Privacy in the Messenger

DROSTTE

I am concerned about the privacy of messaging apps. I use WhatsApp and Telegram because almost everyone I communicate with uses them. What can I do to protect my privacy when using these apps?

Byteang3l

DROSTTE there's not a whole lot you can do, they're un-private by nature. Given how much malware uses both of them to spread, just don't click on untrusted links, keep exploit protections enabled, etc. It's always worth trying to get your contacts to move elsewhere, it worked with my friends and family with a bit of prodding. As a general rule, if a messaging app demands a phone number to sign up, it's not very good, with the possible exception of signal, who does it to "prevent spam"

FWIW, I think both apps you mentioned let you hide your number from other users, telegram definitely does, Whatsapp might? Never used either to be honest. But the most private option is to ditch both.

brandy078

DROSTTE

Put WA in an own profile.
Make a new account with a burner number and don't use that number anywhere else.
VPN always on.
No contact sync.
no permissions except Network
no push notifications
no background sync
no automatic media download
self destructed messages (24h)
disable read recipes, no profile picture, no info, no status ect.

Do the same with Telegram.

This reduces the amount of meta data you share with those companies.

Watermelon

DROSTTE Neither WhatsApp nor Telegram are truly end-to-end encrypted. WhatsApp has non-end-to-end encrypted backups available for all users (alongside end-to-end encrypted backups), has extremely wide reach with lots of metadata collected which can tell a LOT, has WhatsApp Web available which defeats end-to-end encryption distrusting the server (there's an optional extension called Code Verify to verify the authenticity of the WhatsApp Web app, but it's optional, which is a loophole), WhatsApp doesn't let you lock the cryptographic identity of your contacts and their servers can request your WhatsApp app to reencrypt in-transit messages to a new encryption key without your permission or expectation, and it's incompatible with some of GrapheneOS's exploit protections. Telegram has optional two-factor authentication, irresponsible amateur cryptography, tons of features, keeps message history permanently in the cloud protected only by your login security and no end-to-end encryption, and the Secret Chats are extremely deceptive and broken by design.

For WhatsApp, see: https://faq.whatsapp.com/1095301557782068
You might want to install WhatsApp in a separate user profile or Private Space just to be able to control precisely when it runs and when it stops, and try to prevent it from communicating with other apps. Multiple user profiles (including Private Space for the matter) have various non-obvious oddities, though. You might also want to reboot your device often, especially since WhatsApp is incompatible with some of the exploit protections, which could be an avenue to attack the rest of your phone from inside WhatsApp.

For Telegram:

Only install Telegram from Google Play Store. There's a version on their website (APK download) you can use side by side with the Google Play version, you can use AppVerifier to compare their signing certificates, they should match.
Forcibly enable all six exploit protections on the Telegram app. This shouldn't cause any exploit protection warnings in the app, it seems that Telegram is compatible with all of them, at least for me. If Telegram would ever become incompatible with any of them, consider using it in a separate user profile or in Private Space, and rebooting your phone often, for the same reason as I said above for WhatsApp.
Only grant the Telegram app permissions for Network and Notifications, everything else (including Sensors) isn't needed for it to work. (You might have to grant additional permissions to register, but I'm not sure. I didn't have to grant it Sensors permission at any point. You can revoke them down to just these two after you finish registration.)
Open the settings inside Telegram, go to privacy & security, and configure everything there. Enable all security features that you can, tighten down visibility of all information to nobody as much as you can, etc.
Make sure to enable two-factor authentication on the Telegram account. This is much more needed compared to e.g. Signal (maybe WhatsApp too, I'm not sure) because your profile details and all your chats/groups aren't protected if two-factor authentication is disabled. (Signal does something brilliant, in that if you turn off Signal PIN, you can't restore your profile details, group memberships (I believe, from reading their docs), etc, so an attacker can't abuse lack of two-factor authentication to steal this info or impersonate you (which in turn gives you the reverse guarantee — that the people you chat with are probably the people you expect them to be rather than someone who stole their SIM card or something), and if you do enable Signal PIN you're forced to choose a non-trivial PIN so it'd be at least somewhat meaningful. I believe WhatsApp also has this property, but I was unable to confirm this from their documentation and my searches.)
Make sure to enable self-destructing messages for all chats (you can set the default for new chats in the security settings). Telegram is unique compared to Signal/WhatsApp/etc in that previous messages aren't deleted from the servers once delivered, and they have no end-to-end encryption, and protected only by login security rather than requiring scanning a QR code from within your app. You want anyone compromising your Telegram account or the Telegram servers to not have your entire chat history to steal, so self-destructing messages is much more needed on Telegram compared to e.g. WhatsApp.

