Bytes and Beyond
It’s time to leave WhatsApp behind
Effective May 15, 2021, Facebook is changing the WhatsApp terms of service. A significant change concerns the sharing of user data. For now, users are presented with an alert message which they have to dismiss every day. On May 15, accepting the changes will become mandatory. The only alternative is to move on to another instant messenger. Luckily, there are plenty of instant messengers which prioritize their users' security.
What's going on with WhatsApp and Facebook?
The nature of the changes is actually up to some debate. Facebook claims that the changes are minimal. However, critics point out that Facebook is giving itself permission to transfer WhatsApp data to the "mothership."
Apart from sharing user data, WhatsApp plans to use users' IP addresses and phone numbers to estimate their current location. Another upcoming change is the introduction of business chats through external servers. This means that personal data may be processed by third parties.
Facebook is certainly choosing a peculiar moment for these changes: Two current lawsuits in the US allege anticompetitive practices, calling for Facebook to sell off Instagram and WhatsApp. The implication is that Facebook may want to quickly merge the data in order to later claim that a separation is no longer possible.
But aren't WhatsApp chats secure?
Even though WhatsApp encrypts both one-to-one and group chats in such a way that nobody can eavesdrop on conversations (end-to-end encryption), many privacy concerns remain. WhatsApp will only work after uploading its users' address books to its servers. While this enables the app to match WhatsApp users, nobody knows exactly what data WhatsApp collects in the process.
WhatsApp also gathers a lot of user information by analyzing metadata. The company may not be able to intercept what its users are talking about, but it certainly sees that they are talking. Images and status messages also remain unencrypted.
When users click on web links within a chat, these URLs are logged and tracked. All this data is useful to aggregate detailed user profiles. If you know who's talking with whom and what links they share, knowing what they are talking about may no longer be relevant.
Alternatives to WhatsApp
There is a saying: "If you are not paying for it, you're not the customer; you're the product being sold." But do WhatsApp's competitors fare any better in the privacy department?
At the moment, WhatsApp has three main competitors. Threema is the oldest one of the bunch, Signal is the new kid on the block, and Telegram gets good press. All of them are available for Android as well as iOS.
Signal has a sugar daddy
Even though Signal has only recently started to gain popularity as a WhatsApp alternative, it's been around since 2014. Just like WhatsApp, Signal securely encrypts both individual and group chats. Like WhatsApp, Signal is free.
Huh? Didn't I just claim that a free app means that the user is the product? Well ... every rule has its exception. Signal is being produced by a foundation funded with donations. In 2018, the foundation received 50 million USD from Brian Acton, one of the founders of WhatsApp (oh, the irony). You may not be able to match that with your own donation, but every bit helps.
Signal consistently follows a privacy-centric approach. For instance, while Signal does access the user's address book, it does not upload everything, but merely hash values of the phone numbers contained therein.
What the hash is a hash?
Let me briefly explain hashes because it's going to come up again later: Instead of sending raw address data to its servers, Signal takes the phone numbers and computes a hash value from each of them.
Cryptographic hashes are a one-way street, i.e. there is no way to compute a phone number back from its hash value. On the other hand, hash values are consistent, i.e. if three devices compute a hash value from the same phone number, the result will always be the same hash.
By comparing the hash values from your address book with others on its server, Signal can tell you which of your contacts are using the app without the central servers knowing the numbers themselves.
While this approach is far from perfect (phone number hashes can be cracked), it still beats WhatsApp uploading its users' full address book to its servers.
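The matching step and the caveat above, shown as an added example (not Signal's own code): the first function intersects hashed contacts with the server's list, the second shows why a hash of a phone number hides little when the set of possible numbers is small. SHA-256, the function names and the fictional 555-01xx numbers are assumptions made for illustration.

```python
import hashlib

def phone_hash(number: str) -> str:
    # SHA-256 is an assumption for illustration; the article does not say
    # which hash function any messenger uses.
    return hashlib.sha256(number.encode("ascii")).hexdigest()

def discover_contacts(address_book, registered_hashes):
    """Contact matching: only hashes leave the device, the server intersects."""
    uploaded = {phone_hash(n): n for n in address_book}   # computed on the client
    matched = uploaded.keys() & registered_hashes          # done on the server
    return sorted(uploaded[m] for m in matched)            # client maps hashes back

def recover_number(target_hash, prefix, digits):
    """Hash every number that can follow `prefix` and return the one that matches.

    The hash is never inverted; the input space is simply small enough
    to try in full (10**digits candidates).
    """
    for i in range(10 ** digits):
        candidate = f"{prefix}{i:0{digits}d}"
        if phone_hash(candidate) == target_hash:
            return candidate
    return None

# Constructed sample data (fictional numbers, not real subscribers).
ADDRESS_BOOK = ["+15555550101", "+15555550142", "+15555550199"]
SERVER_HASHES = {phone_hash("+15555550142"), phone_hash("+15555550177")}

if __name__ == "__main__":
    # Which of my contacts use the app?
    print(discover_contacts(ADDRESS_BOOK, SERVER_HASHES))
    # What a party holding only the hash can learn: 10,000 tries suffice here.
    print(recover_number(phone_hash("+15555550142"), "+1555555", 4))
```

The weakness lies in the input, not in the hash function: every client has to compute the same value for the same number, so the hash cannot carry a per-user secret, and the range of valid phone numbers is small enough to enumerate.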
Switching from WhatsApp to Signal
WhatsApp refugees are likely to find the switch fairly easy: Apart from securely encrypted texts, Signal also supports encrypted voice and video chats. All that's really missing is the Status feature.
Then again, some differences do take getting used to: The contacts tab will also list users who don't use Signal. If you send them a text message, it will be sent out as an (unencrypted) SMS.
Signal's backup strategy is also unusual, since it requires a 30-digit (!) numeric passphrase. To recover your Signal ID on a different device, you have to protect it with an eight-digit PIN code. Signal will periodically ask you for this PIN to make you memorize it.
Telegram: a bot's best friend
Telegram was launched in 2013 and has become popular mainly because of its support for "bots" and other automation features. Bots and their associated channels are a great way to set up real-life meet-ups or gaming sessions.
Users looking for privacy are probably not going to be very happy with Telegram. In December 2020, Telegram's founders announced the development of an advertising platform and the intent to eventually provide paid add-on services.
In addition, the app has been subject to several security breaches, the worst of them exposing 42 million user records to the public. By default, all communication carried out via Telegram is stored in unencrypted form on the company's servers. Individual chats can be set as "secret," but channels and group chats will always be public.
Telegram's user interface is fairly intuitive. Dealing with channels may take a bit of getting used to, but most bots come with instructions. Overall, Telegram is very useful to coordinate groups who don't require any privacy – Ingress and Pokémon Go gamers make heavy use of the channels to hook up for joint tasks.
Threema and its little green dots
Threema was founded in Switzerland in 2012. It's a paid app which costs between 2 and 3 USD, depending on whether a sale is going on. Threema prides itself on its consistent focus on privacy: Among the four messaging apps presented here, it is the only one which requires neither a phone number nor an e-mail address for registration.
Threema's name is derived from its three levels of verification. An unknown contact will appear with a single red dot. Two orange dots identify a person whose phone number appears in your address book. To reach the maximum trust level of three green dots, users have to scan a fellow user's QR code from their phone.
The choice to synchronize address book data with Threema's servers is completely optional. If enabled, it will send hashes of e-mail addresses and telephone numbers to match the IDs of other users. The company is rather upfront about the fact that these hashes are, by necessity, not perfectly secure, but that's still a significant improvement over WhatsApp's practices.
Threema supports individual and group chats as well as voice and video chats. For some time, voice chat quality was significantly inferior to WhatsApp's implementation, but this has recently improved considerably. Threema users can create surveys, for instance to coordinate lunch times or gaming sessions.
It has three backup methods: a local one and two cloud-based alternatives. Cloud-based Threema Safe backups even work across platforms: An Android backup will seamlessly import into the iOS version and vice versa.
Signal, Threema and Telegram are not the only WhatsApp alternatives in town – not by a long shot. Wikipedia's table of cross-platform instant messengers lists 45 active apps in total without even including Microsoft Teams.
Two privacy-conscious alternatives which may be worth a look for you are Element and Wire. Element implements the Matrix protocol which supports fully-encrypted individual and group chats. Wire is very stylish, but hobbled by a small user base.
So ... what to do?
There are plenty of reasons to move away from WhatsApp, but as long as many of your friends don't use anything else, you'll probably be stuck with it for the short term. That's no reason to give up on migrating, though.
The hard question is where to migrate to. In the end, it will depend on your contacts. Many friends are going to be more likely to move to Signal because it's "free." For less technically-inclined friends, it's a good idea to help them set up Signal. You're doing it for them as much as you're doing it for yourself.
Even though Threema has exemplary privacy credentials, its appeal is mostly limited to Europe. The common counter-argument "but it costs money" can be easily undermined by simply offering to foot the bill for friends. Most of them will grudgingly pay for the app themselves.
For the transitional period where you're still stuck with WhatsApp, Android users can set up WhatsApp within a separate work profile and keep the contacts stored within this profile to a minimum. Recent Samsung devices also feature a "Dual Messenger" option to keep WhatsApp from accessing personal contacts (Settings > Advanced Features > Dual Messenger > Use separate contacts list).