WhatsApp’s recent PR disaster has seen tens of millions flock to other platforms. Millions more are now planning to do the same, after a backlash over data sharing with Facebook. But beware—not all messengers are the same and you could be taking a more ‘dangerous’ risk than you realize. So, what should you do now?
“Using WhatsApp is dangerous,” Telegram’s founder Pavel Durov warned last January, citing cyberattacks against WhatsApp running on phones belonging to key targets, including Jeff Bezos. A year on and Durov is now celebrating “the largest digital migration in human history,” writing that “in the first week of January, Telegram surpassed 500 million monthly active users—25 million new users joined Telegram in the last 72 hours alone.”
In his warning, Durov cited a WhatsApp vulnerability in its handling of video files as well as alleged nation state attacks like the one targeting Bezos. Durov claimed that “backdoors are usually camouflaged as ‘accidental’ security flaws—in the last year alone, 12 such flaws have been found in WhatsApp.” Durov also (correctly) pointed out the risks for users who back up their WhatsApp chat histories to public clouds and questioned WhatsApp’s fabled security. “How can anybody be sure that the encryption WhatsApp claims to use is the one actually implemented in their apps?”
The two WhatsApp competitors that have benefited most from its stumble are Signal and Telegram. But they are very different to one another, and the WhatsApp versus Telegram versus Signal debate has exposed just how unaware most users are of those critical differences. Worse, many of the articles explaining WhatsApp’s issues and the alternatives do not clear up any of that confusion. This puts you at risk.
The surge of new users to Telegram is perhaps the most interesting aspect of the WhatsApp exodus. Let’s be very clear—while Signal is a more secure WhatsApp lookalike, Telegram is nothing of the sort. It is a completely different platform, designed for a completely different purpose. And while Durov says “I consider Telegram Secret Chats to be significantly more secure than any competing means of communication,” the fact remains that Telegram is not end-to-end encrypted by default, and those secret chats work between just two devices—they do not extend to groups, and they need to be manually selected.
Telegram has been described as part social media and part messenger. It is a cloud-based platform that was designed to deliver messages “seamlessly across any number of your phones, tablets or computers.” The initial use case for Telegram supported dissidents and protest groups. By hosting messages outside the state’s reach, any device could be used to access the repository. And while your data might be outside the reach of the authorities, it is technically accessible by Telegram and its employees.
Telegram operates huge groups and channels; as such, it hosts content in the same way as Facebook and Twitter, pushed out to subscribing members. This functionality led to Telegram’s reputation being tainted through the platform’s alleged use by criminals, terrorists and hate groups. Just this week, it has been sued “for failing to crack down on violent extremist conversation in the aftermath of the attack on the U.S. Capitol.”
“Chat apps that offer functionality beyond messaging often compromise privacy in favor of extra features,” warns security researcher Tommy Mysk. “Telegram offers a feature like channels, that are public feeds. This makes Telegram more of an alternative to Twitter than Signal. Telegram mingles messaging methods that are end-to-end encrypted with others, such as normal chats and channels, that are not. A lay person won’t tell the difference and might end up opting for a feature that is less secure.”
With the exception of its limited secret chats, Telegram doesn’t encrypt messages all the way from you to your contacts. Instead, it encrypts messages between your device and its cloud, and again between its cloud and your contacts. You can use multiple devices to access your cloud-based messaging repository, and Telegram holds the keys to all that encryption.
In contrast, both Signal and WhatsApp do encrypt end-to-end by default. And while Durov is right, WhatsApp does not make its encryption open-source, it is based on Signal’s own protocol, which is fully open-source. There have never been any credible claims of vulnerabilities in this encrypted message transport itself, only with compromised endpoints—i.e., hitting phones with malware.
“When you throw nation state level capabilities and the ability to attack endpoints,” Cyjax CISO Ian Thornton-Trump says, “all bets are off and the conversation (at least one side of it) is as vulnerable as if it was just clear text.”
But it turns out that while alleged Israeli spyware attacks and various technical vulnerabilities were not able to shake the confidence of WhatsApp’s vast user base, the combination of Apple’s privacy labels and a change to its terms of service, misreported as WhatsApp shares your data with Facebook, caused a backlash. Facebook has always been WhatsApp’s Achilles heel, and this has been a risk since 2014.
There are legitimate reasons for users to want to switch from WhatsApp to alternatives—the platform does collect too much data, it does share some of that data with Facebook, it is developing commercial offerings while unable to offer multi-device functionality and fully secure cloud backups. And, most of all, because of the planned integration with Facebook Messenger and Instagram.
But the one reason not to move from WhatsApp is over concerns with its message security. WhatsApp takes credit for universalizing access to end-to-end encryption, and while any platform of its scale will be subject to sophisticated nation state attacks (just look at Apple), WhatsApp’s end-to-end encryption is fine. The irony is that the millions switching WhatsApp for Telegram will be less secure in doing so—that’s not a matter of opinion, that’s because it does not have end-to-end encryption by default.
Don’t take my word for it—let’s look at what Telegram itself says. “Do I need to trust Telegram for this to be secure?” the platform asks in its own FAQs. “When it comes to secret chats, you don’t,” it says. And to the question, “why not just make all chats ‘secret’?” Telegram argues that it has balanced security, speed and multiple device access, as well as restoring messages when a phone is lost. It has compromised with “messages in Secret Chats using client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud.”
Telegram is right—if users opt to use WhatsApp’s public cloud (Apple or Google backups), then they lose the protection of its end-to-end security. But with WhatsApp you can trade the risk of lost device against compromising message security. You don’t get to make that choice with Telegram—not unless you stick to 1:1 secret chats.
Because most of your Telegram messages are not end-to-end encrypted, you rely on Telegram’s internal security and policies. “To protect the data that is not covered by end-to-end encryption,” it says, “Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect.”
Bear in mind Telegram’s origins—this is all about keeping data from the authorities. As a result of this structure, it says, “several court orders from different jurisdictions are required to force us to give up any data… We can ensure that no single government or block of like-minded countries can intrude on people’s privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.” All of which, it says, means “we have disclosed 0 bytes of user data to third parties, including governments.”
But Mysk cautions that “Telegram stands out from Signal and even WhatsApp in the way it persistently begs for access to contacts. Telegram makes it inconvenient to use the app without granting access to contacts. In addition, it offers its users the chance to connect without exchanging phone numbers. However, when adding a new contact by username, the option to share the user’s phone number with the new contact is activated by default.”
As a Telegram user, if you want to match the actual messaging security used by WhatsApp, you need to stick to those secret chats. But, unlike WhatsApp and Signal and iMessage, among others, those secret chats cannot include groups or anything beyond selected 1:1 chats. With secret chats, Telegram says, “all data is encrypted with a key that only you and the recipient know—there is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages… Secret chats are not part of the Telegram cloud and can only be accessed on their devices of origin.”
This might sound familiar to users of WhatsApp, which says, “end-to-end encryption ensures only you and the person you’re communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages.”
Telegram is not a high-risk platform. But it’s not the step-up from WhatsApp, security-wise, that it claims. In reality, both platforms have issues—albeit different ones, and are reasonably secure. Jumping ship from one to the other makes little sense.
If you want to leave WhatsApp over security and privacy concerns, you should move to Signal, not Telegram. Signal is the closest lookalike to WhatsApp. It does not link any data to its users—albeit it uses your phone number to identify your account.
But what about other messaging platforms—how do they stack up?
The most sophisticated messaging architecture is Apple’s. iMessage is underpinned by some very clever tricks, enabling users to run a central iCloud message repository that syncs across all your trusted Apple devices, without ever losing end-to-end encryption. In Telegram’s parlance, this is the best of both worlds. To enable this, you need to have “Messages in iCloud” enabled. There is a caveat, though. If you also have iCloud backups enabled, a copy of your end-to-end encryption key will be included.
The main issue with iMessage, of course, is that it doesn’t operate cross-platform. So, while it is the cleverest messaging option for Apple users, it can’t be the go-to messenger on your device. The fallback when you message non-Apple users is SMS, and SMS is a security horror show.
Android Messages is not a good alternative to WhatsApp. It is essentially an SMS client that has now evolved to RCS to add the chat features available in WhatsApp and iMessage. It is not end-to-end encrypted at the moment, although Google has this update in beta. But right now, it only works for 1:1 messaging, rather like Telegram, does not extend to groups, and needs both sides of a chat on the beta app.
Facebook Messenger is even more of a no-go. It offers a similar 1:1 “secret” chat option to Telegram—which is end-to-end encrypted, but everything else does not have that level of security. It also has a woeful privacy policy—a vast array of metadata is collected by Facebook, and the platform admits to monitoring content, including file links and attachments. The best advice for Messenger users is to switch.
There are other, less well known options now available, including Viber, which adds end-to-end encrypted messaging to its VoIP platform, and Wickr, which is best described as an enterprise version of Signal, designed for corporate use. There is also Swiss-based Threema, which has become a favorite of the very security conscious. That platform is even more secure than Signal—it doesn’t use phone numbers as identifiers and so can keep accounts wholly anonymous. It has a much smaller user base though, so you’ll be unlikely to find many of your contacts (if any) onboard.
Somewhat topically, I asked Flavio Aggio, CISO at the World Health Organization, which messenger he would recommend. He wouldn’t advocate for any single one, but mentioned Signal, Threema and Telegram as good options. I did get the sense that he would plump for Threema if pushed—the fact that it can be used without a phone number, he saw as a major plus.
If you do move, you’re fine with any of the end-to-end encrypted alternatives I’ve mentioned. You’re also fine with Telegram, but make sure you understand the differences and the risks; you will be committing to storing most of your content in Telegram’s cloud, and that won’t be for everyone. Most new users are unaware of this and assume that it’s a more secure version of WhatsApp. That simply isn’t the case.
For ESET’s Jake Moore, “Signal seems to be winning the race against Telegram,” based on the contacts he sees moving. “I think that may continue due to its default end to end encryption on offer,” he says, “a must for any messaging service in my opinion. People migrating to privacy focused apps does not happen overnight. However, WhatsApp was available for years before it became the number one messaging platform.”
This misinformation dilemma was perfectly illustrated by one of the many emails I received this week from messaging platforms looking to plug their wares. “Messaging apps, like Telegram and Signal, are end-to-end encrypted,” the email said. “WhatsApp, while end-to-end encrypted, has a number of loopholes that allow conversations to be stored or shared.”
This is all dangerously misleading, and shows what little chance everyday users have of picking through the misinformation to get the facts. Signal and WhatsApp are end-to-end encrypted by default, Telegram is not. And while Signal’s deployment is fully open source and so theoretically more secure, there are no “loopholes” in WhatsApp, by which the email meant backdoors allowing Facebook to monitor content.
As former intel officer Philip Ingram points out, “the debate about continued security with different messaging apps after the mass exodus from WhatsApp underpins that many using the excuse of privacy seem to want to follow herd induced habits rather than think for themselves.” Unsurprisingly, Ingram uses Threema. “A Swiss-based, truly anonymous messaging app,” he says. “I haven’t looked back.”
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were a lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with the potential to harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “legacy contact” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks need macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper, Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.