Should you be using WhatsApp or Signal to communicate securely on your mobile?

Tom Chantler

NOTE: 2019-05-14: The introductory note is from March 2017. I haven't altered the text of this article since then, other than to insert this note at the top.

Introductory Note

I've had this post in draft form for a few months but, in light of the events of the past few days, I feel that now is the time to publish it.

Summary

These days a lot of people are worried that their private communications are no longer private and, in many cases, they're right.

A little while ago I was speaking to a friend of mine about a criminal case we'd heard about in which my friend said the conviction was secured partly due to the guilty party not having deleted some incriminating SMS messages from their mobile phone. When I pointed out that the messages could be retrieved from the mobile phone service provider, even if they had been deleted, my friend seemed surprised. This made me wonder how many other people didn't realise that most[1] of their online correspondence is kept for posterity.

I don't need to explain why some online communications need to be encrypted (e.g. anything containing sensitive information such as financial data, medical records, etc). And I don't want to get into a discussion about whether or not governments should be able to spy on their citizens. However, from a purely practical point of view, it's quite reasonable not to want people recording all of your communications in case the people storing them are idiots and mess up the storage. [This paragraph was written in January, but I didn't want to change it]

Building in a back door into an encryption mechanism is a terrible idea, unless you can guarantee that a criminal won't ever discover it. Which you can't.

It's also worth bearing in mind that, if you outlaw encryption, that's only going to stop law-abiding people from using it.

Why use Signal?

It's free and it's open source. Check out the code on GitHub. It's seamless (it can take over your SMS application on Android). They're a non-profit supported by donations. It's endorsed by people like Bruce Schneier and Edward Snowden. In fact Bruce Schneier said he preferred to use Signal to sending a PGP-encrypted email. Now, in some cases, I still think PGP encryption is worthwhile, but for general day-to-day use and specifically taking ease of use into account, I think he's right.

If you're sending SMS messages to people overseas, you are probably incurring some cost. If you can send those messages more securely and at no cost, why wouldn't you?

You can make encrypted voice and video calls.

Surely if it's free then I'm the product?! Not necessarily and, I believe, not in this case.

Why use WhatsApp?

Most of the same reasons apply. It's also free. It's very similar to Signal. It supports encrypted messaging, voice and video calls. In fact it uses a fork of the Signal code from Open Whisper Systems. However, it's not open source. It has a much larger user base (over a billion users).

What about logging?

This is interesting. Whilst the code for WhatsApp Messenger started off the same as for Signal, do you really think they aren't logging any information and won't hand over these logs if a government agency applies pressure on them to do so? If you do, or if you don't believe that such a concern applies to you (and let's be honest, for most people that probably isn't a concern), then that's your prerogative and you should go ahead and continue to use WhatsApp.

Incidentally, just in case that sounds like I'm saying it's not okay to use, I do think it's safe to use WhatsApp and I don't think they can retrieve your messages either. However, you might want to read this from Graham Cluley and then this from Bruce Schneier in which he said, amongst other things,

Note that it's an attack against current and future messages, and not something that would allow the government to reach into the past. In that way, it is no more troubling than the government hacking your mobile phone and reading your WhatsApp conversations that way.

After The Guardian reported that there was a backdoor in WhatsApp, Zeynep Tufekci and a number of other security researchers wrote them an open letter in which they explained that there wasn't really. Finally, you might like to read this, from the person that discovered the vulnerability, Tobias Boelter.

Having read all of those articles, you should be suitably confused, but I'm afraid you're going to have to make up your own mind; I can't tell you what to do.

How do we know what they're logging?

You should know that Signal have already demonstrated that they really aren't logging information, so when they hand over everything they have, it's practically useless.

When the FBI made them hand over any information about a telephone number, the only information they had was the telephone number, the date the account was created and the date it was last accessed.

The dearth of information retained by OWS

They really didn't have any useful information to hand over. There's quite a good write up here and you can even read the subpoena documents and see for yourself.

Stop sitting on the fence

My personal opinion is that it's not only the bad guys who don't want people eavesdropping on them and that providing back doors into all software that is hitherto believed to be secure is a terrible idea as there's no way to ensure that criminals can't access them and, in any case, sufficiently motivated people will simply find another way to communicate securely. In other words, back door mechanisms will help criminals steal legitimate data and won't help to catch sophisticated criminals.

I think it's okay to use WhatsApp and that your messages are private and encrypted. Since it's a closed source application then, in theory, it might exhibit some unexpected behaviour. Also, since it has such a large user base, it is more likely to be a target for being replaced with a rogue piece of software. But I think that for all practical purposes, these are just theoretical concerns. I can use WhatsApp to communicate with almost anybody for free and I often do. However, I also use Signal and I can imagine there might be a time when its open source nature means I'd prefer to use it over WhatsApp.

Conclusion

It's not only criminals who don't want people reading their communications. If you want to be able to send secure text messages and to speak on a secure line (for free) you should consider using either WhatsApp or Signal from Open Whisper Systems. I use both.



  1. Most as in all.