WhatsApp’s recent PR disaster has seen tens of millions flock to other platforms. Millions more are now planning to do the same, after a backlash over data sharing with Facebook. But beware—not all messengers are the same and you could be taking a more ‘dangerous’ risk than you realize. So, what should you do now?
“Using WhatsApp is dangerous,” Telegram’s founder Pavel Durov warned last January, citing cyberattacks against WhatsApp running on phones belonging to key targets, including Jeff Bezos. A year on and Durov is now celebrating “the largest digital migration in human history,” writing that “in the first week of January, Telegram surpassed 500 million monthly active users—25 million new users joined Telegram in the last 72 hours alone.”
In his warning, Durov cited a WhatsApp vulnerability in its handling of video files as well as alleged nation state attacks like the one targeting Bezos. Durov claimed that “backdoors are usually camouflaged as ‘accidental’ security flaws—in the last year alone, 12 such flaws have been found in WhatsApp.” Durov also (correctly) pointed out the risks for users who back up their WhatsApp chat histories to public clouds and questioned WhatsApp’s fabled security. “How can anybody be sure that the encryption WhatsApp claims to use is the one actually implemented in their apps?”
WhatsApp is now fighting back to fix the self-inflicted wound from a forced terms of service change coming just after Apple’s privacy labels exposed its extensive data collection. It was a haphazard PR nightmare for the company. And while it has backtracked on its “take it or leave (it) before February 8” ultimatum, there’s no contrition yet over the extent of the data collection itself. One can’t help but think WhatsApp will need to do more, as its competitors welcome enough fleeing WhatsApp users to push their backends to the limit.
The two WhatsApp competitors that have benefited most from its stumble are Signal and Telegram. But they are very different to one another, and the WhatsApp versus Telegram versus Signal debate has exposed just how unaware most users are of those critical differences. Worse, many of the articles explaining WhatsApp’s issues and the alternatives do not clear up any of that confusion. This puts you at risk.
The surge of new users to Telegram is perhaps the most interesting aspect of the WhatsApp exodus. Let’s be very clear—while Signal is a more secure WhatsApp lookalike, Telegram is nothing of the sort. It is a completely different platform, designed for a completely different purpose. And while Durov says “I consider Telegram Secret Chats to be significantly more secure than any competing means of communication,” the fact remains that Telegram is not end-to-end encrypted by default, and those secret chats work between just two devices—they do not extend to groups, and they need to be manually selected.
Telegram has been described as part social media and part messenger. It is a cloud-based platform that was designed to deliver messages “seamlessly across any number of your phones, tablets or computers.” The initial use case for Telegram supported dissidents and protest groups. By hosting messages outside the state’s reach, any device could be used to access the repository. And while your data might be outside the reach of the authorities, it is technically accessible by Telegram and its employees.
Telegram operates huge groups and channels; as such, it hosts content in the same way as Facebook and Twitter, pushed out to subscribing members. This functionality led to Telegram’s reputation being tainted through the platform’s alleged use by criminals, terrorists and hate groups. Just this week, it has been sued “for failing to crack down on violent extremist conversation in the aftermath of the attack on the U.S. Capitol.”
“Chat apps that offer functionality beyond messaging often compromise privacy in favor of extra features,” warns security researcher Tommy Mysk. “Telegram offers a feature like channels, that are public feeds. This makes Telegram more of an alternative to Twitter than Signal. Telegram mingles messaging methods that are end-to-end encrypted with others, such as normal chats and channels, that are not. A lay person won’t tell the difference and might end up opting for a feature that is less secure.”
With the exception of its limited secret chats, Telegram doesn’t encrypt messages all the way from you to your contacts; instead, it encrypts messages between your device and its cloud, and again between its cloud and your contacts. You can use multiple devices to access your cloud-based messaging repository, and Telegram holds the keys to all that encryption.
In contrast, both Signal and WhatsApp do encrypt end-to-end by default. And while Durov is right that WhatsApp does not make its encryption open-source, it is based on Signal’s own protocol, which is fully open-source. There have never been any credible claims of vulnerabilities in this encrypted message transport itself, only with compromised endpoints—i.e., hitting phones with malware.
“When you throw nation state level capabilities and the ability to attack endpoints,” Cyjax CISO Ian Thornton-Trump says, “all bets are off and the conversation (at least one side of it) is as vulnerable as if it was just clear text.”
But it turns out that while alleged Israeli spyware attacks and various technical vulnerabilities were not able to shake the confidence of WhatsApp’s vast user base, the combination of Apple’s privacy labels and a change to its terms of service, misreported as “WhatsApp shares your data with Facebook,” caused a backlash. Facebook has always been WhatsApp’s Achilles heel, and this has been a risk since 2014.
There are legitimate reasons for users to want to switch from WhatsApp to alternatives—the platform does collect too much data, it does share some of that data with Facebook, it is developing commercial offerings while unable to offer multi-device functionality and fully secure cloud backups. And, most of all, because of the planned integration with Facebook Messenger and Instagram.
But the one reason not to move from WhatsApp is over concerns with its message security. WhatsApp takes credit for universalizing access to end-to-end encryption, and while any platform of its scale will be subject to sophisticated nation state attacks—just look at Apple—WhatsApp’s end-to-end encryption is fine. The irony is that the millions switching WhatsApp for Telegram will be less secure in doing so—that’s not a matter of opinion, that’s because Telegram does not have end-to-end encryption by default.
Don’t take my word for it—let’s look at what Telegram itself says. “Do I need to trust Telegram for this to be secure?” the platform asks in its own FAQs. “When it comes to secret chats, you don’t,” it says. And to the question, “why not just make all chats ‘secret’?” Telegram argues that it has balanced security, speed and multiple device access, as well as restoring messages when a phone is lost. It has compromised with “messages in Secret Chats using client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud.”
