WhatsApp is the most popular communications app on the planet with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as its default for messaging in 2016.
To do so, it cooperated with Moxie Marlinspike’s Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have also used the protocol, widely regarded as the gold standard in encrypted communications.
Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation's flagship Signal app provides fully-fledged and easy-to-use secure communications in its own right.
It has direct and group messaging, as well as one-to-one audio and video chat, and there are very good reasons to opt for secure messaging's Cool Original flavour over WhatsApp. In February, the European Commission advised its staff to do exactly that.
Here’s why you should use Signal for any conversation where privacy matters – even if that’s just giving your family the shared Disney+ password – and why your friends should, too.
1. Signal has more up-to-date security features
New security features come to Signal first. For example, Signal has had disappearing messages – which are automatically deleted after a specified period of time – since 2016 but the feature is still being tested with small numbers of WhatsApp users.
Other mainstream and beta Signal features that WhatsApp users don’t have include view-once media messages, encrypted profiles, an incognito keyboard switch for Android to keep Gboard from sending your typing history back to Google, and backups that don’t default to unencrypted storage in Google Drive or Apple iCloud.
Signal also has a slightly broader range of clients, with a dedicated client for Linux desktop users – likely to appeal to those in the security and data analysis fields – while WhatsApp directs them to its web app.
2. Signal is open source
All of Signal’s source code is published for anyone to examine and use under a GPLv3 license for clients and an AGPLv3 license for the server. This means that you can see what’s going on inside it – or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they’re looking for.
Because of this...
3. Signal has less potential for hidden vulnerabilities
As a larger platform, WhatsApp is more inviting to malicious actors to start with, but the fact that its codebase is a proprietary closed box means that it may take longer for dangerous vulnerabilities to be detected. Any application can and eventually will suffer vulnerabilities – Signal has resolved a few of its own.
But WhatsApp’s closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they’re exploited. A particularly worrying example was a vulnerability in WhatsApp’s VoIP stack, used by intelligence agencies to inject spyware in 2019.
4. You can run your own Signal server (but probably shouldn’t)
Another advantage of open source software is that you can play with it, if you’re that way inclined. You probably won’t want or need a Signal server of your own for either personal or business reasons. It’s designed as a mass communications platform and isn’t really intended to scale down. It’s also a pain to build, and there are currently no containerised versions for easy deployment.
But if you’re technically minded, you can learn a lot about how a system functions by building a test instance and poking it with a stick. It’s non-trivial, but community guides are available to help users get a Signal server up and running and some interesting forks exist, including a decentralised messaging system.
5. How much can you trust Facebook?
Perhaps the most compelling reason to use Signal is Facebook's long-standing lack of respect for its users' privacy. Facebook has an appalling history when it comes to data collection and handling, from the Cambridge Analytica affair to its practice of sharing data about users with phone manufacturers.
It’s already proved that it can’t be trusted with WhatsApp user data that should, under EU law, have remained private. In 2017, European regulators took action against Facebook for sharing WhatsApp users’ phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented.