If you’re one of the 1.3 billion people using Facebook Messenger, then a powerful new campaign from WhatsApp as well as comments from Facebook itself should convince you it’s time to leave. Meanwhile, some surprising new data, published today, should tell you which messaging alternative you should use instead.
WhatsApp deserves genuine credit for popularizing the secure messaging we all use today—it has put end-to-end encryption onto more devices and into more hands than anyone else. But, despite claiming “security and privacy are in our DNA,” WhatsApp has been rightly slammed for collecting too much user metadata—data about our data. How much of this is shared with Facebook is secondary to the fact it shouldn’t be collected in the first place.
WhatsApp was caught on the hop—its immediate response to Apple’s privacy label revelations was poor and its PR response when it pushed out a change of terms that tidied up its links to Facebook was nothing short of a disaster. Millions quickly installed alternatives—Telegram and Signal foremost among them. The stark irony being that while Signal is a step-up on WhatsApp security-wise, Telegram is a serious step backward.
Telegram’s issue is that it does not offer the same default end-to-end encryption as WhatsApp and Signal, as well as the likes of iMessage, Wickr and Threema. Telegram’s default is to encrypt messages between your device and its cloud. Encryption to which it holds the key. And while Telegram does offer “secret chats,” these only work between two individuals on a single device each—no multi-device access, no groups.
While Telegram beats the drum for security and privacy, claiming it’s better than WhatsApp, the reality is that from a technical perspective, your content is stored on a third-party cloud and can be accessed by that third-party. This is a risk that end-to-end encryption—assuming you don’t back up chats to other cloud services—will prevent.
WhatsApp is now campaigning on its security and privacy creds to stem the Facebook backlash and the surge of users installing Signal and Telegram. “Whatever you share on WhatsApp, stays between you,” is the message. “That’s because your personal messages are protected by end-to-end encryption and that will never change.”
As a means of defending against the Facebook backlash, this is misleading. Message encryption was never in question. The issue was the metadata associated with that messaging, and the device data pulled by WhatsApp and disclosed by Apple’s privacy labels—which was well out of step with its competition.
The issue of sharing that metadata with Facebook was misreported—nothing important has changed. In any case, WhatsApp has backtracked on its threat to delete the accounts of any users that do not accept the new terms, assuring that “No one will have their account suspended or deleted… Rest assured we never planned to delete any accounts based on this and will not do so in the future.” But the damage is done.
And so, to Facebook Messenger. On every count, this is a messaging platform you should avoid. First, because if you think WhatsApp collects too much data, just look at the chart for Messenger below. If WhatsApp’s data collection caused a backlash—what about this? And, worse, Facebook admits to monitoring the actual content in your messages to ensure compliance with its policies.
We saw this risk in practice when security researchers Tommy Mysk and Talal Haj Bakry found Facebook Messenger capturing links sent between users, and even downloading attachments and file shares sent between users. This invasive practice has now been stopped in Europe, given data protection laws, but not elsewhere.
The second and most critical issue is Messenger’s lack of default end-to-end encryption, which would prevent this and which WhatsApp has stressed is critical. Unlike Messenger, WhatsApp cannot send server-side link previews or download private attachments and links, it cannot monitor content. As WhatsApp said in a status update sent within its app, “we can’t read or listen to your personal conversations.” But Messenger can—and does. It is not default end-to-end encrypted.
And remember, this is data hungry Facebook we’re talking about. If you still use Facebook Messenger, you should switch to a secure, private alternative.
A new report from the security team at Wandera, published here for the first time, suggests that despite the Facebook backlash, WhatsApp traffic is holding up—this will be a surprise to many and goes against the many headlines suggesting otherwise. Wandera has looked at actual app usage across the devices it monitors, forget install numbers, how much has the usage changed as this WhatsApp backlash has unfolded.
The caveat, as always, is that the data is representative, a subset of the overall user bases of these platforms. But it tells an interesting tale.
“Our service is specifically focused on mobile app intelligence,” Wandera’s Michael Covington told me. “It allows us to monitor for threats in the different apps that users install on their devices [and] has visibility into how and when those apps communicate on the network; it allows us to look at whether individual apps are actually being used… It has a very good mix of both company-owned and personal devices.”
The headline news is that Signal has surged more than 85% but WhatsApp usage has held steady. There’s no discernible change in its growth trend from September through to January—at least not across Wandera’s sample set—it dipped a little but has since recovered. Wandera’s data on Telegram is less reliable, given the way traffic is logged, but Telegram told me its daily and monthly active users, as well as its overall traffic, are all up 30% since last September.
I’ve argued all along that users are ill-advised to jump from WhatsApp unless and until they understand the differences between the different alternatives. There is absolutely no point in leaving WhatsApp over security and privacy concerns and using Telegram instead, which is a much less private and secure alternative.
Facebook told me that Messenger traffic is also growing, despite the privacy label backlash and the alarming data gathering Messenger admits. This is a surprise.
A good example of a Messenger issue was the link disclosed last October, with the disclosure that it was monitoring user content. “After three months of our article about link previews,” Mysk told me, “I wanted to check if Messenger and Instagram were still downloading huge files from links shared in their respective private chats. Facebook has disabled link previews for users in Europe. The way Facebook approaches link previews evidently violates data protection regulations in the EU, namely GDPR.”
Looking at the traffic data for the various messaging platforms, Signal appears to be the winner, based on its recent surge, but that was on a much smaller base compared to the others. The fact that WhatsApp appears to be holding steady is more notable.
“I think it’s too soon to assess the impact this ‘privacy awakening’ will have on WhatsApp,” Covington told me. “Our data speaks volumes about how entrenched WhatsApp is within both consumer and business communities; all you need is for a few people to hang on and it prevents all the well-intentioned, privacy-conscious users from moving on entirely. I think this is what Facebook is counting on from its users.”
The fact users aren’t shifting is the reason Facebook is not acting to fix the issues with Messenger. Another reason that it’s time to quit. Last week, Facebook CEO Mark Zuckerberg promised again that Messenger would become end-to-end encrypted. Eventually. “The most important aspect of privacy and security,” he told analysts during his fourth quarter results call, “is that your conversations should stay between you. That means your conversations should always be end-to-end encrypted and they should disappear when you’re done with them.”
But last year, Facebook told me there was no target date they could share for adding end-to-end encryption to Messenger, that the timing “is consistent with what we’ve said since the launch—that it’s going to take time and we’re committed to doing this right.” Last week, despite stating the need for such security, Zuckerberg would only say that encryption is “the direction we’re heading in with Messenger.” And today, again, Facebook confirmed to me that there’s still no update on timing.
And so, if you’re a Facebook Messenger user then you should make the switch—you can use WhatsApp if that’s easiest. The larger of Facebook’s messengers is much better and more secure and its user base is holding up. If you’re using Telegram, here’s a guide to setting it up safely. And if you’re using WhatsApp, take time to review the alternatives. My advice is to run WhatsApp and Signal in parallel—and recommended security settings for both can be found here: (Signal/WhatsApp).