Signal or Telegram? Here’s what we think.

After WhatsApp updated its privacy policy, there has been a voluntary exodus of users from the platform. The popular alternatives are Telegram and Signal. WhatsApp’s updated privacy policy enables it to share its data with Facebook and its affiliate companies, which has resulted in growing apprehension among the general public. Some striking implications are about how WhatsApp is now empowered to collect information about user’s IP Address, device information and also use data to target users with ads. Further, payment information will also be accessible to WhatsApp (in case the user avails the monetized version of the app) and can be shared with Facebook.  People’s apprehension of this privacy update is not unfounded given Facebook’s very sultry reputation when it comes to data protection and privacy of the users. So, Signal or Telegram? Here’s what we think.

We will compare both Signal and Telegram on the parameters of privacy, cyber security, and their features and utility. Before we begin, a big thanks to Bhagyashree Swami for all her help in writing this article.

PRIVACY

Telegram has been a popular messaging app for a while. It has been considered the direct rival to WhatsApp. Cold competition between the two applications has been an ongoing thing since long. Facebook removing Telegram’s Facebook page for no apparent reason is a not so subtle admission. Telegram has a detailed privacy policy and elaborate literature is available for the reader’s perusal. Signal is gaining good traction and has many articles explaining the app and its functioning. However, Telegram does a superb overall job with its privacy policy and FAQs, almost convincing you to join the application without thinking twice.

Information Gathering and storage

Telegram asks for users’ mobile number, basic account information (name, profile picture and about information). The privacy policy clearly states that users do not need to share their real names for screen name, gender or age or email address. Cookies are only used to provide Telegram services on the web and are not used for profiling or advertising. Telegram is specifically assertive that it does not use data for generating ads and it claims to be a non-commercial entity, monetizing only from 2021. Telegram’s policy provides for it to collect user IP address and device information- to prevent spam, abuse, and other violations- but also states that such data will be available with it only for a duration of 12 months. (Let’s think about tracing someone sharing child pornography on Signal for a context) Signal on the other hand is silent on these issues- mainly because it does not collect any data, apart from basic account information.

The personal data that you provide to Telegram will only be stored for as long as it is necessary for it to fulfill their obligations with respect to the provision of the services. Telegram states that its payment mechanism is facilitated by third party service providers and they will have access to user data. Telegram assertively states that it does not have access to user payment details or credit card information and no such user data is stored. However, Telegram can collect your shipping information but provides the option of deleting it upon request by the user. Signal on the other hand remains silent on these point as of now, including the data retention period.

Deleting Account

Deleting the account removes all messages, media, contacts and everything stored on the cloud in Telegram. In relation to secret chats, the data will be deleted maximum within 48 hours and a minimum time limit can be set by the user.  By default, if a user stops using Telegram for six months, their account will be deleted along with all messages, media, contacts and every piece of data. It also gives the user an option to determine the time period after which an account would self –destruct, once the user stops using it. Signal has no provisions to this effect.

Accessing a copy of your data

Telegram explicitly provides users the right to access a copy of all their personal data, the right to delete or amend personal data, to object and restrict and lodge complaint with the DPA. However, the same rights are not available with users of Signal.

CYBER SECURITY

Although Telegram claims to store user messages in its servers, heavily encrypting them and ensuring the encryption keys are not available locally, the end to end encryption of messages and calls are only available for ‘secret chats’- a way to interact with another Telegram user. This option has to be specifically chosen before initiating a chat. Once a user selects to start ‘secret chat’ with another user, a request is sent to such user and only upon the user’s acceptance, the feature is enabled. To the users who are used to the default end-to-end encryption feature of WhatsApp, this is inconvenience. Not to mention the fact that if one wants to have a professional/ business conversation with a contact, the action of initiating a ‘secret chat’ sounds very outlandish.

Signal on the other hand safeguards all calls and messages, including photos and status of the users with end-to-end encryption. Nonetheless, Telegram’s secret chat’s security is well tried and tested. Apparently, a few years back (2015) the Telegram team announced a $300,000 reward to anyone who breaks in. There were no winners- even if the contestants could act as the Telegram server passing information between users.

