r/privacy 18h ago

question Can someone explain to me in layman terms why WhatsApp is not as good for privacy as Signal?

As per the title. I know WhatsApp “tracks” things identified to you, but all messages are encrypted and if you use it on an iPhone with “ask app not to track” enabled, then it can only get data if you purchase something through WhatsApp? Right?

I am clearly missing something - can someone explain in layman terms what the WhatsApp risk really is from a privacy point of view.

150 Upvotes


193

u/Vast-Total-77 17h ago edited 17h ago

On WhatsApp it is impossible to hide from someone who knows your number unless you block them, especially if you are in a country where WhatsApp is the equivalent of iMessage in popularity. They’ll know for sure you blocked them. With Signal, on the other hand, you can fully prevent someone from finding you even if they have your number.

Signal can be seen in multiple court documents providing useless info whereas WhatsApp provides lots of useful metadata, etc.

Signal doesn’t belong to any ecosystem. Signal is Signal. WhatsApp is Facebook. Facebook is Instagram. Privacy consumers, you get the idea.

Reading through Signal’s blog, they are aware of modern threats to cell phones such as Cellebrite and Graykey. They even went as far as exploiting one of the devices. I can safely assure myself that if all parties involved in a Signal chat factory reset their cell phones, those messages are gone forever. For a device that isn’t wiped, deleting the app should be sufficient, but you’ll need a strong password + BFU so that certain iOS logs will expire that could contain incoming notifications of Signal messages or other remnants.

If you still aren’t convinced read this excerpt from the FBI themselves on what they can obtain from each app through the legal process.

WhatsApp
* Message content limited.
* Subpoena: can render basic subscriber records.
* Court order: Subpoena return as well as information like blocked users.
* Search warrant: Provides address book contacts and WhatsApp users who have the target in their address book contacts.
* Pen register: Sent every 15 minutes, provides source and destination for each message.
* If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.

Signal
* No message content.
* Date and time a user registered.
* Last date of a user’s connectivity to the service.

Furthermore, I’ve studied many cases, and I have to say using an ecosystem product makes the FBI happy. All it takes is one FBI agent who knows how to correctly word a search warrant and you’re cooked. You’ll get caught by something you weren’t even aware could be used to identify you. The January 6th riot is an example of this.

24

u/mailslot 7h ago

Also, the founder of WhatsApp left after concerns about Meta (like data sharing & privacy) and donated $50m of his own money to set up the foundation that runs Signal. He’s still CEO of that foundation, IIRC.

9

u/ScallionFluffy5144 11h ago

Where can I find information on other apps and what the FBI can extract?

15

u/Vast-Total-77 11h ago

You will never find out what they can physically extract unless you have access to forensic tools or study iOS forensics a lot. You can see what they can obtain through the legal process here, although this is subject to change.

https://www.malwarebytes.com/blog/news/2021/12/heres-what-data-the-fbi-can-get-from-whatsapp-imessage-signal-telegram-and-more

Take this document with a grain of salt. I’m sure it doesn’t cover everything they can actually obtain.

You can also research iOS forensics on Google and find good stuff like this: https://www.magnetforensics.com/blog/ios-forensics-evidence-sources-to-capture-before-they-expire/

3

u/DasArchitect 14h ago

Signal on the other hand you can fully prevent someone from finding you even if they have your number.

How does that work?

20

u/Satalana12 13h ago

From Settings -> Privacy -> Phone number. You choose who can see your number and who can find you by number.

In addition to that, you can set a username to allow people to contact you using it to prevent sharing your personal phone number. This username can be changed any time you want and as many times as you want. And the best part: Signal doesn't even log it on their servers.

3

u/DasArchitect 13h ago

That's interesting, I hadn't noticed that setting.

How do messages reach you by your username, if it's not stored anywhere?

12

u/Azertygod 12h ago edited 12h ago

Small mistake from previous commentator. Per the Signal blog:

Your username is not stored in plaintext, meaning that Signal cannot easily see or produce the usernames of given accounts...

Usernames in Signal are protected using a custom Ristretto 25519 hashing algorithm and zero-knowledge proofs. Signal can’t easily see or produce the username if given the phone number of a Signal account. Note that if provided with the plaintext of a username known to be in use, Signal can connect that username to the Signal account that the username is currently associated with. However, once a username has been changed or deleted, it can no longer be associated with a Signal account.

Signal only stores the hash, not the username, and only the most recent hash at that.

While messages must be addressed (previously with phone number, now with hashed username), and thus the addresses must be stored, one of Signal's strongest protections on who you're messaging is in their sealed sender protocol, which is also a great read.

