WhatsApp stepped-up its security game by rolling out end-to-end encryption for its 700 million users earlier this year. Open Whisper System’s Signal, released in 2014, is relatively new to the game but has amassed a lot of security focused disciples owing to its great encryption. For the uninitiated, many of the private messaging apps like WhatsApp, Facebook Messenger, Google Allo use Open Whisper System’s secure protocol to enforce encryption. For the average user, if all these messaging apps already sport Open Whisper system’s strong encryption, why so much fuss in switching over to Signal? So, today I’ll point out 5 security reasons to switch from WhatsApp to Signal:
1. WhatsApp Doesn’t Encrypt Metadata
Let me give you a quick heads-up on what metadata means. From Techterms.com: “Metadata describes other data. It provides information about a certain item’s content. For example, an image may include metadata that describes how large the picture is, the colour depth, the image resolution, when the image was created, and other data.”
Similarly, in the context of messaging, metadata means the data about the actual text message which may include the sender’s phone number, recipient’s phone number, date and time of the message. At first glance, it’s easy to discard messages metadata as it might seem trivial. But make no mistake. Using metadata, researchers can create a network that describes with whom and when the individual communicates. For instance, back in 2013, Microsoft’s research team published a paper, which described a system to discern your age, gender, sexuality solely on the basis of things you liked on Facebook. Pretty creepy, right?
Similarly, while WhatsApp cannot read your actual message, it can hand over the metadata of the message to comply with the laws. The law authorities may analyse this data to find out the date, time and all the people you’ve been in contact with. Signal, the good-guy takes pride in acknowledging that it encrypts this metadata, so when time comes, it virtually has nothing substantial to hand over.
2. WhatsApp Lacks In-app Encryption
WhatsApp enabled end-to-end encryption for the messages that go through the internet but missed a basic functionality — no encryption for the messages stored on your phone. So what good is encryption for messages over the network if somebody happens to steal your device without a passcode? They can obviously go through all your messages.
To combat this, Signal encourages you to set-up a passphrase of your own. Then, all text messages in Signal are encrypted with your passphrase before being stored locally. You can also choose to lock Signal automatically after a certain amount of time.
3. WhatsApp’s Online Backups Are Unencrypted
Backing up your WhatsApp messages to your Google Drive can come very handy. After all, there’s no telling when your phone could fail you or even worse, get stolen. Restoring messages from Google Drive could prove as a lifesaver in those situations. Unfortunately, storing your data in the cloud poses an even bigger risk when it comes to security. As backup data is stored in Google Drive, your Google credentials are the single layer of security here. Don’t trust me? See this screenshot from WhatsApp settings, which clearly says that messages you backup are not protected by end-to-end encryption while in Google Drive:
If God forbid, your Gmail gets hacked, or if Google has to comply with a warrant, remember all your conversations are going to be exposed. But that is not all. Even if you have online backups disabled, but the other party you’re conversing with has it enabled, you’re going down, too. You know the time when you’ve to suffer for other’s faults? Yes, this is one such moment.
Signal solves this problem by well, not providing a fully-featured backup option. It only includes a simple manual backup/restore to plain text option if you need.
This may not be the most convenient option, but in the end, it all boils down to one single thing: features vs security. And Signal does what it does best — focusing on security.
4. WhatsApp is Proprietary (And Owned by Facebook!)
End-to-end encryption provides only one side of the story. For the complete picture, it’s necessary to understand how the encryption has been integrated. With closed source apps like WhatsApp, it’s next to impossible to review the code and see how well the encryption has been integrated. On the other hand, Signal’s code base is open source and can be analysed by researchers to find if security measures are enforced properly.
Furthermore, Facebook owns WhatsApp, and Facebook’s business model is based on advertising. Remember, how in August WhatsApp declared that they’ll be sharing some of your data with the parent company Facebook? Primarily, it shared your phone number to offer better friend suggestions and of course, more relevant ads! Even if you opted-out during the 30-day period, it still shared some data with Facebook.
In contrast, Open Whisper Systems is a non-profit community of volunteers, as well as a small team of dedicated grant-funded developers.
5. Signal has Better Security-focused Settings
I’d also like to point out two little security-focused settings that Signal has. The first one is “Disappearing messages“, which stays true to its name and lets you send self-destructing messages. You have the option to send messages, which self-destruct after 5 seconds to all the way up to a week.
The second one is “Screen security“, which prevents anyone from taking a screenshot of your conversation. Obviously, it is not fool-proof as someone could always take a picture from another phone.
Also, your conversation does not show a preview in the Signal window, when you hit the recent/multitask button on Android. Refer the below picture for better understanding.
Although these two are not headline-grabbing features, little details like these are why I’m inclined towards Signal.
Exactly How Secure is Signal?
Signal provides top-grade encryption, the reason why even NSA whistleblower Edward Snowden recommends using it. If you really want to know what data Signal can share about you, if the time comes, it’s this: the time of your Signal account creation and the date of last connection to Signal’s servers, that too with reduced precision to a day. That’s pretty much it. No, really. Not even metadata, let alone actual message content. For reference, Signal was subpoenaed recently and here’s the information they disclosed.
So Are You Making the Switch to Signal?
These were my five security reasons on why you should switch to Signal. From a security perspective, Signal emerges as a clear winner. If you’re looking for more featured-pack experience, you are probably better off with WhatsApp or Telegram. However, if you’re paranoid about your privacy, make the switch to Signal today!