For both:

Never log into your account or link new devices from any other device than your GrapheneOS phone.
Never log into your account from any web browser on your GrapheneOS phone, not even Vanadium.
Use them for as few conversations as possible.
Consider end-to-end encryption to be completely broken on both apps. Upgrade to something like Signal/Molly wherever possible. Avoid Secret Chats in Telegram, it's security theater that could give you or your contact a false feeling of security, making you or them share something that wouldn't have been shared otherwise. (The cryptographic identity of your contact in Secret Chat isn't tied to the contact like on WhatsApp/Signal (i.e. you have to scan the QR code to confirm the cryptographic identity for every new contact), but rather to the Secret Chat itself (i.e. you have to reverify in person the cryptographic identity for every new Secret Chat even with the same person), and the cryptography is amateur and irresponsible anyway, and Telegram has a “feature” that you can have multiple Secret Chats with the same person and Secret Chats can be deleted for both sides by any side, and they live locally on the device without being shared across all your devices like WhatsApp/Signal do.)
Keep GrapheneOS secure with the latest OS and App Store updates, security preview releases, up-to-date WhatsApp/Telegram apps, lock down the USB-C port, etc.
Disable automatic download/rendering of media and PDF files.
Be mindful what you click on, don't open stuff you don't need or from strangers, etc.

DROSTTE

Byteang3l
Hiding your phone number is only one side of the coin. The other side is preventing personal data leaks. I don't trust Signal because they have only published half of their source code. Why? To me, that's reason enough to question its security. There are also doubts about Telegram's reliability after what happened to Durov in France. Although Telegram offers more options for hiding personal data, it won't help if someone wants to access the information. I found passport data just by knowing the user's name.

eggy

DROSTTE that's gotta be a clearly a typo in your post. Signal is fully open sourced. They didn't publish only "half", but the whole thing. It's Telegram that never open sourced their server code.

Eumenia

DROSTTE I don't trust Signal because they have only published half of their source code.

What do you mean?
Their clients are FOSS

Byteang3l

DROSTTE I just don't trust signal, SimpleX Chat is better. Post quantum cryptography, no phone number requirement or user IDs, not even random ones, not in America, etc. The phone number requirement is inexcusable to be honest, there's other ways to "prevent spam" Also, with their "half open source" are you referring to server side code being closed?

DROSTTE

eggy
Yes, I was wrong. But what about Telegram Desktop? As far as I know, its code is open source.

andrej567

first of all this about telegram

https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/

gta3

Use molly-foss which is a hardened fork of Signal and uses signals servers, also allows cross compatavilty with signal users.

Telegram & whatsapp are closed source spyware lol....

They are not encrypted and offer u no privacy.

Send somthing random on WhatsApp then go onto YouTube and what u typed appears in your recommended feed... Lol

Telegram even advertises publicly that chats are not by default private, unless you enable the private feature each and every time lol... Even then as its closed source we all know its still not private

The world has become naive, weak, thick, and subservient.

eggy

gta3 FYI, molly-foss and molly are now merged into one app.

I'd also highlight the importance of self-hosting your own mollysocket and ntfy server to get push notifications from molly while still being easy on your phone's battery life. I understand this is out of reach for most people though.

de0u

gta3 Use molly-foss which is a hardened fork of Signal and uses signals servers, also allows cross compatavilty with signal users.

Telegram & whatsapp are closed source spyware lol....

They are not encrypted and offer u no privacy.

Oddly, the Signal Foundation says that WhatsApp is encrypted, using Signal's encryption (source). If there is a source supporting the claim that WhatsApp is not encrypted, I'm sure many people here would be interested.

gta3 Send somthing random on WhatsApp then go onto YouTube and what u typed appears in your recommended feed... Lol

"Random" and "arbitrary" do not mean the same thing. To send something random it would be necessary to use a genuine random number generator to pick the words in the topic. Typing some phrase that seems like it might very well be unpredictable is not at all the same thing, given the ability of various services to track and model behavior and guess what any given person is likely to be interested in.

If it's true that typing a truly random phrase into WhatsApp causes the information to fall into the hands of YouTube (a Meta competitor, by the way), I'm sure people here would be interested in reports from trustworthy sources of this happening.

gta3

eggy thanks for your post.

Are molly default socket notifications hard on the battery?

Oggyo

eggy I'd also highlight the importance of self-hosting your own mollysocket and ntfy server to get push notifications from molly

Hi eggy, I have a question.
Let's say I accomplished that, but my correspondent still relies on the FCM to get the push notifications.
Can this still be considered a privacy weakness?

gta3

brandy078 you sgouldnt be using telegram period, whether its in its own profile or not is irrelevant. Its spyware

gta3

de0u

You posted a strawman argument, I never used the word arbitrary once, let alone made any comparisons of arbitrary vs random.

