ElevenPaths 17 February, 2021
In the world of smartphones, 2021 began with a piece of news that has left no one indifferent: the update of WhatsApp’s terms and conditions of use. This measure, which was set by Facebook to come into force on 8 February but has finally been delayed to 15 May, has generated a great deal of controversy on social networks given the impact it has had on users’ privacy.
As a consequence, migration to other messaging applications has increased significantly, as can be seen in the graphic below:
Given the situation, in this article we will look at the main differences in terms of security and privacy that exist between the green app, Telegram and Signal. We have discarded applications such as iMessage or Google Messages because they are exclusively for iPhone and Android users, respectively, as well as other minority applications that are less relevant for this comparison.
WhatsApp has more than 2 billion users worldwide. It uses end-to-end encryption in all its chats, both individual and group. This cryptographic system protects messages so that only the sender and receiver can read them and no one else, not even the application itself. The cryptographic algorithms used are Curve25519/AES-256/HMAC-SHA256.
The large amount of data associated with your account that it requests is noteworthy: phone number, user ID, contacts, email, device ID, approximate location, advertising data, purchase history and payment information, product interaction, bug and performance reports, and customer support. The metadata it collects are IP addresses, contacts, network operators, dates of use, location, phone model and device ID.
WhatsApp has some privacy options, such as hiding your username, login time, profile picture, information and status. It also offers two-step verification and a fingerprint unlock option.
Telegram is WhatsApp’s main competitor due to the similarity of its functionalities. It currently has more than 500 million users around the world. This application also uses end-to-end encryption for its communications, but only in secret chats, not in all its chats. Standard chats use server-client encryption, which is nonetheless very robust; in Telegram’s secret chats, the end-to-end encryption layer is added.
The encryption algorithms are RSA 2048/AES 256/SHA-256 (SHA-1 has been removed for its insecurity). Telegram is an open-source app and anyone can review its source code, protocol and API.
The app asks for considerably less data associated with your account than WhatsApp does: phone number, user ID, phone contacts and your account name. In terms of metadata, it collects IP addresses, contacts and devices.
Telegram offers two-step verification (2FA), fingerprint unlocking and an incognito keyboard. In secret chats there are additional functions, such as blocking screenshots or having your messages self-destruct after they have been sent. In addition, if the account is abandoned, it self-destructs, automatically deleting all the information contained on Telegram’s servers. The app allows you to set an empty username so as not to reveal your identity. In the same way, the phone number is not visible unless you allow it.
Telegram has bots, a functionality that allows the automation of a multitude of tasks within the application, for example, spam filtering, phishing detection, etc.
Signal has gone from 10 million to 50 million downloads in just a few days. This is a much more modest number than the two previous apps and its functionalities are more limited (although it has recently replicated several of WhatsApp’s), but the relevance of privacy in public opinion is making it gain popularity among users.
The end-to-end encryption used in all communications is the same as WhatsApp’s (or rather the opposite, as WhatsApp uses the Signal protocol developed by Open Whisper Systems), with the same encryption algorithms: Curve25519/AES-256/HMAC-SHA256. Signal is also open-source so that the developer community can contribute to improving its code.
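How the three primitives named for WhatsApp and Signal (Curve25519, AES-256, HMAC-SHA256) combine so that the relaying server only handles ciphertext, shown as an added example that is not code from either app. It is not the Signal protocol itself (no prekeys, no ratcheting); the HKDF step, the CBC mode, the function names and the sample message are assumptions of this sketch.

```javascript
// Added illustration: NOT the Signal protocol (no prekeys, no Double Ratchet).
// It only shows how Curve25519, AES-256 and HMAC-SHA256 fit together end to end.
const nodeCrypto = require('crypto');

// Each endpoint generates its own Curve25519 (X25519) key pair; private keys stay on the device.
function newIdentity() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Both endpoints derive the same AES-256 and HMAC-SHA256 keys from the ECDH shared secret.
function deriveKeys(myPrivateKey, peerPublicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  const okm = Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(32), 'constructed-demo', 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64) };
}

// Encrypt-then-MAC: AES-256-CBC for confidentiality, HMAC-SHA256 over IV || ciphertext for integrity.
function seal(keys, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', keys.encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = nodeCrypto.createHmac('sha256', keys.macKey).update(iv).update(ct).digest();
  return { iv, ct, tag };
}

// Verify the MAC in constant time before decrypting; reject anything altered in transit.
function unseal(keys, msg) {
  const expected = nodeCrypto.createHmac('sha256', keys.macKey).update(msg.iv).update(msg.ct).digest();
  if (msg.tag.length !== expected.length || !nodeCrypto.timingSafeEqual(msg.tag, expected)) {
    throw new Error('authentication failed');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', keys.encKey, msg.iv);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString('utf8');
}

// Constructed scenario: the server relays public keys and ciphertext only.
function demo() {
  const [alice, bob] = [newIdentity(), newIdentity()];
  const aliceKeys = deriveKeys(alice.privateKey, bob.publicKey);
  const bobKeys = deriveKeys(bob.privateKey, alice.publicKey);
  const wire = seal(aliceKeys, 'meet at 18:00');      // what the server stores and forwards
  const received = unseal(bobKeys, wire);
  const tampered = { ...wire, ct: Buffer.from(wire.ct) };
  tampered.ct[0] ^= 0x01;                             // one bit changed in transit
  let rejected = false;
  try { unseal(bobKeys, tampered); } catch (e) { rejected = true; }
  return { received, rejected, serverSeesPlaintext: wire.ct.includes('meet at 18:00') };
}
```

In a server-client scheme such as the one described for Telegram's standard chats, the server would be one of the two endpoints calling `deriveKeys`, which is why it can read the content there.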
Signal also includes two-step verification. Your username and profile picture are visible to your contacts, and this is not configurable. Other key features include the ability to enable confidential sender to send messages without sharing your profile, temporary messages and screenshot blocking (like Telegram), and redirecting calls through Signal’s servers to keep your IP hidden.
The only information this app asks for is your phone number. That’s right, a phone number is enough to create a Signal account. Also, the only metadata it stores is the date of the last connection.
Let us recap what we have seen in the following table:
As can be seen, there are alternatives with less impact on users’ privacy. However, the strong network of users that WhatsApp has built up thanks to its popularity may raise the question: how will I be able to talk to my contacts if they are still using WhatsApp? This question, along with the small differences between the apps’ functionalities, implies a decision that only users can make.