Looking for a new messenger app to try? Here are the main privacy differences among some of the biggest players, including the one Elon Musk recommends.
If your choice of encrypted messaging app is a toss-up between Signal, Telegram, and WhatsApp, do not waste your time with anything but Signal. This is not about which app has cuter features, more bells and whistles, or is more convenient to use; this is about pure privacy. Nothing beats Signal if that’s what you’re after.
You probably all know what has happened by now. On Jan. 7, tech billionaire Elon Musk continued his rivalry with Facebook in a tweet heard across the world, calling for people to abandon WhatsApp and use Signal. Twitter CEO Jack Dorsey retweeted his call. Around the same time, after the Capitol attacks, the right-wing social network Parler went dark, while Facebook and Twitter avoided political boycotters. It was the perfect storm: since then, the number of new users on Signal and Telegram has risen by tens of millions.
The jolt also reignited scrutiny of the security and privacy of messaging apps more generally. The three apps currently dominating download numbers have some things in common. All three are mobile apps available in the Play Store and App Store that support cross-platform messaging, have group chat functionality, provide multifactor authentication, and can be used to exchange files and images. All have encryption for texting, voice, and video calls.
Signal, Telegram and WhatsApp all use end-to-end encryption in certain parts of their apps, meaning messages should be scrambled and unreadable if an outside party intercepts them. It also means that when you communicate with another private person, the exact content of your messages allegedly cannot be accessed by the people working for any of those apps. And law enforcement, your cell provider, and other snooping agencies are prevented from reading the contents of your messages when they intercept them (which happens more often than you might think).
However, the differences in privacy and protection between Signal, Telegram and WhatsApp couldn’t be greater. Here’s what each of them wants to know about you.
Signal
- Does not collect data, only your phone number
- Free, no ads, funded by nonprofit Signal Foundation
- Fully open-source
- Encryption: Signal Protocol
Signal is a typical one-tap install app that can be found in the usual marketplaces, such as Google’s Play Store and Apple’s App Store, and it works much like the usual text messaging app. It’s an open-source development supported by the nonprofit Signal Foundation, is free of charge, and has famously been used for years by high-profile privacy icons such as Edward Snowden.
The key advantage of Signal is that it can send fully encrypted text, video, audio and image messages to either an individual or a group, after verifying your phone number and letting you independently verify the identity of other Signal users. For a deeper dive into the possible pitfalls and drawbacks of encrypted messaging apps, CNET’s Laura Hautala’s explainer is a life-saver.
It’s tough to top Signal when it comes to privacy. It doesn’t store user data. And beyond its encryption prowess, it offers you expanded, onscreen privacy options, including app-specific locks, blank notification pop-ups, face-blurring anti-surveillance software, and disappearing messages.
Of course, occasional glitches have shown that the tech is far from bulletproof, but the overall arc of Signal’s credibility and results has kept it at the top of every privacy-savvy user’s list of identity protection tools. The Guardian, the Washington Post, the New York Times (which also suggests WhatsApp) and the Wall Street Journal all recommend that Signal be used to securely contact their reporters.
For years, Signal’s central privacy problem was not its technology, but its broader adoption. It’s nice to send an encrypted Signal message, but if your recipient doesn’t use Signal, then your privacy might be zero. Think of it as the herd immunity provided by vaccination, except for your privacy in messaging.
However, now that the endorsements of Musk and Dorsey have sent a flood of users to get a privacy booster shot, the challenge could be a thing of the past.
Telegram
- Data linked to you: Name, phone number, contacts, user ID
- Free, forthcoming Ad Platform and premium features, funded mainly by founder
- Only partially open-source
- Encryption: MTProto
Telegram falls somewhere in the middle of the privacy scale, and it stands apart from other messenger apps because of its attempts to create a social network-style environment. Although it does not collect as much information as WhatsApp, it does not offer encrypted group calls as WhatsApp does, nor as much user data protection and company transparency as Signal. The data collected by Telegram that could be linked to you includes your name, phone number, contact list, and user ID.
