As tens of millions of users move from WhatApp to Telegram and Signal—with many using these apps for the first time, there are serious security issues to avoid. And now there’s a new threat to the security of your WhatsApp messages. It’s a seemingly useful setting, but with a serious hidden risk. Here’s what you need to know.
WhatsApp’s fightback is underway—as it tries to stem the flood of users moving to Telegram and Signal. But users must understand the risks before they move across. Signal and Telegram are not the same. And this has just become much more serious, with a new move from Telegram that could put WhatsApp users at risk.
Earlier this month, alarmist headlines and viral social media posts warned WhatsApp users that Facebook was muscling in on their data. WhatsApp’s initial PR was woeful. By the time it gripped the messaging, as many as 50 million users had installed Signal for the first time, with twice that opting for the larger Telegram.
The crisis now risks becoming a catastrophe. The real threat to WhatsApp is that Signal and Telegram become mainstream, genuine alternatives. Yes, Telegram already had a substantial user base, but its new installs tap into WhatsApp’s core, shifting it from its alternative audience of the past. And as Signal and Telegram build, the network effect risks accelerating this “digital migration” from WhatsApp.
MORE FOR YOU
Both Signal and Telegram are churning out provocative privacy-based marketing messages, playing to the anti-Facebook sentiment. They’re also releasing features and updates to plug gaps in their offerings. Ultimately, though, the trick is to make the move across as easy as possible, helping new users =bring their contacts along.
One feature both Telegram and Signal offer is “group links.” Users can create replica groups to those they have in WhatsApp, then message the WhatsApp group with a link to join the new group, install Telegram or Signal if they’re not already onboard.
Now Telegram is going a step further, facilitating the import of exported WhatsApp chat histories onto its platform. It’s now as simple as selecting “Export Chat” in WhatsApp and then selecting Telegram as the destination. All messages and (optionally) media are copied across, providing all that history in Telegram.
“Starting today,” Telegram told its users this week, “everyone can bring their chat history—including videos and documents—to Telegram… The best part is that the messages and media you move don’t need to occupy extra space. Older apps make you store all data on your device—but Telegram can take up virtually no space while letting you access all your messages, photos and videos anytime you need them.” This is not the “best part” of anything. It’s a serious risk you need to understand.
Unlike WhatsApp and Signal, Telegram is a cloud-based platform. With the exception of its niche “secret chats,” which need to be manually set up and only work between two individuals on one device each, all your messages are stored on Telegram’s cloud. This means you can access those messages from as many devices as you want, and if you lose a device you don’t lose any of your content.
But it also means that your messages on Telegram are not end-to-end encrypted. This is a critical difference to both WhatsApp and Signal, which both offer that security. Telegram encrypts messages between your device and its cloud, and between its cloud and your contacts. But Telegram holds the keys to this encryption. And while it has policies to secure those keys, this is nowhere close to end-to-end encryption, where you and your contacts can access content, but the platforms cannot.
The security risk with end-to-end encryption is on your device itself. This is called endpoint compromise. While messages cannot be intercepted in transit, once they’re received by a device and decrypted, they can be intercepted by a physical or digital attack on that device. It is the biometric or passcode security on your device that keeps those decrypted messages safe. But as Telegram itself says, “we cannot protect you from your own mother if she takes your unlocked phone without a passcode.”
The same issue extends to the cloud. If you back up WhatsApp to Apple’s or Google’s cloud, then this is a copy of the decrypted chat history on your device. Apple and Google have the keys to your backup—it is outside WhatsApp’s end-to-end encryption. Telegram’s founder Pavel Durov argues that this makes “WhatsApp dangerous… Users don’t want to lose their chats when they change devices, so they back up the chats in services like iCloud—often without realizing their backups are not encrypted.”
Telegram argues that its cloud is more secure than Apple or Google, “that’s one of the reasons why Telegram never relies on third-party cloud backups,” Durov says. But he also points out that “Secret Chats are never backed up anywhere,” because they’re end-to-end encrypted. But in exporting a WhatsApp chat history to Telegram’s cloud, you are doing exactly what Durov assures does not happen with Telegram’s own end-to-end encrypted chats. This is a dangerous contradiction. Why offer to make your end-to-end encrypted WhatsApp chats less secure then Telegram’s (limited) equivalents?
Signal does not offer any form of cloud backup, specifically because this renders its end-to-end encryption pointless. Apple’s iMessage, meanwhile, has the cleverest option of all, extending end-to-end encryption across its “messages in the cloud.” WhatsApp does offer those backups, but for security reasons that option should be disabled within your settings—albeit you’ll lose you chat history if you lose your device.
And so, you should not export your WhatsApp chat histories onto any third-party cloud, including Telegram’s, without fully understanding that in doing so you remove the security that currently protects your content. In arguing that WhatsApp is not a secure repository for your messages, Telegram should not be suggesting that you make that content even less secure, without explaining the differences in detail.
There’s another serious issue here as well, of course. If you’re a WhatsApp user and take the view that the messages and attachments you have exchanged with your contacts are protected by WhatsApp’s end-to-end encryption and your contacts’ device security, you might want to bear in mind that all those messages could now be exported to Telegram’s cloud. And if you’re an employer whose staff use WhatsApp for work related discussions, then you face the same risk with your company information.
If you are switching from WhatsApp, please take the time to understand the differences between the alternatives. Your best solution is to retain WhatsApp while running other options in parallel, deciding what works best for you, and seeing their usefulness improve as more users move across. There is no rush here—WhatsApp remains secure and you have plenty of time to get this right.