What is Signal, and is it really safer than WhatsApp?

Our mission to make business better is fueled by readers like you. To enjoy unlimited access to our journalism, subscribe today.

The encrypted messaging app Signal has seen an explosion in take-up recently. It reported a whopping five-fold growth in its Android user base on Tuesday alone, taking it to more than 50 million downloads on the platform.

There are a couple reasons for this—one relating to widespread privacy concerns about Facebook-owned WhatsApp, and another to the fallout of last week’s U.S. insurrection at the Capitol, which has seen widespread suppression of far-right extremist content.

Elon Musk probably helped when he tweeted his approval for Signal, and Twitter CEO Jack Dorsey gave him a retweet. But either way, the app just got hot.

So here’s what you need to know about Signal—plus a note about Telegram, the other messaging app users are flocking to.

What’s the WhatsApp uproar about?

Last week, WhatsApp changed its privacy policy to note that users’ information will be shared with Facebook and its other properties, Instagram and Messenger. As they will have seen via a popup notification in the app, WhatsApp users will need to agree to these changes by Feb. 8 or lose their accounts.

Well, not all users—those in the EU and the U.K., who are protected by strong privacy laws, get a different privacy policy that doesn’t make the offending changes.

It’s not surprising that Europe gets different treatment, given that EU regulators fined Facebook $122 million several years ago for absorbing WhatsApp data into the mothership despite having promised not to do so in 2014, when it bought the messaging service.

Wait, this has been happening for years?

Yup, since 2016, when WhatsApp started sharing data with Facebook by default.

At the time, it gave existing users a brief window of opportunity to opt out of the data-sharing, but the vast majority of its users today have never had that opt-out. This month’s change really just removes the wording in the privacy policy that referred to the opt-out, while adding information for business users.

So what data is being shared?

Stuff like your phone number, phone numbers from your address book, details about your operating system and device, plus information about which other Facebook products you’re using.

All of which may make WhatsApp a questionable choice if you’re a dissident, a spy, or a journalist trying to protect her sources from identification by spies—Facebook has a lousy privacy record after all, and Edward Snowden told the world how U.S. intelligence hoovers up its data—but it’s just fine for most people’s needs.

And the contents of messages?

Nope. Those are protected by end-to-end encryption, with the encryption key stored on your device. Despite the misinformation that has been swirling around in recent days, your WhatsApp messages can only be read by you and your correspondents, as long as no-one hacks into your phones.

This encryption is so solid that Brazilian authorities, enraged at being unable to read drug-trafficking suspects’ messages, threw a local Facebook exec in jail five years ago.

Now, here’s a bit of added irony, given the current uproar: WhatsApp’s encryption is so good because it uses Signal’s encrypted-messaging protocol, and has done so since 2016.

So what is Signal anyway?

Signal’s history dates back a decade or so, to when a startup called Whisper Systems was developing enterprise mobile security software. It got bought up by Twitter, which wanted co-founder Moxie Marlinspike (not his real name—that’s Matthew Rosenfeld—but an awesome one nonetheless) to beef up its own security.

Marlinspike bailed in 2013 to form a new secure-messaging-and-calling outfit called Open Whisper Systems. Its early products, TextSecure and RedPhone, became the unified product known as Signal in 2015. Around that time, Facebook, WhatsApp and Google all made the Signal protocol the security foundation for their messaging services—but Signal, the app, remained a relatively niche offering, relying on the Freedom of the Press Foundation for funding.

The big shakeup came in 2018, when WhatsApp co-founder Brian Action—who had recently left Facebook with billions in his pocket—threw $50 million into a new Signal Foundation that he said would “pioneer a new model of technology nonprofit focused on privacy and data protection for everyone, everywhere.”

And how’s it different to WhatsApp?

Signal offers some features that WhatsApp does not, such as the ability to handle your phone’s text messages. In other ways, it’s not quite as user-friendly—it still hasn’t rolled out group calls, for example.

As you might expect for a privacy-focused app, Signal doesn’t allow users to see when other users are online, nor does it allow people to share their locations in real-time—both things you can do on WhatsApp.

But they’re pretty similar apps for most use cases; so much so that leading privacy group the Electronic Frontier Foundation (EFF) recommends both for secure communications, along with a relatively small-fry German app called Wire.

And what about Telegram?

A good question, seeing as Telegram also announced the arrival of 25 million new users this week, taking it to more than 500 million active users.

Telegram was founded around the same time as Signal was, by the Russian tech entrepreneurs Pavel and Nikolai Durov, who previously founded the social networking site VK.com. Pavel Durov remains in charge, and has steered the company through an epic censorship confrontation with the Putin regime that Telegram eventually won.

The comparison between Telegram and services such as WhatsApp and Signal is not a straightforward one, because Telegram is part secure messenger, part microblogging platform a lá Twitter—it allows groups of up to 200,000 users, and channels for broadcasting to many more—and part cloud storage provider.

But in terms of its messaging functionality, Telegram does offers end-to-end encryption. The problem is, it doesn’t turn it on by default—users must first set up a “secret chat” to use this feature. It is also impossible to set up end-to-end-encrypted group chats in Telegram.

Durov claims this is to allow Telegram chats to be backed up into its cloud, and to enable functionality such as massive group chats and the sending of large documents and videos.

In short, Telegram’s main pitch is its rich functionality, and it only expects a minority of its users to prefer high security and privacy. That’s why privacy-first groups such as the EFF recommend Signal and WhatsApp, rather than Telegram.

But doesn’t fully encrypted messaging protect bad people?

This is also a good question, what with far-right users reportedly turning to Signal and Telegram after getting booted off Twitter and seeing their own ultra-conservative social-network, Parler, getting taken out by Google, Apple and Amazon. Could they be using these services to plot new attacks?

The short answer is “yes,” but the question of what to do about it is anything but simple.

The encryption debate has been going on in circles since the 1990s, and it comes up pretty much every time a terrorist attack grabs the headlines.

Without going into the ins and outs of the debate—you can catch up on those here and here—it unfailingly comes back to the same question: Is it possible to design a system that provides genuine security and privacy protections for most people, while still allowing investigators to access the messages of bad actors via some kind of back-door mechanism?

For the last three decades, the answer to that question has consistently remained “no.” And there is no sign of that situation changing anytime soon.

This article was updated to clarify that it is specifically end-to-end encryption that is not available for group chats on Telegram. The service does offer client-server encryption for such conversations, though that would not stop Telegram itself from being able to read the contents of messages.

Subscribe to Well Adjusted, our newsletter full of simple strategies to work smarter and live better, from the Fortune Well team. Sign up today.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward