Here we go again: another messaging app, more illusions of privacy and security

Post updated — see below.

Simon Davies has an interesting take on the fallout from Facebook’s acquisition of WhatsApp.

In one of the most persuasive displays ever of the market power of consumer privacy, Facebook’s recent $19BN acquisition of the popular messaging app WhatsApp appears to have been given the thumbs-down by millions of users.

While it may be too early to produce a conclusive analysis, there are solid indications that the trend of new sign-ups to messaging apps over the past two weeks has overwhelmingly favoured the privacy-friendly Telegram app and has shifted decisively away from WhatsApp. Telegram has reportedly picked up between two and three million new users a day since the purchase was announced just over two weeks ago.

Davies says that “Telegram has built a range of attractive privacy features, including heavy end-to-end encryption and a message destruct function. As a result, many privacy professionals regard the app as the market leader for privacy.”

Hmmm… Davies points out that a German product test group recently criticised Telegram, on the grounds that

Telegram ist als einzige der getesteten Apps zumindest teil­weise quell­offen. Eine voll­ständige Analyse der verschlüsselten Daten­über­tragung war jedoch aufgrund der nur partiell einsehbaren Software-Programmierung nicht möglich…

…which I interpret as a view that judgement has to be withheld because the Telegram code is not fully open source — and therefore not open to independent scrutiny.

Anyway, intrigued, I downloaded the IoS version of the Telegram App to see what the fuss was about. The download was quick and efficient. The interface is clean. To get started you enter your mobile number and Telegram sends you a code when you then enter to confirm that it is indeed your phone. It then asks for access to your phone contacts which, it tells you, will be stored in the Cloud in heavily encrypted form…

Oh yeah? Can’t you just imagine the hoots of laughter in Fort Meade!

LATER: A colleague who is less linguistically-challenged than me writes:

I’m not sure that Simon Davis or you got the right angle on that report on WhatsApp and alternatives. It’s true that didn’t like it much, but their point about open source in the part you quoted is actually quite positive – it’s saying saying that it’s the only one of the apps they looked at that was even partly open source. A translation of the bit you quoted would be something like , “Telegram is, at least, the only one of the apps we tested that is partly open source. However, because the programming is only partly transparent, a complete analysis of its encrypted data transmission was not possible.” And the next sentence goes on to say, “But the testers can rule out the possibility that it transmits data unencrypted.”

That’s actually more positive than what they say in the corresponding section about any of the other apps, where they generally say they aren’t open source so that the testers can’t be sure that some data are not transmitted in unencrypted form.

Obviously that’s not a killer point for the German testers, however, because the only app they didn’t regard as having important problems is Threema, which isn’t open source.

What they didn’t like about Telegram is that:
* You have to choose explicitly to use encrypted transmission by choosing the “Secret Chat” option.
* The app automatically stores all your address book (contact) entries without asking you or asking the other people in the address book.
* In their conditions of use, users agree that the software house can store the user’s address book entries. No official address details (‘Impressum’) are given for the software house and there’s no contact adrdess where you can ask questions about data protection.

He’s put his finger on the biggest problem, in a way, which is not just that the App’s owners require you to upload your contact information in the Cloud, but that by accepting this requirement you compromise all those contacts without their knowledge or consent. This is the point that Eben Moglen was making in his wonderful Snowden lectures when he pointed out that acceptance of Gmail’s Terms and Conditions allows Google not only to read your own mail, but also that of your correspondents, none of whom have consented to that. (Though no doubt a slick lawyer will try on the argument that anyone who emails someone with a Gmail address implicitly gives his/her consent.)