Privacy in messaging apps: A comparison

Introduction

If you own a smartphone, you have probably figured out that paying a telephone company 0.10 CHF to send a text message is quite ludicrous. Most people by now have moved to internet-based messaging services such as WhatsApp, but have you ever wondered how WhatsApp can be completely free (of cost) to use? Surely, the company behind it must have a lot of employees that manage their infrastructure?

The answer is, of course, that WhatsApp is owned by Facebook [1]. Facebook is harvesting user data not only for their own targeted advertising, but also to sell this data to third party companies, such as the political consulting firm Cambridge Analytica. This was very publicly covered by the media recently [2]. This is likely completely legal, as all Facebook users have agreed to this when clicking "accept" on the terms of service. Most services we use are able to collect an incredible amount of data about us. For a scary example, if you have an Android phone, Google keeps a record of every place you have been by tracking you with GPS. You can look at that map with this link [3]

This has many users questioning how safe these services are, if they have trustworthy encryption, and ultimately, if their privacy is respected at all. Fortunately, there are quite a few alternatives to WhatsApp with the same functionality. Following, we will show you how you can distinguish good services from bad ones, and we will present a few alternatives to WhatsApp.

Privacy & Encryption

The dictionary defines privacy as "the state of being free from unwanted or undue intrusion or disturbance in one's private life or affairs; freedom to be let alone" [4]. In the context of messaging apps, this boils down to your conversations being private, i.e. no one that you don't want to can see what you are talking about with your friends and family.

The only way to achieve this is by the use of encryption. However, we also have to differentiate between "bad" encryption and "good" encryption. If your messages are encrypted, but someone has a master key with which he or she can read all messages, this is of course still not safe. In the end, the only way to build trust in an encryption system is by reviewing the actual program code that is used. This is only possible if the application is "open source", i.e. if everyone can view the program code (the so-called source code) openly.

Decentralization

Decentralization is, well, the opposite of centralization. With centralization, the entire network is connected over a central point. Decentralization allows users to communicate "point to point", i.e. there is no single instance that has total control, but lots of smaller communication centers. An example for a centralized system is WhatsApp: if you send a message to someone, it goes to the central WhatsApp servers which then deliver your message to its recipients. An example for a decentralized system is a very old one: Email. You can send an email from and to any email address, be it from your employers company mail account, a university account, or even Googles Gmail.

Decentralized systems are generally preferable from a privacy point of view: Because no instance has total control, there is less potential for abuse like companies collecting your data or censorship. This blog post [5] is an interesting (albeit a bit dramatic) opinion on the topic.

WhatsApp

WhatsApp is certainly the most popular messaging service, which makes it the first choice for many users. However, Facebook’s ownership of WhatsApp makes it questionable if the users privacy rights are respected. Your user data is most likely being harvested for Facebook’s profit. It is also a completely closed system, with the apps being closed source and the network service being centralized. This gives us no reason to trust their encryption.

Telegram

Telegram is not only popular at ETH, but also worldwide. This is due to the fact that the available mobile apps for Android and iOS as well as the desktop apps (Windows, Mac, Linux) are very high quality and open source. Unfortunately, there are a few downsides: The server components of the system are proprietary, i.e. closed source. The company behind Telegram is also based in Russia, which gives them a bit of a dubious status, as articles such as these [6] show. Adding to that, chats are not encrypted by default, which leads to many users not using encryption at all.

Threema

Threema is a commercial, Swiss instant messaging service. According to the authors, it offers strong end-to-end encryption by default. Unfortunately, this cannot be publicly verified as neither the application nor the server source code are open. Although the fact that all data is stored on servers located in Switzerland (that are therefore subject to Swiss data protection laws) is nice, security and privacy aspects still cannot be verified independently. Since we have alternatives that are completely open source, there is not much justification to use Threema over them.

Signal

Signal is an instant messenger dedicated to secure communication and privacy. The complete source code of both the client and the server applications are openly available. Signal allows users to get access to secure, encrypted communication through a very easy to use app. If you just want a simple app that "just works", Signal is a good choice. Signal, however, still uses a centralized approach, where all communication goes over the central Signal servers, with no way to integrate other servers into the network.

Riot.im

Riot.im is a relatively new platform. It is based on the Matrix [7] protocol, which aims to be a secure, decentralized network for communication. Riot.im is the reference implementation of this protocol, available for Android and iOS, and via the web. It is growing quickly, and although everyone can (and is encouraged to) run their own servers, Riot.im provides a free to use service for everyone. The apps are not quite as polished some others, but they are being improved rapidly, with new features getting added at a very fast pace. If you are not afraid of some occasional rough edges, the Matrix network is an exciting option that aims to have every feature imaginable.

Conversations (XMPP)

Conversations is an implementation of the open XMPP protocol in an open source app. It is popular in certain privacy-focused circles, since everyone can host their own, decentralized XMPP server and have it communicate to the others. This way, your communications never pass other servers than those of the senders and receivers. There is no single point of failure and it is highly resistant against censorship, just like Matrix. Unfortunately, XMPP wider popularity is impeded by the complexity of running your own servers, and the fact that commercially run servers are necessary, if you do not want to host your own.

Conclusion

You probably have noticed that there is no single, optimal solution. Every system has its downsides. If you care about privacy and security, you might want to choose Riot.im, Signal or XMPP. Of those, Signal is probably the most easy to use, while Riot.im and Conversations (with XMPP) are decentralized and are much more feature-rich. If you just care about being able to talk to all your friends with one app, you are probably stuck with WhatsApp, since, in the end, if you cannot convince your friends to make the switch to another app with you, you will not be able to talk to anyone. However, in this day and age, where all major tech companies collect all the data they can get their hands on, we should really make an effort to save our privacy.

Sources:

- [1] "The Facebook Companies" (https://www.facebook.com/help/111814505650678/)

- [2] "Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users", https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html

- [3] https://www.google.com/maps/timeline?pb

- [4] Privacy (http://www.dictionary.com/browse/privacy)

- [5] "Achtung! Decentralize, decentralize, decentralize!" (https://drewdevault.com/2018/03/24/Decentralize-decentralize-decentralize.html)

- [6] "Telegram Loses Bid to Block Russia From Encryption Keys, Bloomberg" (https://www.bloomberg.com/news/articles/2018-03-20/telegram-loses-bid-to-stop-russia-from-getting-encryption-keys)

- [7] The Matrix network. (https://matrix.org/blog/home/)