How Private Are the Messaging Apps?

There have been many questions raised about how private our data really is. Some whistleblowers, such as Edward Snowden, brought to light how easily the government or even corporations can access and use our data. Apple had to apologize for its Siri grading program, where its employees and contractors were listening in on samples of Siri conversations. That sparked a debate about whether or not our phones are recording us. Northeastern University’s study indicated that 17,000 of the most popular apps recorded users’ screens and shared them with third parties without user knowledge.

While we become more dependent on our phones and get lured into providing additional data, some apps provide appealing alternatives. WhatsApp became instantly popular due to its branding as ‘encrypted’ messaging. There are many other messaging apps that flaunt their encryption capabilities, such as Viber, Signal, and Wickr.

Apple’s iMessage

iMessage is used by 1.3 billion people today. Apple claims that iMessage provides end-to-end encryption only accessible with your passcode. While Apple cannot see the messages while in transmission between devices (sender and receiver), there are still ways to access the messages saved on the device.

Your messages hit the Apple server once you hit ‘send.’ That means that Apple is able to store the data for 30 days and thus access it during that time. End-to-end encryption does not guarantee unconditional or unlimited protection. It is encryption at the time of transmission. Still, when the database that enables you to store the chat on your phone does not include double encryption, the messages’ content can easily be extracted with some light developer work.

Few legal cases have shed light on the fact that Apple, in fact, cannot access the full contents of the messages. However, they can and do collect metadata in their logs, which can provide revealing information about you and your activities. While Apple claims that it does not collect or store any location-related information, the logs collect IP addresses that often contain GPS data. The lesson here is that there are legal grey areas, and a company may still unintentionally collect certain data even if it claims otherwise.

WhatsApp

WhatsApp gained its prominence initially due to being the most secure messaging app. They added the feature to delete messages on devices. Even if only one person in the group wants to delete the messages in a group chat, the messages can be deleted off all participants’ devices. This feature solves the issue of discontinued encryption when the messages are retained on one or more devices. All in all, many of its 1.5 billion users considered WhatsApp to be the most secure third-party messaging app.

Not so fast. In February, it came to light that the WhatsApp messages could be found via Google search. It was a blunder on the app’s part. The invite link to a group chat was accidentally getting indexed by Google and thus making its existence available to the public. Over 470K WhatsApp chats were found when searching the “chat.whatsapp.com” URL. Some apparently included the phone numbers of the participants. This incident, along with being acquired by Facebook, which was repeatedly criticized for data breaches, eroded the trust people once had in the app’s security. End-to-end encryption doesn’t guarantee that messages cannot be accessed in their entirety by whoever owns the server, who in this case will be Facebook. The European Union moved to ban WhatsApp for official use and switch to Signal.

Signal

The Signal became popular in light of the security breaches of WhatsApp. The Signal is similarly an open-source, end-to-end encrypted messaging app, but it does not store metadata or allow cloud backup. The endorsement of the European Union, which switched over from WhatsApp, as well as Edward Snowden, an ex-NSA whistleblower who called to attention overreaching access to personal data by the government, really elevated the status of the new messaging app. Just like SMS, iMessage, or WhatsApp, Signal offers messages, attachments, and voice/video calls.

Signal offers a feature that allows messages to be auto-deleted after some time. Once the sender opts in to use this feature, it cannot be stopped or called back. Signal also offers another privacy-enforcing feature called Screen Security which disables anyone from taking screenshots. These features ensure that the messages remain encrypted as they won’t be saved in any form on the device.

Perhaps what’s most interesting about Signal is that it also provides next-level encryption for in-app phone calls. Once the call is connected, both participants will see two words appear on their phones sequentially. Thus, the participants can verify that they see the same words to ensure the encryption is working correctly. If the words do not match, they can disconnect the call and switch over to a different internet network. This protects the conversation from being intercepted or accessed in any way. Such powerful technology led to a partnership with Microsoft to bring Signal’s encryption protocol to Skype.

Wickr

Wickr claims to be the most secure platform even though it only recently started making strides towards being open-source. It has a few different versions, Wickr Me, Wickr Pro, and Wickr Enterprise. Wickr Me is the most basic peer-to-peer messaging, and Wickr Pro provides video calls and conferencing as well as better file-sharing capabilities. Wickr Enterprise is for corporations with services tailored to help corporations provide a secure, well-encrypted communication platform while complying with all relevant regulations.

Wickr supports ephemeral messaging where the content disappears shortly once it’s read by the recipient. When you sign up, your username is secured using one of the best cryptographic functions called SHA256. Using AES256 encryption, Wickr encrypts data not just during transmission like its competitors but also once upon delivery. The data is deleted permanently from its server once it expires. Your device is also anonymous to Wickr as it doesn’t track or store IP addresses. The FBI famously accessed WhatsApp messages during its investigations of some of President Trump’s associates, such as Paul Manafort. As Wickr offers multiple layers of encryption and extremely limited storage of data on its servers, the government will not be able to obtain much data from Wickr even with a subpoena.

The platform supports compliance while preserving its commitment to multi-layered user communications and activity encryption. While it complies with valid legal requests from the government authorities, it will notify the users regarding any surveillance and communicate as much information as it legally can. Wickr Pro offers a bot to companies who need to retain the audit trail of conversations, and the saved messages only live with the bot, not with the participants’ devices.

Other Popular Private Messaging Apps

Telegram

Another popular messaging app is Telegram Messenger, with over 700 million monthly active users. It takes a strong stand for freedom of expression and protection of users’ privacy and presents itself as a secure messaging app. 

By default, Telegram does not provide end-to-end encryption. Even users do not receive any notifications or warnings when using weak encryption.

Line

As of 2021, Line has over 178 million active monthly users, most of them in Thailand, Taiwan, Indonesia, and Japan. The Line provides end-to-end encryption by default, so all communication privacy scores on its messaging apps are good. 

Along with the lack of publication of transparency reports, it does not do enough to inform consumers of human rights risks.

Snapchat

With 347 million daily active users globally, Snapchat is an American-based multimedia instant messaging app. Its policy shows strong commitments to users’ privacy, but it doesn’t protect it as well as it should. 

It has not deployed end-to-end encryption, and the company must tell every user how they are dealing with human rights threats. Also, Snapchat’s ‘disappearing’ messages feature does not protect user privacy.

Viber Media

Viber messaging app contains over 1.1 billion registered users and 820 million monthly active users. It is well known for giving end-to-end encryption by default in all communication. Unfortunately, neither company publishes a transparency report nor details how it implements encryption.

Kakao

South Korea-based video calling and messaging app KakaoTalk has 50 million monthly active users worldwide. 

In October 2014, the company got criticized and came under considerable pressure as it had provided information about its customers to the South Korean government. After that company took steps to enhance its encryption levels, but it’s not providing end-to-end encryption by default.

Vigilance Is Key in Ensuring Security

Simply having end-to-end encryption does not equate to comprehensive privacy protection. A company’s disclosure and legal disclaimers can be intentionally or unintentionally misleading, as many other loopholes and agreements could allow alternative entry into your personal data. The best way to protect yourself is to aim to anonymize your internet activities as much as possible using security protocols and protection software.