Signal, WhatsApp and Telegram: Major security differences between messaging apps
If your choice of encrypted messaging app is a toss-up between Signal, Telegram and WhatsApp, do not waste your time with anything but Signal. This isn’t about which has cuter features, more bells and whistles or is most convenient to use — this is about pure privacy. If that’s what you’re after, nothing beats Signal.
By now you probably already know what happened. On Jan. 7, in a tweet heard ’round the world, tech mogul Elon Musk continued his feud with Facebook by advocating people drop its WhatsApp messenger and use Signal instead. Twitter CEO Jack Dorsey retweeted his call. Around the same time, right-wing social network Parler went dark following the Capitol attacks, while political boycotters fled Facebook and Twitter. It was the perfect storm — the number of new users on Signal and Telegram has surged by tens of millions since.
The jolt also reignited security and privacy scrutiny over messaging apps more widely. Among the three currently dominating download numbers, there are some commonalities. All three are mobile apps available in the Play Store and App Store that support cross-platform messaging, have group chat features, offer multifactor authentication, and can be used to share files and photos. They all provide encryption for texting, voice and video calls.
Signal, Telegram and WhatsApp all use end-to-end encryption in some portion of their app, meaning that if an outside party intercepts your texts, they should be scrambled and unreadable. It also means that the exact content of your messages supposedly can’t be viewed by the people working for any of those apps when you are communicating with another private user. This prevents law enforcement, your mobile carrier and other snooping entities from being able to read the contents of your messages, even when they intercept them (which happens more often than you might think).
The privacy and security differences between Signal, Telegram and WhatsApp couldn’t be bigger, though. Here’s what you need to know about each of them.
Signal
- Does not collect data beyond your phone number
- Free, no ads, funded by nonprofit Signal Foundation
- Fully open-source
- Encryption: Signal Protocol
Signal is a typical one-tap install app that can be found in your normal marketplaces like Google’s Play Store and Apple’s App Store and works just like the usual text-messaging app. It’s an open-source development provided free of charge by the nonprofit Signal Foundation and has been famously used for years by high-profile privacy icons like Edward Snowden.
Signal’s main function is that it can send — to either an individual or a group — fully encrypted text, video, audio and picture messages, after verifying your phone number and letting you independently verify other Signal users’ identity. For a deeper dive into the potential pitfalls and limitations of encrypted messaging apps, CNET’s Laura Hautala’s explainer is a life-saver.
When it comes to privacy, it’s hard to beat Signal’s offer. It doesn’t store your user data. And beyond its encryption prowess, it gives you extended, onscreen privacy options, including app-specific locks, blank notification pop-ups, face-blurring antisurveillance tools and disappearing messages.
Occasional bugs have proven that the tech is far from bulletproof, of course, but the overall arc of Signal’s reputation and results has kept it at the top of every privacy-savvy person’s list of identity protection tools. The Guardian, The Washington Post, The New York Times (which also recommends WhatsApp) and The Wall Street Journal all recommend using Signal to contact their reporters safely.
For years, the core privacy challenge for Signal lay not in its technology but in its wider adoption. Sending an encrypted Signal message is great, but if your recipient isn’t using Signal, then your privacy may be nil. Think of it like the herd immunity created by vaccines, but for your messaging privacy.
Now that Musk’s and Dorsey’s endorsements have sent a surge of users to get a privacy booster shot, however, that challenge may be a thing of the past.
Telegram
- Data linked to you: Name, phone number, contacts, user ID
- Free, forthcoming Ad Platform and premium features, funded mainly by founder
- Only partially open-source
- Encryption: MTProto
Telegram falls somewhere in the middle of the privacy scale, and it stands apart from other messenger apps because of its efforts to create a social network-style environment. While it doesn’t collect as much data as WhatsApp, it also doesn’t offer encrypted group calls like WhatsApp, nor as much user data privacy and company transparency as Signal. Data collected by Telegram that could be linked to you includes your name, phone number, contact list and user ID.
Telegram also collects your IP address, something else Signal doesn’t do. And unlike Signal and WhatsApp, Telegram’s one-to-one messages aren’t encrypted by default. Rather, you have to turn encryption on in the app’s settings. Telegram group messages also aren’t encrypted. Researchers found that while some of Telegram’s MTProto encryption scheme was open-source, some portions were not, so it’s not completely clear what happens to your texts once they’re in Telegram’s servers.
Telegram has seen several breaches. Some 42 million Telegram user IDs and phone numbers were exposed in March of 2020, thought to be the work of Iranian government officials. It would be the second massive breach linked to Iran, after 15 million Iranian users were exposed in 2016. A Telegram bug was exploited by Chinese authorities in 2019 during the Hong Kong protests. Then there was the deep-fake bot on Telegram that has been allowed to create forged nudes of women from regular pictures. Most recently, its GPS-enabled feature allowing you to find others near you has created obvious problems for privacy.
I reached out to Telegram to find out whether there were any major security plans in the works for the app, and what its security priorities were after this latest user surge. I’ll update this story when I hear back.
WhatsApp
- Data linked to you: Too much to list (see below)
- Free; business versions available for free, funded by Facebook
- Not open-source, except for encryption
- Encryption: Signal Protocol
Let’s be clear: There’s a difference between security and privacy. Security is about safeguarding your data against unauthorized access, and privacy is about safeguarding your identity regardless of who has access to that data.
On the security front, WhatsApp’s encryption is the same as Signal’s, and that encryption is secure. But that encryption protocol is one of the few open-source parts of WhatsApp, so we’re being asked to trust WhatsApp more than we are Signal. WhatsApp’s actual app and other infrastructure have also faced hacks, just as Telegram has.
Jeff Bezos’ phone was famously hacked in January of 2020 through a WhatsApp video message. In December of the same year, Texas’ attorney general alleged — though has not proven — that Facebook and Google struck a back-room deal to reveal WhatsApp message content. A spyware vendor targeted a WhatsApp vulnerability with its software to hack 1,400 devices, resulting in a lawsuit from Facebook. WhatsApp’s unencrypted cloud-based backup feature has long been considered a security risk by privacy experts and was one way the FBI got evidence on notorious political fixer Paul Manafort. To top it off, WhatsApp has also become known as a haven for scam artists and malware purveyors over the years (just as Telegram has attracted its own share of platform abuse, detailed above).
Despite the hacks, it’s not the security aspect that concerns me about WhatsApp as much as the privacy. I’m not eager for Facebook to have yet another piece of software installed on my phone from which it can cull still more behavioral data via an easy-to-use app with a pretty interface and more security than your regular messenger.
When WhatsApp says it can’t view the content of the encrypted messages you send to another WhatsApp user, what it doesn’t say is that there’s a laundry list of other data that it collects that could be linked to your identity: Your unique device ID, usage and advertising data, purchase history and financial information, physical location, phone number, your contact information and that of your list of contacts, what products you’ve interacted with, how often you use the app, and how it performs when you do. The list goes on. This is way more than Signal or Telegram.
When I asked the company why users should settle for less data privacy, a WhatsApp spokesperson pointed out that it limits what it does with this user data, and that the data collection only applies to some users. For instance, financial transaction data collection would be relevant only to those WhatsApp users in Brazil, where the service is available.
“We do not share your contacts with Facebook, and we cannot see your shared location,” the WhatsApp spokesperson told CNET.
“While most people use WhatsApp just to chat with friends and family, we’ve also begun to offer the ability for people to chat with businesses to get help or make a purchase, with health authorities to get information about COVID, with domestic violence support agencies, and with fact checkers to provide people with the ability to get accurate information,” the spokesperson said. “As we’ve expanded our services, we continue to protect people’s messages and limit the information we collect.”
Is WhatsApp more convenient than Signal and Telegram? Yes. Is it prettier? Sure. Is it just as secure? We won’t know unless we see more of its source code. But is it more private? Not when it comes to how much data it collects comparatively. For real privacy, I’m sticking with Signal and I recommend you do the same.