January 9, 2017

Why I told my friends to stop using WhatsApp and Telegram

Edit 2022: this blog post no longer reflects my views. I deleted Signal, also a walled garden.

Even with end-to-end encryption Big Brother is still in your phone - culprit: metadata.

This morning I told my friends to stop using WhatsApp and sent them an invitation to switch to Signal messaging app.

Here’s why.

Encryption Protocols: The Signal Protocol VS Telegram’s MTProto

You may not realize it, but you’re probably already using the Signal Protocol — along with more than 1 billion people every day.

The Signal Protocol is used by WhatsApp, Facebook Messenger, Google Allo and Signal’s own messaging app.

But what is the Signal Protocol?

The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for instant messaging conversations. — Wikipedia

End-to-end encryption ensures that your message is turned into a secret message by its original sender, then only decoded by its final recipient.

That’s what WhatsApp started to use a few months ago when they displayed this message in your conversation:

[Image: WhatsApp encryption announcement message]

The Signal Protocol was built by Open Whisper Systems, a nonprofit group that was founded in 2013 by former Twitter head of security Moxie Marlinspike. Back in 2011 the 140-character messaging platform had acquired Marlinspike's first secure messaging company, Whisper Systems.

Open Whisper Systems focuses on the development of the Signal Protocol and also maintains a messaging application called Signal. The nonprofit is funded through a combination of donations and grants.

In October 2016, the Signal Protocol was reviewed by an international team of security researchers and got glowing reviews [1].

Reading the above, you might think you are fine since WhatsApp, Facebook Messenger, and Google Allo also use the Signal Protocol.

Well, you’re not.

Facebook Messenger and Google Allo don’t enable end-to-end encryption by default. Facebook Messenger users have to enable “Secret Conversations” and Google Allo users have to enable Incognito Mode.

Telegram, the 100-million-user app made by social network VK's founder Pavel Durov, uses its own encryption protocol: MTProto. Telegram was the subject of some minor controversies over its encryption protocol. Then in 2015, a security researcher published a research paper detailing theoretical weaknesses* in MTProto. This paper was refuted by Telegram in a blog post where they clarified why MTProto is safe.

Then we have WhatsApp and Signal — the only two applications to use the Signal Protocol by default for all messages sent.

You may be asking — why not stick with WhatsApp then?

The reason lies in WhatsApp’s collection of metadata.

Data collection and metadata

Metadata and data collection have often been at the center of debates, with parties often claiming some statements along the line of:

We can’t listen/read the content of your communication because we use end-to-end encryption, we can only collect metadata.

Metadata has often been a blurry term. For your convenience, below is a clarified definition of metadata:

[Image: definition of metadata by Edward Snowden]

If you’re still unclear about what metadata is, Kurt Opsahl from the Electronic Frontier Foundation gives examples of what companies or governments know when they collect metadata [2]:

“They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.

They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.

They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.”

Now that you know what metadata is, let me reiterate: using end-to-end encryption does not prevent messaging services from collecting metadata.

Let’s see what these guys are collecting:

WhatsApp

WhatsApp’s FAQ states [3] that its app has access to all the phone numbers in your address book, and that it collects [4] a myriad of information about you.

What’s interesting is that WhatsApp doesn’t store your messages on its servers. Instead, your messages are stored on your phone, and then ultimately on the servers where you back up your phone. For example, if you use an iPhone and have iCloud backup enabled, all your WhatsApp messages end up stored in iCloud.

As for the information WhatsApp collects about when, where, and with whom you communicate, it’s a lot more vague. Here’s what they say:

Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.

WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number.

And if they can’t collect that information through your phone, they’ll obtain it when people message you, since WhatsApp also has access to your friends’ activity data.

Besides the unencrypted backups, other concerns were outlined by the Electronic Frontier Foundation over key change notification, WhatsApp’s web app, and its sharing of data with Facebook, who acquired WhatsApp in 2014.

Speaking of Facebook…

Facebook Messenger

MIT Technology Review wrote:

“Facebook is collecting the most extensive data set ever assembled on human social behavior.” [5]

I don’t need to break down what data Facebook collects. Facebook is your friend, so they made it very simple for you to understand just how close of a friend they are:

[Image: Facebook data collection policy]

Google Allo

Google Allo has been widely criticized [6] by security experts.

Not only can Google actually read every message you say, they will store all conversations.

It is that simple.

Here’s Edward Snowden’s tongue-in-cheek advertisement for Allo:

[Image: Snowden strongly advised against using Google’s Allo]

Telegram

Messages, photos, videos, and documents are encrypted and stored [7] on Telegram’s servers (except for Secret Chat messages, which aren’t stored on Telegram’s servers). Like WhatsApp and Facebook, Telegram accesses and stores your contact list on its servers. This is how they are able to send you a notification when someone new from your contact list joins Telegram.

Signal

Edit June 2022: I no longer use Signal. I deleted my account, mainly because it is a walled garden.

The only data Signal retains [8] is the phone number you register with and when you last logged into their server.

That is it.

It doesn’t even record the hour, minute, or second — only the day.
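To make the two points above concrete (end-to-end encryption hides content but not metadata, and a service can choose to retain far less than it sees), here is an added, self-contained Python illustration. It is not code from the original post, from Signal or from any of the apps discussed. It uses a deliberately toy stream cipher (SHA-256 in counter mode plus an HMAC tag) in place of the Signal Protocol, a constructed pre-shared key instead of a real key agreement, and a constructed relay server whose `retention` setting is either `"full"` (who, to whom, exact time, size of every message, as the WhatsApp policy text above describes for usage and log information) or `"day"` (only the day each user last connected, as described for Signal). The names `Relay`, `run_demo` and the sample message are all invented for this example.

```python
"""Toy end-to-end relay: the server forwards ciphertext it cannot read,
yet it still sees who talks to whom, when, and how much.
Added example; not the Signal Protocol and not any app's real code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed pre-shared key. A real messenger derives this per session
# (X3DH / Double Ratchet in Signal's case); key agreement is out of scope here.
KEY = hashlib.sha256(b"constructed demo secret - not a real key").digest()

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy stream cipher keystream: SHA-256 over (key || nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """Constructed relay server. It never holds KEY, so it only ever sees
    ciphertext, but it decides for itself how much metadata to keep."""

    def __init__(self, retention="full"):
        assert retention in ("full", "day")
        self.retention = retention
        self.log = []          # "full": one record per message
        self.last_seen = {}    # "day": user -> last-connection day only
        self.mailbox = {}      # recipient -> queued (sender, ciphertext)

    def deliver(self, sender, recipient, blob, now):
        if self.retention == "full":
            self.log.append({"from": sender, "to": recipient,
                             "at": now.isoformat(), "bytes": len(blob)})
        else:
            # Truncate to the calendar day: the server forgets hour/minute/second.
            self.last_seen[sender] = now.date().isoformat()
        self.mailbox.setdefault(recipient, []).append((sender, blob))

    def fetch(self, recipient):
        return self.mailbox.pop(recipient, [])


def tamper_detected(blob):
    """True if flipping one ciphertext bit makes decrypt() reject the blob."""
    damaged = bytearray(blob)
    damaged[NONCE_LEN] ^= 0x01
    try:
        decrypt(KEY, bytes(damaged))
        return False
    except ValueError:
        return True


def run_demo(retention="full"):
    """Alice sends Bob one message through the relay; returns what each party ends up with."""
    relay = Relay(retention)
    sent_at = datetime(2017, 1, 9, 2, 24, tzinfo=timezone.utc)  # constructed timestamp
    message = b"call me at 2:24"                                # constructed plaintext
    wire = encrypt(KEY, message)                                 # what the server sees
    relay.deliver("alice", "bob", wire, sent_at)
    sender, received = relay.fetch("bob")[0]
    return {
        "plaintext": decrypt(KEY, received),  # only Bob (holding KEY) recovers this
        "wire": wire,
        "log": relay.log,
        "last_seen": relay.last_seen,
    }


if __name__ == "__main__":
    for mode in ("full", "day"):
        r = run_demo(mode)
        print(mode, "->", "bob reads:", r["plaintext"], "| server log:", r["log"],
              "| last seen:", r["last_seen"])
```

Running it shows the asymmetry the post is about: in `"full"` mode the relay's log holds sender, recipient, exact timestamp and message size for every message (enough to reconstruct the kind of facts in Opsahl's examples) while the plaintext never appears on the wire; in `"day"` mode the same traffic leaves behind nothing but a calendar date per user.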

If you’re feeling mischievous, Signal even has disappearing messages.

And Signal is free. Really free. Meaning that they aren’t trying to turn your eyeballs into a product for advertisers, as Facebook and Google do with their messaging apps. You can donate to Signal here.

By the way, Signal's code is free and open-source, available for you to check [9].

Why should you care about your privacy?

You might be tempted to say something like:

“Who cares? I have nothing to hide.”

If you think you have nothing to hide, try one thing: share the password of your mailbox with your friends.


This blog post was translated in:

Originally published by FreeCodecamp.

Edit 24/01/2017: previously we stated that “[Telegram’s] encryption protocol [was] not secure”. Telegram brought some clarification by publishing a blog post commenting on the findings of J. Jakobsen [10].


  1. Signal’s protocol gets glowing reviews in first security audit, Cyberscoop

  2. Why Metadata Matters, EFF

  3. WhatsApp’s FAQ

  4. WhatsApp’s privacy policy

  5. What Facebook Knows, MIT Technology Review

  6. Google Allo should be deleted and never used, says Edward Snowden, The Independent

  7. Telegram’s privacy policy

  8. Signal’s privacy policy

  9. Signal’s repository

  10. https://telegra.ph/mtproto-security-01-17



No affiliate links, no analytics, no tracking, no cookies. This work © 2016-2024 by yctct is licensed under CC BY-ND 4.0.

GPG fingerprint: 2E0F FB60 7FEF 11D0 FB45 4DDC E979 E52A 7036 7A88