Jan 14
Here’s Why Signal Is Better for Your Privacy Than WhatsApp or Telegram
*Note: This article was originally published by the author on January 10, 2021.
Global mass surveillance by governments is all the rage these days in case you’ve been living under a rock somewhere. You, being a private citizen “X” of country “Y” may not wish to be surveilled where and when you can prevent it by using “Z” privacy tool. Now, it’s important to first understand that there are certain aspects of using the internet that is beyond your control. There will be digital breadcrumbs that can be traced back to you, that’s almost guaranteed in all instances. How much so, however, depends on how you use the internet and what privacy tools can do to help obscure your private information and messages.
What is in your control to some extent thanks to modern technology is whether or not anyone else, including your government, can intercept and read your private messages. When it comes to secure messaging apps, there are several different options available. However, in terms of digital privacy, not all of these messaging apps are created equally. This article will look at three of the most popular secure messaging apps: Signal, WhatsApp, and Telegram.
Secure messaging app users should take the time to weigh factors such as who owns and designed the app and how their track record is in terms of security and privacy. As much as security and privacy are separate aspects of technology, privacy is very much dependent on security. Additionally, reading technical security reviews of any app before installing it on your device is recommended.
Most Important Factors to Consider
- Does it have End-to-End Encryption (E2EE)? E2EE is essential for ensuring the privacy of your private messages so that even the app company is not able to read your private messages. Additionally, is the app’s E2EE enabled by default, or is it something that a user is expected to configure themselves?
Also important to mention is the fact that your securely encrypted messages are not encrypted while you’re drafting them on your mobile device or in plain view of someone shoulder surfing you. In fact, until the message is sent and stored in an encrypted format with the phone locked or in some cases turned off completely, law enforcement could seize your phone away from you and access your messages while your phone is an unlocked state and the app is open on your device. This is why implementing full-device encryption and phone/app screen lock settings are important. Apple has done well with this feature and is a privacy selling point for its iPhones. Governments can pay for hacking tools to crack iPhone encryption though. So, if the app has a PIN or password to further protect your private messages, then you should enable it.
- Is the code open-sourced? Open-sourced code provides transparency of what is going on with the code “under-the-hood” of the application.
It provides the opportunity for industry cryptography experts to peer review the code for flaws in how the encryption is securely implemented. This a net win for you the user. Proprietary code doesn’t allow for peer review.
- What private data does the app collect?
This is important because the company could share that data with third-party data brokers (i.e., read the Terms of Service and Privacy Policy carefully), or if there is a data breach, that private data of yours could end up being leaked all over the Web by criminal hackers.
- Where is the app company headquartered?
This is another important factor to consider due to privacy laws in that particular country or region (e.g., the European Union’s General Data Protection Regulation or California’s Consumer Privacy Rights Act ) and the infrastructure jurisdiction location. Will authorities be able to easily request or compel the app company to provide private user data? This depends on what privacy laws exist in that particular location.
- End-to-End Encrypted? Yes, though it’s not enabled by default. When Facebook acquired WhatsApp in 2014, the Signal protocol was already baked into WhatsApp which uses Perfect Forward Secrecy (PFS) for text/voice messages and video calls. After selling WhatsApp to Facebook, co-founder Brian Acton stuck around for a few more years, and then in 2017, he left WhatsApp to create the Signal Foundation and app which also uses the Signal protocol and which is now a WhatsApp competitor.
- Open-Sourced Code? No.
- Private Data Collected? Lots. WhatsApp shares a lot of information with its parent company Facebook. How you use WhatsApp, your app setting configurations, how you interact with other users, length of interactions, info about the other websites and services you use such as messaging, calls made, status, group associations, payment info, profile photos, multiple device characteristics to fingerprint your exact device, precise location data, and other metadata. Scary? You should know that Google does the same.
- Headquarters Location? WhatsApp is owned by Facebook Inc. and consequently is located in Mountain View, California, USA
- Mediums: Android/iOS, Mac or Windows PC
- Cost: Free
- Initial Release Date: February 2009
Pros: It uses the same E2EE as Signal does. WhatsApp also includes a peer-to-peer money transfer feature currently only available in India. Users can manually verify the security of each chat with a 60-digit hash or QR code to ensure the conversation is encrypted with the other party (read: nobody is doing this). Users are able to send voice and video messages, photos, and group chat.
Cons: The obvious Con here, for me at least, to using WhatsApp is that it is owned by Facebook Inc. WhatsApp recently changed its terms of service to force users to share personal data with its parent company Facebook which I think is a dealbreaker for a lot of users. Facebook has a notoriously bad reputation for user privacy. I would sooner use plain text email encrypted with PGP before I used any Facebook app. End of story, moving on.
*Note: Facebook has a major anti-trust lawsuit pending at the time of writing
Telegram
- End-to-End Encrypted? Yes, but not enabled by default and only in Telegram Secret Chats. All messages are encrypted, but only Secret Chat messages are encrypted end-to-end. Telegram uses a custom-built MTProto encryption protocol. Telegram ensures that msg_key is equal to the SHA-256 hash of a fragment of the auth_key concatenated with the decrypted message (including 12…1024 bytes of random padding). The plaintext contains message length, server salt, session_id, and other data not known to the attacker. The AES decryption keys depend both on msg_key, and on auth_key, known only to the parties involved in the exchange.
- Open-Sourced Code? Yes, here.
- Private Data Collected? GDPR-compliant, data such as Name, User ID, Contacts, and Phone Numbers are collected.
- Headquarters Location? Dubai, owned by Telegram Messenger Inc.
