
Some considerations on possible alternatives to WhatsApp

Since there are committed alternatives supported by volunteers or non-profit foundations, we have excluded all services produced with a purely commercial approach.

Indeed, nothing prevents a commercial company that is interesting today from being sold tomorrow to a GAFAM, as WhatsApp was sold to FB with our data. The problem is the concentration in the hands of one company, and on its servers, of a mountain of personal data, sometimes sensitive, and the resulting danger of the destruction of privacy.

Any service that does not show how it works in detail (free software) has not received our trust.

Any service that passes our exchanges through its servers runs the risk that they will be hacked or bought one day, and therefore does not have our full confidence either.

Our criteria

Selected tools

  1. Jami   Web site
  2. Signal   Web site

The two tools chosen send messages from one user to the other without going through a server that can store them (neither in clear text nor encrypted). And they have been reviewed by academics.

Jami

offers the best technical and human guarantees for the confidentiality of exchanges between users. The trade-off is that the link with each contact must be created individually by exchanging an identifier of his or her choice (real name or pseudonym). Moreover, it still lacks some "basic" functions that we are used to: groups for chatting and conferences. These are currently under development. There are not a lot of stickers and other things to express one's emotions. And if you lose your main password, which nobody else has, the account is lost forever. On the other hand, you can use it on mobile and computer (Mac, Windows and GNU/Linux), and make backups.

Humanly speaking, the service is part of the GNU Project, a project carried by idealists that has served the [human] community since the 1980s. It is the free software movement that inspired Wikipedia.

Technically, there is no server that follows the exchanges, and the users are "anonymous". It is a decentralised (distributed) system. The exchanges are truly confidential and will remain so. Explanations.

Commercially, Jami is developed by a free software services company (SFL) which sells its expertise in providing a confidential messaging service.

For these human and technical reasons, Jami can never be sold to a GAFAM.

Signal

is closer to our habits on WhatsApp. It is better known by the general public and will be all the more easily chosen by our entourage.

Technically, it is based on phone numbers. As a result, it is still possible to track (at Signal) who is in contact with whom, although we are fairly certain that there is no such tracking. But the exchanges do not go through centralized servers. The servers are only used to connect users.

Whistleblower Edward Snowden recommends the application, which he believes is one of the best ways to avoid mass surveillance programs.

The Electronic Frontier Foundation (EFF) has included Signal in its guide to self-defence against surveillance.

Commercially, Signal is halfway there: it is being developed by a commercial company that is funded by a foundation. The medium-term future is not guaranteed.

One can also follow

Tox, a bit like the principle of Signal but with an even more hidden message circulation (onion layer routing). Not yet completed.

Session, is also very promising and comes from a foundation but is still only text, no audio or video calls. Also uses onion routing.

XMPP Solutions, in fact, are also quite solid and interesting, but the programs to be installed have a different name on each device (depending on whether you are on Android, Apple, Windows, etc.), sometimes with different functions from one to the other, which doesn't make it easy to spread by word-of-mouth.

Silence, only offers the exchange of SMS and MMS messages, in a confidential ("encrypted") way.

Technically satisfactory products, but…

Commercial, therefore likely to be resold, to add advertising, or to restrict free use to make users switch to paid mode...

Olvid stands out with a very secure system in technical terms, but remains the flagship product of a company that seeks to sell its services to businesses.

Telegram, which has announced that it will start "monetising" the application in 2021. What's more, the server programs are not known. It would appear that the product is honest because it is used in various countries that are heavily censored and repressed, but we cannot tell.

More or less opaque commercial products and/or centralising huge user files

Citadel, FB Messenger, JioChat, Line, Skred, Skype, Threema, Viber, WhatsApp, Wire...

More technical considerations

As this is open source software, it is also possible to compile the two selected tools yourself. So if there were hidden tracking to servers, it would be relatively easy to get rid of it. And in both cases, the code has been reviewed.

State surveillance

Jami's non-centralised operation avoids the production of metadata that could be stored and then sold, hacked or demanded by a government.

Signal's operation requires the minimum amount of metadata: the sender's telephone number, and the date and time. The developers ensure that this data is erased and that only two timestamps are kept, the first for the creation of the account and the second for the last connection to the service, which are essential to providing the service.

Signal is developed in the USA, so is subject to laws that allow US intelligence (various offices, see "CLOUD Act") to access the stored data, but they store virtually nothing. This is better than in France where they would have to store a certain amount of data for a year or two.

The company shows on its site how it has already responded to such a request by providing exactly two dates for a user.

Jami is developed in Canada, and is therefore not yet subject to US constraints, but agreements are under discussion. On the other hand, by their design, the servers really don't have much to offer to intelligence.