Hi! Today we are going to look at the most viral instant messaging apps used worldwide, plus one lesser-known one. Warning: this is gonna be another long-ass post. But I promise it’s worth it.
I’m, of course, talking about:
- WhatsApp
- Telegram
- Signal
- SimpleX
But let’s not waste any more time and dig into why, in my humble opinion, we should migrate to SimpleX.
Due to the nature of this type of application, they are required to collect some data. Some use only the most basic data they need in order to work, others collect even your personal thoughts, and only one (in this list) collects nothing.
Let’s see in detail:
WhatsApp
During my research on which data this app collects (and shares with Meta, aka Facebook, and all its partners) I found a lot of what I call “legalese” (ambiguous legal talk) and non-definitive lists. So I’m gonna translate what I found (on their official website) and list all the information that they collect for sure.
Basically, by using their app, you accept that:
- your phone number
- your messages
- your media
- full access to your phone storage (giving them permission to do whatever they want on it)
- your IP address
- your carrier (SIM operator)
- your entire phonebook
- access to camera and mic (whether you want it or not)
- and way more than I can list (please visit their privacy policy page; it might change based on where you live)
are in their hands, with the excuse of “how to make their service better”.
Yes, “end-to-end encryption”. That applies only to the transmission of the message. And, let’s be honest, end-to-end encryption, because of how it works, has some serious bugs. On this, I’m gonna quote something to help you understand better what I mean:
Many people believe, quite religiously, that if the communication is end-to-end encrypted then it absolutely cannot be tampered with while in transit. What is end-to-end encryption? It is the application of cryptography to the content of the message that requires that the sender and the recipient somehow agree on the encryption key to use. It is not that different from putting your mail into a box with a complex lock on it, and somehow passing the key and the box to the recipient. If you then were to pass the box via the postal courier, then you probably wouldn’t want to pass the key to open the box via the same courier – it would be sensible to pass the key in some other way, maybe send it in a separate letter.
Evgeny Poberezkin
Of course, this is an oversimplification, and even the author of that statement explains later, in more detail, how it really works. But, for me, it conveys the key concept of end-to-end very well. You can read more on this here: https://www.poberezkin.com/posts/2022-12-07-why-privacy-needs-to-be-redefined.html
Anyway, going back to where we were: all the data is still on your device too, in your backup (most surely not encrypted by default) and wherever you put your backup (whichever cloud provider you are using). So, for a person who cares about their privacy, I would never recommend WhatsApp.
Telegram
Well, this one is much more controversial than WhatsApp. And honestly I don’t know why people tend to say that it is “more privacy friendly” compared to other apps. Here’s why it is, to me, controversial:
Born from the minds of the Durov brothers (Pavel and Nikolai). These two individuals had (have) quite interesting lives, and it looks like they know their business (if you have some time, check them out. Even Wikipedia is enough).
What makes me “worry” about their product Telegram is as follows:
- Pavel Durov got raided by Russian police (on Putin’s order) because he allegedly refused to collaborate with the government. It got to the point where he had to flee his home country, and when he reached the USA he started Telegram (pretty cool, right? But we are talking about Putin. If he hadn’t collaborated he would be dead, no matter where he is in the world. That’s my personal opinion, take it as it is: an opinion)
- Chats, by default, do not use end-to-end encryption. To have it you have to start a Secret Chat (nonsense, to me).
- While on WhatsApp, if you delete a contact from your phonebook, it is deleted on their server too, the same cannot be said about Telegram. It will keep an incremental history of your phonebook.
- Here, too, you are forced to give your phone number, and they collect pretty much the same data as WhatsApp
Signal
Now we are talking. An app favoured by many, especially by our beloved Edward Snowden. Its encryption protocol is so good that it is even used by WhatsApp. But I think that many people kinda idolize this app because they explicitly say:
We do not sell, rent, or monetize personal data or content in any way. Calls and messages are always encrypted, and we only collect data provided by the user, such as the phone number used to register the account, profile name, a profile picture, messages, and contacts
Extract from Signal Privacy Policy
And what makes me laugh is that even though they do nothing with your data, they still collect it!
So, they collect pretty much the basic data needed in order to work properly. But in the last few years some concerns (and very serious allegations) were raised.
My favourite allegation is that “Signal is backed by CIA”. Knowing Snowden’s history, reading this made me laugh a lot, because to me it was an impossible thing.
But then some things really made me doubt what I was thinking. Here’s why:
- How could a (non-profit) organization maintain the structure needed to deliver an app like Signal?
- The owners of this organization are the same people that invented and sold WhatsApp
Then I realized: well, WhatsApp shares are worth billions, and that’s how they fund Signal. Then I spent some time researching Jan Koum and Brian Acton (WhatsApp’s original inventors and current owners of Signal) and I got to laughing again at the claim of them being backed by the CIA. After a while I finally found the source of this claim, and it all comes down to clickbait and journalistic ignorance. Now, I’m gonna avoid writing here who those journalists are and which outlets they write for (even though I want to so much… but I’m pretty sure that, with my luck and the words used, nothing good would come of it), but the titles were like: “WikiLeaks says its CIA disclosures indicate agency can bypass encryption on popular messaging services” or “WikiLeaks release said CIA managed to bypass encryption on popular services such as Signal, WhatsApp and Telegram” (yes, I did it, I gave you enough to find the outlets and the journalists).
The truth is that everything was taken out of context and manipulated by an ignorant person (in both cases).
Yes, at least today, government agencies can, under a lawful request, ask a phone manufacturer to “bypass” the lock screen (talking especially to you, Apple), giving them proper access to everything on the phone. And that’s how they can read all your messages: because they have physical access to the phone. (Yes, we can argue that there are ways to “snoop” on any messaging app. But that’s for another article.)
So, I think I’ve talked enough about Signal. It is secure, its founders are good people and no, it is not backed by the CIA. They just collect data that apparently sits somewhere collecting dust.
SimpleX
Finally, I purposely left the best for last. When I heard of this app for the first time I was left speechless by the way it works: totally innovative and really privacy friendly.
So, all the apps we have talked about till now, on a technical level, use a user ID in order to identify a person. Whether that is your phone number or an ID generated by a database, you have a unique number attached to you. SimpleX? Not only does it not use any kind of user ID, it doesn’t even assign a random number! So, here comes the most common question (which I asked too): “How the hell does it know who to deliver a message to if no identifiers are used?”
To deliver messages, instead of user IDs used by all other platforms, SimpleX uses temporary anonymous pairwise identifiers of message queues, separate for each of your connections — there are no long term identifiers.
You define which server(s) to use to receive the messages, your contacts — the servers you use to send the messages to them. Every conversation is likely to use two different servers.
This design prevents leaking any users’ metadata on the application level. To further improve privacy and protect your IP address you can connect to messaging servers via Tor.
Only client devices store user profiles, contacts and groups; the messages are sent with 2-layer End-to-end encryption
From SimpleX WebSite
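A toy model of the addressing scheme described in the quote above, added here as an illustration; it is not SimpleX code and not the real wire protocol. `RelayServer`, `connect` and `demo` are hypothetical names, and giving each queue one random ID for sending and a different one for receiving is an assumption of this sketch.

```python
import secrets

class RelayServer:
    """Toy relay: it stores messages by queue ID only and never sees a user ID."""
    def __init__(self):
        self.by_sender_id = {}   # sender_id -> recipient_id
        self.queues = {}         # recipient_id -> pending (already encrypted) messages

    def create_queue(self):
        # Two unrelated random IDs per queue (assumption of this sketch).
        recipient_id, sender_id = secrets.token_hex(12), secrets.token_hex(12)
        self.by_sender_id[sender_id] = recipient_id
        self.queues[recipient_id] = []
        return recipient_id, sender_id

    def send(self, sender_id, ciphertext):
        self.queues[self.by_sender_id[sender_id]].append(ciphertext)

    def receive(self, recipient_id):
        msgs, self.queues[recipient_id] = self.queues[recipient_id], []
        return msgs

    def visible_identifiers(self):
        return set(self.by_sender_id) | set(self.queues)


def connect(server_a, server_b):
    """One connection = two one-way queues, each on the receiver's chosen server."""
    a_recv, a_send_addr = server_a.create_queue()   # A receives on server_a
    b_recv, b_send_addr = server_b.create_queue()   # B receives on server_b
    side_a = {"recv": (server_a, a_recv), "send": (server_b, b_send_addr)}
    side_b = {"recv": (server_b, b_recv), "send": (server_a, a_send_addr)}
    return side_a, side_b


def demo():
    s1, s2 = RelayServer(), RelayServer()
    alice_bob, bob_side = connect(s1, s2)
    alice_carol, _carol_side = connect(s1, s2)      # same Alice, second contact
    srv, sender_id = bob_side["send"]
    srv.send(sender_id, b"<ciphertext>")            # constructed sample payload
    srv, recipient_id = alice_bob["recv"]
    delivered = srv.receive(recipient_id)
    # Alice's two connections share no identifier, so the relay cannot link them.
    ids = lambda side: {side["recv"][1], side["send"][1]}
    shared = ids(alice_bob) & ids(alice_carol)
    return delivered, shared, len(s1.visible_identifiers())
```

The relay `s1` ends up holding four random identifiers for Alice's two conversations and nothing that ties them to one person, which is the property the quote calls "no long term identifiers".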
I invite you to read their whitepaper, available at https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md
It will give you more than enough information on how everything works.
Please, do the right thing and decide to adopt this fantastic app: https://simplex.chat/
As always,
Stay Safe !