In the last article about encrypted communication and clients for big brother apps, we explained what the network effect is, what privacy actually is, and all the different ways we can look at it. We also outlined why, from a security and privacy perspective, I don't consider Telegram to be as good a technology as Signal.
But let's take a little closer look at the specifics of Signal and Telegram from a perspective other than privacy. What are all the ways in which Signal and Telegram differ, and which features of these applications really determine their widespread use, that is, their network effect?
Does it even make sense to mention WhatsApp?
Yes, it makes sense to mention WhatsApp. And it's for historical reasons. The year 2021 is, after all, a significant historical milestone for WhatsApp and it is (also) related to Signal and Telegram.
It is nothing but a mass exodus of WhatsApp users to Signal and Telegram. While WhatsApp itself is to blame for the exodus, it has also been greatly aided by Apple. Indeed, Apple, through a label in its App Store that informs customers about the details of their privacy settings, has warned that WhatsApp collects extensive amounts of metadata about its two billion users.
Instead of an explanation, WhatsApp began to nonsensically counter with classic "you're the bad guys too" arguments, stating that even iMessage, Apple's similar app, has no privacy-related label. Only Apple made it public in the aftermath, embarrassing WhatsAppers quite a bit.
The problem with the labels could still be handled if WhatsApp hadn't simultaneously decided to release an unexpected change to the terms and conditions for all its users.
Its main motivation was to make it easier for Facebook's business customers to communicate and sell to WhatsApp users. WhatsApp has thus headed somewhere into the world of commercial services, towards shopping and above all towards Big Brother.
And that's wrong
The main problem with WhatsApp's recent policy update is that if you agree to it, Facebook will theoretically be able to use the data you share with WhatsApp. This includes hardware information, contact details, approximate location, purchase history, payment information, etc. And with all of this, there's also the fact that WhatsApp is not open to keep in mind. So everything "theoretical" is only theoretical, and unfortunately only the WhatsApp/Apple developers know the truth.
Facebook has a history of newsfeed manipulation and many other privacy loopholes. No wonder the news about WhatsApp sounds very disturbing to many people. But what are the real threats? And are we sure that Signal and Telegram are better? Let's find out.
If you look at the privacy labels of Signal, Telegram, and WhatsApp (Facebook), it's clear that WhatsApp and Facebook know the most about you. Signal collects zero data that could be linked to your identity — just a phone number to register. Telegram has your contact details and user ID (which honestly also isn't much compared to most messengers). However, we'll go into more detail on data leakage and data gathering in the section on encryption and security.
Outside of Telegram and Signal, there are many other encrypted messengers (such as Threema, which also doesn't require a phone number). But let's stay with Signal and Telegram and compare them with a short intro.
Intro to Signal
Signal is a private messenger created by the non-profit organization Signal Foundation. It has state-of-the-art encryption based on the well-described Signal Messaging Protocol. Even Elon Musk recommends it :)
It's been in development since 2010, but the first version of what we know as Signal came out in 2015.
Signal is tied to a phone number, which although can be considered a disadvantage in terms of privacy (however, it's nothing that can't be solved by an anonymous SIM card) but at the same time it helps a lot just the network effect of Signal – if you want to write to someone and you have them saved in your phone book, you already have them automatically saved on Signal.
Intro to Telegram
Telegram is a long-standing competitor of WhatsApp created by Pavel Durov, the Russian entrepreneur behind Russia's most popular social network VK (which he has since lost control of). People liked Telegram because it's fast, easy to use, and has cloud storage that allows unlimited file sharing of any size.
Encryption & Security
Although Signal and Telegram are considered safer alternatives to WhatsApp, I wouldn't be so sure about Telegram. And it might just be the encryption that's to blame. After all, Telegram is the only one of the messengers mentioned that doesn't support end-to-end encryption by default.
And what is end-to-end encryption? In layman's terms, end-to-end encrypted data is data that cannot be read by anyone except the participants in the communication.
In fact, WhatsApp was one of the first messengers to provide end-to-end encryption and popularized it among the masses due to its good network effect. But as we already know, WhatsApp has other vulnerabilities in turn.
Telegram is not end-to-end encrypted by default. Telegram doesn't use TLS/HTTPS either, but has its own server-facing encryption called MTProto. You can see the technical details of MTProto at this link. But basically, MTProto is a homemade Telegram thingy that is open on the client side.
For example, many security experts have stated that such Telegram "homemade encryption" is quite limited compared to Signal technology. However, they all seem to agree that Telegram's latest version of encryption is more secure than their old MTProto 1.0 (PDF).