ETA: This explainer from their blog (while not covering sealed sender and group chat encryption) is a good resource for a layperson looking to understand what data Signal collects.

22

u/Metastophocles 16h ago

WhatsApp = owned by Facebook

Therefore I cannot trust it. 

u/Cute_Initiative_8789 7m ago

It's basically that simple indeed.

77

u/Comfortably_drunk 18h ago

In layman's terms: Meta bad. Signal not as bad. Yet.

12

u/Timbit42 17h ago

If the government decides Signal should collect more metadata and share it with the government, then Signal won't be much better than WhatsApp. Both are centralized and Signal could easily start collecting metadata.

The most private messengers do not collect metadata and hide your IP through multi-hop routing and do not have a central server where metadata can be collected. If a government does force Signal to collect metadata, people will move to the more private messengers. It may only be a matter of time.

15

u/Busy-Measurement8893 17h ago

If the government decides Signal should collect more metadata and share it with the government, then Signal won't be much better than WhatsApp. Both are centralized and Signal could easily start collecting metadata.

Sure, but that would require client changes due to Sealed Sender preventing a lot of metadata from being collected in the first place.

-9

u/Timbit42 17h ago

So what? Do you think Signal would not comply with a government order? US citizens are supposed to have a right to privacy but the founding documents aren't being followed as religiously these days.

20

u/TopExtreme7841 16h ago

Considering they were about to totally shut down their EU servers over shit like that, no, they most likely wouldn't.

If they made those changes we'd see it, and if it was re-licensed as proprietary, that would end 99% of the users, normal people don't use Signal in the first place, so again, no.

15

u/Busy-Measurement8893 17h ago

I think they would sooner do a Session/Quad9 and move to another country than comply.

Also, Signal is FOSS. You could easily dodge any such changes to the client by just using Signal-FOSS or Molly.

-5

u/Timbit42 14h ago

Temporarily.

2

u/Comfortably_drunk 17h ago edited 17h ago

What I said but longer:)

4

u/Timbit42 17h ago

Now they know why.

11

u/[deleted] 17h ago

[deleted]

14

u/cryptosupercar 17h ago

A reminder that the US drone assassination program solely uses metadata for targeted strikes, in the event that anyone thinks, well at least they can’t see my messages.

10

u/GhostInThePudding 15h ago

WhatsApp isn't open source, therefore it can't be trusted for privacy.

Sure it may encrypt your messages, but how do you know it doesn't also send a copy of some messages to Meta, or has a backdoor so they can decrypt your messages.

When it comes to privacy, nothing that isn't open source can ever be trusted. Yes open source apps can have things snuck into them too, but at least it is possible to check. Non open source apps can simply never be trusted.

8

u/theantnest 16h ago

WhatsApp has encrypted backups turned off by default.

So even if you turn it on, everybody you message must also have it turned on for it to be secure.

5

u/tjyolol 16h ago

No matter how good the encryption is, if it’s Meta, it’s hard to fully trust it. Even if I’m wrong, I wouldn’t feel comfortable using it if I was genuinely worried about someone watching my conversations. It just wouldn’t be worth the risk to me.

14

u/LurkerByNatureGT 17h ago

Meta may not know the content of the message, but they know who is messaging the crisis text line at 2am. And they will add that to their profile to target advertising. 

3

u/tacularia 13h ago

Something to do with the way spyware is deployed. And the reputation of the parent company. Most users don't have to be worried about that kind of thing though.

1

u/wierd010 11h ago

How’s spyware deployed through WhatsApp?

1

u/tacularia 6h ago

Any chat app can receive files, whether they are legitimate or malware. They are one of the most vulnerable apps you can have on a phone and if you're targeted that would be a potential way in.

3

u/The-Last-Lion-Turtle 11h ago edited 8h ago

Signal regularly replies None to a subpoena.

This is what WhatsApp collects and sends when asked.

https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/

Also I don't believe in anything privacy that's based on asking rather than it being cryptographically secure.

6

u/UniqueClimate 12h ago

lol, here I’ll actually provide a layman’s term, unlike others in this thread:

Signal is more secure because they publish their code, as opposed to WhatsApp where we just “have to take Facebook’s word for it” that it’s secure and private.

“Take Facebook’s word for it” let that sink in.

8

u/numblock699 17h ago

One sells your behaviour data to advertisers. One does not.

3

u/Tough_Promise5891 8h ago

Meta (Facebook) owns WhatsApp, but Signal is independent. Facebook makes money by selling your data; Signal does not need to.

3

u/DavyB 8h ago

One word: Facebook.

