server.
That is it.
It doesn’t even record the hour, minute, or second — only the day.
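An added illustration, not code from any of the apps discussed: a constructed log of encrypted-message envelopes, the kind of inference the EFF examples above describe drawn from it without touching the ciphertext, and the same log reduced to the account and day of last connection described in this section. The account names, record layout and function names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of what a relay server can log for end-to-end encrypted
# messages: (sender, recipient, timestamp, ciphertext). The body is opaque to
# the server; the envelope around it is not. All names are made up.
ENVELOPES = [
    ("alice", "hiv-testing-service", "2017-01-10T09:05:12", b"\x8f\x1c\x02"),
    ("alice", "doctor",              "2017-01-10T09:21:40", b"\x11\xa9\x7e"),
    ("alice", "health-insurer",      "2017-01-10T09:48:03", b"\xc4\x00\x5b"),
    ("alice", "bob",                 "2017-01-12T20:15:00", b"\x3d\x3d\x90"),
    ("bob",   "alice",               "2017-01-12T20:16:30", b"\x77\x10\xee"),
]


def contact_bursts(envelopes, sender, window=timedelta(hours=1)):
    """Group one sender's recipients into runs that fall inside `window`.

    Only envelope fields are read; the ciphertext is never touched.
    """
    events = sorted(
        (datetime.fromisoformat(ts), rcpt)
        for snd, rcpt, ts, _body in envelopes
        if snd == sender
    )
    bursts, current, start = [], [], None
    for when, rcpt in events:
        if start is None or when - start > window:
            if current:
                bursts.append(current)
            current, start = [], when
        current.append(rcpt)
    if current:
        bursts.append(current)
    return bursts


def minimized_records(envelopes):
    """Keep only the account and the day it last connected (no time, no peer).

    Assumption for the example: every send counts as a connection.
    """
    last_seen = {}
    for snd, _rcpt, ts, _body in envelopes:
        day = datetime.fromisoformat(ts).date()
        last_seen[snd] = max(day, last_seen.get(snd, day))
    return {acct: day.isoformat() for acct, day in last_seen.items()}


if __name__ == "__main__":
    print(contact_bursts(ENVELOPES, "alice"))
    print(minimized_records(ENVELOPES))
```

The first function recovers who was contacted in the same hour from a log that never held a readable message; the second keeps nothing from which that sequence could be rebuilt.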
If you’re feeling mischievous, Signal even has disappearing messages.
And Signal is free. Really free. Meaning that they aren’t trying to turn your eyeballs into a product for advertisers like Facebook, Telegram, or Google want to do with their messaging apps. You can donate to Signal here.
By the way, Signal code is free and open-source, available on GitHub for you to check.
Why should you care about your privacy?
You might be tempted to say something like:
Who cares? I have nothing to hide.
If you don’t think privacy is all that important:
- Watch Glenn Greenwald’s TED talk on why privacy matters.
- Read Quincy Larson’s article about how to encrypt your life in less than an hour.
- Read Fábio Esteves’s post to understand why you should care.
- And here’s more on why encryption is a human right by Electronic Frontier Foundation’s Amul Kalia.
Feel free to reach out to me on Twitter if you want to chat, or for a coffee if you pass by Hong Kong.