If you notice a rip on your kitchen curtains, and you mention it to a friend via WhatsApp, then 60seconds later find curtain repair videos on your youTube feed... With zero prior search history of curtain repair, this is highly indicative of data sharing, and its also random enough.

Second point.
How would signal have the authority to claim WhatsApp is encrypted?

Whilst you ask me to prove my post, I ask you to prove yours.

Whatsapp is closed souce, Ill be even easier on you and instead of asking you to provide proof, can you even explain how signal can make any assertive statements what/what not WhatsApp do in there backend?

Meta is a for profit company that relies on invading peoples privacy and data scavaging, its most highly plausible that every single whatsapp chat is parsed through AI and sold to third parties for a range of uses... Such as marketting, anti terrorism, and the rest of it...

To assume otherwise would be highly naive.

SkynetPrime

gta3 Whilst you ask me to prove my post, I ask you to prove yours.

I don't believe de0u asked you to prove this, more just asking for a source supporting your claim. The same way @de0u supplied a source supporting there claim:

de0u the Signal Foundation says that WhatsApp is encrypted, using Signal's encryption (source)

de0u

gta3 If you notice a rip on your kitchen curtains, and you mention it to a friend via WhatsApp, then 60seconds later find curtain repair videos on your youTube feed... With zero prior search history of curtain repair, this is highly indicative of data sharing, and its also random enough.

Is that what happened?

If so, is it possible that your friend searched for a video on repairing curtains, and that you and your friend have watched a YouTube video together? Or is it possible that a voice assistant such as Alexa was listening?

Without careful experimental controls, "Information sharing" does not necessarily imply that WhatsApp isn't encrypted.

de0u

gta3 How would signal have the authority to claim WhatsApp is encrypted?

WhatsApp concealing their source code from their customers does not mean they conceal their source code from everybody! I don't work for the Signal Foundation, or for Meta, but it is quite plausible that Meta employees and Signal employees worked together on WhatsApp source code under a nondisclosure agreement. This sort of thing is routine.

Whatsapp is closed souce, Ill be even easier on you and instead of asking you to provide proof, can you even explain how signal can make any assertive statements what/what not WhatsApp do in [their] backend?

If WhatsApp is indeed encrypted end-to-end, then the privacy of WhatsApp messages mathematically doesn't depend on what WhatsApp does "in their back end". That's what end-to-end encryption means. Clearly E2EE still permits traffic analysis, meaning that WhatsApp knows who communicates with whom and when. But that has nothing to do with WhatsApp hypothetically learning the contents of messages.

gta3 Meta is a for profit company that relies on invading peoples privacy and data scavaging, its most highly plausible that every single whatsapp chat is parsed through AI and sold to third parties for a range of uses... Such as marketting, anti terrorism, and the rest of it...

To assume otherwise would be highly naive.

The forum moderators have expressed disapproval for alarmist claims without evidence. If there is evidence for a claim, that is better than an unsupported claim that some people agree with and others do not.

eggy

gta3 If you're not using FCM or UnifiedPush with Molly, it'll fall back to WebSockets which is much harder on your battery, yes.

Byteang3l DROSTTE I just don't trust signal, SimpleX Chat is better. Post quantum cryptography, no phone number requirement or user IDs, not even random ones, not in America, etc.

You randomly don't trust Signal? Cool story. Signal's protocol is also post quantum. You can register with a burner phone number and forget about it as you'll never need it again. You can hide your contact number from everyone and just solely rely on your Signal username.

Eumenia What do you mean?
Their clients are FOSS

He already acknowledged that it was a typo and he meant to write Telegram.

Oggyo Hi eggy, I have a question.
Let's say I accomplished that, but my correspondent still relies on the FCM to get the push notifications.
Can this still be considered a privacy weakness?

A very minor one, but yes. Signal encrypts their push notification data, so Google can't know the content of your message or who you're messaging with absolutely certainty. It could theoretically infer things from the metadata of your FCM-using contact and maybe the timing of their notifications. The biggest win of using mollysocket + ntfy to me is that you don't need to run google play services on your phone, but still get push notifications from signal that'll be easy on your phone's battery life.

de0u The forum moderators have expressed disapproval for alarmist claims without evidence. If there is evidence for a claim, that is better than an unsupported claim that some people agree with and others do not.

It's hard to provide evidence for closed source apps, but he might have a point. While Meta can't see the contents of your messages as they pass through their servers, they could still parse your WhatsApp messages locally on your phone for keywords to flag your account.

brandy078

gta3 I see. But OP asked for better privacy when using WA and TG