All Telegram messages, including their history, can be cheerfully read in plaintext on the servers by anyone who has access to them, anyone who can successfully authenticate themselves there using your phone number, or anyone who can convince Telegram operators to give them the data – for example, by court order, or by threatening to arrest (or why not even martyr) family members. And since Telegram's founder is Russian, I don't think we need to doubt that something like this could happen.
Telegram does support a "secret chat" option (i.e. end-to-end encryption) which makes it possible to sort of "bypass" the Telegram cloud, but something like that doesn't apply to groups anymore! To put it simply – your communication with anyone is stored in both accounts, but in the case of groups this problem simply multiplies with each user.
Despite the flaws in end-to-end encryption, and despite the fact that the company has decryption keys available, Telegram claims that in order for messages to be decrypted, keys from different jurisdictions are required to do so. This is supposedly to prevent any attempts by law enforcement to access user content. No state should supposedly be able to simply force Telegram to decrypt the messages, because in no state is the key complete.
Whether Telegram's claims are sufficient to give us peace of mind is a matter for each of us to individually manage our risk. Technically, though, Telegram will always have access to the data backed up on its servers and stored in its cloud. And nothing changes that.
According to an academic research paper published in 2020, Telegram's MTProto 2.0 protocol, for instance, is fundamentally OK. Yet the paper adds that "further investigation" is needed "to consider this protocol suite as definitively secure".
Among other things, Telegram is also censored, especially the Android version from the Play Store. That's why we can't really verify whether some Big Brother has accidentally added a malicious code to the app.
Unlike Telegram, Signal does not make any attempts with its own funny encryption (by default it works on end-to-end principle) and all its technical details can be seen on this link thanks to very well described Signal Documentation.
All your Signal conversations are by default stored only on your device, and the same applies to groups. Signal servers don't see the membership of groups, their name and certainly not their content. That means Signal operators can't even answer basic questions like "is XY a member of this group?" or "what groups is XY in?".
Signal servers thus forward messages but do not see their content, unlike Telegram.
Signal also collects much less user data than Telegram. It generally only stores the date of your sign-up and last connection. We've already talked about the fact that Telegram stores who you talk to and when. But among other things, Telegram's metadata can also include your IP address (which can reveal your location). And that's what's very important when government authorities show up at Telegram servers with a court order.
Although you can start a conversation on Signal by entering another person's phone number, Telegram requires access to your contacts before you can send a message to anyone.
Thus, Signal is definitely a better choice than Telegram in terms of privacy.
Telegram has a slight advantage in this category on the network effect front, as it supports Windows Phone as well as Chrome extensions and a full web option. Both Signal and Telegram are essentially available on these platforms:
- MacOS (Signal, Telegram)
- Android (Signal, Telegram)
- Windows (Signal, Telegram)
- Linux (Debian-based distributions for Signal, 32-bit and 64-bit versions for Telegram)
Installation and usage
The installation process for both applications is quite simple. You download the software for your preferred platform, register with your phone number and enter the verification code received via SMS (in some cases Telegram will call you directly instead of SMS).
Both platforms require a first name to finalize your profile, but neither requires that name to be your real name. You can use a nickname or, in Signal's case, even an emoji. You'll then be asked if you want to enable app permissions, such as access to your contacts.
Signal then asks you to create a PIN. This step is optional in the case of Telegram, but recommended. It can be found under Settings > Privacy & Security > Passcode Lock.
Before you can activate the desktop version of Signal or Telegram, you need to set up your account via the mobile app. Signal has a QR code in the app to link other devices. Telegram provides a similar QR code, but you can also use your phone number and SMS verification code.
Until the beginning of this year (2022), Signal required you to create a new account when changing your phone number. Now it allows you to transfer the account to a new number, assuming you're still using the same phone. However, you can also transfer an account to a new phone that uses the same number as your old phone, as long as you're not switching from Android to iOS or vice versa.
Changing your phone number in Telegram is much easier and can be done directly in the app. Changing phones isn't a problem at all, as multiple devices can be logged into one Telegram account as long as they use the same phone number. But then you'll want to keep the Telegram password especially top secret :)
In this section, we'll look a bit at the specific Signal and Telegram features. In terms of chat options, however, both applications are quite similar.
As mentioned earlier, Signal's individual messages are end-to-end encrypted by default, while classic Telegram one-on-one chats are not. So if you want to protect your Telegram communication from Telegram itself, you need to start a secret chat.
Both platforms offer the possibility of group chats. Again, these are end-to-end encrypted on Signal, whereas they are not on Telegram. Importantly, there is no equivalent of secret chat for groups in Telegram.
