WhatsApp is Compromised: A guideline for your migration to far more trusted messaging apps
Updated: Apr 12, 2021
April 8, 2021: If you felt safe using WhatsApp in the past, think again. With technology giant Facebook’s plans to fully integrate WhatsApp, Instagram, and Messenger comes an entirely new level of opportunity for Facebook to intercept and abuse the data of billions of users unlike ever before. The merger and integration of these technology giants is intended to create ‘the best messaging experiences’ for the billions of users around the world who currently (and unfortunately) use and rely on Facebook-owned apps. Bear in mind, all the features of the Facebook ecosystem come with all this tech giant’s “baggage” and unethical business practices – dirty baggage and business practices that have now been 'inherited' by WhatsApp users.
News that WhatsApp has been ‘sharing’ large amounts of highly personal data with Facebook since 2016 has led a large number of unhappy (and savvy) users to look for alternative messaging apps that genuinely respect their privacy and security. A speedy migration away from Facebook-WhatsApp has never been more important.
Drawing from expert insights at Proton, an analysis of alternatives to WhatsApp (and therefore independence from Facebook) is required. End-to-end encryption (E2EE) should be seen as a core requirement for any ‘messenger’ app that claims to be both secure and private. In simple terms, this means that all messages are encrypted on your device and can only be decrypted on the device of the recipient. WhatsApp uses end-to-end encryption, so the actual messages are secure within that platform. However, this feature will not stop Facebook from abusing metadata capture: where metadata is the information about whom you communicate with, from where, at what time, how often, and from which device.
Another critical consideration with messaging applications and their level of security is whether or not the apps are engineered using Open-source code and software. By publishing an app’s code publicly, anyone can examine it to ensure the app is doing what it is supposed to be doing. A messaging app’s use of Open-source in its design and application is considered one of the best indicators that an app can actually be ‘trusted’.
As savvy messaging app users seek alternatives to the Facebook-WhatsApp-Instagram ‘data robber barons’, Extremely American (aided by the expert input from Proton of Switzerland) are pleased to provide a thorough list of alternatives along with Pro’s & Con’s provided for each option. The list below is limited to only those alternative messenger apps that leverage both Open-source messaging and end-to-end encryption (E2EE). Please also note that the list below is placed in random order. For a shortlist of the top alternatives in rank order, please refer to the following EA article for additional insights: www.extremelyamerican.com/post/eight-alternatives-to-the-technology-oligarchs
The call-to-action is three-fold: (1) research alternatives to Facebook & WhatsApp, (2) select an alternative messaging app and create an account, and (3) cancel your Facebook-WhatsApp- Instagram accounts and remove the apps from all your devices. The list below will offer convenient reference points to consider for each alternative messaging app available (Information details sourced from: ProtonMail – April 2021).
· Exceptionally good encryption
· Almost no metadata kept
· Protocol independently audited
· Seamless to use on Android
· Disappearing messages
· E2EE text, voice, and video group chat
· Requires a valid phone number to register
· Hosted on Amazon Web Services (AWS)
The Signal messaging protocol is an end-to-end messaging protocol developed by the Signal Foundation, a non-profit organization founded by cryptographer and privacy activist Moxie Marlinspike. The Signal Protocol is Open-source, has been professionally audited for security vulnerabilities, and is widely admired for its cryptographic strength.
Because of the quality of the Signal protocol, it is used by a variety of third-party messaging apps to provide secure end-to-end encryption for messages. These include WhatsApp, Facebook Messenger, and Skype, Unlike WhatsApp and other third-party apps that implement the Signal protocol, however, the Signal app from the Signal Foundation is 100% Open-source.
Crucially, considering recent heightened awareness about WhatsApp’s privacy policies, the Signal app and Signal Foundation keep almost no metadata related to the app’s usage. Only “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.” This is a claim that has been proven in court.
The app itself has not been audited, however, and some security concerns exist around Signal’s reliance on Intel Software Guard Extensions (SGX). In theory, this could result in users’ metadata and data (but not messages) being compromised at the server level. This is a particular concern because Signal uses AWS to host its infrastructure, which is subject to legal demand from the US government.