Telegram is right—if users opt to use WhatsApp’s public cloud (Apple or Google backups), then they lose the protection of its end-to-end security. But with WhatsApp you can trade the risk of a lost device against compromising message security. You don’t get to make that choice with Telegram—not unless you stick to 1:1 secret chats.
Because most of your Telegram messages are not end-to-end encrypted, you rely on Telegram’s internal security and policies. “To protect the data that is not covered by end-to-end encryption,” it says, “Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect.”
Bear in mind Telegram’s origins—this is all about keeping data from the authorities. As a result of this structure, it says, “several court orders from different jurisdictions are required to force us to give up any data… We can ensure that no single government or block of like-minded countries can intrude on people’s privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.” All of which, it says, means “we have disclosed 0 bytes of user data to third parties, including governments.”
But Mysk cautions that “Telegram stands out from Signal and even WhatsApp in the way it persistently begs for access to contacts. Telegram makes it inconvenient to use the app without granting access to contacts. In addition, it offers its users the chance to connect without exchanging phone numbers. However, when adding a new contact by username, the option to share the user’s phone number with the new contact is activated by default.”
As a Telegram user, if you want to match the actual messaging security used by WhatsApp, you need to stick to those secret chats. But, unlike WhatsApp and Signal and iMessage, among others, those secret chats cannot include groups or anything beyond selected 1:1 chats. With secret chats, Telegram says, “all data is encrypted with a key that only you and the recipient know—there is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages… Secret chats are not part of the Telegram cloud and can only be accessed on their devices of origin.”
This might sound familiar to users of WhatsApp, which says, “end-to-end encryption ensures only you and the person you’re communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages.”
Telegram is not a high-risk platform. But it’s not the step-up from WhatsApp, security-wise, that it claims. In reality, both platforms have issues—albeit different ones—and are reasonably secure. Jumping ship from one to the other makes little sense.
If you want to leave WhatsApp over security and privacy concerns, you should move to Signal, not Telegram. Signal is the closest lookalike to WhatsApp. It does not link any data to its users—albeit it uses your phone number to identify your account.
But what about other messaging platforms—how do they stack up?
The most sophisticated messaging architecture is Apple’s. iMessage is underpinned by some very clever tricks, enabling users to run a central iCloud message repository that syncs across all your trusted Apple devices, without ever losing end-to-end encryption. In Telegram’s parlance, this is the best of both worlds. To enable this, you need to have “Messages in iCloud enabled.” There is a caveat, though. If you also have iCloud backups enabled, a copy of your end-to-end encryption key will be included.
The main issue with iMessage, of course, is that it doesn’t operate cross-platform. So, while it is the cleverest messaging option for Apple users, it can’t be the go-to messenger on your device. The fallback when you message non-Apple users is SMS, and SMS is a security horror show.
Android Messages is not a good alternative to WhatsApp. It is essentially an SMS client that has now evolved to RCS to add the chat features available in WhatsApp and iMessage. It is not end-to-end encrypted at the moment, although Google has this update in beta. But right now, it only works for 1:1 messaging, rather like Telegram, does not extend to groups, and needs both sides of a chat on the beta app.
There are other, less well-known options now available, including Viber, which adds end-to-end encrypted messaging to its VoIP platform, and Wickr, which is best described as an enterprise version of Signal, designed for corporate use. There is also Swiss-based Threema, which has become a favorite of the very security conscious. That platform is even more secure than Signal—it doesn’t use phone numbers as identifiers and so can keep accounts wholly anonymous. It has a much smaller user base though, so you’ll be unlikely to find many of your contacts (if any) onboard.
Somewhat topically, I asked Flavio Aggio, CISO at the World Health Organization, which messenger he would recommend. He wouldn’t advocate for any single one, but mentioned Signal, Threema and Telegram as good options. I did get the sense that he would plump for Threema if pushed—the fact that it can be used without a phone number, he saw as a major plus.
If you do move, you’re fine with any of the end-to-end encrypted alternatives I’ve mentioned. You’re also fine with Telegram, but make sure you understand the differences and the risks; you will be committing to storing most of your content in Telegram’s cloud, and that won’t be for everyone. Most new users are unaware of this and assume that it’s a more secure version of WhatsApp. That simply isn’t the case.
For ESET’s Jake Moore, “Signal seems to be winning the race against Telegram,” based on the contacts he sees moving. “I think that may continue due to its default end to end encryption on offer,” he says, “a must for any messaging service in my opinion. People migrating to privacy focused apps does not happen overnight. However, WhatsApp was available for years before it became the number one messaging platform.”
This misinformation dilemma was perfectly illustrated by one of the many emails I received this week from messaging platforms looking to plug their wares. “Messaging apps, like Telegram and Signal, are end-to-end encrypted,” the email said. “WhatsApp, while end-to-end encrypted, has a number of loopholes that allow conversations to be stored or shared.”
This is all dangerously misleading, and shows what little chance everyday users have of picking through the misinformation to get the facts. Signal and WhatsApp are end-to-end encrypted by default, Telegram is not. And while Signal’s deployment is fully open source and so theoretically more secure, there are no “loopholes” in WhatsApp, by which the email meant backdoors allowing Facebook to monitor content.
As former intel officer Philip Ingram points out, “the debate about continued security with different messaging apps after the mass exodus from WhatsApp underpins that many using the excuse of privacy seem to want to follow herd induced habits rather than think for themselves.” Unsurprisingly, Ingram uses Threema. “A Swiss-based, truly anonymous messaging app,” he says. “I haven’t looked back.”