Categories
More links

Brian Acton’s history with Facebook and Signal

Great thread on how Brian Acton, co-founder of WhatsApp, left Facebook post acquisition. He gave up 850 million dollars along the way, and invested 50 million in Signal, a non-profit.

Signal is a no-brainer. 🙂


Signal UX – a 40 hour take by Built for Mars

I found this interesting 40-hour case study of Signal, by Built For Mars. Two key takeaways seem to be that prompts must be contextual and that, for a privacy-first product, it must be even more important to ask for permissions only when necessary. It’s actually better to read the post below, to get a visual overview of where Signal can improve. A related Hacker News thread is open too.

I don’t remember how the competitors like Telegram and WhatsApp fare, but I am keen on giving it a look myself. Maybe sometime in the future.

Categories
Posts

Of messaging apps

After WhatsApp announced an update to their privacy policy, I have answered countless questions from my friends and family. In the last week, most of my family members have jumped ship, and I have lost track of the number of times I have explained the differences between the apps.

I figured it might be helpful to document these discussions as a blog post here. Here goes.

About WhatsApp’s policy update

It’s misreported by most that WhatsApp can now read personal conversations between two users, but that’s not the case. With this policy update, the end-to-end encrypted communication aspect of WhatsApp does not change. WhatsApp will not be able to read personal, 1:1 conversations. The conversations on WhatsApp have been end-to-end encrypted since April of 2016, which is when they adopted the Signal protocol.

What’s changing this time, or better said, what Facebook is disclosing this time, is that WhatsApp Business API customers may have access to tools that will enable them to communicate outside of WhatsApp. An example is the ability to communicate with their customers on WhatsApp via a Facebook interface, where Facebook is the vendor for this WhatsApp Business API.

This Gizmodo article[1] is a deep dive and probably the most accurate that I have read so far on the WhatsApp debacle:

Some organizations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.

If you are someone that does not use the Business accounts functionality of WhatsApp, you are okay to continue using WhatsApp for personal conversations. Facebook, or WhatsApp, will not be able to read your personal communication.

Is WhatsApp the best choice though?

While WhatsApp is unable to read your messages, WhatsApp has access to various other information surrounding your account, including your purchase history, location, your contact number, your contacts, identifiers (user ID specific to your installation of the app), diagnostics data, for troubleshooting bugs, financial information, user content, and usage data. This information is from the privacy policy that WhatsApp disclosed to Apple, to publish the app on the App Store.

We will never know how Facebook is using this data. Some of these are mentioned to be used only for app functionality, but Facebook is known to be a company that has been sharing WhatsApp data for years. As such, we will never know what happens behind the scenes, and the onus is on the user to vet.

What happens in the future

Millions across the world scrambled to alternatives, which include Signal and Telegram. Shortly after this exploding growth, WhatsApp made another announcement to bust some myths surrounding their update. They even went to the extent of buying full-page, front-page ads in top newspapers:

It’s important to note their usage of the term “shared location” in their ads. By shared location, WhatsApp is referring to the location sharing functionality inside of your 1:1 or group messages. This data is end-to-end encrypted as well, as it’s part of your message. That’s not visible to Facebook, or WhatsApp.

But WhatsApp is sneakily dodging the fact that they have access to users’ location. It must be concerning that they are not disclosing that in their ads, where their focus is to prove that they don’t mess with users’ privacy.

Signal vs Telegram

In this section, I want to cover some fundamental differences between Signal and Telegram.

In particular, it’s worth noting that Telegram is a downgrade from WhatsApp.

While WhatsApp and Signal are end-to-end encrypted with the Signal protocol, Telegram has its own encryption protocol[2] called MTProto. While all of Telegram is using this technology, it’s only secret chats that are end-to-end encrypted. The rest of the chats, including cloud-hosted 1:1 chats with other users, and group chats, are not end-to-end encrypted.

Durov’s explanation for why Telegram does not offer end-to-end encryption[3] by default is that they focus on speed, functionality and synchronization. The intention seems to be that users must be able to access their data without losing it when they switch between devices. Durov also goes on to cover how Telegram’s cloud-hosted storage is a better solution than WhatsApp’s backups on Google Drive.

The way I see it, storing personal messages on Telegram’s servers is not any different from storing on Google Drive, via WhatsApp backups. True privacy starts when one chooses to store their messages locally on the device they use.

Telegram’s secret chats offer that, but that not being the default is a deal breaker for me.

Signal, on the other hand, is built with the core idea of not knowing anything about the user. It has end-to-end encryption enabled by default, thus enabling the user to get going. For those users that are moving away from WhatsApp, Signal must be the preferred choice. Should one choose to use Telegram, it’s very important to note that only 1:1, opted-in, secret chats are end-to-end encrypted.

