Umbrella Lane Research Projects - January 2021: WhatsApp and Online Communication Security
This month’s question:
How safe and secure are the various online instant messaging apps? Should Sex Workers stop using WhatsApp altogether?
At Umbrella Lane we always want to be looking out for our community in any way we can. That’s why we have multiple ways of communicating with our community members and why we always do our best to listen out for any news of online safety concerns that might impact Sex Workers.
We know that WhatsApp has become a common everyday tool for the majority of the Sex Worker community, it’s end to end encryption has reassured everyone using it that it’s a secure and private way to communicate.
However as time has gone on, more and more concerns have been raised about the direction WhatsApp is going in. Now we’ve reached the stage where some members of the community no longer feel it’s safe to use for sex work related communications. So Umbrella Lane has decided to take some time to try and find some information about the WhatsApp situation and what alternative communication tools the community could switch to.
What’s wrong with WhatsApp?:
Let’s start by looking at what exactly is wrong with WhatsApp to make people think about changing to a different app.
Everyone knows that WhatsApp messages are end to end encrypted - which means that the only people that can read those messages are the person that sends the message and the person that receives the message. It’s worth noting that although your messages are end to end encrypted, your backups might not be. If you backup your messages to your phone or cloud storage it’s likely that those files aren’t encrypted and could be read by anyone that accessed them.
Group chats can be found via internet searches (read more here: https://www.forbes.com/sites/kateoflahertyuk/2020/02/22/whatsapp-users-beware-heres-how-chats-are-available-to-anyone-via-google/?sh=2d02390b2d30 ). It’s possible to find links to join WhatsApp chats by searching online and even if they can’t join people can often find the name, image and description of the chat as well as the phone number of the person that created the chat.
“Even without actively joining a group, its title, description, image and creator's phone number are available for all,” the article reads. - taken from here: https://www.forbes.com/sites/kateoflahertyuk/2020/02/29/whatsapp-security-is-this-hidden-flaw-a-new-reason-to-leave/?sh=1d8f60dd5b90
WhatsApp has access to all of your contacts, not just those that use the app. You can technically opt out of it but the app then becomes far more annoying to use. So if you have clients numbers saved to your phone or your family/friends numbers saved to your phone and they don’t use WhatsApp but you do, then WhatsApp still gets to access those names and numbers that you have saved to your phone. “WhatsApp may not track what you are discussing, but they could know where you are discussing it, who with and for how long.” There is the potential (however slim) that WhatsApp may work with the Police and provide your data.
The coding of WhatsApp is private - this is bad because it stops independent people/companies from going in and testing that it’s secure and checking that the app doesn’t have any privacy issues. Telegram may also be an app to avoid. (taken from → https://www.vice.com/en/article/qj4qjd/whatsapp-data-security-issues)
Big companies within the EU are reportedly moving away from using WhatsApp in favour of other messaging apps.
Summary of WhatsApp negatives:
You have to give some personal details.
They don’t run off of their own servers.
Your data is used for targeted ads.
You need to give access to your contact book for the app to work.
Contact lists, groups, and user profiles are managed directly on a central server, instead of just being on your phone.
Doesn’t comply with the European General Data Protection Regulation (GDPR).
The source code isn’t open to the public so can’t be checked independently.
We don’t know when WhatsApp last had a security audit.
What alternatives are there?:
We’re not saying that any of these apps are perfect, they will all have their own issues. We’re merely putting forward a list of apps that have been suggested by those that have done their research.
Signal
FREE - Signal is suggested as a good replacement for personal conversations. There’s a mobile app and a desktop app so you can stay connected whilst on your phone or when you’re working on your laptop/computer. It’s end to end encrypted.
On Signal you can text chat, voice call and video call. You can also send pictures, gifs, videos and voice notes.
There are no ads.
It’s straightforward and easy to use.
Negatives:
Asks for some personal data.
Doesn’t own its own servers.
Doesn’t comply with the European General Data Protection Regulation (GDPR).
Last security audit was in 2014.
Used by:
Some community members
Some clients
The UL Staff Team
Discord
FREE (but has premium options) - Discord is another option and one that Umbrella Lane already has a community server set up on. It’s more likely to be used for personal communications but there is also the possibility to use it for business communication too. It has a mobile app and a desktop app, so can be used on your phone or on your laptop/computer. It’s end to end encrypted.
