As the self-inflicted WhatsApp backlash continues, millions have turned to Signal and Telegram instead. But how much do you know about these rival messengers? Given the headlines, you’d assume they’re both more secure than WhatsApp, right? Actually, wrong. So, if you’re considering a switch, here are three things you need to know.
By now you’ll be all too familiar with the train wreck series of events that has led to millions of WhatsApp users switching to alternatives. First, Apple’s privacy labels highlighted the extensive metadata collected by WhatsApp from its 2 billion users. WhatsApp complained, saying it was unfair that Apple’s own iMessage didn’t have a privacy label—Apple then published exactly that, which made WhatsApp look worse.
That privacy label issue would have been contained, but, in its midst, WhatsApp decided to force a change of terms on all its users. The driver behind this was to facilitate Facebook business customers communicating with and selling to WhatsApp users. No real security or privacy issues. But the change was clumsily worded, which led to it being misreported as WhatsApp sharing private user data with Facebook.
WhatsApp belatedly tried to clarify first the purpose of its metadata collection and then the reasons for its changed terms of service. But the damage had been done. A week later, Signal and Telegram have been the main beneficiaries from WhatsApp’s mishaps. If you’re one of the millions that have already switched or you’re considering doing so, then this might help you decide whether to make a move and to where.
1. Are you really more secure if you switch to Signal or Telegram?
The WhatsApp backlash has focused on its collection of metadata—the who, when and where of a message rather than its content. And while the platform denies sharing anything private or sensitive with Facebook, it still collects too much. What hasn’t been questioned, though, is the security it applies to your messages themselves.
WhatsApp popularized end-to-end encryption, where only the sender and recipients of a message can read its contents, and it deserves great credit for this and for defending the use of such security despite the efforts of lawmakers to mandate backdoors. Yes, there have been examples of WhatsApp’s security being compromised, most famously by alleged Israeli spyware in 2019, but these are endpoint compromises—attacks on phones, not weaknesses in WhatsApp’s own infrastructure.
Signal’s security is better than WhatsApp’s. Both use Signal’s encryption protocol, but whereas Signal’s is fully opensource, meaning it can be examined for vulnerabilities by security researchers, WhatsApp uses its own proprietary deployment. But both are end-to-end encrypted—your content is safe. WhatsApp’s main security weakness is its cloud backup option, which stores your chat history, absent end-to-end encryption in Google’s or Apple’s cloud. Signal does not offer any such option, for security reasons.
The situation with Telegram is very different. Ironically, users moving from WhatsApp to Telegram are making a regressive move from a security standpoint. Telegram does not offer end-to-end encryption by default. There is a “secret chat” option, where one user can message another using end-to-end encryption between the two devices and bypassing Telegram’s cloud, but this does not extend to groups.
The encryption issue makes it difficult to recommend Telegram from a pure security point of view. The lack of default end-to-end encryption “gives users a false sense of privacy,” warns security analyst John Opdenakker. Technically, Telegram can access your messages, which are stored on its servers, backed up to its cloud, and to which it holds the key. MTProto, the encryption protocol used by Telegram, is proprietary and only partly opensource. In reality, you can trust Telegram with your content and there are no serious claims to the contrary, but that’s different from a provider technically unable to access your content, even if they want to.
If security is your concern, then Signal is the best step-up from WhatsApp. Signal has been criticized for its use of phone numbers as its primary ID, albeit it says it doesn’t collect any data linked to the number. Signal has also been criticized for alerting users when one of their phone’s contacts joins up, intended to drive viral growth. Again, it says this is done without compromising security, and the matching of new users to a phone’s contacts is anonymized. You could turn to an even more secure alternative like Threema, which doesn’t require a phone number and so is entirely anonymous, but you’ll find almost none of your contacts on the platform.
Tommy Mysk, one of the researchers who outed the iOS clipboard vulnerability that caused TikTok such bad press, warns that any messenger which broadens its functionality will risk privacy and security as a result. Clearly, this is an issue for WhatsApp now, but for others as well. “Telegram offers features like channels, that are public feeds,” he explains. “Telegram mingles messaging methods that are end-to-end encrypted with others, such as normal chats and channels, that are not. Most people won’t tell the difference, opting for a feature that is less secure.”
Mysk also warns that even Telegram’s end-to-end encryption might have weaknesses compared to the others. “In our research about link previews,” he says, “we found that Telegram generates link previews on its remote servers for both normal and secret chats. Secret chats are end-to-end encrypted and sending links shared in such a private chat to a remote server defies the purpose of end-to-end encryption. Telegram remote servers download up to 20 MB of any link shared in the chat. A message is shown in secret chats when the user types a link for the first time warning that links will be sent to remote servers. This can be disabled in the settings, but only for secret chats.”
2. Goodbye Facebook—but who is behind Signal and Telegram?
We all know the pros and cons of engaging with a Facebook platform, the world’s most data hungry company, but what’s the situation with Telegram and Signal?
Telegram is managed and funded by Russian social media billionaire Pavel Durov, and operates from undisclosed locations. In its early years, the messenger became famous as the platform of choice for dissidents and protesters and, unfortunately, for criminals and extremists, all looking to keep their communications out of the reach of the authorities. Despite its lack of end-to-end encryption by default and the fact it holds decryption keys, Telegram says that to access messages it needs keys from different jurisdictions to frustrate any attempts by law enforcement to access content. This gives a good insight into the original philosophy behind Telegram.
