WhatsApp’s nasty data-sharing clause
WhatsApp dropped the bomb. After shouting down doomsayers that it will not share data with Facebook (wish I could find the link now but Google is all filled with the current articles), it announced it will do just that anyway. Thereafter the world erupted in a million articles and pages on how to disable this.
However, what I originally also missed, and what was pointed out to me by @Miezkatz, is that there’s a nasty clause in the article on the WhatsApp page:
You can turn off the sharing of data ONLY for targeted advertisements! They can and will still use your data (phone number, contact lists, groups and all metadata) for tons of vague purposes other than targeted advertising.
In fact, nearly everyone seems to gloss over this distinction with remarkable ease, in such a way that searching on how to turn it off hits tons of pages other than the official WhatsApp support page at https://www.whatsapp.com/faq/en/general/26000016. I hope I don’t have to point out this is a bad idea.
The most obvious and well-known alternative is Telegram. But there’s been quite a bit of buzz around why you shouldn’t use Telegram in the first place if you actually care about security. The tl;dr is that their security implementation has a lot of issues and does not live up to their claims.
The next best thing seems to be Signal Private Messenger. It’s open source and available for Android, iOS and (in combination with an Android smartphone) as a desktop client for Windows in the form of a Chrome plugin. Since it’s actually open source and you can check, download and compile the sources from https://github.com/WhisperSystems, you can at least assume that it does what it says it does. Of course being open source is no magic fix for all issues, since there are enough open source programs that still contain serious bugs and not every developer is also a cryptography expert.
However, considering that there are not so many other serious alternatives, some respected sources have endorsed the use of Signal: Why you should use Signal.
Does Signal still have some issues?
Yes, for example if you let it be your default SMS app, it’s easy to miss that the message is not received or read if your recipient has no data. It does have the received and read checks that are so well known, but it’s still easy to miss.
Other things, like groups, which WhatsApp is used for a lot, are supported in Signal. However, there is one major issue with that, as my buddy @TheColonial found out when I was testing the group functionality.
If you add contacts to a group, their phone numbers will be visible to all members of that group, even if those people are not known to each other!
It’s obvious why this is done; all members in the group need each other’s keys to communicate with each other. However, this is a serious information leak that you can’t even protect yourself against at this moment. It should instead have an option to deny being added to a group that includes people whose keys you do not already have.
tl;dr: ditch WhatsApp and Telegram. Use Signal, but beware the group-functionality information leak.