Unlike WhatsApp, Signal is designed to replace your phone’s regular SMS messenger app on Android (not iOS). Texts exchanged to other Signal users are end-to-end encrypted, but texts to non-Signal users are not. Signal will warn you when messages are sent unencrypted.
This makes Signal very transparent in use, but the fact that users must register with a valid phone number to match contacts is also the main source of criticism the app receives. It should be noted, though, that contacts are stored locally only and cannot be accessed by the Signal Foundation.
In addition to messages, Signal supports disappearing messages, E2EE group voice chats, and now group video chats between up to eight users. Signal is a non-profit organization that relies on donations to operate.
· Channels for broadcasting messages
· Bots for managing groups
· Sync across multiple devices (not E2EE)
· Polls, stickers, sharing live location, identity management
· E2EE 1-1 text, voice, and video chat
· Encryption concerns
· Only Secret Chats are E2EE
· Group chats (text or voice) are not E2EE
· Collects lots of metadata
· No group video chats
· Requires a valid phone number to register
· Headquartered in the UAE, which is not known for human rights or privacy from the government (despite having some strong privacy laws)
With over 500 million users, Telegram is an extremely popular WhatsApp alternative. A big part of this popularity is the widespread perception that Telegram is highly secure, a perception only heightened by several governments, notably Indonesia, Russia, and Iran, trying to block or ban the app.
There are, however, some big caveats regarding the security that Telegram offers its users. Regular default “Cloud-based messages,” that can be accessed on any of a user’s devices, are encrypted in transit and when stored on Telegram’s servers, but they are not end-to-end encrypted. Only client-to-client “secret chats” are end-to-end encrypted. Secret Chats are not available for groups or channels.
The open source in-house MTProto encryption used to secure communications in Telegram (whether E2EE or otherwise) has come under criticism from security experts, although the new version (MTProto 2.0) has been formally verified to be cryptographically sound. The Telegram API and all Telegram apps are open source, but its server-side backend is not.
Another issue is that Telegram may collect a great deal of metadata from users: “We may collect metadata such as your IP address, devices and Telegram apps you’ve used, history of username changes, etc.”
On the other hand, Telegram has built its own secure cloud infrastructure, distributed across the globe. The encryption keys used to secure the Telegram Cloud are split in pieces and never stored in the same place as the information they protect.
Security considerations aside, a key feature that contributes to Telegram’s popularity (especially in repressive countries such as Iran, where it enjoys over 40 million users despite government attempts to regulate use of the service) is support for “channels.” Users can create and post to channels that any number of other users can subscribe to.
Public channels can be created using an alias and a URL that anyone can subscribe to, making Telegram a powerful tool for organizing resistance and disseminating information in repressive countries.
Other features that help make Telegram popular include polls, stickers, sharing live locations in chats, and an online authorization and identity management system for those who need to prove their identity. A ‘bots’ feature assists managing groups and channels.
It also features one-to-one voice and video chats that are fully end-to-end encrypted, although group voice chats are not. Group video calls are not supported.
Telegram is funded by public donations (notably from its own founder, Pavel Durov), although it is anticipated that in-app monetization features will be introduced in the future.
· No phone number or email required to sign up
· Almost no metadata kept
· Independently audited
· Swiss-based with own servers
· GDPR compliant
· E2EE group text and voice chat
· Group polling and distribution lists (Android only)
· Not free
· Relatively small userbase
· No group video calls
Like Proton, Threema is based in Switzerland, a country with strong data privacy laws and independent from the United States and European Union. It also owns its own server infrastructure located in Switzerland.
An email address or phone number is not required to register an account, and it is possible to purchase Threema for Android anonymously using Bitcoin. Threema claims this allows you to text and make calls anonymously, and it goes to great lengths to ensure that minimal metadata is collected.
The fact that the app is not free is likely to be a pain point for some, but at around US$3 (one-time purchase), it is unlikely to break the bank for most. This may contribute, however, to one of the biggest downsides with Threema: that its userbase is relatively small.
The Android app features distribution lists that allow you to send messages to multiple separate recipients. In addition to fully E2EE group text and voice calls, Threema offers a group polling feature. E2EE video calls are supported, but not for groups.
· Built for ephemeral messaging
· Anti-censorship feature
· E2EE group text and voice chat
· No phone number or email needed for signup