This article also covers how Signal is a superior solution overall:

Between Signal and WhatsApp

You must choose Signal.

While WhatsApp and Signal may seem similar, there is a vast difference in functionality and privacy aspects of the apps. I want to cover two primary factors.

The only information that Signal knows is your mobile number, and Signal makes no attempt to link that to your identity. In other words, Signal wouldn’t know that a certain mobile number belongs to you, wouldn’t know who you are communicating with using that mobile number or how often you do that, and wouldn’t use that information to map to external services/products. Even during the latest outage on the 15th of Jan, 2020, Android developers from the Signal team had to ask for debug logs from the community, to troubleshoot the cause of the outage. It was necessary for them to ask for it, because Signal does not collect any details by default.

Data that Signal is involved with
Data that Telegram is involved with

Signal also offers linked devices, which include tablets, desktops and laptops, that can work without having your mobile device active. WhatsApp requires your mobile device to be active, or online, to have the desktop counterpart work.

One may read the desktop version of WhatsApp as a “beam”-able version of your mobile display.

Signal doesn’t work that way. Signal can work even when your mobile device is switched off. And when your mobile device is activated again, your desktop messages sync over to mobile.

[1] This Was WhatsApp’s Plan All Along
[2] MTProto Mobile Protocol
[3] Why Isn’t Telegram End-to-End Encrypted by Default?


Signal team is looking for Android debug logs

Signal has been down for over 20 hours, and the cause of the outage seems to be a steep increase in the number of signups in the last few days.

In a recent update, Android developers from Signal asked for the community members’ logs:

Hi folks! We’re trying to track down an issue where Android devices may be sending too many messages. Given we have no metrics, the only way we can get more information is for ya’ll to share your debuglogs. So please, regardless of whether you think your phone was acting funny, please post a debuglog here, or DM me if that makes you more comfortable.

If you are willing to help out as well, you may submit the debug logs here, or DM the author on their forum.

Signal’s explosive growth comes shortly after WhatsApp’s announcement of changes in their policies, which has been further pushed back by 3 months.



Signal on GitHub trends

So cool to see Signal’s repositories in the top 5 for this week on GitHub! If you have benefited from this open source, free, privacy-respecting software, you may consider supporting them with donations as well.



Signal

I don’t have a WhatsApp (and Facebook) account, but I did hear about their terms change: users are required to accept the new policies, wherein WhatsApp data can now be shared with Facebook. As I understand, this does not impact the e2e (end-to-end encrypted) messages aspect of WhatsApp. It’s based on the Signal protocol and messages will continue to remain as private as possible.

Related Hacker News thread: WhatsApp gives users an ultimatum: Share data with Facebook or stop using app.

What’s changing this time though, or better said, what’s made more explicit, is that other aspects of WhatsApp usage may now be shared with Facebook. Paul’s article here in particular covers what’s changing in detail, and also backs it up with relevant sources:

In practice, this means that WhatsApp shares a lot of intel with Facebook, including account information like your phone number, logs of how long and how often you use WhatsApp, information about how you interact with other users, device identifiers, and other device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone. Transaction and payment data, cookies, and location information are also all fair game to share with Facebook depending on the permissions you grant WhatsApp in the first place.

As I understood from a few other Hacker News and media articles, WhatsApp made another drive-by change: removed text about not having access to private keys. This comment in particular highlights that a user’s opt-in for a WhatsApp business account delegates access to Facebook, which is a vendor of the WhatsApp Business API.

To most, this sharing of access may not matter, but I feel differently. Especially in a world where better, privacy-focussed options, like Signal and Telegram (only via secret chats) are available, it’s a no-brainer to consider these options. Mohan has covered some privacy-respecting messenger app alternatives that you may like to read.

I have been a Signal user for many years, but have truly stood by it in the last year or so.

I am very pleased with their growth, especially in India, and I am pleased that most of my friends and family are moving over as well. If you haven’t moved yet, you may consider doing so today. We may as well read Brian Acton, Elon Musk and Edward Snowden’s work/tweets as an endorsement. It’s particularly interesting to know that the WhatsApp co-founder (Brian Acton) left Facebook post acquisition, to infuse 50 million dollars in Signal.

Signal is a non-profit company, free, publishes their client-side and server-side code in the open, and promises unexpected focus on privacy. It’s among the very few apps (the only other platform that I know of is Matrix, but it’s riddled with bugs) in the market that offer synchronized, end-to-end encrypted messaging.

With their focus being on privacy, it’s natural that they are not able to offer advanced features like Telegram bots, and that’s okay.

I see that as a decent tradeoff.