unsungNovelty

Frequently asked questions about Privacy, Whatsapp, Telegram and Signal

Posted on: 24 January, 2021   Tags: privacy

Table of contents:

This article doesn’t have to be read from start to finish to be understood. Just use the “Table of contents” to go through the questions you want to read, and if you have any questions, DM me on Twitter @unsungnovelty.

TL;DR: Stop using Whatsapp and use Signal if you are serious about privacy and security. If you can’t, use Telegram at the very least.

Privacy

I don’t have anything to hide anyways! So why should I be worried?

“I don’t have anything to hide” is a common argument that I hear every time I talk to people about privacy. When you say you don’t have anything to hide, you’re denying privacy to others and to yourself, now and in the future. That is not how it should work.

Privacy should be the default option for end users and the general public. Any information about you should be accessible to others, like big corporations, only with your consent, and you should be able to opt out of it. Law enforcement agencies and governments should follow due diligence if they have to access your data. This is also how it works in the real world, the offline world. But in your online world this currently happens the other way around, so end users are powerless and get exploited.

Read more about the “I don’t have anything to hide” argument at https://www.privacytools.io/ and scroll down to the “Privacy? I don’t have anything to hide” section for more explanation on the topic.

But what are governments or companies like Facebook going to do with my data that is harmful?

Your financial status, gender, race, marital status, health conditions and employment status, to list a few, are all private data. These are some of the data points that you shouldn’t be sharing with corporates unless absolutely necessary. The corporates share this kind of data with third parties you don’t even know. Currently, you don’t know who has your data and how it is being used. When Facebook shares it with their third parties, there is nothing stopping them from sharing it with another company or other groups, who can use it for spam, something deceiving or even something harmful to you. In India, we are seeing data handling getting out of hand and having real world consequences! So yes, privacy is important.

What is end to end encryption?

Imagine Raj and Krish are talking about something private. End to end encryption makes sure that the messages they send are not read by anybody along the way, so that only the two of them can read them.

End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service.

Whatsapp

Whatsapp is one of the most popular text messenger apps and is owned by Facebook. The recent privacy policy change created a huge uproar from end users, making Whatsapp delay the policy from taking effect. I will try to answer questions which will hopefully tell you why this is important and why we should stop using Whatsapp.

Whatsapp has decided not to enforce the new privacy policy. Is it true? Should we go back to Whatsapp?

No. Whatsapp is delaying the enforcement of the privacy policy for another 3 months since they saw a huge surge in migration to other services like Signal and Telegram, which protect users’ privacy better. There is a reason why the latest policy change will not affect European countries. This policy violates the GDPR rules under which Whatsapp has to operate in EU countries. This is a clear indication that countries which don’t have strict laws protecting users’ privacy will be exploited by companies like Facebook. There is also a public interest litigation filed against Whatsapp’s privacy policy change in India.

Image of an article title which says EU users don't have to share data with FB

Whatsapp (Facebook) have promised that they are going to protect our privacy. Why worry then?

Facebook first promised that they were going to operate Whatsapp independently after Facebook’s acquisition and stay privacy focused. But Whatsapp started sharing data with Facebook with 2016’s privacy policy change, which was against the promise Facebook made to the European Commission during their Whatsapp takeover. In 2017, the European Commission fined Facebook €110 million ($122 million) for misleading the European Union during the Whatsapp takeover. And in 2018, a Whatsapp co-founder left Whatsapp over privacy concerns and disagreements with Facebook.

And right now as we speak, there are 2 anti-trust lawsuits happening against Facebook from 48 attorneys general from 46 states in the U.S. regarding the acquisition of Whatsapp and Instagram. So are you sure you can trust Facebook?

What is the big deal about the change in Whatsapp’s privacy policy?

Whatsapp was bought by Facebook for $19 billion. This change is a prelude to monetising Whatsapp. They are also going to start sharing data with the broader Facebook family of companies, like Instagram and Facebook itself. While this data doesn’t include conversations, since Facebook uses the Signal protocol to provide the end to end encryption feature, it includes metadata like, but not limited to, the ones mentioned below:

Data point | What FB could do with it
---------- | ------------------------
IP Address | Which can be used to target you with regional ads based on your location and can be shared with the government.
The way you use the app | Behavioural data can be used to improve the app.
Location | Targeted ads in your Facebook or Instagram account based on your location.
Contacts | Targeted ads for you or your BFFs and other close people in your circle based on each other's data.
Information in the about section - Your name etc. | Could be used to double down on any missing information of yours.
Display picture (DP) | Which alone can be used by Facebook’s facial recognition technology to recognise you.
Phone number | The missing data point which FB doesn’t have about everyone, since you can sign into FB and Instagram without providing your phone number.

Oh my god! How can Facebook just suddenly start sharing data?

The reality is, they have been doing this since 2016 when Whatsapp changed their privacy policy. They have been sharing the metadata listed above since then. The difference was that existing users were able to opt out of the privacy policy, meaning their data would not be shared with Facebook. But any users who joined Whatsapp after 2016 have been sharing this data already without being given an option to opt out. That is why Facebook was fined by the EU for an amount of 110 million Euros ($122 million) back in 2017.

So my data is already with Whatsapp. What is the point of me moving from Whatsapp to a privacy friendly option now?

Do not see the data sharing/transfer between a service (like Whatsapp) and you as a one time transaction. Your data is an ever-growing set of information. You will meet new people, your contacts will grow and the information about you will grow with it. Just like getting infected with COVID-19, your privacy depends not just on you, but also on everybody around you. When you protect your privacy, you are protecting everybody around you too. So make the change: choose privacy for you and others around you by using services like Signal.

Whatsapp conversations are end to end encrypted right? Doesn’t that mean at least my chats are secure?

While conversations can’t be shared because they are end to end encrypted (e2ee), metadata like the items listed above is more than enough to identify that you are chatting with a particular person at a particular time, exposing you to privacy risks. Data like the above is what Facebook is aiming for when they say they are sharing the data with Facebook. This can be particularly dangerous when this data can be accessed from Facebook by governments or third parties around the world, to name a few scenarios.

Another thing is, end to end encryption only means your data is safe during transfer from you to your recipient - during the transit. Your Whatsapp chats, messages and other media are stored in your phone unencrypted and hence are not safe.
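To make the metadata point concrete, here is an added example (not part of the original article) of what a relay server can reconstruct from message envelopes without ever decrypting a payload. The envelope field names, the third user "anita" and the IP addresses are assumptions constructed for the illustration.

```python
import os
from collections import Counter
from datetime import datetime

# Constructed sample of what a relay server could log per message. "payload"
# is random bytes standing in for end-to-end encrypted ciphertext the server
# cannot read; every other field is plaintext metadata. Names, field names
# and IPs (documentation ranges) are assumptions made for this example.
ENVELOPES = [
    {"ts": "2021-01-20T23:41:00", "src": "raj", "dst": "krish", "ip": "203.0.113.7", "payload": os.urandom(48)},
    {"ts": "2021-01-20T23:43:00", "src": "krish", "dst": "raj", "ip": "198.51.100.20", "payload": os.urandom(32)},
    {"ts": "2021-01-21T00:05:00", "src": "raj", "dst": "krish", "ip": "203.0.113.7", "payload": os.urandom(64)},
    {"ts": "2021-01-21T09:15:00", "src": "raj", "dst": "anita", "ip": "192.0.2.44", "payload": os.urandom(16)},
    {"ts": "2021-01-21T09:20:00", "src": "anita", "dst": "raj", "ip": "192.0.2.90", "payload": os.urandom(16)},
]


def contact_graph(envelopes):
    """Count messages exchanged per pair of users, ignoring direction."""
    pairs = Counter()
    for env in envelopes:
        pairs[frozenset((env["src"], env["dst"]))] += 1
    return pairs


def profile(envelopes, user):
    """Summarise what the metadata alone says about `user`.

    The payload field is never read: this is what remains visible to the
    service even when the message content is end-to-end encrypted.
    """
    contacts = {}
    for pair, count in contact_graph(envelopes).items():
        if user in pair:
            for other in pair - {user}:
                contacts[other] = count
    sent = [env for env in envelopes if env["src"] == user]
    return {
        "contacts": contacts,
        "active_hours": sorted({datetime.fromisoformat(e["ts"]).hour for e in sent}),
        "ips": sorted({e["ip"] for e in sent}),
        "first_seen": min(e["ts"] for e in sent) if sent else None,
    }


if __name__ == "__main__":
    for name, value in profile(ENVELOPES, "raj").items():
        print(f"{name}: {value}")
```

Who Raj talks to, how often, at what hours and from which networks all fall out of the envelope fields, which is why a messenger that keeps less metadata leaves less to share or hand over.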

My phone is safe. So Whatsapp’s unencrypted data should be safe in my phone right?

Hopefully. But that is a big hope. Many of us have enabled Whatsapp backups on our phones and they are not encrypted. This means if anybody’s iCloud or Google Account gets breached, their entire Whatsapp history, including the chats and other media, is exposed. Also, a government could just request access to your Google account. Whatsapp chats and other data could be accessed and Facebook wouldn’t even know about it, even if they were to try and let you know.

I will just disable the backup on my phone. I am secure now right?

Great! But what about all the people who have chatted with you so far? How many of them have their backup disabled? Do you know that? Because that is another copy of your chat with them, exposed!

Telegram

Telegram is another popular alternative to Whatsapp. A good thing about Telegram is that they already have a huge user base, meaning it is an easy choice without having to compromise on people when moving away from Whatsapp. While Telegram is better than Whatsapp, it might not be as secure or privacy oriented as we think it is.

Telegram is end to end encrypted right? So why not move to Telegram from Whatsapp?

No. While Telegram is better than using Whatsapp, Telegram doesn’t have end to end encryption enabled by default. Telegram just has a feature to enable end to end encryption, and it is called secret chats. You have to initiate a separate secret chat with the person you want to talk to if you want to use the end to end encryption feature. This means the normal group chats and private chats are neither private nor end to end encrypted. This makes it less secure compared to services like Signal that are end to end encrypted by default. Telegram has my benefit of the doubt with respect to their ethics and morals, as shown during the Hong Kong protests and their stint with Iran. But they are far from being the private and secure text messenger application we want it to be.

Isn’t Telegram 100% open source?

While the Telegram clients (official Telegram apps for Android and iOS or the Telegram Desktop app for Linux and Windows) are open source, the server side of Telegram which does the encryption part is proprietary. There is still a grey area when it comes to Telegram and their home grown encryption protocol called MTProto, which was developed by Nikolai Durov, the brother of the Telegram founder Pavel Durov. This matters because a golden rule of cryptography is to never roll your own crypto, which is exactly what Telegram has done here.

Image of Brad Pitt in Fight Club saying first rule of crypto is to never roll your own crypto.

Are there any other concerns about Telegram?

Security researchers and cryptographers have raised concerns about the credibility of security in the Telegram app because they rolled out their own crypto protocol. Here are some issues to be skeptical about when using Telegram:

  • The Telegram team, or anyone who has access to their servers (if the Telegram servers get breached), can read your normal chats and group messages since only secret chats are end to end encrypted. This is also how they moderate spam and issues, by reading messages of groups or anything that gets reported by Telegram users.
  • They collect a lot of metadata like your contacts, display pic, email (if 2 factor authentication is enabled with your email), IP address etc., just to name a few.
  • Using Telegram’s nearby people feature could expose a user’s precise location.
  • Telegram’s CEO Pavel Durov recently announced that they will be trying to fund Telegram by providing ads. While I personally trust Telegram based on the past incidents, their system is capable of providing targeted personalised ads. Only time will tell whether they will or will not do this.

Some good reads on the security and privacy of Telegram messenger:

Should I use Telegram?

Not if you really care about privacy or security. Ideally you should use Signal, which is end to end encrypted by default. But Telegram is definitely better than using Whatsapp. So if you can’t or don’t want to use Signal and you can use Telegram, I would recommend Telegram over Whatsapp. With Telegram refusing to share data with Russia and Hong Kong among possible other scenarios, I feel they do have some level of trust and their mind in the right place. If you are going to stick to Telegram, use the secret chat feature, which is end to end encrypted.

Signal

Signal is a privacy oriented text messenger developed by a non-profit and is open source. It uses end to end encryption by default for all its chats, calls and media without storing any data on you. Signal should be used for private conversations if you value privacy and security.

What is so great about Signal and how can we be sure that Signal won’t sell our data?

The Signal Foundation, which helps develop Signal, is a 501(c)(3) nonprofit organisation, meaning it is not in the business of making money. Signal is an open source application and uses the Signal protocol (formerly known as the TextSecure protocol) to provide end to end encryption by default. Apart from Signal requiring your mobile number to register, they don’t need any other data for you to start using it, which means they don’t have any data to sell. Signal also doesn’t store your contacts anywhere or share them with your contacts. The Signal protocol, which is used to provide end to end encryption, is not only open source but also used by Whatsapp and Skype to provide end to end encryption for their apps, which in itself should tell you a thing or two about the credibility of Signal.

If Signal is run by a non profit organisation, how can they sustain themselves with big players like Whatsapp and Telegram around?

Signal is funded by donations from people like you and me. So head over to https://signal.org/donate/ to donate and support Signal’s development. Also, the Signal Foundation, founded in 2018 by Moxie Marlinspike and Brian Acton (co-founder of Whatsapp), is currently well funded with a ~$100 million loan which is only due by 2068. So yes, Signal can stand up to big players like Whatsapp and Telegram. But let me remind you again to read the Donor FAQ if you have questions, and donate!

OK. I am intrigued. But still not convinced about moving to Signal.

Screenshots of Tweets from Elon Musk, Jack Dorsey and Edward Snowden recommending to use Signal text messenger.

Don’t just listen to me. Signal is recommended by people like Tesla/SpaceX CEO Elon Musk, Twitter CEO Jack Dorsey, whistleblower Edward Snowden and cryptographers like Bruce Schneier, to name a few. It is also used by journalists, U.S. government officials and EU Commission staff members. These should be good enough reasons to use Signal for your daily use.

So everything is perfect on the Signal land? One app to save us all?

I wouldn’t say that. There are 2 main issues which I feel are concerning in Signal.

  • Signal still needs a phone number to register which is a personal identifier. But Signal is already working on a possible solution for this by introducing Signal pins.
  • Signal notifies you if your contacts have joined Signal. There is no opt-out of this feature and this is enabled by default. Even if you disable it, the other person will be alerted even if you don’t want them to know. This is unnecessary and dangerous if they are bullies, abusers or stalkers.

How do I use Signal app more effectively?

Just installing and using Signal provides you with a good amount of privacy, way better than Whatsapp or Telegram. But if you are serious about privacy, you can do a lot more for your privacy in Signal.

  • Enable these features from Settings → privacy → Screen lock, Incognito keyboard, Set a PIN, enable registration lock, all of which would provide more protection and privacy.
  • Also verify the safety number for extra security if you want to make sure you are messaging the right person and that the security isn’t compromised somehow.
Screenshot of Signal's privacy settings that is a good idea to enable.

You can follow “Signal, the secure messaging app: A guide for beginners” by the Freedom of the Press Foundation for a better understanding.

I know this already! But… my work depends on Whatsapp (Facebook products). Or my friends are all on Whatsapp. What can I do?

I agree that these are all genuine reasons. Work is important, and so are the friends you want to talk to. But this again depends on whether you really care about privacy or not, because nothing is stopping you from moving personal or important/sensitive conversations to a privacy friendly service like Signal. There are genuine reasons to do so too. Then move people slowly to the privacy alternative you want to use with them. Play the long game.

Something is better than nothing. So it doesn’t matter if you move to a privacy alternative today, tomorrow, a month later or a year later! Whenever you move, you are giving less data to these companies and that is good. Just because you can’t move now doesn’t mean it is all over!

Like I said here, do not see the data sharing/transfer between a service (like Whatsapp) and you as a one time transaction. Your data is an ever growing entity. The less you give away, the better.

To sum it up

When it comes to Whatsapp, neither the technical implementation nor the company is trusted by people. With Telegram, while a lot of people are skeptical about their technical implementation, Telegram the company is trusted by a lot of people based on their actions so far. And then there is Signal, which is trusted based on their technical implementation and also as an entity. They do this by making things verifiable and with their actions, and this increases the trust. So always choose privacy and use Signal or at the very least Telegram. Just not Whatsapp!


Found this interesting or found some errors? DM me @unsungnovelty.