
Why I told my friends to stop using WhatsApp and Telegram

Even with end-to-end encryption, Big Brother is still in your phone. The culprit: metadata.

This morning I told my friends to stop using WhatsApp and sent them an invitation to switch to Signal messaging app.

Here’s why.

Encryption Protocols: The Signal Protocol VS Telegram’s MTProto

You may not realize it, but you’re probably already using the Signal Protocol — along with more than 1 billion people every day.

The Signal Protocol is used by WhatsApp, Facebook Messenger, Google Allo and Signal’s own messaging app.

But what is the Signal Protocol?

The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for instant messaging conversations. — Wikipedia

End-to-end encryption ensures that your message is turned into a secret message by its original sender, then only decoded by its final recipient.

That’s what WhatsApp started to use a few months ago when they displayed this message in your conversation:

[Image: WhatsApp encryption announcement message]

The Signal Protocol was built by Open Whisper Systems, a nonprofit group that was founded in 2013 by former Twitter head of security Moxie Marlinspike. Back in 2011 the 140-character messaging platform acquired Marlinspike's first secure messaging company, Whisper Systems.

Open Whisper Systems focuses on the development of the Signal Protocol and also maintains a messaging application called Signal. The nonprofit is funded through a combination of donations and grants.

In October 2016, the Signal Protocol was reviewed by an international team of security researchers and got glowing reviews.1

Reading the above, you might think you are fine since WhatsApp, Facebook Messenger, and Google Allo also use the Signal Protocol.

Well, you’re not.

Facebook Messenger and Google Allo don’t enable end-to-end encryption by default. Facebook Messenger users have to enable “Secret Conversations” and Google Allo users have to enable Incognito Mode.

Telegram, the 100-million-user app made by social network VK’s founder Pavel Durov, uses its own encryption protocol: MTProto. Telegram was the subject of some minor controversies over its encryption protocol. Then in 2015, a security researcher published a research paper detailing theoretical weaknesses* in MTProto. This paper was refuted by Telegram in a blog post where they clarified why MTProto is safe.

Then we have WhatsApp and Signal — the only two applications to use the Signal Protocol by default for all messages sent*.

You may be asking — why not stick with WhatsApp then?

The reason lies in WhatsApp’s collection of metadata.

Data collection and metadata

Metadata and data collection have often been at the center of debates, with companies often making statements along the lines of:

We can’t listen/read the content of your communication because we use end-to-end encryption, we can only collect metadata.

Metadata has often been a blurry term. For your convenience, below is a clarified definition of metadata:

[Image: definition of metadata by Edward Snowden]

If you’re still unclear about what metadata is, Kurt Opsahl from the Electronic Frontier Foundation gives examples of what companies or governments know when they collect metadata2:

“They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.

They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.

They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.”

Now that you know what metadata is, let me reiterate: using end-to-end encryption does not prevent messaging services from collecting metadata.

Let’s see what these guys are collecting:

WhatsApp

WhatsApp’s FAQ states3 that its app has access to all the phone numbers in your address book, and that it collects4 a myriad of information about you.

What’s interesting is that WhatsApp doesn’t store your messages on its servers. Instead, your messages are stored on your phone — then ultimately on the servers where you back up your phone. For example, if you use an iPhone and back it up to iCloud, all your WhatsApp messages end up stored in iCloud.

As for the information WhatsApp collects about when, where, and with whom you communicate, the wording is a lot more vague. Here’s what they say:

Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, and diagnostic, crash, website, and performance logs and reports.

WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number.

And if they can’t collect that information through your phone, they’ll obtain it when people message you, since WhatsApp also has access to your friends’ activity data.

Besides the unencrypted backups, other concerns were outlined by the Electronic Frontier Foundation over key-change notifications, WhatsApp’s web app, and its sharing of data with Facebook, which acquired WhatsApp in 2014.

Speaking of Facebook…

Facebook Messenger

MIT Technology Review wrote:

“Facebook is collecting the most extensive data set ever assembled on human social behavior.”5

I don’t need to break down what data Facebook collects. Facebook is your friend, so they made it very simple for you to understand just how close of a friend they are:

[Image: Facebook data collection policy]

Google Allo

Google Allo has been widely criticized6 by security experts.

Not only can Google read every message you send, it also stores all your conversations.

It is that simple.

Here’s Edward Snowden’s tongue-in-cheek advertisement for Allo:

[Image: Snowden strongly advised against using Google’s Allo]

Telegram

Messages, photos, videos, and documents are encrypted and stored7 on Telegram’s servers (except for Secret Chat messages, which aren’t stored on Telegram’s servers). Like WhatsApp and Facebook, Telegram accesses and stores your contact list on its servers. This is how they are able to send you a notification when someone from your contact list joins Telegram.

Signal

The only data Signal retains8 is the phone number you register with and when you last logged into their server.

That is it.

It doesn’t even record the hour, minute, or second — only the day.
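As an added illustration (not code from the original post, nor from Signal), here is a Python model of the point made in the metadata section above and of Signal’s stated retention: the server only ever handles opaque ciphertext, yet a server that keeps every routing envelope can still build a contact graph, an activity-by-hour profile and per-user traffic volume, while a Signal-style policy keeps only the registered number and the day of last connection. The phone numbers, timestamps and ciphertext bytes are constructed sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Envelope:
    """One routing record as a relay server sees it: the payload is
    end-to-end encrypted, so only addressing, timing and size are readable."""
    sender: str          # registered phone number of the sender
    recipient: str       # registered phone number of the recipient
    received: datetime   # when the server accepted the envelope
    ciphertext: bytes    # opaque to the server; never decrypted below


# Constructed sample log (numbers, times and bytes are made up for the demo).
SAMPLE_LOG = [
    Envelope("+15550100", "+15550199", datetime(2017, 1, 24, 2, 24), b"\x8a\x1f\x03\xc2"),
    Envelope("+15550199", "+15550100", datetime(2017, 1, 24, 2, 26), b"\x41\x9d\x77"),
    Envelope("+15550100", "+15550199", datetime(2017, 1, 24, 2, 30), b"\x00\xee\x12\x5b\x9a"),
    Envelope("+15550100", "+15550177", datetime(2017, 1, 25, 9, 5), b"\x7c\x7c"),
]


def full_metadata_view(log):
    """What a server that retains every envelope learns without any key:
    who talks to whom, at what hour, and how much traffic each party sends."""
    contacts = defaultdict(set)
    activity_by_hour = Counter()
    bytes_sent = Counter()
    for env in log:
        contacts[env.sender].add(env.recipient)
        contacts[env.recipient].add(env.sender)
        activity_by_hour[(env.sender, env.received.hour)] += 1
        bytes_sent[env.sender] += len(env.ciphertext)  # size only, not content
    return {
        "contact_graph": {who: sorted(peers) for who, peers in contacts.items()},
        "activity_by_hour": dict(activity_by_hour),
        "bytes_sent": dict(bytes_sent),
    }


def minimal_retention_view(log):
    """Retention modelled on Signal's stated policy: the registered number and
    the day (not the hour) of the last connection. Only the sender's submission
    is modelled as a connection; recipients and contact pairs are not kept."""
    last_seen_day = {}
    for env in log:
        day = env.received.date()
        if env.sender not in last_seen_day or day > last_seen_day[env.sender]:
            last_seen_day[env.sender] = day
    return {number: day.isoformat() for number, day in last_seen_day.items()}
```

Neither function touches the ciphertext, which is the whole point: the difference between the two views is purely a retention decision, not an encryption one.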

If you’re feeling mischievous, Signal even has disappearing messages.

And Signal is free. Really free. Meaning that they aren’t trying to turn your eyeballs into a product for advertisers, as Facebook and Google want to do with their messaging apps. You can donate to Signal here.

By the way, Signal’s code is free and open source, available for you to check.9

Why should you care about your privacy?

You might be tempted to say something like:

“Who cares? I have nothing to hide.”

If you think you have nothing to hide, try one thing: share the password of your mailbox with your friends.

Also: read “What’s the difference between privacy and secrecy?” (coming soon - subscribe to RSS or the mailing list to get an update)

Edit 24/01/2017: previously we stated that “[Telegram’s] encryption protocol [was] not secure”. Telegram brought some clarification by publishing a blog post commenting on the findings of J. Jakobsen.10

This blog post was edited by FreeCodecamp.


Hey, I’m writing a book to explain how platforms and applications get away with what they promise they will do (and don’t do); and what impact your usage has on your well-being. You can sign up here to get an email when the book is out.


  1. https://www.cyberscoop.com/signal-security-audit-encryption-facebook-messenger-whatsapp/
  2. https://www.eff.org/deeplinks/2013/06/why-metadata-matters
  3. https://faq.whatsapp.com/en/general/20971813
  4. https://www.whatsapp.com/legal/#privacy-policy-information-we-collect
  5. https://www.technologyreview.com/s/428150/what-facebook-knows/
  6. www.independent.co.uk/life-style/gadgets-and-tech/news/google-allo-should-be-deleted-and-never-used-says-edward-snowden-a7320861.html
  7. https://telegram.org/privacy#2-storing-data
  8. https://signal.org/legal/
  9. https://github.com/signalapp
  10. https://telegra.ph/mtproto-security-01-17