Signal was founded by a security researcher who uses the name Moxie Marlinspike for his public profile. Until 2018, the platform was fairly niche and unless you worked in some form of security field, it was unlikely to be found on your phone. But then Brian Acton, one of WhatsApp’s founders, left Facebook and ploughed $50 million into Signal to help take it mainstream. Prior to Acton’s involvement, Signal was fairly clunky to use, you really needed to want its enhanced security. But that has all now changed, as my colleague Kate O’Flaherty explains, its user interface and features rival WhatsApp, all the way to group calls and stickers. It is now the nearest thing to the original spirit of WhatsApp, before Facebook flexed its ownership muscles.
Telegram is privately owned and there’s some talk of a possible IPO to continue to fund its growth, while Signal operates as a non-profit foundation. Both platforms now face questions as to how they will fund their accelerating growth. Running a global messenger with tens of millions of users (Signal) or hundreds of millions of users (Telegram) is not cheap. Right now, funding comes from the platforms’ billionaire backers and donations, but it’s unclear if that will keep pace with growth.
Telegram has been fairly public about the challenge, suggesting it might charge users for premium services as well as that potential IPO. The Signal Foundation is funded by donations and the investment from executive chairman Brian Acton, it’s unclear what will happen if its growth continues to spiral, whether those donations will be enough.
3. Are Signal and Telegram really better for you than WhatsApp?
Yes… and no. It is undoubtedly true that Facebook’s focus on data collection and processing is at odds with the principles of secure, private messaging. It also seems clear that the direction of travel for WhatsApp is now toward commercial services, shopping and payments. More worryingly, Facebook’s long-term plans also call for the eventual integration of WhatsApp’s underlying platform with Facebook Messenger and Instagram—this is not good news for WhatsApp users.
WhatsApp also has ongoing functionality weaknesses. The continued lack of genuine multi-device options being the main one. Both Telegram and Signal offer significantly better options that WhatsApp, with full iPad and desktop apps.
But a messaging platform is only as useful as its userbase. This has always been Signal’s challenge, now finally being resolved. “When I look through my contacts,” ESET’s Jake Moore tells me, “it seems Signal is winning the race against Telegram so far. And I think that may continue due to its default end-to-end encryption on offer—a must for any messaging service in my opinion.”
But, for the time being, apart from Apple’s iMessage which is limited to its own users, only Telegram really competes with WhatsApp userbase-wise, with around 500 million using the platform. That said, looking at the security and transparency comparisons, the only reason I can see for a user to switch from WhatsApp to Telegram is if they feel the need to escape Facebook. That lack of end-to-end encryption is a deal breaker for me—Moore is right, that level of protection is a must.
Moore also points out that Signal’s non-profit status “is refreshing when comparing with big tech, which are effectively data mining firms now.” He warns that with any tech platform, “it would be very dangerous to predict that this data will always be under lock and key where in stark contrast, Signal doesn’t even link such data to us so it can officially say that there is not a risk of a breach in years to come.”
Almost everyone working in cybersecurity or information security has now been inundated for a week with messages from people asking if WhatsApp is still safe to use, if they need to move to Signal or Telegram—many of those people will have only moved from SMS to WhatsApp in the last few years.
This is worrying. If the headlines and the social media buzz undermines confidence in WhatsApp’s security, then we enter dangerous territory. Moving to Telegram or Signal is fine, but what about the likes of Android Messages or generic SMS, or any of the other non-encrypted apps that offer messaging capabilities.
It is critical to emphasize that WhatsApp’s security is fine, you don’t need to move away from the platform. Don’t stop using it until you’re very sure you want to move and where. There’s no reason to rush to #DeleteWhatsApp.
“Signal seems to be smashing growth numbers due to the self-inflicted WhatsApp/ Facebook marketing problem,” says Cyjax CISO Ian Thornton-Trump. “Telegram has a brand reputation problem as it’s been singled out—rightly or wrongly—by law enforcement as being favoured by criminals. This brings us to the crux of the secure messaging issue—you can have privacy or you can have control over then messaging apps content, but you can’t have both.”
Earlier this month, I published an article comparing Signal’s, WhatsApp’s and iMessage’s privacy labels. It drew significant attention to the differences. At the time I was asked repeatedly to show the chart with Telegram included. Here it is now.
“We’re excited that we are having conversations about online privacy and digital safety and people are turning to Signal as the answer to those questions,” Brian Acton told TechCrunch as the WhatsApp backlash caused Signal installs to soar. But in Acton’s view this won’t be a “winner take-all scenario.” In reality, people will continue to use WhatsApp alongside one of these more secure alternatives. “I have no desire to do all the things that WhatsApp does,” he explained. “Otherwise, you’re locked into something where you have no choice.”
And that is a good summary of where we are now. Take your time, don’t rush to change platforms or move messages or delete any apps. Nothing material has changed. It’s good to try alternatives, and then to decide which is right for you before you do anything more drastic.
All Rights Reserved for Zak Doffman