SMS vs WhatsApp?

Preface

I know that the best user-friendly messenger to use is Signal. I know there are other cool messengers and protocols like Matrix/Element and Session. Because of my predicament, I would like to keep this discussion specifically to comparing SMS and WhatsApp.

My big fat problem

Ain’t nobody want to use Signal around me. I’ve pitched it to multiple people with no dice. Signal will remain on my phone as a beacon to friends and family for whenever they become enlightened, but I have to make do in the meantime.

There are other threads on here about trying to figure out how to sell people on E2EE messengers.

What I need to decide is which of these two options I will default to when I have the option: SMS and phone calls vs WhatsApp. These are what I can reasonably expect to use.

Option 1: SMS

Everyone’s got SMS. It’s basic texting. The benefit of using this is that it’s the default for everyone.

However, it is easily the least private option as the only thing “secure” about it is that you’d have to get into my phone to see texts. Otherwise they’re unencrypted and flying over the air between destinations. Phone calls are in a similar boat. Anyone who wanted to get their hands on my communication could do so with the right technical know-how.

Not to mention any potential logging that is already happening by my carrier.

Option 2: WhatsApp

This messenger is almost ubiquitous in my part of the world, to the point where I can reasonably assume to find people on it. The only reason it doesn’t dominate is because I’m in the US and iMessage maintains its spot in the market.

The benefits are encrypted chat and calls as well as other nice to have chat features like read receipts, disappearing messages, and reactions. And the fact that all of this is over the internet makes it faster and, in the case of calls, much clearer.

The cons are… you know. It’s owned by Meta. I do trust that it’s actually end-to-end encrypted, but Meta gets to keep all of the meta data that my presence and exchanges create. Everyone is kept out except for Zuck, which is still not a great feeling.

Ay carumba

What should I default to? What would you default to in my place? What other mitigations, benefits, or concerns should I keep in mind in order to decide?

I know these aren’t great options to choose from, but if we could focus replies on specific solutions, that would be great. I know these are trash options from the perspective of many in the privacy community, but I’m trying to lean into the best options I got.

Honestly it’s a matter of choosing between the lesser evil.

My main selling point of Signal for iMessage users would be that Signal is just like iMessage except it’s cross-platform, and has more features.
I have found that this pitch works more than others.

Imo having encryption is more important than avoiding metadata collection.
If I had to choose between the two I would choose WhatsApp, because everyone already probably uses it and submits metadata to Meta anyway, so might as well let them use it with you, plus the fact that SMS is just sent in the open air and logged by cell carriers is far scarier than the Zucc knowing what time you had breakfast.
Although I would advise switching to alternatives asap.

  • If your phone supports multiple profiles (like GOS), try keeping a separate profile for WhatsApp as compartmentalization is always a good practice.
    If your phone doesn’t support profiles try using Shelter.

  • Try using tools like Exif Eraser (Android), Imagepipe (Android), Metapho (iOS), to remove metadata from media before sending it through WhatsApp.

  • I’ve recently also been looking to block WhatsApp’s metadata collection through DNS filtering.
    Although I have no idea how successful I have been, this might be an option if someone finds a way to make it work.

2 Likes

Signal on Android can be set to receive all incoming SMS. I would not use anything controlled by Meta ever.

1 Like

would your friends be open to receiving links? post a message on a site that automatically deletes messages once a friend visits the specific URL.

I appreciate the recommendation and I like that it’s kind of messenger agnostic. However, if the folks I talk to grimace at using Signal, I think having them read my messages through a link to another site would face even more friction, as well as not being super convenient for day-to-day use. :confused:

I do a version of this for sensitive information, though. For that I will default to an encrypted messenger (usually Signal) and my friends and family usually let me get away with that.

The worst of both worlds.

I would still try to convince them when you can.
I would use it on a separate SIM, in a locked profile if this is the case, and never send sensitive data. If you want a payment or anything, then show them in person, remove any and all metadata before sending.

