WhatsApp’s new privacy policy and the mass migration of users to Signal

In case some of you guys have missed it, WhatsApp is updating its privacy policy and some users have already been confronted with the new consent screen that cannot be evaded - accept or stop using the app altogether.

Changes between the old and new privacy policies have been extensively reviewed here.

In an aggressive move to merge databases, the integration of WhatsApp with the parent company Facebook is going to pick up pace. It’s worth mentioning that Facebook promised to maintain the independence of the two brands when they acquired WhatsApp in 2014. The most important change in the privacy policy of WhatsApp is that in addition to message metadata, the following will be data-mined by Facebook in unencrypted form: messaging, calling, status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information.

Interestingly, Facebook has not been able to pull this off as discreetly as they presumably had hoped, and as is usually the case when BigTech updates privacy policies. Many users were annoyed with these intrusive changes and are now exploring other instant messaging platforms.

The most popular choice is the privacy messenger app Signal. Signal has been around since 2013 and has been especially popular among civil activists and journalists wary about government surveillance (notably, Hong Kong and Black Lives Matter). Edward Snowden and Laura Poitras have long stated that they regularly use the app. Elon Musk endorsed Signal on January 8, precipitating an unprecedented surge in interest in the platform and causing temporary problems with service. (Signal assures these have been addressed and solved.)

But how do we know Signal is not going to be the same as WhatsApp only a few years later? How will they evade the acquisition trap that has plagued successful online services (Instagram before WhatsApp) for years? Well, Signal is not a company, but a non-profit organization (called a 501c3 nonprofit) funded by donations. This means they are not traded on the stock market and they cannot be “acquired”. The Signal protocol is a strong encryption mechanism that has been extensively peer-reviewed. In fact, WhatsApp adopted the Signal protocol for their own end-to-end encryption and Tutanota uses it for their fully encrypted e-mail service. Encryption has been hard-wired into Signal code since the start, including contact lists, so that even if Signal had any interest in selling their users’ data, they could not decode it. Also, Signal’s code is open-source - this means it is available for anyone to download from GitHub and modify to make their own version. So even if they were to “sell” Signal, theoretically, someone could just make a new version of the same app the next day that everyone could move over to. Really the only drawback with Signal is their location in the US - this makes them theoretically vulnerable to US governmental bullying.

There are some other alternatives out there. Telegram is clearly one, much more widespread in Europe than Signal. Telegram has two major issues: first, knowledgeable people don’t seem to trust their encryption protocols as much as Signal’s. Second, Telegram places a larger focus on user experience, which is why encryption is not turned on by default - you have to initiate “secret chats”. These issues aside, so far there has been no reason to mistrust Telegram. It is worth noting, though, that Pavel Durov, the owner and manager of Telegram, recently announced the introduction of ads to be able to fund the growing service. A clear downside of the commercial business model.

I would like to mention a third alternative, Threema. The Swiss company has been around since 2012, their user base seeing two dramatic increases, one after the Snowden revelations in 2013 and one as Facebook acquired WhatsApp in 2014 :-) Their largest user base is in Germany and the company as well as its servers are located in Switzerland, an obvious advantage of this platform when it comes to the surrounding legal landscape regarding data privacy. Furthermore, Threema is the only one of the four services discussed that does not require a phone number from its users (this is optional to facilitate connecting with contacts). Obviously this is a big boost to privacy. On the downside, the Threema app has a one-time fee in the app store and its code is not open source.

My personal commentary: I haven’t used Signal much (very few of my contacts use it); I am using the other apps discussed here on a regular basis. Still, to me it seems that Signal would currently be best suited to replace WhatsApp, because of its very secure and extensively reviewed architecture and the current hype around it. Let’s not forget, a deciding factor for these platforms is the number of users already on them! This “dead weight” is also what is still carrying WhatsApp, even though other services have long bypassed it in both user experience (Telegram) and security (Signal).