Signal is a fully-featured instant messaging app that’s open source, nonprofit and audited regularly. They only collect the data they need to function, and only for as long as strictly necessary. On the other hand, WhatsApp, once a champion of privacy that vowed never to sell ads, has now become another inlet of personal data for its parent company, Facebook.

What’s wrong with WhatsApp?

WhatsApp was acquired by Facebook in 2014 for $19.6 billion and now uses it as a gigantic data-collection funnel to power its ad-targeting algorithms. Besides of the dubious ethics in the way Facebook conducts its business, recent scandals such as Cambridge Analytica’s use of Facebook data show that Facebook might not be the best custodian of your personal data.

WhatsApp is often touted as secure as all messages are encrypted, even as they pass through their servers. However this is misleading as communication is far from private: WhatsApp actually collects a lot more metadata than what’s strictly required for WhatsApp to function. It’s all there, in their privacy policy (edited for readability):

Information you provide:

• Your phone number
• All the phone numbers in your address book (including those contacts who don’t use WhatsApp)
• Your Profile name, picture and status message
• Your Favourite contacts
• Your WhatsApp groups and broadcast lists

Automatically collected information:

• Your activity interacting with WhatsApp and other users
• When you were online, when you were last seen, when you updated the status
• Your Device information: Hardware model, Operating System, Browser, IP address, mobile network, device identifier
• Your location (if sharing locations with contacts, viewing locations nearby, or when others share locations with you)

Information collected from third parties:

• If you don’t use WhatsApp but anybody who has your phone number does, you are included in the WhatsApp database.
• If you share third-party links via WhatsApp, WhatsApp might retrieve information from the source.

So basically WhatsApp can build a network of who-knows-who, regardless of whether they have WhatsApp installed. They can also know where you have been, what phone and carrier you use, and even some of the stuff you share online. And it all can be linked to your existing data in Facebook and Instagram, as they also have your phone number. Did you really think the ability to log in to Facebook with your phone number was for your convenience? How does it feel being a product?

So how is Signal different?

Signal is open source, nonprofit and audited regularly. Being open source means the code is open to independent review, the security designs are well-documented, and everybody can use the code for free. In fact, WhatsApp started using Signal’s secure messaging in 2016. So if WhatsApp uses the same secure protocol as Signal, what’s the difference? Again the answer lies in Signal’s privacy policy (edited for readability):

Information we store

• The phone number or identifier you register with.
• Randomly generated tokens and keys necessary for setting up a call or transmitting a message.

Transient information

• Your phone’s internet address may be kept in memory for rate limiting or to prevent abuse.
• Your address book contacts may be scrambled and transmitted to the server in order to determine which of your contacts are registered.

That’s it. The only data they store is your phone number. And they don’t even need to know which phone numbers are stored in your address book to display your contact list.

But if Signal is free, am I not the product?

Not in this case. Signal operates as a nonprofit. While Open Whisper Systems, the company behind Signal, is not registered as a nonprofit, they have just created the Signal Foundation, a nonprofit whose mission is “to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous.” The foundation was started with an initial $50 million in funding from Brian Acton, co-Founder of WhatsApp, who left in 2017 after the company launched monetisation efforts and now is telling everybody to stop using Facebook.

Yeah, but all my friends are on WhatsApp!

You don’t need to choose; you can have both installed while you ask your contacts to switch to Signal. I have been doing this for a few weeks and it’s suprising how willing people are to try Signal.

I have approached this by moving my WhatsApp groups to Signal, starting with smaller groups of close friends who are happy to humour me and try Signal. I then moved to larger groups that may be harder to move. By this time, quite a few people from the smaller groups were in Signal already, so people are not greeted by an empty contacts list. Also, those without Signal get a sense that they are missing out.

Once I’ve finished with all my groups, I will to send a message to everybody saying that I plan to stop using WhatsApp and use Signal esclusively, along with a link to this post. It sounds drastic, but by then all the people who I contact often will be in Signal already anyway. The rest can call me or text me. It’s actually nice to hear other people’s voices!

You are helping even if you install Signal and don’t use it, as when other people install it they’ll see some of their friends there already.

Epilogue: What about distributed instant messaging?

I really like Signal because it’s open source, nonprofit and transparent. But they are still a single controlling organisation. How cool would it be to have a Signal that doesn’t actually depend on a single entity? There are some peer-to-peer instant messaging apps out there, such as FireChat or Riot, but all seems in its infancy. I’ll be keen to try them once they reach maturity, but in the meantime it’s Signal for me all the way!