Otherwise, do what you’re doing at the moment.
Only thing you can hope for is Signal getting more popular and there would be a reason for swapping.
Maybe mentioning a data breach that some may be associated with and telling people in your groups to look into this and show that you’re interested in security for their sake as well? If that isn’t too pushy of course.

I wish there was more one can do, but there is only so much.

yeah it does require more work. I guess you would use it for sharing low level privacy stuff. but what can you do if you can’t teach people to use better apps?

anyway I was wondering why no one ever talks about Onionshare:

Michael Bazzell (The Privacy, Security, & OSINT Show) spoke about an interesting technique. A little bit of psychology. Tell people that you’re on Signal and you don’t check the other things very often. Every time someone sends you a message on any other platform, take a really long time to answer. Disable notifications for these apps if you have to. On the other hand, every time they send a message to Signal, answer immediately.

For me it was kind of radical - I said to everyone that from this date and for this reason I’m on Signal only. Period. Either they want to contact you or not.

Here’s the latest in my thought process to decide between these two options. There are two categories of data to think about: the meta data and the actual contents of the message. I’m including phone calls into this as well because they’re in a similar boat in terms of who has access to what.

The meta data

Who can collect the SMS meta data?

When the text message is sent from my phone Google has access because I use Google Messages and stock Android with Google Play services. I’m thinking about switching to Signal at least as an SMS client but that’s another can of worms that’s specific to my use case.

While the text is going over the air, my cell carrier has access to the meta data. As it goes to the other phone then basically any of the other major carriers also have access to that meta data as part of delivering the text to the recipient. Just depends on what carrier the recipient is using.

Once the text lands on the other person’s phone, the other potential observers are Google again, Samsung and any other OEM providers that use their own SMS client on their skin of Android, and Apple through their Messages app.

The cherry on top is anyone who happens to be listening in. I don’t know if texts and calls are something that can be collected en masse or require targeting, but that exposure remains.

So the total parties with access to the meta data of my communication is four or more. The least potential parties is two (Google and my carrier assuming the recipient uses my set up).

  1. Google
  2. Major cell carriers (3+)
  3. Apple, Google, Samsung and other Android manufacturers (2+)
  4. Anyone who may choose to listen in

Who can collect WhatsApp meta data?

Maybe Google because I’m using stock Android, and of course Meta. I’m using their app.

In transit the message is encrypted. I don’t know if that hides the meta data from the carrier or network I’m using if it’s in a similar boat to using a VPN. When using a VPN, the ISP can tell I’m using a VPN, but I don’t know if they know which VPN I’m using or what else. I suppose there is the time and date the package is sent, so that is maybe the least they can collect. As of now I’m not sure whether to count the ISP as having access to meta data but I will.

Then once it lands, Meta again because it stays in WhatsApp. Maybe Google, Apple, or an Android OEM but I’m still not sure whether they have access to the app.

In my hazy opinion, the parties that can for sure collect the meta data is Meta because they provide the app. Google, the ISPs involved, and the OS vendors of the recipient phone may also be able to collect some meta data, but I’m not sure how much. So let’s say about three to four parties have access to at least some meta data.

The contents of the message

Who can see the contents of SMS?

All parties who have direct access to the meta data also have access to the content. We’re still looking at about four or more parties having access to the messages themselves.

Who can see the contents of WhatsApp messages?

As far as I can tell, only Meta could have access, and even that is disputed. Because the contents of the communication is end-to-end encrypted, theoretically no one except the sender and recipient have access to the message. However, because Meta holds the encryption keys (I think), they can decrypt the messages. Do they do that? I don’t think so and I don’t feel comfortable saying they do without evidence.

I’ll say that at most there is one unlikely party.

Conclusion

The option with the least exposed meta data and message content is WhatsApp.

:confused:

I don’t want to do it, but I think I’m going to start defaulting to WhatsApp when I can unless there’s a more secure option available with the person I’m contacting.

side question: is it possible to use GPG .asc in Whatsapp? What I mean is encrypt your message then paste the cyphertext as your message, then send.

Mate GPG is meant to be used on emails. Yes it’s possible but it’s foolery to do as it’s incredibly complex to be used in a chat and a key compromise could lead the attacker to read all your texts.

1 Like

Long time lurker, first time poster – thanks for this thread, everyone. I’m in a similar predicament, though I’ve had a bit of success in getting my friends to switch to signal. But I’ve got one who is very resistant.

So I’m thinking about downloading whatsapp and trying to use it for that one stubborn contact – I think there are videos out there on how to use whatsapp without giving it access to all your contacts. In general though I’m really uncomfortable with Meta/FB having any of my data. :confused:

3 Likes

Welcome to the community!

Yeah, it’s not a great position to be in. The only way that I can deal with it is by remembering that SMS is even less private than WhatsApp. But even then I understand how folks can choose the other direction and would rather use SMS than WhatsApp.

3 Likes

I would choose SMS as it is open-source and can be used with Free Software made for the protocol. Whatsapp is proprietary so I think the clear winner is SMS. Yes the security of SMS is quite bad but is Whatsapp any better? Whatsapp is proprietary while SMS isn’t. Whatsapp is just as insecure as SMS if not worse. As a matter of fact it may as well be that Whatsapp uses SMS under the hood (Yes it sounds ridiculous I know). The point is we just don’t know how whatsapp works as it’s proprietary. So you may as well use SMS.

From what I understand, WhatsApp has been audited and confirmed to use the Signal protocol, so all communications are encrypted and that is a sizeable improvement over SMS. However, Meta does have access to all the meta data, and that’s not great. WhatsApp is more secure than SMS, but from a privacy standpoint it depends on whose eyes you’re trying to avoid.

Who audited it? WhatsApp in their WhatsApp Whitepaper?

I say they are using Fairy Dust secure protocol which is super secure and Quantum attack resistant protocol. Prove me wrong.

This is also a way of checking who really wants to be in touch with you. Did the same thing with Disc*rd and mumble.

Do not use SMS, seriously.
They’re plaintext, not even client to server encryption.

Sure, WhatsApp sucks, but at least it is not plaintext.

Thankfully nobody uses SMS where I live.

The problem with whatsapp is, mainly, metadata.
So by doing so you would not be fixing anything, only adding a layer of complexity & inconvenience to communication.

Also, GPG is not a good choice, especially for IM.
Among several things it lacks forward secrecy.

There’s a popular (and quite controversial) webpage exposing all PGP/GPG flaws. I’m sorry but I can’t seem to have the link right now.

I couldn’t find the fancy real-deal audits, but I did find claims from reputable sources validating that WhatsApp does in fact use end to end encryption.

EFF in 2021: “To be clear: WhatsApp still uses strong end-to-end encryption, and there is no reason to doubt the security of the contents of your messages on WhatsApp.”

Mozilla in 2021: “Is WhatsApp bad for privacy? From a technical perspective, no, not really. WhatsApp uses super strong end-to-end encryption for all texts, chats, and video calls, This is great! WhatsApp can’t read your messages or see your calls. The flip side of this is Facebook–a company infamous for its vast and questionably ethical collection of so much data–owns WhatsApp. This means that lots of metadata, things like purchase history, location, device ID, and more–can be captured and shared with businesses advertising on WhatsApp.”

Signal Foundation in 2017: “We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.”

The one audit I did find was the NCC Group in 2021 regarding their encrypted backup, which also didn’t seem to find anything scandalous as far as I could tell.

The first three are big names in the privacy space, while it is possible they are wrong, they are staking their reputation on making these statements. If you don’t believe the EFF, I don’t know what more to say.

Compare that to SMS that is an open standard but totally lacks encryption, leading to the exposure I noted earlier in this thread.

Ideally I would of course love to use Signal, but if I can’t use that, then I have to pick between two bad choices. Gotta make lemonade from lemons.