This article compares four popular messengers – WhatsApp, Threema, Signal, and Telegram – to answer these questions.-
Figure 1: Which of the popular messengers WhatsApp, Signal, Threema or Telegram scores best in terms of data protection and security? 
What makes a messenger secure?
At first glance, WhatsApp, Threema, Signal and Telegram hardly differ in appearance and handling. But if you take a closer look, clear differences surface. The four messengers differ in the following points, which are also summarized in Table 1: 
- Privacy protection (use of meta and telemetry data)
- Financing the application
- Transparency of the source code (open source)
- End-to-end encryption of the transmitted message
- Storage of message histories
- Service provider who operates the server
Table 1: WhatsApp, Threema, Signal and Telegram hardly differ in appearance and function, but they contrast significantly in terms of data protection and security. The graphic is adapted from.
Threema can be used without personal information
When using a messenger, the question arises whether the user is anonymous to other users as well as the provider, i.e. whether personal information such as name, telephone number or email address is disclosed. When it comes to protecting privacy, the messengers differ greatly. The service of Threema is the only one that can be used without any disclosure of personal information. Only a randomly generated ID (QR code) is displayed to the other user. Other services such as Signal, WhatsApp and Telegram require the registration of a cell phone number or e-mail address.
WhatsApp uses metadata and telemetry data for profiling
WhatsApp collects and stores GPS, time and date stamps – so called metadata – of the messages it delivers. This means that WhatsApp can associate a phone number with a time and a location. The app also saves telemetry data such as usage and diagnostic information. The metadata and telemetry data help to create a profile of the users, which is described by the term “profiling”. Telegram also collects the metadata and telemetry data and it is unclear how these data are treated., In contrast, Threema and Signal do not collect metadata. ,
The non-profit organization “Signal Technology Foundation” finances the Signal service
WhatsApp is owned by the Facebook group, which finances itself through the sale of individually tailored advertisement. Detailed user information is essential for this business approach so that it can be used for marketing purposes. Therefore, the collected metadata from the WhatsApp application are combined with the data from other Facebook services in order to refine the profiling a user. , Threema, which is founded and operated by the Swiss company Kasper Systems GmbH, on the other hand, finances through app sales and Telegram by private Russian investors. Signal’s service is provided by the non-profit organization “Signal Technology Foundation”, which aims to enable “freedom of expression” and “secure global communication” 
The end-to-end encryption of Signal and Threema cannot be bypassed
Threema, Signal and WhatsApp use end-to-end encryption, which differ technically only litte, to secure the transmitted messages. Signal and WhatsApp even both use the Signal protocol. ,, That is, the messages and data to be transmitted are encrypted on the sender side and only decrypted again at the recipient. Therefore, only the sender and recipient can read the message, but not the service provider. These messengers encrypt what is state-of-the-art according to the zero-knowledge principle. ,,
Figure 2: Signal, Threema and WhatsApp protect the message content from third parties through end-to-end encryption. 
A Telegram user can optionally activate the end-to-end encryption for individual chats but it is deactivated by default and not even available for group chats., In addition, Telegram stores the transmitted messages long-term and unencrypted on a server by default. Therefore, the operator can read them at any time. The other services such as Signal and Threema, the encrypted messages are only stored temporarily on the server. As soon as the message has been delivered, the message is deleted. Thanks to the zero-knowledge protocol, Signal can use server infrastructure with weak data protection, since this encryption does not allow any conclusion to be drawn about the users and the performed actions.,,
Signal and Threema ensure that end-to-end encryption cannot be bypassed. For example, these services do not allow copies or storage of unencrypted messages on the server. In contrast, WhatsApp allows the creation of unencrypted backups on cloud computer services such as Google Cloud or iCloud. 
Signal’s and Threema’s source codes are audited by independent experts
An interesting fact about Signal is that the source code of the application is free and accessible to everyone as “open source”. Therefore, the application is audited and verified by many independent parties – including leading cryptologists. Signal is continuously improving its service based on these analyzes. Threema has just recently released its source code to the IT community for evaluation. Telegram’s source code is also open source. Not much is known, however, how independent auditing is implemented. ,,
Threema and Signal make it easier to identify against man-in-the-middle attacks
If an attacker is between two communication partners, he often has complete control over the data traffic between the participants and can thus manipulate the exchange of information at will – a so-called man-in-the-middle attack.  To protect against such attacks, Threema enables the exchange of a personal key. To do this, the communication partners have to meet and check in person by scanning their QR codes.  Signal also allows so-called security numbers to be checked via an outer channel (not Signal, but for example via telephone). If these security numbers match the ones of communication partner, a man-in-the-middle attack can be ruled out. ,
Telegram stores the data centrally on its servers
Threema, Signal and WhatAapp store data such as contact lists, groups and user profiles decentrally directly on the end devices and these are not managed on a central server. If Threema users change their smartphone, for example, they have to make a backup themselves and then re-import the data. The advantage is that only the user himself has access to it. However, if the smartphone is stolen without a backup being saved, all data is lost. Signal and WhatsApp also save their data decentrally on the smartphone and restoration is not possible without a backup. With Telegram, users can log in from anywhere in the world and have access to their chats. This is only possible because the data is stored centrally on the servers. 
