I get it… in today’s world, secure communication is a must. Be it for military, government, or high-level business operations. Yet, particularly when I work with government agencies, intelligence services, and military folks and hear the unique WhatsApp chirp it makes me shrug because that kind of communication instrument DO NOT belong in such extremely sensitive environments.
Convenient, swift, and easy-to-use applications such as WhatsApp, Signal, and Telegram tout themselves as secure platforms for communication and while that may be sufficient for consumers/private individuals the real question is: are they secure enough for sensitive and classified information?
Let us break down each app and explore some alternatives that may provide better security.
Spoiler: For those of you who require an airtight communication channel all the “prepackaged”, proprietary solutions mentioned herein are highly inappropriate. Due to the large variety of stakeholders in government/military communication (interagency, foreign diplomatic missions, etc.) and the foreign ownership of platforms (lack of control, oversight, transparency, etc.), the only feasible solution for governments and military communication environments are those highly individualized, self-owned/hosted unified communication solutions I help plan, create, and deploy. These then have the user experience, and convenience of WhatsApp, but the security you determine.
WhatsApp, owned by Meta (formerly Facebook), boasts about end-to-end encryption as one of its main selling points. End-to-end encryption refers to messages encrypted on the sender’s device and decrypted only on the recipient’s device, not even WhatsApp being able to read them.
However, WhatsApp has faced significant scrutiny:
- Metadata collection: While the content of messages is encrypted, WhatsApp still collects metadata — who you are talking to, how often, and when. For high-stakes communications, that metadata can be as valuable as the message content itself. Remember how the Ukrainians knew where the invading Russian forces were due to the cell tower triangulation?
- Sharing data with Meta: WhatsApp, being part of Meta, must share certain data with the parent company. This has raised red flags in situations where governments or third parties can request data from Meta either legally or otherwise.
- Backdoor fears: The belief that encryption can deliberately have backdoors due to pressure from governments persists but is not proven.
Given the strong encryption of WhatsApp, its connection to Meta and the gathering of metadata make it less fit for highly sensitive communications and should be banned outright from devices of government/military officials.
Signal
Signal is considered the most secure messaging application available today. Developed by Open Whisper Systems, Signal is open-source.
- Strong End-to-end Encryption: Signal uses the Signal Protocol, arguably the most secure encryption out there. Besides messages, it also encrypts voice and video calls.
- Minimum metadata: The most attractive aspect of Signal is that almost no metadata is stored. All that gets stored by Signal is when a user last came online, and that is also heavily encrypted.
- Open-source and audited: Being open-source enables constant review of the code by security experts, which increases its transparency and trustworthiness.
Signal enjoys the reputation of being amongst the most secure instant messengers, with rigid encryption and staunch commitment to users’ privacy. It is the first choice for secure communication and occasionally finds application in high-stakes environments. Keep in mind though that journalist Tucker Carlson assumes his Signal account was compromised before his interview with Vladimir Putin.
Telegram
It is popular due to its speed and features. On the other hand, its security model is very different from that of WhatsApp or Signal.
- Encryption in the Cloud: Telegram encrypts all of its standard messages in the cloud, whereby chats are stored on servers at Telegram unless users opt for “Secret Chats.”
- Secret Chats: The Secret Chats feature in Telegram uses end-to-end encryption, but users have to turn that option on manually. Due to this, many people mistakenly believe all chats on Telegram are automatically end-to-end encrypted, which is not accurate.
- Server-side encryption: Consequently, regular Telegram chats are encrypted between the user and Telegram’s servers; meaning, Telegram can access message data if compelled by authorities or breached.
- Ownership: While Telegram’s founders have often expressed support of privacy, Telegram is not quite as transparent as Signal when it comes to audits and its security architecture.
While Telegram has a secure option with its Secret Chats, the rest of its messaging system is not by default end-to-end encrypted, making it less secure for those seeking guaranteed privacy in every message. You also have to keep in mind the recent arrest of Telegram CEO Pavel Durov, and the fact that using communication platforms outside of your sphere of influence is prone to be shut down, or your communications being leaked to foreign governments.
Alternatives For Highly Secure Communication
WhatsApp, Signal, and Telegram are not good enough for environments that require military-grade or government-level security, where the stakes involve sensitive operations or classified data. Here are some alternatives designed with more security in mind:
1. Silent Circle (Silent Phone)
Silent Circle, originally created to provide secure communications for businesses and governments, offers a suite of tools designed for secure messaging, voice, and video calls.
