The new WhatsApp terms and policy are on everyone's lips right now. People move to alternatives like Telegram and Signal. While Telegram is arguably more popular than Signal, it might not be as good as assumed. This article covers the privacy aspects of the messengers.
Now, since Terms of Service are notoriously long, difficult to read and full of legalese, the website tosdr.org ("tosdr" is short for "Terms of Service; Didn't Read") tries to cut a path across this jungle of text and helps people get better informed about terms of service. They also provide a rating ranging from very good (A) to very bad (E). WhatsApp has scored their worst possible rating, "E", on their page.
The official WhatsApp website describes their use of data as follows:
By accepting the new terms and policy, you effectively agree that Facebook and its subsidiaries have access to more of your data. It is important to note that the content itself - your messages and any media you send or receive - can still only be seen by sender and receiver due to the use of end-to-end encryption. This is not really a reason to breathe easy. The reason is the metadata that is generated along the way. To get a good idea of what people are talking about, Facebook or its subsidiaries do not need to be able to read your messages directly. Based on correlated data, companies with access to this data can make very good and sometimes scarily accurate guesses as to who you are corresponding with and what about.
In the wake of all the discussions about privacy and Facebook's voracious appetite for data, you might find yourself wondering whether there is an alternative. Luckily there is. There are several alternatives, in fact, two of which seem to garner more attention than others. So if you are thinking "Telegram or Signal?" - read on.
Signal is a free open source end-to-end encrypted messenger. The source code is available on the project's GitHub page. A desktop client for Windows, Linux and Mac is available, as are clients for Android, iPhone and iPad.
Signal's simple design philosophy, which leaves out features that raise privacy concerns, is something we like. If you like posting status updates and also like to check who and how many people saw them, we have bad news for you - you can't do that with Signal. The tradeoff is verifiable privacy vs. additional features. In the end it comes down to a decision between keeping some "nice to have" comfort features versus giving up on privacy. This call is unfortunately yours alone to make - but as long as you make a conscious and informed decision for either solution, it is valid.
Fun fact #1: WhatsApp's new changes essentially were good advertisements for alternatives like Signal. Signal's verification codes were delayed as so many new people tried to join, according to Signal's tweet:
Verification codes are currently delayed across several providers because so many new people are trying to join Signal right now (we can barely register our excitement). We are working with carriers to resolve this as quickly as possible. Hang in there.
— Signal (@signalapp) January 7, 2021
Fun fact #2: Famous people like Elon Musk tweeting about it have surely helped Signal gain more users too.
— Elon Musk (@elonmusk) January 7, 2021
However, there is an issue that came up more recently with Signal. Critics have pointed out that the domains used by the Signal platform resolve to servers from Google, Amazon, Cloudflare and Microsoft (see this GitHub page). This could be a red flag for data-sensitive users: You may get away from Facebook, but instead you are now stuck with Google or Amazon - neither of which exactly has a stellar track record when it comes to protecting data. So at first glance you would be replacing one evil with another. But is it that bad?
You have to be aware of the fact that Signal uses the zero-knowledge principle. Data like contacts and messages are sent encrypted through those servers, but only the recipient is able to see the decrypted data. In addition, only the recipient sees the sender.
This means that the servers of Signal see metadata, but can't associate it with senders. The only limitation is the IP addresses, which can be seen by the servers. It remains questionable whether it's possible to find the sender based on this information alone (e.g. using IP correlation).
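To make the difference concrete, here is an added example (not part of the original article and not Signal's or WhatsApp's code) that compares what can be inferred from a server log containing sender and recipient with a log in which the sender sits inside the encrypted envelope. All names, IP addresses (documentation ranges) and record fields are constructed, and the two "views" are a simplification of the models described above.

```python
from collections import Counter

# Constructed sample: delivery records as a relay server could log them.
# No message content appears anywhere; this is metadata only.
RECORDS = [
    # (hour_of_day, sender, recipient, source_ip)
    (8,  "alice",  "bob",    "198.51.100.7"),
    (8,  "bob",    "alice",  "203.0.113.20"),
    (13, "alice",  "clinic", "198.51.100.7"),
    (13, "clinic", "alice",  "192.0.2.55"),
    (14, "alice",  "bob",    "198.51.100.7"),
    (22, "carol",  "bob",    "203.0.113.99"),
]

def full_metadata_view(records):
    """What a server sees when it logs both sender and recipient."""
    return [(hour, sender, recipient) for hour, sender, recipient, _ip in records]

def sealed_view(records):
    """What a server sees when the sender is only readable by the recipient:
    delivery time, recipient and the connection's source IP (assumed fields)."""
    return [(hour, recipient, ip) for hour, _sender, recipient, ip in records]

def contact_pairs(view):
    """Who talks to whom, and how often, from the full-metadata view."""
    return Counter(frozenset((sender, recipient)) for _h, sender, recipient in view)

def residual_links(view):
    """The only linkage left in the sealed view: source IP -> recipient."""
    return Counter((ip, recipient) for _h, recipient, ip in view)

if __name__ == "__main__":
    print("Full metadata, contact graph:")
    for pair, count in contact_pairs(full_metadata_view(RECORDS)).most_common():
        print("  ", " <-> ".join(sorted(pair)), count)
    print("Sealed view, IP-to-recipient links:")
    for (ip, recipient), count in residual_links(sealed_view(RECORDS)).items():
        print("  ", ip, "->", recipient, count)
```

In the first view the relationship between accounts falls out of a simple count; in the second, sender names are gone and only the source IP remains as a possible identifier, which is the residual exposure mentioned above.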
Telegram is widely used and is seen by many as a more secure messenger. And in many respects it is. It uses the encryption protocol called "MTProto". However, Telegram is not entirely open source: The backend infrastructure is closed source - a point that might irk some people. The API and the end client are open source. But how good is Telegram, really?
In the default settings, messages are not encrypted and are sent through Telegram's servers.
There is the option in any chat to enable a "Secret chat". If this option is enabled, all communication from that moment on is encrypted using the "MTProto" protocol. We believe that many people have the perception that their messages are secure, while the content of their messages actually has less protection than it would have on WhatsApp.
On a positive note, "Secret chats" offer the ability to send self-destructing messages. With this feature, the chat is encrypted, isn't stored on Telegram's servers and, after the predefined time, is not even available to the users who messaged each other.
Also, there are many interesting public chats and channels to join. The topics cover everything you can think of - philosophy books, funny videos or the latest movies to watch. Once you have joined a couple of these chats, you no longer chat only with friends you already know, but also with strangers who are interested in the same topics as you.
In the end, a messenger is chosen by personal preference. If you value convenience and don't want the hassle of new things, then WhatsApp is fine for you. For the more security-aware people, Telegram is a good step in the right direction, as it offers the option for end-to-end encrypted chats and is not known to share data with Facebook and its subsidiaries.
Ultimately, Signal is the clear winner when it comes to privacy. You can see a handy overview of the most important features below.
Bonus: The great voice quality in a call is also a clear winning point for Signal. According to people we tried this out with, "The audio is so much cleaner and has far fewer drop-outs than what we know from WhatsApp!".
People do not want to blindly hand out their data anymore. For a number of years we have been observing an ever-increasing demand for more privacy-oriented messaging solutions, which until recently had yet to gain major traction. The current WhatsApp policy update has added a lot more momentum to this trend. Many of those who work at G DATA have been early adopters and have added alternative messengers to their roster of communication tools. And in the past few weeks, many have had their messengers flooded with notifications like "Josh joined Telegram!" or "Linda is on Signal!".
This trend is also reflected in Signal's download count at the Google Play Store. Before WhatsApp's update, Signal had about 10 million downloads. Only a couple of days after the announcement, this number has skyrocketed to over 50 million downloads. On the Apple App Store, Signal ranks at #2 in downloads, only surpassed by the newly emerged (and strongly hyped) social media platform Clubhouse.
Up to this point, the predominant observation used to be that people did not seem to care enough about privacy. Many people just could not be bothered with changing their communication platform. We believe that there is a major shift in progress towards more privacy-centered solutions. "But nobody is using it!" is probably the longest-standing argument against changing platforms. But it also becomes a moot point once a critical mass has been reached and peer pressure takes over: When enough friends have switched to an alternative.