- Mediums: Android, iOS, iPad, PC/Mac/Linux, macOS
- Cost: Free for now for regular users and ad-free, but new business features will come at a price to be determined. Telegram also plans to implement its own Ad Platform for public one-to-many channels that will allow Telegram to fund infrastructure costs and pay employee salaries.
- Initial Release Date: August 14, 2013
Pros: Users can set messages to self-destruct (auto-delete), share videos, documents, and participate in group chats with up to 200,000 users. Telegram is confident in their encryption security model enough that they are offering a challenge reward of $300,000 to whoever is able to first break their encryption model. To date, no one has been able to claim the reward.
Cons: Telegram contains a feature called “People Nearby” that exposed the exact GPS locations of other Telegram users and even group chats according to a recent report from security researcher Ahmed Hassan who was able to exploit the feature to triangulate the exact home addresses of other users (Anderson, 2021). Telegram says the feature is disabled by default and that some users choose to share their location data. Maybe it’s just me but when I think about a secure messaging app, the last thing in the world I want is my home address exposed due to an insecure feature within the app.
Additionally, Telegram has been criticized by cryptography experts for its security model which is not very secure. Telegram permanently stores all contacts, messages, and media with their decryption keys on its servers by default. This is not how end-to-end encryption works.
Signal
- End-to-End Encrypted? Yes, by default with the Signal protocol which uses Perfect Forward Secrecy (PFS) for text/voice messages and video calls.
- Open-Sourced Code? Yes under the GPLv3 license.
- Private Data Collected? A phone number for verification purposes only.
- Headquarters Location? Signal Foundation is located in Mountain View, California, USA
- Mediums: Android/iOS
- Cost: Free
- Initial Release Date: July 29, 2014
Pros: Signal is a 501(c)(3) nonprofit that has been approved for use by the US Senate for politicians and their staffers, the European Union (EU) has directed its staff to use it, and it has also been widely touted by top privacy experts like Bruce Schneier, and Matt Green, multiple journalists, and billionaires such as Elon Musk. All of these people have a vested interest in keeping their communications private, as much if not more than you and I. Signal is funded entirely through grants and donations which is important to note because that means they don’t have any incentive to sell your private information to advertisers and third-party data brokers. The Signal protocol was independently audited in 2016 (Long, 2020) and is fully GDPR-compliant which means it should also be compliant with the CPRA also.
Users can configure Signal for disappearing messages (e.g., self-destructing) as well. Signal states that it only logs the minimum amount of data necessary which does not include IP addresses. With Signal, users get a very high level of privacy and security in a secure messaging app that is virtually unparalleled anywhere else at this time. There is a reason authoritarian governments and regimes ban these types of secure messaging apps and even democratic governments want encryption backdoors created for law enforcement and intelligence agencies. It’s because they can’t snoop on the people using them. Let that sink in for a minute.
Dark Mode theme is an option, need I say more?
Cons: Signal doesn’t support two-factor authentication (2FA) and users have to provide their phone number to sign up, unlike the Swiss-based Threema secure messaging app. Not necessarily a “Con” per se, but users have to configure for how long they want Signal to store their encrypted messages on their device under the “Storage” settings. Users may select between options of 1 month (30 days), 6 months, 1 year, or Forever.
Users must also go into the app’s “Privacy” settings and enable “Screen lock,” or “Registration Lock” which requires a 4-digit PIN to unlock and re-register the same phone number on another device. Additionally, despite the Signal Foundation having its infrastructure jurisdiction located in the U.S., the E2EE mitigates the snooping risk to a large extent and places the burden of proof on LEO/IC agencies to extract stored messages from a user’s mobile device.
Mark Williams created a secure messaging app comparison spreadsheet hosted online that he updates frequently (2020) and which answers many more questions about how private a particular secure messaging app really is. The amount of information he covers in the spreadsheet is tremendous but is well outside of the scope of this article as I intend to focus on what I consider to be the three most popular apps: WhatsApp, Telegram, and Signal. I highly encourage readers to visit his site (linked below) to see the great work he’s put into this project.
In conclusion, despite their differences between these three popular secure messaging apps, the main point I want you to walk away with is that you should at least choose a secure messaging app that uses end-to-end encryption. The technology exists and you should absolutely take advantage of it wherever and with whoever is willing to also use the app because remember that in order for an app’s E2EE to work properly, both parties messaging need to have it installed and be using it to keep out prying eyes. Choose an app that is highly rated by privacy and security experts.
My hope is that this short rundown will help you to decide which secure messaging app is the best option for your needs or at least help to reaffirm the choices you have already made. Keep in mind that no app or technology service is ever going to be 100% secure or private. That doesn’t mean we should compromise on all aspects of security and privacy but it does mean that we should temper our user expectations somewhat reasonably. Consider yourself forewarned and mitigate risk whenever possible by limiting what sensitive info you put into it any app, not just secure messaging apps. As for my personal vote, I use Signal and I believe it is the best secure messaging app available at the time of writing.
*The author is an independent security researcher and is not affiliated with Signal or any other secure messaging app developer
Additional Resources:
References:
Anderson, T. (2021, January 5). Bug? No, Telegram exposing its users’ precise location is a feature working as ‘expected’. Retrieved from https://www.theregister.com/2021/01/05/telegram_location_people_nearby/
Long, H. (2020, September 14). Signal Messenger Review. Retrieved from https://restoreprivacy.com/secure-encrypted-messaging-apps/signal/
Williams, M. (2020, December). Secure Messaging Apps Comparison. Retrieved from https://www.securemessagingapps.com/