Telegram also collects your IP address, something else Signal does not do. And unlike Signal and WhatsApp, Telegram’s one-to-one messages are not encrypted by default. Instead, you have to turn encryption on in the app’s settings. Telegram group messages are not encrypted either. Researchers found that while some of Telegram’s MTProto encryption scheme was open-source, some parts were not, so what happens to your texts once they are on Telegram’s servers is not entirely clear.
Telegram has had many breaches. In March 2020, some 42 million Telegram user IDs and phone numbers were exposed, believed to be the work of government officials in Iran. After 15 million Iranian users were exposed in 2016, it was the second massive breach linked to Iran. During the Hong Kong demonstrations in 2019, Chinese authorities exploited a Telegram flaw. Then there was the deep-fake bot on Telegram that was allowed to create forged nudes of women from ordinary images. Most recently, the GPS-enabled feature that lets you find people near you has created clear privacy concerns.
After this recent user spike, I reached out to Telegram to find out if there were any big security plans in the works for the app and what its security goals were. When I hear back, I’ll update this post.
WhatsApp
- Data linked to you: Too much to list (see below)
- Free; business versions available for free, funded by Facebook
- Not open-source, except for encryption
- Encryption: Signal Protocol
Let’s be clear: There’s a distinction between privacy and security. Security is about protecting your data from unauthorized access, and privacy is about protecting your identity, no matter who has access to that information.
On the security front, WhatsApp’s encryption is the same as Signal’s, and that encryption is secure. But this encryption protocol is one of the few open-source components of WhatsApp, so we’re being asked to trust WhatsApp more than Signal. Much like Telegram, WhatsApp’s actual app and other infrastructure have also been hacked.
In January 2020, Jeff Bezos’ phone was famously hacked via a WhatsApp video call. In December of the same year, Texas’ attorney general alleged that Facebook and Google reached a back-room agreement to expose WhatsApp message material, although it has not been confirmed. A spyware vendor exploited a WhatsApp vulnerability with its apps to hack 1,400 smartphones, resulting in a Facebook lawsuit. The unencrypted cloud-based backup feature of WhatsApp has long been considered a security risk by privacy experts and was one way the FBI gathered information on the infamous political fixer Paul Manafort. In addition, over the years, WhatsApp has also become known as a haven for scam artists and malware purveyors.
It’s not the security factor that worries me about WhatsApp as much as the privacy, considering the hacks. I am not eager for Facebook to have another piece of software installed on my phone from which it can extract even more behavioral information via an easy-to-use app with a nice interface and more protection than your usual messenger.
While WhatsApp says that the content of the encrypted messages you send to another WhatsApp user cannot be accessed, what it does not say is that there is a laundry list of other data it collects that could be linked to your identity: your unique system ID, usage and advertising data, purchase history and financial information, physical location, phone number, your contact information, and that of your contact list. The list continues. That’s much more than Signal or Telegram.
When I asked the company why users should settle for less data protection, a WhatsApp representative pointed out that it limits what it does with this user information, and that the data collection only applies to certain users. For example, the collection of financial transaction data is relevant only to WhatsApp users in Brazil, where the service is available.
“We do not share your contacts with Facebook, and we cannot see your shared location,” the WhatsApp spokesperson told CNET.
“While most people use WhatsApp just to chat with friends and family, we’ve also begun to offer the ability for people to chat with businesses to get help or make a purchase, with health authorities to get information about COVID, with domestic violence support agencies, and with fact-checkers to provide people with the ability to get accurate information,” the spokesperson said. “As we’ve expanded our services, we continue to protect people’s messages and limit the information we collect.”
Is WhatsApp more convenient than Signal and Telegram? Yes. Is it prettier? Sure. Is it just as safe? Until we see more of its source code, we won’t know. But is it more private? Not when it comes to how much data it collects in comparison. I’m sticking with Signal for true privacy, and I suggest that you do the same.