Sbpr So far, I haven't seen evidence that this is happening automatically without users manually flagging messages.

Yes, from what I understand, the recipient has to report your message; that WhatsApp can automatically analyze the content of the message is an assumption.

Sbpr But yes, it's totally not worth the risk to use WhatsApp for higher threat model communications or if you're being targeted, especially due to the message metadata leaks. But I personally think WhatsApp still fits in well for most people to casually message friends and family.

It still sounds better than SMS/MMS for sure.

N1b
Good post!
Signal have recently made improvements to their management of my telephone number, enabling it to be hidden from others.
Might be worth a new look 😀
Perhaps together with an anonymous VOIP number?
Otherwise, so irritating that WhatsApp is so easy for everybody's grandma to use, and so disrespectful of privacy...

    Sbpr Thanks for this detailed write up. I have a similar threat model to yours and would love to hear your opinion on Telegram

      leo Unless this has changed, Telegram doesn't use E2EE by default, so we have to assume that most users don't have it enabled.

      leo although your question is not addressed at me, I'd like to answer because I sympathize with Sbpr's post.

      I do not like Telegram from the security and privacy perspective. It might be the most useful, beautiful and feature complete messenger out there, but not having encrypted messages by default (and only for 1:1 conversations via very hidden secret messages functionality) destroys all usability for me. I can't trust a "private" family group chat that is out there for everyone to read, no matter what company is behind it. WhatsApp, Facebook Messenger etc., despite all their flaws, offer better security and privacy on a baseline level I'm not willing to compromise.

      But again: Design, features and usability have been top notch, so it might be suitable for many use cases where privacy and security don't matter (e.g. when registered with a non-KYC phone number that isn't connected to any crucial accounts like banking).

        N1b not having encrypted messages by default (and only for 1:1 conversations via very hidden secret messages functionality) destroys all usability for me. I can't trust a "private" family group chat that is out there for everyone to read, no matter what company is behind it.

        Thanks a lot for your perspective, I agree with you. I have seen a trend of switching from WhatsApp to Telegram in my friend circle and after all I am not sure this changes anything for me, as both WhatsApp and Telegram are using closed-source encryption by default. As you pointed out, at least WhatsApp promises that it uses end-to-end encryption.

        leo

        N1b

        Since you asked for my opinion, I'll respond by saying I completely agree with N1b in regards to Telegram. The lack of e2ee by default and lack of e2ee for group chats for anything other than 1:1 chats is a major dealbreaker for me and enough for me to not bother with it unless I'm forced to use it. I've also read that Telegram's encryption protocol is inferior to the Signal Protocol (WhatsApp uses the Signal Protocol).

        To give my opinion, I don't trust Telegram either (WhatsApp is a bit in the same boat, but at least E2EE is enabled by default).

        Their marketing attracted a lot of politicians, businessmen and shady users thinking they were getting private, secure conversations.

        https://portswigger.net/daily-swig/multiple-encryption-flaws-uncovered-in-telegram-messaging-protocol
        https://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest
        https://words.filippo.io/dispatches/telegram-ecdh/
        https://blog.bytebytego.com/p/ep29-online-gaming-protocol#%C2%A7is-telegram-secure

        Sbpr

        The second part is them moving to Google Drive/iCloud for backups exclusively. While there have been attempts to backup and restore locally, I've never had luck.

        Don't know about iOS but on Android it's still possible to have local backups and use these to restore WhatsApp. If you have backups enabled but don't configure a Google account it stores local backups in /Android/media/com.whatsapp/WhatsApp. I have been able to use these to transfer chats between phones without requiring Google Drive or the transfer chats feature.

        sandfish786

        If you're concerned about your phone number and want a private, secure FOSS messenger product, https://simplex.chat is your solution.

        -uses signal protocol
        -encrypted backups that can be exported and imported.
        -zero phone number requirements
        -security audited Nov 2022, July 2024, January 2025
        -hidden profiles with separate passphrase
        -multiple profiles, multi incognito profiles (per contact even)
        -uni-directional msg relay routing
        -random relay servers
        -socks / tor routing possible
        -desktop may have different profiles, link up mobile device (docking), mobile device profile overlays desktop (like laptop docking into workstation); once undocked, desktop profile reappears
        -recent investment by Jack Dorsey, among others
        -Global Village VC seed round

        https://simplex.chat

        Using matrix self hosted with wireguard vpn. Signal as a backup.

        [deleted] Briar has a very annoying "feature" that reveals your last IPs and BT address to all of your contacts so your device will never be so anonymous.

        SpiderUser
        A private messenger is only considered "good" when it has high adoption and user base, which will also lead to broader peer reviews and community help to resolve issues.

        No matter how "private decentralized quantum resistant _insert_gimmick_here" a new project will be, if nobody is using it, and you would have to convince all your contacts to have it just for you, has no formal reviews etc... No matter how good it is on paper and how good the team behind it.

        When Signal (or what it is now) started, it was a small hobby project by a single person, it had many issues, many crashes, was separated in 2 apps called RedPhone and TextSecure. I was one of the early adopters but it really took time, patience and effort. Had terrible quality and frequent drops as well.

        What I want to say is, if you have something proven, working, and battle tested, there is no need to jump on new shiny stuff first; let it get some adoption and then decide.

        My close family and I all use SimpleX. My close friends have switched to Signal mostly because of me. I use Molly personally.

        SpiderUser The GUI is too elementary and chaotic, and the whole project received its last update in February!

        [deleted] They accept VoIP numbers, so yeah, I guess. And you don't have to share your phone number with any of your contacts, since they have user names.

        Welcome to the unofficial GrapheneOS SimpleX group. Join us to discuss our favorite private and secure mobile operating system!

        Use the following link to join the group GrapheneOS (unofficial): https://simplex.chat/contact#/?v=1-4&smp=smp%3A%2F%2Fhpq7_4gGJiilmz5Rf-CswuU5kZGkm_zOIooSw6yALRg%3D%40smp5.simplex.im%2F0MEV-ohQ4BH34753-02ilVD9TUoc6PIP%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAhpoGv3YSJbSGuf2F7wsCMjjpPcLFkYvyvl6KQ0Ogxgg%253D%26srv%3Djjbyvoemxysm7qxap7m5d5m35jzv5qq6gnlv7s4rsn7tdwwmuqciwpid.onion&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22vuxRrSmp2NT_Fcp6uWVmUQ%3D%3D%22%7D

        Official community spaces for GrapheneOS are listed on the website: https://grapheneos.org/contact#community

        Please keep discussion on topic, including: GrapheneOS, Android apps and services, privacy, and mobile security.

        Although this is an unofficial group, we will still follow the GrapheneOS Code of Conduct found here: https://grapheneos.org/code-of-conduct

        I don't think there is a best. There are many good options: Signal, Telegram when used with e2ee chats, which are not set up by default. Groups in Telegram are not e2ee. Session has a good concept, but message delivery is not reliable. They are making improvements to the infrastructure. However, the big problem is, how many of your contacts use it? I have most on Telegram, followed by WhatsApp, and some are on Signal. I have a couple of people I can communicate with on Session, but it's just not worth it. I also use ProtonMail with a few people that also have ProtonMail and we communicate that way, because those mails are e2ee.