Signal vs WhatsApp

I had this post lying around for a bit, and I wasn’t sure if I want to share it. To be honest, I don’t like it. It sounds like I’m giving up, or as if I’m writing out of desperation. Still, I think what’s expressed here is important to discuss, even if all there is at the end is “so now what?”

Before I go ahead, I want to re-present my angle again. This is not criticism of Signal’s encryption, but of what privacy is. I discussed it before. In my opinion, the most important thing is access to your own data. In the case of Signal, there’s a problem.

Signal has an option to back up your conversations in a safe manner. No one, not even you, has access to the encrypted backup. Yes, importing from backup is easy - provided you’re using a device that is tied to the phone number you gave Signal when you registered with the service. Lost the number or want to switch? “Changing numbers is not currently supported.” And that’s that.

These days, phone numbers are just as valuable as social security numbers (if not more). They are often tied to a person’s full name and address. Unfortunately, they are not as regulated. While every flimsy social networking website will ask for your phone number and refuse to work without it, few will want to protect it from data breaches. Most will just sell this information to make a buck.

When I registered with Signal, I was considering my privacy and wanted to keep my identity to myself. It was easy enough to use a temporary phone number and an alias; the problem is that now I no longer have access to this phone number. This means I cannot effectively back up my data. Yes, there are some abandoned projects (and a few new ones) to export the backups Signal creates, but as far as I know, all of them require that the backup is not encrypted, which means tweaking the app in some hackery way. To put it simply: with Signal, we are locked to one phone number forever.

So I took a look at WhatsApp again recently. I know, I know, hang on to your pitchforks a moment.

“Encryption!” we all yell. “Facebook has all your data, and is an evil evil company!” “They know who called, from where, for how long!” Yes, yes and yes. You know what else? As long as my phone is not on some seriously restricted ROM with an alternative SIM and paid for in full in cash, Google (or Apple, if we’re talking iPhone) has my information, and my carrier, and the authorities. But at least I can have a copy of my chats backed up without encryption, even if I want to do it just once. While the meta-data is collected by Facebook, the conversations themselves are encrypted, or so they tell us.

Meanwhile, we have to accept WhatsApp’s biggest perk annoyance: almost everyone has it. I don’t know about you, but my friends and family are tired of keeping track of me with all the various texting apps I tried over the years, and I don’t blame them.

With Moxie out, I believe the company is soon to become public. The signs are everywhere: at this point the app is very popular, and it’s chock-full of cute and useless eye-candy for the armies of newcomers who don’t even know what encryption means.

I hope it’s clear by now that I’m not really championing WhatsApp over Signal, or that I’m happy to leave it behind. I’m tired of chasing the next shiny app that screams “privacy” and stores my information on yet another server that is owned by Amazon, Facebook, Google or Apple China [1].

While I can resort to using GPG-encrypted emails or some FOSS XMPP app, my friends and family won’t. So what’s the point? At least with “non private” apps I can have a local copy of the conversations I have with my family and friends, stored on my own computer.

Footnotes


  1. I’ve heard of and been using Matrix too. It’s promising, but it’s just yet another server with my stuff on it. I could build my own server, but it requires some serious know-how and computer power that will be most likely stored on a virtual server over at Amazon or Digital Ocean. Round and round we go.