When it comes to data storage, Telegram’s encryption keys are stored in several data centers in different jurisdictions. Data generated in public channels and public groups is stored on cloud and remains encrypted while in transit and also at rest. Moreover, information is stored on servers using randomly generated authentication tokens, keys, push tokens, and other material. Contacts are stored on servers after cryptographically hashing. In case of Signal, messages/ message history is stored on the user device rather than servers (which also means no chat backup). It does not store your contacts While this ensures that a user’s data does not leave her device, it also means that there is no true cross platform availability of messages. E.g. If you text ‘John Doe’ using your Signal app on mobile, and then you wish to continue the conversation on the Signal desktop application, the message history won’t be available. You will have to start a new chat with John Doe.

Coming to the code itself, Signal uses the Open Whisper System which is an open source end-to-end encryption solution. However, although Telegram’s applications and some APIs are open sourced, the backend is not open source. (Telegram says it will eventually open-source everything- in phases)

FEATURES

Telegram scores quite high when it comes to easy accessibility to users. Users can use the app across many devices simultaneously. The app, when used on multiple devices, auto updates and works across devices and platforms independently. Both Telegram and Signal have enabled the calling feature through their desktop app- a feature which WhatsApp lacked.

Now let’s talk about some common features that a WhatsApp user would search for. In Telegram, you can delete any sent message at any point of time, without leaving a ‘this message has been deleted’ mark. It also supports self-destructing messages with an option to set the timer from 1 second to 1 week. Signal offers disappearing messages, with a time range of 5 seconds to 1 week. However, sent messages can be deleted only within the past 3 hours.

One area where Telegram hugely outshines Signal is in providing a platform to share large files. Telegram enables sharing of files up to 1.5 GB efficiently- an area in which WhatsApp and Signal fall short. Further, Telegram groups support 200,000 members; Signal only allows for 150 users to be part of a group at a given time. (Telegram channels can have unlimited subscribers) A major concern when it comes to Telegram is the issue of widespread spamming, or groups sharing extremist/ child pornographic material, which Telegram has not been able to tackle effectively. However, given that there is a drastic limitation on the number of members that can be added in the group and the file size that can be shared, this problem to a large extent is avoided in Signal.

With regard to the UI, although Telegram too was designed to resemble WhatsApp, Signal takes the front seat when it comes to giving users a similar experience of using WhatsApp. (*coughs* remember Jio chat?) Nevertheless, the author feels this to be a matter of personal choice.

Telegram also has a plethora of features like setting display pictures and bio, sharing files/ images without compression, etc., two-step verification, sync contacts, greater control over storage and downloads. Signal lacks most of them. It only has one additional feature- ability to be used as the default messaging app for sending SMS. However, not many people require that, at least in the sense that it offers no additional utility compared to the default messaging application (which cannot be deleted anyway).

THE VERDICT

Telegram has a unique advantage. It has been in popular use for quite some time, primarily because of its groups and channels. Switching to Signal is one additional step for most of the people. Plus, probably not many of your contacts are available on the platform. (Telegram lets you know when a contact joins speaking of which) If you are already using Telegram- you should probably continue with it without any worry.

In the world of security, the goal is to find the right balance between adequate security, access with convenience, and utility. Signal is a simple and solid app which gets the job done- which is texting while maintaining your privacy. However, it is too limited in features and is inconvenient at times. (see the desktop app example above) On the other hand, Telegram is feature rich, and gives you control over your privacy- to the level that you can even choose if you want your name to appear on a forwarded text. If you need to text something secretive, you are welcome to use the secret chat feature. The application also hits the rights chords if we judge its privacy controls/ policies from the perspective of data protection principles. Besides, it has a brilliantly written privacy policy which is exhaustive and does not shy away from touching upon even some weak points- it almost convinces you to join the platform. The level of transparency it maintains builds trust among users.

Even from a security point of view, its active participation in bug bounties and hacking contests instills a greater level of confidence in the users. Plus, it has not been breached, not at least yet- even though it does not use Signal’s widely acclaimed Signal protocol. (Only if you remember Pegasus; WhatsApp too used Signal protocol)

Adios, WhatsApp!

Found this article useful? Share with friends!

Bhavana Muralidhar

Bhavana is a Technology Law and Policy fellow at Daksha Fellowship’ 2021. She was a merit scholar and graduated top of her class with a degree in law. Her areas of interest include Technology Law, IPR, and Criminal law. She is also actively involved in public interest litigation and RTI advocacy.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

×

Hello!

Select one of our representatives below to chat on WhatsApp or send us an email at [email protected]

× Need legal help?