Tens of millions of you are now moving from WhatsApp to Telegram and Signal—with many using these apps for the first time. Beware, though, as this is a serious security issue. The latest threat to your WhatsApp messages may seem to be a useful setting, but it has an alarming, hidden risk. Here’s what you must not do.
WhatsApp’s fightback is underway—as it tries to stem the flood of users moving to Telegram and Signal. But users must understand the risks before they move across. Signal and Telegram are not the same. And this has just become much more serious, with a new move from Telegram that could put WhatsApp users at risk.
Earlier this month, alarmist headlines and viral social media posts warned WhatsApp users that Facebook was muscling in on their data. WhatsApp’s initial PR was woeful. By the time it gripped the messaging, as many as 50 million users had installed Signal for the first time, with twice that opting for the larger Telegram.
The crisis now risks becoming a catastrophe. The real threat to WhatsApp is that Signal and Telegram become mainstream, genuine alternatives.
Yes, Telegram already had a substantial user base, but its new installs tap into WhatsApp’s core, shifting it from its alternative audience of the past. And as Signal and Telegram build, the network effect risks accelerating this “digital migration” from WhatsApp.
Both Signal and Telegram are churning out provocative privacy-based marketing messages, playing to the anti-Facebook sentiment. They’re also releasing features and updates to plug gaps in their offerings. Ultimately, though, the trick is to make the move across as easy as possible, helping new users =bring their contacts along.
One feature both Telegram and Signal offer is “group links.” Users can create replica groups to those they have in WhatsApp, then message the WhatsApp group with a link to join the new group, install Telegram or Signal if they’re not already onboard.
Now Telegram is going a step further, facilitating the import of exported WhatsApp chat histories onto its platform. It’s now as simple as selecting “Export Chat” in WhatsApp and then selecting Telegram as the destination. All messages and (optionally) media are copied across, providing all that history in Telegram.
Starting today,” Telegram told its users this week, “everyone can bring their chat history—including videos and documents—to Telegram… The best part is that the messages and media you move don’t need to occupy extra space.
Older apps make you store all data on your device—but Telegram can take up virtually no space while letting you access all your messages, photos and videos anytime you need them.” This is not the “best part” of anything. It’s a serious risk you need to understand.
Unlike WhatsApp and Signal, Telegram is a cloud-based platform. With the exception of its niche “secret chats,” which need to be manually set up and only work between two individuals on one device each, all your messages are stored on Telegram’s cloud.
This means you can access those messages from as many devices as you want, and if you lose a device you don’t lose any of your content.
But it also means that your messages on Telegram are not end-to-end encrypted. This is a critical difference to both WhatsApp and Signal, which both offer that security. Telegram encrypts messages between your device and its cloud, and between its cloud and your contacts.
But Telegram holds the keys to this encryption. And while it has policies to secure those keys, this is nowhere close to end-to-end encryption, where you and your contacts can access content, but the platforms cannot.
The security risk with end-to-end encryption is on your device itself. This is called endpoint compromise. While messages cannot be intercepted in transit, once they’re received by a device and decrypted, they can be intercepted by a physical or digital attack on that device.
It is the biometric or passcode security on your device that keeps those decrypted messages safe. But as Telegram itself says, “we cannot protect you from your own mother if she takes your unlocked phone without a passcode.”
The same issue extends to the cloud. If you back up WhatsApp to Apple’s or Google’s cloud, then this is a copy of the decrypted chat history on your device. Apple and Google have the keys to your backup—it is outside WhatsApp’s end-to-end encryption.
Telegram’s founder Pavel Durov argues that this makes “WhatsApp dangerous… Users don’t want to lose their chats when they change devices, so they back up the chats in services like iCloud—often without realizing their backups are not encrypted.”
Telegram argues that its cloud is more secure than Apple or Google, “that’s one of the reasons why Telegram never relies on third-party cloud backups,” Durov says. But he also points out that “Secret Chats are never backed up anywhere,” because they’re end-to-end encrypted.
But in exporting a WhatsApp chat history to Telegram’s cloud, you are doing exactly what Durov assures does not happen with Telegram’s own end-to-end encrypted chats. This is a dangerous contradiction. Why offer to make your end-to-end encrypted WhatsApp chats less secure then Telegram’s (limited) equivalents?