Privacy: Hey there! I am not using WhatsApp.

02/05/2021
G DATA Blog

The new WhatsApp terms and policy are on everyone's lips right now. People move to alternatives like Telegram and Signal. While Telegram is arguably more popular than Signal, it might not be as good as assumed. This article covers the privacy aspects of the messengers.

WhatsApp's new terms and policy

Before the latest update, users had the option to choose not to have data shared with Facebook. This time, users do not get a choice in the matter. The latest update to the Terms of Service aims to achieve a better integration of other services offered by Facebook. The new privacy policy becomes effective on February 8, 2021. If by that date a user doesn't choose to accept, the access to the App is lost.
Now, since Terms of Service are notoriously long, difficult to read and full of legalese, the website tosdr.org ("tosdr" is short for terms of service, didn't read) tries to cut a path across this jungle of text and helps to get better informed about terms of services. They also provide a rating ranging from very good (A) to very bad (E). WhatsApp has scored their worst possible rating "E" on their page.

The official WhatsApp website describes their use of data as follows:

"WhatsApp currently shares certain categories of information with Facebook Companies. The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent." - Taken from WhatsApp's FAQ page

Ramifications and exceptions

By accepting the new terms and policy, you effectively agree that Facebook and its subsidiaries have access to more of your data. It is  important to note that the content itself - your messages and any media you send or receive - can still only be seen by sender and receiver due to the use of end-to-end encryption. This is not really a reason to breathe easy. The reason is the metadata that is generated along the way. To get a good idea of what people are talking about, Facebook or its subsidiaries do not need to be able to read your messages directly. Based on correlated data, companies with access to this data can make very good and sometimes scarily accurate guesses as to who you are corresponding with and what about.

There are some exceptions: WhatsApp users located in Europe and the UK won't see any changes to the use of their data (yet).A spokesperson for WhatsApp stated: "There are no changes to WhatsApp’s data sharing practices in the European region (including UK) arising from the updated Terms of Service and Privacy Policy". (source) While this means that data sharing didn't get worse, it also means that it didn't get any better.

In the wake of all the discussions about privacy and Facebook's voracious appetite for data, you might find yourself wondering whether there is an alternative. Luckily there is. There are several alternatives, in fact, two of which seem to garner more attention than others. So if you are thinking "Telegram or Signal?" -  read on.

Signal: The simple and private alternative for WhatsApp

Signal is a free open source end-to-end encrypted messenger. The source code is available on the project's GitHub page. A desktop client for Windows, Linux and Mac is available, as are clients for Android, iPhone and iPad.

Signal's simple design philosophy without privacy concerning features is something we like. If you like posting status updates and also like to check who and how many people saw it, we have bad news for you - You can't do that with Signal. The tradeoff is verifiable privacy vs. additional features. In the end it comes down to a decision between keeping some "nice to have" comfort features versus giving up on privacy. This call is unfortunately yours alone to make - but as long as you make a conscious and informed decision for either solution, it is valid.


Fun fact #1: WhatsApp's new changes essentially were good advertisements for alternatives like Signal. Signal's verification codes were delayed as so many new people tried to join, according to Signal's tweet:

Fun fact #2: Famous people like Elon Musk tweeting about it surely have helped Signal getting more users too.
 


However, there is an issue that came up more recently with Signal. Critics have pointed out that the domains used by the Signal platform resolve to servers from Google, Amazon, Cloudflare and Microsoft (see this  Github page). This could be a red flag for data sensible users: You may get away from Facebook, but instead you are now stuck with Google or Amazon - both do not exactly have a stellar track record when it comes to protecting data. So at first glance you would be replacing one evil with another. But is it that bad?

You have to be aware of the fact that Signal uses the zero-knowledge principle. Data like contacts and messages are sent encrypted through those servers, but only the recipient is able to see the decrypted data. In addition, only the recipient sees the sender.

This means that the servers of Signal see metadata, but can't associate them with senders. The only limit are the IP-addresses, which can be seen by the servers. It remains questionable if it's possible to find the sender based on this info alone (eg. using IP correlation).

Telegram: The player between WhatsApp and Signal

Telegram is widely used and is seen by many as a more secure messenger. And in many respects it is. It uses the encryption protocol called "MTProto". However, Telegram is not entirely open source: The backend infrastructure is closed source - a point that might irk some people. The API and the end client is open source. But how good is Telegram, really?

In the default settings, messages are not encrypted and are sent through Telegram's servers.
There is the option in any chat to enable a "Secret chat". If this option is enabled, all communication from that moment on is encrypted using the "MTProto" protocol. We believe that many people have the perception of secure messages, while actually having a lower security with their message content than WhatsApp.

On a positive note, "Secret chats" offer the ability for self-destructing messages. Using this, the chat is encrypted, isn't stored on Telegrams servers and after the predefined time not even available to the users who messaged each other.

Also, there are many interesting public chats and channels to join. The topics are about everything you can think of - Philosophy books, funny videos or the latest movies to watch. After you joined a couple of these chats, you no longer only chat with friends you already know, but with strangers that are interested in the topic you're interested into as well.

Overview

In the end, a messenger is chosen by personal preferences. If you're a convenient person that doesn't want the hassle with new things, then WhatsApp is fine for you. For the more security aware people, Telegram is a good step in the right direction, as it offers the option for end-to-end encrypted chats and is not known to share data with Facebook and its subsidiaries.

Ultimately, Signal is the clear winner when it comes to privacy. You can see a handy overview of the most important features below.

Bonus: The great voice quality in a call is also a clear winning point for Signal. According to people we tried this out with, "The audio is so much cleaner and has far fewer drop-outs than what we know from WhatsApp!".

Outlook

People do not want to blindly hand out their data anymore. For a number of years we have been observing an ever increasing demand for more privacy-oriented messaging solutions, which until recently had yet to gain major traction. The current WhatsApp policy update has added a lot more momentum to this trend. Many of those who work at G DATA have been early adopters and have added alternative mesengers to their roster of communication tools. And in the past few weeks, many have had their messengers flooded with notifications like "Josh joined Telegram!" or "Linda is on Signal!".

This trend also reflects in Signal's download count at the Google Play Store. Before WhatsApp's update, Signal had about 10 million downloads. Only a couple days after the annoucement, this number has skyrocketed to over 50 million downloads. On the Apple App Store, Signal ranks at #2 in downloads, only surpassed by the newly emerged (and strongly hyped) social media platform Clubhouse.

Up to this point, the predominant observation used to be that people did not seem to care enough about privacy. Many people just could not be bothered with changing their comminication platform. We believe that there is a major shift in progress towards more privacy-centered solutions. "But nobody is using it!" is probably the longest-standing argument against changing platforms. But it also becomes a moot point once a critical mass has been reached and peer pressure takes over: When enough friends have switched to an alternative.