3

u/BeachHut9 4h ago

3 words: FB owns WhatsApp

16

u/fdbryant3 17h ago

I was going to write a reply but decided to let an AI I am not allowed to name do it for me:

Signal offers superior privacy compared to WhatsApp in several key areas:

  1. Metadata protection: Signal uses a feature called Sealed Sender to hide metadata, including who sent a message and when, even from Signal itself. WhatsApp, on the other hand, can access and share metadata with Meta and third parties.
  2. Data collection: Signal collects minimal user data, while WhatsApp gathers extensive information such as device ID, usage data, purchase history, location, and contact information. This data can be used for Meta's research purposes.
  3. Open-source transparency: Signal's code is open-source and peer-reviewed, allowing for independent verification of its security claims. WhatsApp's code is not open-source.
  4. IP address protection: Signal offers a call relay feature that hides users' IP addresses during calls, whereas WhatsApp does not provide this option.
  5. Customizable privacy settings: Signal allows for more granular control over privacy features, such as adjusting notification content and using disappearing messages across all chats.
  6. Address book handling: WhatsApp uploads users' address books to Meta servers without encryption, potentially exposing contact information to bad actors. Signal handles this data more securely.
  7. Corporate ownership: Signal is independent, while WhatsApp is owned by Meta (formerly Facebook), which has a history of data privacy concerns.

9

u/A_norny_mousse 17h ago

A rare +1 for AI

2

u/kiipa 17h ago

This is the best answer.

1

u/Creative_Crayon 2h ago

Point one is so important - Sealed Sender means that only the recipient can access the data. WhatsApp could be compelled by a court order to release data, or they could choose to look at the contents of a message.

Signal has no access to the message, so can never be forced to disclose it.

All the other features are bonuses, but Sealed Sender and minimal metadata are key for why privacy advocates recommend it.

4

u/Icy_Jeweler_9508 15h ago

WhatsApp is owned by Meta, who collects a bunch of metadata about who you call and message and when, etc. and shares this info with other Meta companies such as Facebook to better advertise to you and whatnot. Collecting this data also means it's more subject to hackers, law enforcement, etc. to see it (fortunately messages themselves are e2ee).

Signal does not collect this metadata and therefore doesn't have this information for themselves (or others) to use to track who you have in your contacts, who you message and when.

2

u/Ibe_Lost 6h ago

WhatsApp has been known to be hacked. Signal likes to yell to people on your contact list, "hey, this guy just installed Signal."

2

u/desmond_koh 16h ago

Trust.

People trust Signal (the organization) more than they trust Meta.

1

u/BeachHut9 4h ago

Equally tons of people mischievously trust Meta and FB. Fools.

3

u/mercistheman 17h ago

Trying to see the value of using Signal if your contacts are not planning on switching also.

1

u/beachntowels 54m ago

Metadata (who, when, where) is stored on WhatsApp, not Signal.

-2

u/Own-Custard3894 17h ago

WhatsApp and Signal are end to end encrypted. When talking about end to end encryption, you need to be very specific about from which end to which end. In the case of both Signal and WhatsApp, they are encrypted from the Signal or WhatsApp app, to the recipient Signal or WhatsApp app. That means the apps themselves have full access to everything being sent, unencrypted. For that matter, all messages are also fully available unencrypted to the system (e.g. iOS or Android), in order to display them on the screen.

The next question is how much do you trust the app developers. I for one trust Signal (open source, nonprofit) a lot more to not violate my private data than Meta (which claims it doesn’t use WhatsApp messages, but it’s definitely harvesting something, IMO).

3

u/MoxFuelInMyTank 16h ago

Signal is sealed sender and the best they can give is the phone number and Unix date of creation. Ultimately you can never unsend a message, so security is always reliant on never sending things in the first place.

-5

u/RemarkableWorms 18h ago

WhatsApp uses the Signal protocol as far as I know.

2

u/Dako1905 17h ago

You are correct, but Signal tries its best to delete all metadata, whereas Meta instead tracks and gives the glowies all your metadata.

-9

u/Danoweb 17h ago

Answer: encryption.

Longer answer: Signal uses a specific protocol for its encryption that makes it much more difficult to intercept and read messages. Other apps like WhatsApp, etc. simply encrypt the messages "en route". But Signal encrypts things en route, as well as in storage, and it doesn't use the same encryption key for everyone; it uses a form of GPG encryption so that the keys for each conversation are different from the keys for other conversations... This makes "brute forcing" or other "test and check" approaches much more cumbersome for would-be attackers.

8

u/Busy-Measurement8893 17h ago

WhatsApp uses the exact same protocol as Signal and has been doing so for almost a decade:

https://signal.org/blog/whatsapp-complete/

5

u/No_Performer4598 17h ago

WhatsApp uses the Signal protocol.