SMS vs WhatsApp?

Preface

I know that the best user-friendly messenger to use is Signal. I know there are other cool messengers and protocols like Matrix/Element and Session. Because of my predicament, I would like to keep this discussion specifically to comparing SMS and WhatsApp.

My big fat problem

Ain’t nobody want to use Signal around me. I’ve pitched it to multiple people with no dice. Signal will remain on my phone as a beacon to friends and family for whenever they become enlightened, but I have to make do in the meantime.

There are other threads on here about trying to figure out how to sell people on E2EE messengers.

What I need to decide is which of these two options I will default to when I have the option: SMS and phone calls vs WhatsApp. These are what I can reasonably expect to use.

Option 1: SMS

Everyone’s got SMS. It’s basic texting. The benefit of using this is that it’s the default for everyone.

However, it is easily the least private option as the only thing “secure” about it is that you’d have to get into my phone to see texts. Otherwise they’re unencrypted and flying over the air between destinations. Phone calls are in a similar boat. Anyone who wanted to get their hands on my communication could do so with the right technical know-how.

Not to mention any potential logging that is already happening by my carrier.

Option 2: WhatsApp

This messenger is almost ubiquitous in my part of the world, to the point where I can reasonably assume to find people on it. The only reason it doesn’t dominate is because I’m in the US and iMessage maintains its spot in the market.

The benefits are encrypted chat and calls as well as other nice to have chat features like read receipts, disappearing messages, and reactions. And the fact that all of this is over the internet makes it faster and, in the case of calls, much clearer.

The cons are… you know. It’s owned by Meta. I do trust that it’s actually end-to-end encrypted, but Meta gets to keep all of the meta data that my presence and exchanges create. Everyone is kept out except for Zuck, which is still not a great feeling.

Ay carumba

What should I default to? What would you default to in my place? What other mitigations, benefits, or concerns should I keep in mind in order to decide?

I know these aren’t great options to choose from, but if we could focus replies on specific solutions, that would be great. I know these are trash options from the perspective of many in the privacy community, but I’m trying to lean into the best options I got.

Honestly it’s a matter of choosing between the lesser evil.

My main selling point of Signal for iMessage users would be that Signal is just like iMessage except it’s cross-platform, and has more features.
I have found that this pitch works more than others.

Imo having encryption is more important than avoiding metadata collection.
If I had to choose between the two I would choose WhatsApp, because everyone already probably uses it and submits metadata to Meta anyway, so might as well let them use it with you, plus the fact that SMS is just sent in the open air and logged by cell carriers is far scarier than the Zucc knowing what time you had breakfast.
Although I would advise switching to alternatives ASAP.

  • If your phone supports multiple profiles (like GOS), try keeping a separate profile for WhatsApp as compartmentalization is always a good practice.
    If your phone doesn’t support profiles try using Shelter.

  • Try using tools like Exif Eraser (Android), Imagepipe (Android), Metapho (iOS), to remove metadata from media before sending it through WhatsApp.

  • I’ve recently also been looking to block WhatsApp’s metadata collection through DNS filtering.
    Although I have no idea how successful I have been, this might be an option if someone finds a way to make it work.

1 Like

Signal on Android can be set to receive all incoming SMS. I would not use anything controlled by Meta ever.

1 Like

Would your friends be open to receiving links? Post a message on a site that automatically deletes messages once a friend visits the specific URL.

I appreciate the recommendation and I like that it’s kind of messenger agnostic. However, if the folks I talk to grimace at using Signal, I think having them read my messages through a link to another site would face even more friction, as well as not being super convenient for day-to-day use. :confused:

I do a version of this for sensitive information, though. For that I will default to an encrypted messenger (usually Signal) and my friends and family usually let me get away with that.

The worst of both worlds.

I would still try to convince them when you can.
I would use it on a separate SIM, in a locked profile if this is the case, and never send sensitive data. If you want a payment or anything, then show them in person, remove any and all metadata before sending.

Otherwise, do what you’re doing at the moment.
Only thing you can hope for is Signal getting more popular and there would be a reason for swapping.
Maybe mentioning a data breach that some may be associated with and telling people in your groups to look into this and show that you’re interested in security for their sake as well? If that isn’t too pushy of course.

I wish there was more one can do, but there is only so much.

Yeah, it does require more work. I guess you would use it for sharing low level privacy stuff. But what can you do if you can’t teach people to use better apps?

Anyway, I was wondering why no one ever talks about OnionShare:

Michael Bazzell (The Privacy, Security, & OSINT Show) spoke about an interesting technique. A little bit of psychology. Tell people that you’re on Signal and you don’t check the other things very often. Every time someone sends you a message on any other platform, take a really long time to answer. Disable notifications for these apps if you have to. On the other hand - every time they send a message to Signal, answer immediately.

For me it was kind of radical - I said to everyone that from this date and for this reason I’m on Signal only. Period. Either they want to contact you or not.

Here’s the latest in my thought process to decide between these two options. There are two categories of data to think about: the meta data and the actual contents of the message. I’m including phone calls into this as well because they’re in a similar boat in terms of who has access to what.

The meta data

Who can collect the SMS meta data?

When the text message is sent from my phone Google has access because I use Google Messages and stock Android with Google Play services. I’m thinking about switching to Signal at least as an SMS client but that’s another can of worms that’s specific to my use case.

While the text is going over the air, my cell carrier has access to the meta data. As it goes to the other phone then basically any of the other major carriers also have access to that meta data as part of delivering the text to the recipient. Just depends on what carrier the recipient is using.

Once the text lands on the other person’s phone, the other potential observers are Google again, Samsung and any other OEM providers that use their own SMS client on their skin of Android, and Apple through their Messages app.

The cherry on top is anyone who happens to be listening in. I don’t know if texts and calls are something that can be collected en masse or require targeting, but that exposure remains.

So the total number of parties with access to the meta data of my communication is four or more. The fewest potential parties is two (Google and my carrier, assuming the recipient uses my setup).

  1. Google
  2. Major cell carriers (3+)
  3. Apple, Google, Samsung and other Android manufacturers (2+)
  4. Anyone who may choose to listen in

Who can collect WhatsApp meta data?

Maybe Google because I’m using stock Android, and of course Meta. I’m using their app.

In transit the message is encrypted. I don’t know if that hides the meta data from the carrier or network I’m using if it’s in a similar boat to using a VPN. When using a VPN, the ISP can tell I’m using a VPN, but I don’t know if they know which VPN I’m using or what else. I suppose there is the time and date the package is sent, so that is maybe the least they can collect. As of now I’m not sure whether to count the ISP as having access to meta data but I will.

Then once it lands, Meta again because it stays in WhatsApp. Maybe Google, Apple, or an Android OEM but I’m still not sure whether they have access to the app.

In my hazy opinion, the party that can for sure collect the meta data is Meta because they provide the app. Google, the ISPs involved, and the OS vendors of the recipient phone may also be able to collect some meta data, but I’m not sure how much. So let’s say about three to four parties have access to at least some meta data.

The contents of the message

Who can see the contents of SMS?

All parties who have direct access to the meta data also have access to the content. We’re still looking at about four or more parties having access to the messages themselves.

Who can see the contents of WhatsApp messages?

As far as I can tell, only Meta could have access, and even that is disputed. Because the contents of the communication are end-to-end encrypted, theoretically no one except the sender and recipient has access to the message. However, because Meta holds the encryption keys (I think), they can decrypt the messages. Do they do that? I don’t think so and I don’t feel comfortable saying they do without evidence.

I’ll say that at most there is one unlikely party.

Conclusion

The option with the least exposed meta data and message content is WhatsApp.

:confused:

I don’t want to do it, but I think I’m going to start defaulting to WhatsApp when I can unless there’s a more secure option available with the person I’m contacting.

Side question: is it possible to use GPG .asc in WhatsApp? What I mean is encrypt your message then paste the cyphertext as your message, then send.

Mate, GPG is meant to be used on emails. Yes it’s possible but it’s foolery to do as it’s incredibly complex to be used in a chat and a key compromise could lead the attacker to read all your texts.