PC Pro

Privacy fears spark WhatsApp exodus

But are millions of users rushing to rivals with even weaker privacy protection?


Millions of users have fled Facebook-owned messaging service WhatsApp due to a perfect storm of privacy concerns. However, there are fears that people are joining rivals that have poorer privacy features.

The messaging upheaval was sparked by two issues at WhatsApp – Apple highlighting the amount of data the app collects, combined with a change in WhatsApp terms that many people wrongly construed as plans to share the content of messages with Facebook. WhatsApp built its reputation on end-to-end encryption (E2EE), which meant only the recipient and sender could access the content of messages.

Although WhatsApp won’t be sharing message content with Facebook, it was still a PR disaster for the company, with rival messaging services suddenly shooting up the App Store charts as WhatsApp users sought alternatives.

“This is a privacy movement,” said Jake Moore, a security specialist at security firm ESET. “It won’t happen overnight, but there is finally a movement of people starting to question what they are doing and that’s about time. People are moving to get rid of WhatsApp.”

WhatsApp’s pain was other apps’ gain. Telegram surpassed 500 million users, while Signal saw downloads jump to 18 million a week, up from 285,000, according to the research firm Sensor Tower. Experts believe users want to separate messaging from media platforms and are slowly understanding the need for E2EE.

“We must be moving towards genuine E2EE messaging that’s not owned by one of the big tech companies,” explained Moore. “The fact that, say, Signal is open source increases its credibility because third parties can inspect the entire code to make sure that no parent company is collecting information without permission.”

Safer bet?

However, amid the upheaval, there were concerns that end users could leave themselves exposed because they conflate independence with increased privacy, when not all of the platforms actually implement E2EE by default.

For example, critics argue that Telegram markets itself as an encrypted platform, but many features aren’t switched on after download and don’t cover all communications. Telegram says on its opening marketing page that it’s “Private – Telegram messages are heavily encrypted and can self-destruct,” but it doesn’t explain that users need to turn E2EE on and that it doesn’t apply to every type of message sent.

“Telegram is terrible – it’s a cloud-based message repository that allows multiple end points,” said Zak Doffman, CEO of security company Digital Barriers and a commentator on the private messaging industry.

“It was set up to provide the ability for users to get messages wherever they happened to be – a different era. It does have tools for secret discussions, which are end-to-end encrypted, but that will only work from one person to another, so it doesn’t work for groups, or multiple devices and it’s not on by default,” said Doffman. “It’s not like you can switch it on and your entire Telegram is encrypted.”

In a written response, Telegram stated: “Every message on Telegram is sent encrypted. One-on-one cloud chats, group chats and channels use client-server encryption so that they can make use of Telegram’s secure cloud-based nature while end-to-end encrypted Secret Chats allow users an extra layer of security.

“This two-tiered method offers users both security of end-to-end encryption and cloud-based features like instantly-synced cross-device use without needing your phone nearby, access to the complete chat history without storing it all on your phone, massive groups with up to 200,000 members and channels with an unlimited number of subscribers.”

According to Doffman, Facebook Messenger has similar issues in terms of E2EE setup flaws, while Apple’s iMessage is inherently secured with E2EE by default and users would have to fiddle with specific cloud backup options to break E2EE.

Ironically, WhatsApp’s E2EE credentials are better than some of the companies benefiting from the backlash. “Your messages on WhatsApp are end-to-end encrypted as they’re sent, and protected by phone security when they’re received or saved,” Doffman said.

“However, if you use WhatsApp’s option to back up your chat to either Apple or Google clouds, then those backups are not protected by that E2EE, as they could in theory access your key.”

Privacy not anonymity

Encryption might be critical for privacy of communications, but users who want to protect their identity are warned they should remain wary of communication apps that provide no guarantee of anonymity. “They all use your phone number as your identifier, so it’s not anonymous unless you have a burner phone,” said Doffman. “It doesn’t really make you vulnerable other than they can tell you are on Signal.”

However, Doffman cited examples where linking phone numbers to messaging accounts could prove dangerous. “In Hong Kong, there were Telegram issues where state security guys were loading phones up with lots of phone numbers of people they were interested in and then joining Telegram groups so they could de-anonymise people,” he said.