There are audio chat options, video chat options, text chat options and you can send pictures, gifs and videos. Documents can also be sent on Discord.
There are no ads.
A little more tricky to get your head around but with a lot more features available once you’ve gotten settled.
Negatives:
Not everything is end to end encrypted (video calls aren’t).
Asks for some personal data.
Discord does store your data and has said it will sell to third parties.
Used by:
Some community members
Some clients
The UL Staff Team
Threema
PAID (£2.79) - Threema is again similar to Signal, Discord, etc with end to end encryption but seems to go a step further by also not collecting any personal data. This gives you the option to use the app completely anonymously.
Their website says:
“Threema is the world’s best-selling secure messenger. It sets itself apart from others in the following respects:
Guaranteed privacy: Threema is designed to generate as little data on servers as technically possible.
Full anonymity: You are not forced to provide any personal information (such as your phone number or email address) in order to use Threema.
Open source: To provide full transparency, the Threema apps are open source. Anyone knowledgeable enough can confirm Threema’s security on their own.
Optional contact synchronization: It’s not necessary to grant access to the address book in order to use Threema.
Comprehensive encryption: In Threema, all your communications are end-to-end encrypted – not just text messages and voice and video calls but also group chats, media files, and even status messages.
Rich functionality: Threema is versatile and feature-rich.”
Available as an app and can be accessed via a web browser on your laptop/computer.
There are no ads.
Straightforward to use.
Check out this independent review of Threema for an indepth breakdown of the service ---> https://restoreprivacy.com/secure-encrypted-messaging-apps/threema/#:~:text=Threema%20is%20an%20end%2Dto,number%20to%20create%20an%20account.&text=And%20all%20of%20this%20is,end%20encrypted%20for%20excellent%20security.
Negatives:
You have to pay for it.
Relatively small number of users.
Does not support 2FA (two factor authentication).
No free trial.
Used by:
The UL Communications officer
Wickr
FREE (For up to 10 users but costs more for larger teams) -Wickr is suggested as a good option for business communications. There’s a mobile app and a desktop app so you can stay connected whilst on your phone or when you’re working on your laptop/computer. It’s end to end encrypted.
No ads and seems fairly straightforward to use.
Negatives:
Asks for some personal data.
Used by:
Some UL Staff
Wire
PAID - Wire seems to be mostly presented as a business solution but focuses on privacy and security. It features end to end encryption and has both mobile and desktop options.
No ads.
Negatives:
Asks for some personal data.
Used by:
Businesses
What about Telegram?
We’ve hesitated to include Telegram in our list of alternatives as there seem to be just as many (if not more) security concerns surrounding Telegram as there are around WhatsApp.
This article gives a very indepth overview of Telegram and why it might not be the most secure option ---> https://heimdalsecurity.com/blog/is-telegram-secure/#:~:text=In%20fact%2C%20Telegram's%20security%20model,same%20place%20as%20decryption%20keys.
But it is still a FREE messaging app and you’re welcome to check it out. Just be sure to do your homework and be careful what information you share.
If you want your conversation to be end to end encrypted then you need to start a “secret chat”.
Negatives:
Last security audit was in 2015.
Doesn’t comply with the European General Data Protection Regulation (GDPR).
Contact lists, groups, and user profiles are managed directly on a central server, instead of just being on your phone
Messages are stored on the apps servers.
Doesn’t own its own servers.
Personal data is collected.
Used by:
Some community members
The UL Communications officer has an account
Should you stop using WhatsApp?:
At the end of the day it’s entirely your decision.
Umbrella Lane are not online security experts, we can only do some research and present what we find to the community to let them make informed decisions.
We’re always aiming to provide accurate and up to date information and welcome anyone to reach out to us if they feel we have missed something or if information we have shared is no longer accurate.
At the time of writing this Umbrella Lane has no plans to delete it’s WhatsApp but may begin moving to other platforms as a precautionary measure.
Changing platforms and learning how to use new apps can be intimidating but the Umbrella Lane staff will always do our best to provide assistance or to connect you with other members of the community that are already using different platforms so you never have to figure things out alone.