
“WhatsApp has been sharing your data for years, whether that’s bad, you decide”

The Signal messaging app is seeing its user numbers explode after a WhatsApp controversy. Is this privacy-friendly app really going to be a WhatsApp replacement soon, and how does end-to-end encryption work? We spoke about it with security expert Donny Maasland of ESET Netherlands.

The Signal recipe

Due to the growing success of the chat app Signal, it is sometimes incorrectly seen as new, but in fact the software has been around since 2010 under the name ‘TextSecure’. It took until 2015 before an Android app called ‘Signal’ was released.

Yet we have all been using the software of the ‘Signal Foundation’, the former Open Whisper Systems, for much longer. The creators of this messaging service have been working for years on the Signal security protocol that other services such as WhatsApp have been using for a long time. The protocol ensures that messages sent through these apps are encrypted and cannot be read when intercepted by malicious parties.

WhatsApp and Facebook

But if WhatsApp has been using Signal’s security protocol for some time, why is the app privacy-unfriendly according to some? And why is everyone suddenly installing Signal as an alternative? Does that app have a future?

“Recently there has been a controversy surrounding the new privacy statement that WhatsApp is offering to users and the way WhatsApp shares data with Facebook,” explains Donny Maasland, Chief Technical Officer at ESET Netherlands. “In fact, WhatsApp has been sharing its users’ data with its parent company for years and Facebook is known to use that information for targeted advertising. That is the company’s revenue model.”

AW: But isn’t it the very purpose of end-to-end encryption [E2EE] that no one can access your encrypted messages? E2EE works with a security code between you and the recipient of the message, and if those codes match, the information is encrypted.

“Thanks to the end-to-end encryption, no one can access your WhatsApp messages, but for Facebook itself it is possible by intercepting the information when messages are unlocked. WhatsApp also requests access to your contact list, and so it also knows who you talk to and for how long.

Donny Maasland is Chief Technical Officer at ESET Netherlands

Unlike Signal, WhatsApp is also not open-source software, which means that you cannot peek into the code and see what exactly is going on behind the scenes. In principle, you can reverse engineer the app [that is, dissect the code, Ed.], but that is a lot more complex.”

Conscious with messaging apps

AW: In conversations about privacy that you have in a group of people, you always get to the point where someone says, “So what? I have nothing to hide.”

“A lot of people also consciously choose to use WhatsApp because the app is just useful. Everyone can decide for themselves whether this other side of WhatsApp is a problem or not. You can also just accept that you are followed online in such ways.

I also use WhatsApp myself, but the way you use the app is also important. When I talk to colleagues via WhatsApp, we keep in mind that someone can read along. On Signal we tend to share more in groups.”

AW: Do you think it is realistic for smartphone users to learn such thinking? In other words, can we teach users to consciously think about which messaging service they want to use for what?

“Some of the users could interact with the apps like that, but a lot of people just aren’t interested in them, and that’s fine. Sometimes people think that Facebook is an evil business, but this is simply the way the business pays its bills. Facebook has no bad intentions with your data, but the data is a requirement for the social media site to make money. It’s that simple.”

Use Signal correctly

AW: But anyone who is not comfortable with sharing so much with Facebook will automatically end up with apps like Signal, and we have seen that in recent weeks. The service saw its user numbers in the Play Store alone increase fivefold.

“Yes, and yet many people still use Signal in the wrong way. That end-to-end encryption in the app only makes sense if you also verify the security key between you and your conversation partner, but most people don’t. You should compare the codes to see if they match, and if so you can verify them so that Signal will notify you via a notification if anything changes to the codes.”

AW: Then why is it so important?

“This way you prevent yourself from becoming a victim of a ‘man-in-the-middle attack’. As the name suggests, it is a malicious person who gets between you and the recipient of a message and intercepts messages. The criminal unlocks the message, reads it and forwards it to the recipient. You could potentially be the victim of such an attack if your security code suddenly no longer matches that of the recipient of the message. If you do not notice this in time, the encryption makes no sense.”

AW: Are such attacks common?

“Hopefully not, but of course we don’t know for sure. It is true that such an attack is very complex to carry out, and it really would have to come from companies or intelligence services, for example, that have the right connections with telecom operators, among others.”

Safety versus functionality

AW: In our weekly poll on Androidworld, we talked about features we’d love to see in Signal. It is striking that the app has fewer features than competitors such as WhatsApp and Telegram.

“Absolutely, that is the core problem of internet security at the moment: the difficult trade-off you as a developer make between the promise of security and privacy on the one hand, and functionality on the other.

Signal does not have a web version, for example, but that is because with such a feature you expose your users to a lot of potential risks. Browser extensions are in fact possible doors through which data can be transferred. As a developer you then have much more control with, say, an Android app, and a desktop application also provides a bit more security.”

AW: Are there any features you are missing in Signal?

“You see that the app was just made by techies, and WhatsApp, on the other hand, has a user experience team. If you send a high-resolution photo with WhatsApp, it will be compressed, but with Signal, you will send it in full size, taking up a lot of space on your device.

Another example: if I don’t use the Signal desktop application for a month, I have to log in again and I lose my calls. You can only restore them with local backups, which is safer but more difficult for the user.”

AW: Is there a happy medium between functionality and privacy for messaging services?

“You are always faced with a challenge if, say, as a developer of messaging services, you want to get people to switch to your app. You really have to convince people to switch, because often they don’t like change. They suddenly have to start using Signal, and if they do, they get stuck with problems and difficulties. In the beginning of WhatsApp you had that middle way, and that was the paying subscription form. It is no longer there.”

AW: Telegram is also going to advertise, but with non-targeted advertising.

“Yes, that is also what, for example, the NOS does on its website. It is indeed about advertising that is not personalized to the user. There may be a solution, but such advertisements do generate less money.”

AW: Do you think an internet security company like ESET can play a role in how you can educate users about how apps are secured and whether or not they respect user privacy? On iOS, Apple recently introduced privacy labels that inform users more about the data that apps collect, but there is no such function for Android yet.

“It is also questionable whether Google will add that function to the Play Store, because Google’s revenue model also largely consists of data collection. In addition, at ESET we also provide information on the Online Safe knowledge platform, which informs users about the safety of messaging apps.”

AW: Thank you very much for this interview, Donny Maasland.

“You’re welcome.”