– End-to-end encryption: Silent Phone offers end-to-end encryption with calls, messages, and file transfers.
– No metadata: Silent Circle does not keep metadata because leaks could happen.
Self-Destructing Messages: It also provides a feature to set messages for self-destruction.
While generally suitable for military, government agencies, and corporations handling highly sensitive information it’s a proprietary product with many factors outside of your sphere of influence, presenting a bucket full of avoidable risks.
-
Threema
Threema is another highly secure app known for its focus on privacy. Unlike most messaging applications, it doesn’t require users to link their phone numbers or email addresses, allowing anonymity.
– End-to-end encryption: Threema encrypts messages, voice calls, files, and status updates by default. – No Central Server Storage: Data is stored only on the device, and messages are deleted immediately after delivery.
– Open-source: Threema’s encryption can be independently audited.
It’s relatively secure as a form of anonymous communication for high-risk individuals.
3. Wire
Wire is an enterprise-focused secure communication tool developed by former Skype engineers. It provides encrypted messaging, voice, and video calling with a focus on business communication.
– End-to-end encryption: Wire encrypts all messages and calls for secure communications.
– Multi-device support: Unlike Signal, which locks users to a single device, Wire allows secure communication across multiple devices without compromising encryption.
– Open-source: Wire’s openness to independent audits enables its transparency.
Wire is generally ok for secure communications across numerous devices for business and governmental use with the German government currently evaluating it.
4. ProtonMail (ProtonChat)
ProtonMail is known for its highly secure e-mailing service, but it also has developed ProtonChat, a secure messaging service currently in development and focused on end-to-end encrypted communications.
– End-to-end encryption: Like ProtonMail, ProtonChat is expected to strongly encrypt messages and metadata.
– Swiss-based servers: Proton operates out of Switzerland, a country with strong privacy laws, which furthers the foundation of security.
– No third-party involvement: ProtonMail/Chat operates independently and does not share users’ data with major tech companies or governments.
Secure communications with an emphasis on privacy laws and jurisdiction.
Conclusion
While WhatsApp, Signal, and Telegram offer different levels of security, none is the perfect fit for high-risk, highly sensitive communications like military operations or top-level government. Of the three, Signal is the best with its strong encryption and reduced data retention.
Silent Circle, Threema, Wire, and ProtonMail are more appropriate solutions for users who require a certain level of privacy. Besides encryption, these alternatives are built with privacy, anonymity, and minimum metadata retention in mind, hence a certain degree of communication can be processed through them.
Security has multiple facets, though. It’s best to not only reduce security aspects to the encryption methods of a platform, but also how it treats metadata, device management, and external pressures via governments or organizations for more secure communication… And most importantly where they are headquartered, and their track record of dealing with government requests for the release of information.
Knowing of all the shortcomings you’re best served with creating and deploying your own unified communication network over which you have total influence.
Lars Hilse
Lars G. A. Hilse is an independent political/corporate advisor, and expert/witness in information security with a focus on the risks of cyber terrorism, and cyber warfare, and their impact on the security of critical, national/global infrastructurewith degrees in electrical engineering, and finance.
He maintains close cooperations withmilitary, law enforcement, and the intelligence community, and actively contributes to some of the most difficult, and notable cybercrime investigations.
He acts as a cyber-crisis-manager, and through his vast network is able to deploy highly specialised cyber-incident-response teams globally at breathtaking speeds.
In his capacity as an information security consultant he performs state-of-the-art risk assessments & mitigation directives, crisis response protocols, and establishes cyber security maturity models.
Among his other talents are intelligence gathering, accessing fortified infrastructure/networks, forensics, all with a focus on social engineering and other unorthodox access methods.
Since his first exposure to the internet at age 13, Hilse has constantly broadened his skillset in cybersecurity, focussing on cyber crime, cyber terrorism, and cyber defence.
Due to his precise foresight of all developments in the digital realm for over 25 years, he is repeatedly referred to as a global thought leader in cyber security, and digital strategy.
Hilse has privately funded research in cybersecurity worth over USD $1.000.000 since 2011. Some of the results hereof were the Advanced Cybersecurity Risk Assessment Checklist (ACRAC), and the advancement of several information security maturity models, and numerous papers and books (see below).
He acts as a political advisor among others to the European Parliament, proposing highly individualised, complex, multi-phase approaches in which a threat-landscape is established, risks identified thereien are mitigated, after which a (legislative) framework will reduce the potential fallout of cyberattacks.
