Signal, Telegram, WhatsApp, Viber: Who reads your messages?

Author : Iryna Shostak

Source : 112 Ukraine

Telegram and Signal downloads skyrocketed around the world last week. The trigger was WhatsApp, namely the news that the messenger will transfer part of its data to Facebook. Users are loudly decrying the unfairness of the decision and actively leaving the platform in the hope that other messengers will certainly preserve their privacy. But is it really so, and is it possible to talk about any kind of confidentiality in the 21st century?
23:33, 26 January 2021


"Elon Musk trusts Signal, so I will trust it too", "Pavel Durov claims that Telegram is not worse, or even better. I agree", "WhatsApp is trying to justify itself. Well, no, I won't buy it. Delete", "iMessage and Facetime will definitely not let you down - Apple's priority for many years has been to protect the personal data of its customers", "Messenger is a primitive 'child' of Facebook, what kind of privacy can we talk about there?", "Viber doesn't seem reliable to me, it's kind of old-fashioned. What kind of privacy is there?", "Skype? Is it still alive?"

Collecting all the most common misconceptions about known communication platforms in one paragraph - done. It remains to debunk them in order to move on to something that will allow you to look at privacy from a different angle.

Signal and Telegram: have all other messengers left the chat?

Don't idealize Signal. Although the messenger's reputation is cleaner than that of its rivals, it has had its dark moments too. For example, in October 2018, information security researcher Matthew Suiche reported that Signal, in the process of migrating from a Chrome extension to a full-fledged desktop client, exported user messages into unencrypted text files.

In simple words: all exported data (messages and attachments) remains unencrypted on disk during and after the update process (they must be deleted manually).

Furthermore, there was a "hole" in the "secure" Signal through which the calling device could send a message to the receiving party without its knowledge. Attackers could listen to what was happening near the user even before he accepted an incoming call. The hole was fixed in September 2019.

A year later, in September 2020, researchers from the University of Würzburg, together with colleagues from the Darmstadt University of Technology (Germany), tested several services for access to private information. During the tests, it was found that three well-known messengers, including Signal, reveal the personal data of users through the services that search for contacts by the phone numbers stored in the address book. So, during the experiment, using such services, researchers scanned 100% of the numbers of Signal users. They had at their disposal all the data that people post in their profiles (photos, nicknames, statuses, the last date and time of connection).

It's worth noting that the other two messengers that took part in the study were WhatsApp and Telegram. The results are disappointing.

Telegram is also far from ideal. Let's talk about encryption. The "gram", like most other modern instant messengers, uses end-to-end encryption - the message is encrypted on your phone and decrypted on the recipient's device. "In the middle" of this path, the messenger itself does not store a decrypted copy of the message. This encryption provides a high level of security. It is used for voice messages and video calls in Telegram, but not for regular chat messages.

For end-to-end encryption to work for you by default, you need to use "secret chat". But this applies only to private messages; in group chats you are still "naked".

Moreover, end-to-end encryption is not really a panacea. In 2018, a Habr user under the nickname ne555 managed to bypass two-factor authentication and gain access to secret chats (he was able to read and send messages to them). At the same time, the real owner of the account did not even see that he was hacked. Such manipulations were carried out by a hacker as an experiment, to which the developers reacted only after several more successful hacks.

You don't have to give up on WhatsApp. You will be surprised, but if you are not a businessman, not a politician and the information you transmit is not hypersensitive, WhatsApp is quite confidential for you.

"The problem is exaggerated (ed. - the scandal around WhatsApp). It mainly concerns business accounts, but not ordinary people. And in general, in fact, it previously transferred such data to Facebook, and this volume will not change with respect to individuals. It will change only with respect to business accounts. The messenger will continue to transmit to Facebook everything that it has previously transmitted. If this suited you before, then why does it not suit you now," says Olexander Olshansky, an expert in the field of information technology.

Messenger may still surprise you. Another application that took a hit because of Facebook's tricks is Messenger, the "child" of the corporation. Yes, linking it to a Facebook account with two-factor authentication is often criticized, and for good reason - if an attacker gains access to your account, he automatically gains access to the messenger. Its standard usage parameters also leave much to be desired - the messenger does not encrypt your messages by default. But what about "secret chat"? I suspect you weren't even aware of its existence, or of the automatic message deletion function.

The security offered by Apple messengers will not suit everyone. The fact is that messages in iMessage and Facetime are truly secure - a level higher than in some other communication applications. But data security in Apple's case comes at a high price - encryption keys are stored on the company's servers, and it can theoretically read them. Moreover, in countries such as Russia and China, it can transfer them to government servers.

Viber can compete even with the sensational Signal. Not many people know it, but the application has end-to-end encryption, which is enabled by default for all chats. The messenger's arsenal also includes "secret chats", automatic deletion of messages, screenshot tracking, and protection against copying and forwarding messages. Of course, this barrel of honey, like each of the messengers, has a few flies in the ointment: questions about two-factor authentication and keeping backups in clear form.

Skype is also alive. If the majority of young people have stopped using Skype, preferring more "fresh" messengers, this does not mean that it should be discounted. Unlike Telegram, the messenger has end-to-end encryption by default (but it's worth noting that developers can access the user's personal data if required, for example, by law enforcement agencies).

Also, the advantage of Skype over Viber is that the messenger does not back up files to other servers. Of course, speaking of Skype, one cannot fail to mention the numerous scandals associated with wiretapping of conversations in the messenger by Microsoft employees (Skype was bought by the tech giant back in 2011).

Before moving on to the climax, after which you may like the idea of using carrier pigeons in your correspondence, it is important to emphasize that the developers of Signal, like the developers of any other messenger, after identifying the "holes" eliminate them, improving their applications. But attackers are also improving, picking up new "keys" to data that may interest them. Moreover, in the case of Signal and the popularity that has fallen on it, the risk is really high.

But one way or another, there is no absolute privacy. There is always a way to hack something. The only question is who needs it and how much it costs.

Your data no longer belongs to you, the question is only in the price and purpose

Don't panic. Yes, this is true. None of the modern instant messengers can guarantee you one hundred percent protection. But if you are an ordinary person, not a politician, not a businessman and do not transmit sensitive information using communication platforms, breathe out.

"End to end encryption is a fairly reliable mechanism, provided that you are an ordinary person. In other cases, other hacking methods are used - they do not break the messenger itself, but use a specially designed virus that reads messages directly on your phone, because on the way they cannot be read - they are encrypted. And here it is not messengers that are a barrier, but phones, operating systems and their reliability," says Olexander Olshansky.

Many instant messengers also collect other information about you - metadata (how often you correspond, what time of day, your location, etc.). Viber, for example, collects information about which sites you visit.

"And these are not instant messengers themselves. Sites have a piece of code that reports to instant messengers. Modern instant messengers do not collect correspondence itself, a malicious hacking is needed here, and it happens through the operating system of the phone. Within a single phone, it is not so important which messenger you use", the expert adds.

For an ordinary subscriber, the issue of security is really not a fundamental criterion for choosing a particular messenger. As a rule, the user can think about security if he or someone close to him has already had some kind of incident (for example, information leakage).

"There is a segment of users who choose the messenger precisely for security reasons, but they are a minority (up to 5%) compared to the general mass, focused primarily on mass and ease of use," says Nazar Grynyk.

If you urgently need to transmit a message to another person confidentially, then it is best to do this using Signal, Threema, Wire or Riot.IM - these messengers have high reliability according to the estimates of various analytical companies in the sector. True, first you need to persuade your interlocutors to download them.

There are also paid messengers that don't collect your metadata. But it is rather difficult for an ordinary person to use all this. In such a case, security conflicts with convenience.

"If you put a very complex alarm system on your car, it will work fine, but it is inconvenient to use - you have to enter a code every time. Such messengers also work like that," emphasizes an expert in the field of information technology Olexander Olshansky.

According to Nazar Grynyk, Director of LEAD9 Mobile Marketing, apart from the danger of fraudsters hacking your correspondence, there is another, much more real one: state monitoring.

"For example, the Russian SORM system, which gives access to all subscribers' e-mail. And for some reason it seems to me that Ukraine already has such a system," the expert says.

One way or another, but all popular instant messengers are not safe, because their encryption algorithms and approaches to security quickly become known to attackers. And here it is only a matter of time and resources to access the data. And everything can be broken. The only question is how quickly.

If none of the popular instant messengers can guarantee complete confidentiality, then what should users do? Pay attention to other factors that can help you feel more secure:

  • End-to-end 256-bit encryption, which we talked about earlier - all messages are encrypted right on the gadget before being sent and decrypted only on the gadget to which they are delivered, immediately before reading.

"The keys to 256-bit encryption should only be stored on users' gadgets, not on the messenger's server. If messages are encrypted, but the key is stored in the company, it can theoretically read your correspondence," says Grynyk.

  • What if your device was hacked and the attacker obtained the key to the correspondence in the messenger? To guard against this, you also need the option to generate a key for each separate session - Perfect Forward Secrecy, or PFS. Thus, even having obtained the encryption key, it will be impossible to open all the previous correspondence stored on the device.
  • For secure browsing and communication, additionally use VPN services.
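
To make the Perfect Forward Secrecy point above concrete, here is an added example (not from the article or from any messenger's code) that compares one static key with a key derived per session through a one-way HMAC-SHA256 chain. The chain is a simplification chosen for the demo, since real protocols typically combine such a step with ephemeral Diffie-Hellman exchanges; `RatchetDevice`, `xor_cipher` and all secrets and messages are hypothetical, constructed values.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 output does not reveal the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo (HMAC-SHA256 keystream); same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = kdf(key, b"keystream" + (i // 32).to_bytes(4, "big"))
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class RatchetDevice:
    """Hypothetical client that stores only the current chain key."""

    def __init__(self, root: bytes):
        self.chain_key = root

    def next_session_key(self) -> bytes:
        session_key = kdf(self.chain_key, b"session")
        self.chain_key = kdf(self.chain_key, b"chain")  # previous chain key is overwritten
        return session_key


def compromise_demo():
    # Constructed sample messages and secrets, one message per session.
    messages = [b"session 1: meet at noon", b"session 2: bring the papers", b"session 3: all clear"]
    static_key = hashlib.sha256(b"constructed static key").digest()
    static_cts = [xor_cipher(static_key, m) for m in messages]
    device = RatchetDevice(hashlib.sha256(b"constructed root secret").digest())
    ratchet_cts = [xor_cipher(device.next_session_key(), m) for m in messages]

    # The device is compromised now: the attacker copies whatever key material it holds.
    static_read = [xor_cipher(static_key, c) for c in static_cts]
    stolen = device.chain_key
    candidates = [stolen, kdf(stolen, b"session"), kdf(stolen, b"chain")]
    ratchet_read = [m for m, c in zip(messages, ratchet_cts)
                    if any(xor_cipher(k, c) == m for k in candidates)]
    return static_read == messages, ratchet_read


if __name__ == "__main__":
    print(compromise_demo())
```

With the static key, the stolen key opens every recorded session; with per-session keys, the key material left on the device opens none of the earlier ones.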