Signal groups can include 1,000 users, while Telegram allows up to 200,000 members.
Voice and Video Calls
Both platforms have voice and video calling features. Encrypted Signal calls can be made individually or can include up to 40 users in a group.
Telegram has end-to-end encrypted one-on-one video calls, as well as a voice chat feature that allows large groups to have conversations in which members can come and go. Telegram's group voice calls are encrypted from the client device (that is, your phone or your computer) to the server, but not from one end to the other. This means that anyone who has access to Telegram's servers can be listening in.
Signal supports the setup of so-called "disappearing messages". This can be set both in private conversation and in a group, and can be changed at any time. Disappearing messages ensure that everyone who sees a given message deletes it from the device after a certain amount of time (1 hour, 8 hours, a day, a week…).
Telegram has a similar self-destructing message option that is no longer just for secret chats, but for regular chats as well. For regular chats, again, be especially careful that the only place from which the message is actually deleted is exclusively the endpoint devices and not the Telegram servers.
And from this point on, the privacy features of Signal and Telegram are somewhat different. Signal has fewer of them, or rather, Signal has fewer gadgets.
For example, Signal has an image-blur tool that allows you to hide faces in photos and videos — useful if you're posting media from protests, for example. There's also a lock screen setting that requires your password or biometric access to open the app (Telegram has it too).
In Telegram, you can choose to delete payment or shipping information (which is notified in your conversations), cancel the sending of messages (which deletes them for both the sender and recipient), and automatically self-destruct your account if your account hasn't been used for a certain period of time.
Telegram also functions more like a social-media network with its "Channel" feature and a number of other gadgets.
Channels allow users to broadcast messages — including text, photos, videos, files and podcasts — to an unlimited number of subscribers. Communication is one-way, much like a radio station, and subscribers can't respond to Channel messages. Channels can be public or private/invite-only.
The discipline of gadget quantity from my point of view is clearly won by Telegram. It offers a variety of settings ranging from font size and colour themes, emoji, animations and notifications. If you send multiple files of songs to someone at once, the app creates playlists from them and runs them in its built-in media player. Users can create polls and quizzes, edit photos and videos, and use the "People Nearby" feature to view users who happen to be near you (and this is an example of a gadget that is definitely not privacy-friendly).
Signal is a much more simple application that primarily focuses on secure messaging of plain text, media and voice messages, although it has recently introduced, for instance, animated stickers. Overall, Signal is easy to use and doesn't require a lot of customisation to extract the most out of the app.
Update 2023 — how about Session?
Another interesting messenger to add to the collection is Session, which has decided to fix some of Signal's "bugs" (such as being tied to a phone number) and go even further with privacy. Session is not tied to any identity and to use it you just need to download an app that will generate your ID (similar to the way it is for the messenger Threema, but unlike Threema, Session is completely free).
Aside from that, another advantage of the Session messenger is the fact that, unlike Signal and other contraptions, Session is a decentralized project that is controlled by a community of people instead of one specific entity. Additionally, Session uses the Signal protocol, and unlike Signal itself, its messages are onion routed by default.
However, while it may seem like a better tool than Signal, Session, for example, does not support group calls, or even voice and video calls. In my bubble, moreover, Session doesn't have a very good network effect, and so far I personally don't see the point in using it as a substitute for Signal. If Session wants to catch up with Signal, it still has a lot of work to do, but the project as a whole is developing quite fast, tweaking bugs, and shortly before writing this article, it additionally came out with a desktop application, which has been lacking so far.
Another interesting project is the Simplex messenger. It has gone to a level with privacy that even Session or Signal have not yet reached. Simplex doesn't even have a phone number registration, but neither does it have a random user ID. In fact, this messenger uses the Simplex Chat protocol, which was designed to rotate messages without the need to identify users, making it impossible for Simplex servers to collect any metadata. However, we'd rather cover the larger technical details of Session and Simplex in a later article — among other things, there's been a bit of a boom with private messengers lately, and outside of privacy, the network effect and user experience in particular will show their future.
The choice between Signal and Telegram ultimately depends on everyone's individual preferences. If you're interested in privacy and security, Signal is the best choice. The truth is that Telegram has not yet given its users any reason to think that it is a good and reliable protection of their privacy.
If you want to be able to send encrypted messages only occasionally and use social network-style features and gadgets, then Telegram may be a better fit. Just keep in mind that if you want your communications to be end-to-end encrypted, you need to actively select Telegram's secret chat option.
And also keep in mind that there are more secure technologies than Telegram for playing with gadgets.