by Romain Aubert
Why I told my friends to stop using WhatsApp and Telegram
Even with end-to-end encryption Big Brother is still in your phone: metadata
This morning I told my friends to stop using WhatsApp and sent them an invitation to switch to the Signal messaging app.
Encryption Protocols: The Signal Protocol VS Telegram’s MTProto
You may not realize it, but you’re probably already using the Signal Protocol — along with more than 1 billion people every day.
The Signal Protocol is used by WhatsApp, Facebook Messenger, Google Allo and Signal’s own messaging app.
But what is the Signal Protocol?
The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for instant messaging conversations. — Wikipedia
End-to-end encryption ensures that your message is turned into a secret message by its original sender, then only decoded by its final recipient.
That’s what WhatsApp started to use a few months ago when they displayed this message in your conversation:
The Signal Protocol was built by Open Whisper System, a nonprofit group that was founded in 2013 by former Twitter head of security Moxie Marlinspike. Back in 2011 the 140-character messaging platform acquired Marlinspike first secure messaging company Whisper System.
Open Whisper System focuses on the development of the Signal Protocol and also maintains a messaging application called Signal. The nonprofit is funded through a combination of donations and grants.
In October 2016, the Signal protocol was reviewed by an international team of security researchers and got glowing reviews.
Reading the above, you might think you are fine since WhatsApp, Facebook Messenger, and Google Allo also use the Signal Protocol.
Well, you’re not.
Facebook Messenger and Google Allo don’t enable end-to-end encryption by default. Facebook Messenger users have to enable “Secret Conversations” and Google Allo users have to enable Incognito Mode.
Telegram, the 100-million-user app made by social network VK’s founder Pavel Durov, uses its own encryption protocol: MTProto. Telegram was the subject to some minor controversies over its encryption protocol. Then in 2015, a security researcher published a research paper detailing theoretical weaknesses* in MTProto. This paper was refuted by Telegram in a blog where they clarified why MTProto is safe.
Then we have WhatsApp and Signal — the only two applications to use the Signal Protocol by default for all messages sent*.
You may be asking — why not stick with WhatsApp then?
The reason lies in WhatsApp’s collection of metadata.
Data collection and metadata
Metadata and data collection have often been at the center of debates, with parties often claiming some statements along the line of:
We can’t listen/read the content of your communication because we use end-to-end encryption, we can only collect metadata.
Metadata has often been a blurry term. For your convenience, below is a clarified definition of metadata:
They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
Now that you know what metadata is, let me reiterate: using end-to-end encryption does not prevent messaging services from collecting metadata.
Let’s see what these guys are collecting:
What’s interesting is that WhatsApp doesn’t store your messages on its servers. Instead, your messages are stored on your phone — then ultimately on the servers where you back up your phone. For example, if you use an iPhone, all your WhatsApp messages are stored in iCloud, if you use it as a backup.
As for the information WhatsApp collects about when, where, and with whom you communicate, it’s a lot more vague. Here’s what they say:
Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.
WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number.
And if they can’t collect that information through your phone, they’ll obtain it when people message you, since WhatsApp also has access to your friends’ activity data.
Besides the unencrypted backups, other concerns were outlined by the Electronic Frontier Foundation over key change notification, WhatsApp’s web app, and its sharing of data with Facebook, who acquired WhatsApp in 2014.
Speaking of Facebook…
MIT Technology Review wrote:
Facebook is collecting the most extensive data set ever assembled on human social behavior.
I don’t need to break down what data Facebook collects. Facebook is your friend, so they made it very simple for you to understand just how close of a friend they are:
Google Allo has been widely criticized by security experts.
Not only can Google actually read every message you say, they will store all conversations.
It is that simple.
Here’s Edward Snowden’s tongue-in-cheek advertisement for Allo:
Messages, photos, videos, and documents are encrypted and stored on Telegram’s servers (except for the Secret Chat messages, which aren’t stored on Telegram’s servers). Like WhatsApp and Facebook, Telegram accesses and stores your contact list on its server. This is how they’re are able to send you a notification when someone new from you contact list joins Telegram.
The only data Signal retains is the phone number you register with and when you last logged into their server.
That is it.
It doesn’t even record the hour, minute, or second — only the day.
If you’re feeling mischievous, Signal even has disappearing messages.
And Signal is free. Really free. Meaning that they aren’t trying to turn your eyeballs into a product for advertisers like Facebook or Google want to do with their messaging apps. You can donate to Signal here.
By the way, Signal code is free and open-source, available on GitHub for you to check.
Why should you care about your privacy?
You might be tempted to say something like:
Who cares? I have nothing to hide.
If you don’t think privacy is all that important:
- Watch Glenn Greenwald’s TED talk on why privacy matters.
- Read Quincy Larson’s article about how to encrypt your life in less than an hour.
- And here’s more on why encryption is a human right by Electronic Frontier Foundation’s Amul Kalia.
Edit 24/01/2017: *previously we stated that “[Telegram’s] encryption protocol [was] not secure”. Telegram Messenger brought some clarification by publishing a blog post commenting on the finding of J. Jakobsen.
If this blog post was useful to you, please click that little green heart below. That would be great. Thank you.
Article also available in French, Italian, German, Spanish and Turkish.
This article was also published in Dutch in the Belgium newspaper Knack.