“There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.” -Bruce Schneier
For the last couple of months, “End to End Encryption” has been the buzzword dominating the airwaves. With reports of private chats of celebrities , on discarded devices, on Whatsapp becoming the talk of the town. It was time to finally address the elephant in the room- What about Whatsapp’s promise of End-to-End Encryption and if it is not safe enough what are the alternatives?
WhatsApp is the most popular communications app on the planet with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as its default for messaging in 2016.
It was done in cooperation with Moxie Marlinspike’s Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have both used the protocol, which is the gold standard in encrypted communications. Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation’s flagship Signal app provides fully-fledged and easy to use secure communications in its own right.
Here are some reasons why one should probably take the leap from Whatsapp from Signal:
1. Signal is more up to date with Security features.
Signal has the lead when it comes to rolling out new security features. Case in point being, Signal debuted disappearing messages– messages which are automatically deleted after a stipulated amount of time– back in 2016 while Whatsapp is still testing this feature with a selected number of users.
Several other mainstream and beta features that Signal has over WhatsApp users include one time view media messages, encrypted profiles for users, an incognito keyboard switch for Android to keep Gboard to prevent your device from sending your type history back to the peering eyes of Google, and also backups that don’t default to unencrypted storage in i Cloud or Google Drive. Signal also has a very dedicated clientele in Linux desktop users – which is more appealing to those in the security and data analysis fields, while WhatsApp directs them to its web app.
2. Signal possibly has less potential for hidden vulnerabilities
For starters, Whatsapp with it’s much larger user base is a much more attractive target for malicious actors, but the fact that Whatsapp’s code base is a completely closed box means that vulnerabilities possibly require more time to be detected.
But WhatsApp’s closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they’re exploited. A startling example was a vulnerability in WhatsApp’s VoIP stack, used by intelligence agencies to inject spyware in 2019.
3. Signal is COMPLETELY open source
Signal’s source code, in its entirety, is published for anyone to examine and use under a GPLv3 license for clients and an AGPLv3 license for the server. This means that one can see what’s going on inside it – or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they’re looking for.
4. One can run one’s own Signal Server
In what is another advantage of an open source code base- one can tinker with it on it’s own, if that’s what one’s into and has the required expertise. The layman would probably never need or use one’s own Signal server for either one’s business or private use but it’s good to know you have the option just in case. It’s designed as a mass communications platform and isn’t really intended to scale down, it’s a pain to build and there are currently no containerised versions for easy deployment.
5. Trust issues with Facebook.
Perhaps the most crucial reason to ditch Whatsapp, is it’s parent Facebook’s shady history with user privacy and data breaches.
Facebook has a truly appalling history in terms of data collection and handling, from the Cambridge Analytica scandal (shall we call it)to its long standing practice of sharing data about users with phone manufacturers.
Facebook has already proved that it can’t be trusted with WhatsApp user data that should, under EU law, have remained private. In 2017, European regulators penalised Facebook for sharing the WhatsApp users’ phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented.
WhatsApp co-developer Brian Acton, who left Facebook in 2017 and went on to co-found the Signal Foundation with Marlinspike, lashed out at Facebook’s approach to privacy and claimed that Facebook had coached him “to explain that it would be really difficult to merge or blend data between (WhatsApp and Facebook)” when giving information to EU regulators in 2014.
Facebook’s intention of using Whatsapp for advertising purposes, potentially compromising its security leading to Acton’s exit , sacrificing some $850 million in stock in the process. Acton’s compatriot and Whatsapp’s developer, Jan Koum, also exited Facebook over reported disputes regarding Facebook’s attempt to compromise encryption. Following this, Mark Zuckerberg has come out publicly to profess his faith in End to End Encryption and also vowed to add it to Facebook Messenger.
With that we rest our case, and leave for you to decide if you are ready to jump ship.
You can also check out Moxie Marlinspike’s blog at https//moxie.org/blog/ to read some fascinating blogs and gain insight into his philosophy regarding user privacy, data security and a lot more.