The competence of the judiciary is a final point that cannot be omitted from the analysis. Depending on the country whose jurisdiction the service is subject to, the authorities may access the data of the service providers, even if the data is not stored in the respective country. The jurisdiction of WhatsApp and Signal lies with the USA, that of Threema with Switzerland and that of Telegram probably Russia. The CLOUD Act – an American law that came into force in 2018 – obliges American companies and IT service providers to guarantee the authorities access to stored data, even if the data is not stored in the USA. 
Conclusion – Signal and Threema are far superior to WhatsApp and Telegram in terms of data protection and security
Signal, Threema and Whatsapp only differ slightly in terms of security. All three services have state-of-the-art end-to-end encryption of their messages. But when it comes to data protection, there are major differences. Threema is clearly one step ahead. It is the only service that can be used anonymously, i.e. without providing personal data such as phone number or e-mail address. Signal is also designed for data protection because like Threema it does not collect meta and telemetry data, but information on personal data is still required.
In conclusion: Threema and Signal are superior to WhatsApp and Telegram in terms of data protection and security. Or as Edward Snowden put it, why he uses Signal: “I use it every day and I’m not dead yet.” 
 Threema, “Messenger-Vergleich – Erfahren Sie, wie sich die beliebtesten Chat-Apps voneinander unterscheiden.”, 2021. https://threema.ch/de/messenger-vergleich, retrieved 17. Februar 2021
 M. Williams, “ Secure Messaging Apps Comparison”, 2021. https://www.securemessagingapps.com, retrieved 17. Februar 2021.
 M. Mehner, “Sind Messenger wie Whatsapp oder Threema wirklich sicher?”, 2021. https://www.messengerpeople.com/de/sind-messenger-wie-whatsapp-oder-threema-wirklich-sicher, retrieved 17.02.2021
 Attributed to <a href=’https://www.freepik.com/vectors/technology’>Technology vector created by pch.vector – www.freepik.com</a> and <a href=’https://www.freepik.com/vectors/clouds’>Clouds vector created by vectorjuice – www.freepik.com</a>
 M. Spehr, “Facebook und Whatsapp: Die geheime Macht der Metadaten”, Frankfurter Allgemeine, 2020. https://www.faz.net/aktuell/technik-motor/digital/facebook-und-whatsapp-die-geheime-macht-der-metadaten-16762262.html, retrieved 18. Februar 2021.
 D. Fischer, “WhatsApp ist alles andere als geheim – womit uns der Messenger ausspioniert”, 2020. https://www.smartdroid.de/whatsapp-metadaten-verschluesselung-spionage, retrieved 18. Februar 2021.
 J. Lund, “Technology preview: Sealed sender for Signal”, 2018. https://signal.org/blog/sealed-sender/, retrieved 18. Februar 2021.
 Threema, “Threema. Cryptography Whitepaper”, 2020. https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf, retrieved 16.02.2021
 “Signal Technology Foundation”. Nonprofit Explorer. Pro Publica Inc. Retrieved 6 June 2019.
 T. Perrin, M. Marlinspike, “The X3DH Key Agreement Protocol,” 2016. https://signal.org/docs/specifications/x3dh/, retrieved 17. Februar 2021
 M. Tremmel, S. Grüner, “Warum es okay ist, dass Signal Google-Server nutzt”, 2021. https://www.golem.de/specials/instantmessenger, retrieved am 17. Februar 2021.
 T. Grüner, “ Was ist eigentlich eine Man-in-the-Middle-Attacke?”, 2018. https://blog.to.com/man-in-the-middle-attacke/ , aufgerufen 18. Februar 2021.
 Signal, “What is a safety number and why do I see that it changed?”, 2021. https://support.signal.org/hc/en-us/articles/360007060632-What-is-a-safety-number-and-why-do-I-see-that-it-changed-, aufgerufen 18. Februar 2021.
 M. Marlinspike, “Simplifying OTR deniability.”, 2013. https://signal.org/blog/simplifying-otr-deniability, aufgerufen 17.02.2021.
 E. Snowden, Twitter, 2021, https://twitter.com/Snowden/status/1347217810368442368?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1347217810368442368%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fwww.indiatoday.in%2Ftechnology%2Fnews%2Fstory%2Fhow-secure-is-signal-it-s-good-enough-for-edward-snowden-so-good-enough-for-you-1757596-2021-01-10, aufgerufen 18.02.2021.