How WhatsApp, Threema, Signal and Telegram differ in terms of data protection and security – an analysis

Element, WhatsApp, Threema, Signal, Telegram, Viber, Wickr Me and Wire are not rock bands or fashion labels; they are instant messengers that enable the immediate exchange of text, video or voice messages with one or more recipients over the Internet.[1],[2] Thanks to smartphones, these messengers have become extremely popular in both private and business contexts, since they allow data to be shared in no time. WhatsApp's announcement at the beginning of this year that its terms of use would be updated brought the data protection and security of messengers to the fore. WhatsApp wants to share the collected data with other Facebook companies such as Instagram. But what does this mean for WhatsApp users? How secure are messengers in general? And how are the messages securely stored and transmitted?

This article compares four popular messengers – WhatsApp, Threema, Signal, and Telegram – to answer these questions.[1]-[3]

Figure 1: Which of the popular messengers WhatsApp, Signal, Threema or Telegram scores best in terms of data protection and security? [4]

What makes a messenger secure?

At first glance, WhatsApp, Threema, Signal and Telegram hardly differ in appearance and handling. But if you take a closer look, clear differences surface. The four messengers differ in the following points, which are also summarized in Table 1: [1]

  1. Privacy protection (use of meta and telemetry data)
  2. Financing the application
  3. Transparency of the source code (open source)
  4. End-to-end encryption of the transmitted message
  5. Storage of message histories
  6. Architecture
  7. Service provider who operates the server
  8. Jurisdiction

Table 1: WhatsApp, Threema, Signal and Telegram hardly differ in appearance and function, but they contrast significantly in terms of data protection and security. The graphic is adapted from [1].

Threema can be used without personal information

When using a messenger, the question arises whether the user is anonymous to other users as well as the provider, i.e. whether personal information such as name, telephone number or email address is disclosed. When it comes to protecting privacy, the messengers differ greatly. The service of Threema is the only one that can be used without any disclosure of personal information. Only a randomly generated ID (QR code) is displayed to the other user. Other services such as Signal, WhatsApp and Telegram require the registration of a cell phone number or e-mail address.[1]

WhatsApp uses metadata and telemetry data for profiling

WhatsApp collects and stores GPS, time and date stamps – so-called metadata – of the messages it delivers. This means that WhatsApp can associate a phone number with a time and a location. The app also saves telemetry data such as usage and diagnostic information. The metadata and telemetry data help to create a profile of each user, a practice known as “profiling”. Telegram also collects metadata and telemetry data, and it is unclear how these data are treated.[5],[6] In contrast, Threema and Signal do not collect metadata.[7],[8]

The non-profit organization “Signal Technology Foundation” finances the Signal service

WhatsApp is owned by the Facebook group, which finances itself through the sale of individually tailored advertising. Detailed user information is essential to this business model, because it is used for marketing purposes. Therefore, the metadata collected by the WhatsApp application are combined with data from other Facebook services in order to refine the profiling of a user.[5],[6] Threema, which was founded and is operated by the Swiss company Kasper Systems GmbH, is financed through app sales, and Telegram is financed by private Russian investors. Signal’s service is provided by the non-profit organization “Signal Technology Foundation”, which aims to enable “freedom of expression” and “secure global communication”.[9]

The end-to-end encryption of Signal and Threema cannot be bypassed

Threema, Signal and WhatsApp use end-to-end encryption to secure the transmitted messages, and their implementations differ only slightly at the technical level. Signal and WhatsApp even both use the Signal protocol.[8],[10],[11] With end-to-end encryption, the messages and data to be transmitted are encrypted on the sender's side and only decrypted again on the recipient's device. Therefore, only the sender and recipient can read the message, but not the service provider. This encryption is state of the art and follows the zero-knowledge principle.[8],[10],[11]

Figure 2: Signal, Threema and WhatsApp protect the message content from third parties through end-to-end encryption. [4]

A Telegram user can optionally activate end-to-end encryption for individual chats, but it is deactivated by default and not even available for group chats.[1],[2] In addition, Telegram stores the transmitted messages long-term and unencrypted on a server by default. Therefore, the operator can read them at any time. With the other services, such as Signal and Threema, the encrypted messages are only stored temporarily on the server. As soon as a message has been delivered, it is deleted. Thanks to the zero-knowledge protocol, Signal can use server infrastructure with weak data protection, since this encryption does not allow any conclusions to be drawn about the users and the actions they perform.[8],[10],[11]

Signal and Threema ensure that end-to-end encryption cannot be bypassed. For example, these services do not allow copies or storage of unencrypted messages on the server. In contrast, WhatsApp allows the creation of unencrypted backups on cloud computer services such as Google Cloud or iCloud. [1]

Signal’s and Threema’s source codes are audited by independent experts

An interesting fact about Signal is that the source code of the application is free and accessible to everyone as “open source”. Therefore, the application is audited and verified by many independent parties, including leading cryptologists. Signal is continuously improving its service based on these analyses. Threema has just recently released its source code to the IT community for evaluation. Telegram’s source code is also open source. However, not much is known about how independent auditing is implemented.[8],[10],[11]

Threema and Signal make it easier to detect man-in-the-middle attacks

If an attacker sits between two communication partners, he often has complete control over the data traffic between the participants and can thus manipulate the exchange of information at will – a so-called man-in-the-middle attack.[12] To protect against such attacks, Threema enables the exchange of a personal key. To do this, the communication partners have to meet and verify each other in person by scanning their QR codes.[1] Signal also allows so-called security numbers to be checked via an out-of-band channel (not Signal, but for example via telephone). If these security numbers match those of the communication partner, a man-in-the-middle attack can be ruled out.[13],[14]
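The out-of-band check described above, as an added Python sketch that is not part of the original article and is not Signal's or Threema's actual algorithm. The key labels, the `ROUNDS` value and the digit encoding are assumptions chosen for illustration; the point is that a substituted key makes the two devices display different numbers.

```python
import hashlib

ROUNDS = 5200  # assumption for this sketch: iterated hashing to slow brute force


def key(label: str) -> bytes:
    """Constructed stand-in for a 32-byte public identity key."""
    return hashlib.sha256(label.encode()).digest()


def fingerprint(identity_key: bytes, user_id: str) -> str:
    """30-digit fingerprint of one party's public key, bound to their ID."""
    digest = user_id.encode() + identity_key
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = (int.from_bytes(digest[i:i + 5], "big") % 100_000
              for i in range(0, 30, 5))
    return "".join(f"{g:05d}" for g in groups)


def security_number(own_key, own_id, peer_key, peer_id) -> str:
    """Sort the two fingerprints so both devices display the same 60 digits."""
    return "".join(sorted([fingerprint(own_key, own_id),
                           fingerprint(peer_key, peer_id)]))


def compare_views(mitm: bool):
    """Return the numbers Alice and Bob each see, with or without key substitution."""
    alice, bob, attacker = key("alice"), key("bob"), key("attacker")
    # The key each device *received* for its peer over the network.
    bob_as_seen_by_alice = attacker if mitm else bob
    alice_as_seen_by_bob = attacker if mitm else alice
    alice_view = security_number(alice, "alice", bob_as_seen_by_alice, "bob")
    bob_view = security_number(bob, "bob", alice_as_seen_by_bob, "alice")
    return alice_view, bob_view


if __name__ == "__main__":
    for mitm in (False, True):
        a, b = compare_views(mitm)
        print(f"MITM={mitm}: Alice reads {a[:10]}..., Bob reads {b[:10]}..., "
              f"match={a == b}")
```

The comparison only protects the users if the two numbers are read over a channel the attacker does not control, which is why the article names a telephone call or a personal meeting.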

Telegram stores the data centrally on its servers

Threema, Signal and WhatsApp store data such as contact lists, groups and user profiles decentrally, directly on the end devices, and do not manage them on a central server. If Threema users change their smartphone, for example, they have to make a backup themselves and then re-import the data. The advantage is that only the user himself has access to it. However, if the smartphone is stolen without a backup being saved, all data is lost. Signal and WhatsApp also save their data decentrally on the smartphone, and restoration is not possible without a backup. With Telegram, users can log in from anywhere in the world and have access to their chats. This is only possible because the data is stored centrally on the servers.[1]

Jurisdiction

Jurisdiction is a final point that cannot be omitted from the analysis. Depending on the country whose jurisdiction the service is subject to, the authorities may access the data of the service providers, even if the data is not stored in the respective country. The jurisdiction of WhatsApp and Signal lies with the USA, that of Threema with Switzerland and that of Telegram probably with Russia. The CLOUD Act – an American law that came into force in 2018 – obliges American companies and IT service providers to guarantee the authorities access to stored data, even if the data is not stored in the USA.[1]

Conclusion – Signal and Threema are far superior to WhatsApp and Telegram in terms of data protection and security

Signal, Threema and WhatsApp only differ slightly in terms of security. All three services have state-of-the-art end-to-end encryption of their messages. But when it comes to data protection, there are major differences. Threema is clearly one step ahead. It is the only service that can be used anonymously, i.e. without providing personal data such as phone number or e-mail address. Signal is also designed for data protection because, like Threema, it does not collect meta and telemetry data, but personal information is still required.

WhatsApp is very weak in terms of data protection. WhatsApp’s privacy policy provides for the use of user data as well as meta data and telemetry data, which are used in combination with other Facebook applications for advertising purposes. The telemetry data in particular must be viewed very critically. Telegram is a messenger that cannot be considered secure under any common definition, as the messages are not end-to-end encrypted by default and are stored on a server for a long time, where they could be read by the service provider or possible attackers.

In conclusion: Threema and Signal are superior to WhatsApp and Telegram in terms of data protection and security. Or, as Edward Snowden put it when explaining why he uses Signal: “I use it every day and I’m not dead yet.” [15]

References

[1] Threema, “Messenger-Vergleich – Erfahren Sie, wie sich die beliebtesten Chat-Apps voneinander unterscheiden.”, 2021. https://threema.ch/de/messenger-vergleich, retrieved 17 February 2021.

[2] M. Williams, “Secure Messaging Apps Comparison”, 2021. https://www.securemessagingapps.com, retrieved 17 February 2021.

[3] M. Mehner, “Sind Messenger wie Whatsapp oder Threema wirklich sicher?”, 2021. https://www.messengerpeople.com/de/sind-messenger-wie-whatsapp-oder-threema-wirklich-sicher, retrieved 17 February 2021.

[4] Attributed to “Technology vector created by pch.vector – www.freepik.com” (https://www.freepik.com/vectors/technology) and “Clouds vector created by vectorjuice – www.freepik.com” (https://www.freepik.com/vectors/clouds).

[5] M. Spehr, “Facebook und Whatsapp: Die geheime Macht der Metadaten”, Frankfurter Allgemeine, 2020. https://www.faz.net/aktuell/technik-motor/digital/facebook-und-whatsapp-die-geheime-macht-der-metadaten-16762262.html, retrieved 18 February 2021.

[6] D. Fischer, “WhatsApp ist alles andere als geheim – womit uns der Messenger ausspioniert”, 2020. https://www.smartdroid.de/whatsapp-metadaten-verschluesselung-spionage, retrieved 18 February 2021.

[7] J. Lund, “Technology preview: Sealed sender for Signal”, 2018. https://signal.org/blog/sealed-sender/, retrieved 18 February 2021.

[8] Threema, “Threema. Cryptography Whitepaper”, 2020. https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf, retrieved 16 February 2021.

[9] “Signal Technology Foundation”. Nonprofit Explorer. Pro Publica Inc., retrieved 6 June 2019.

[10] T. Perrin, M. Marlinspike, “The X3DH Key Agreement Protocol”, 2016. https://signal.org/docs/specifications/x3dh/, retrieved 17 February 2021.

[11] M. Tremmel, S. Grüner, “Warum es okay ist, dass Signal Google-Server nutzt”, 2021. https://www.golem.de/specials/instantmessenger, retrieved 17 February 2021.

[12] T. Grüner, “Was ist eigentlich eine Man-in-the-Middle-Attacke?”, 2018. https://blog.to.com/man-in-the-middle-attacke/, retrieved 18 February 2021.

[13] Signal, “What is a safety number and why do I see that it changed?”, 2021. https://support.signal.org/hc/en-us/articles/360007060632-What-is-a-safety-number-and-why-do-I-see-that-it-changed-, retrieved 18 February 2021.

[14] M. Marlinspike, “Simplifying OTR deniability.”, 2013. https://signal.org/blog/simplifying-otr-deniability, retrieved 17 February 2021.

[15] E. Snowden, Twitter, 2021. https://twitter.com/Snowden/status/1347217810368442368?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1347217810368442368%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fwww.indiatoday.in%2Ftechnology%2Fnews%2Fstory%2Fhow-secure-is-signal-it-s-good-enough-for-edward-snowden-so-good-enough-for-you-1757596-2021-01-10, retrieved 18 February 2021.
