I Don't Like Any Messaging App
16th of May 2021
The Hated One just released a video discussing some of the problems with Signal, and I agree with almost everything he said, except for the recommendation to switch to Element.
Signal gets a lot of praise, and for good reason. It's mostly well designed. However, it's far from perfect. I've found it to be pretty stable (although messed up message ordering is annoying), unlike Element, but there are various missing features such as no support for message backups in the desktop application, something requested in a GitHub issue that has now been open for over five years! Not everybody wants to lose their messages when they switch devices Signal. It shouldn't even be a difficult feature to implement.
There's also the fact that you need a phone to even use the service, which was an awful design decision for a privacy messenger. The whole 'privacy != anonymity' argument to defend Signal is missing the point; namely, that a) you shouldn't give out your phone number to strangers on the internet, b) there's no need for this phone number requirement (lots of other services have managed with usernames just fine), and c) not everybody has a phone. I'll admit that c) is unlikely nowadays, but the recommended solution of using a Google Voice number is ridiculous when the same people recommending Signal advocate against using Google services.
To make matters worse, Signal's funding model is destined to fail. It doesn't take a genius to realise that donations from ordinary people alone won't be able to sustain huge amounts of bandwidth, especially when most people don't donate to open source projects. In response to this realisation, Signal decided to join the cryptocurrency craze. What a terrible idea. Firstly, Signal is a messaging app, not a payment app. Secondly, instead of integrating Monero, the best privacy respecting cryptocurrency, they decided to rip off Monero and make a new cryptocurrency that's worse (watch the Hated One video for details), all whilst cashing in when people make transactions.
It's honestly baffling why so many people defend legitimate criticisms of Signal as if they developed the app themselves. Stop burying your head in the sand and start thinking critically. The fact that support for usernames doesn't appear to be coming any time soon, the limited business model, the disparity between features on different platforms (e.g. backups on Android but not on iOS and PC), and now the integration of cryptocurrency indicates the flawed nature of the service. If you can't see that, it's time to get your eyesight checked.
With that said, all the current messaging apps have problems, and Signal is one of the better ones out there. For anybody wondering why, here's a summary of the current messaging platforms and why you shouldn't use them:
- WhatsApp: owned by Facebook. Need I say more? Avoid it at all costs.
- Facebook Messenger: the clue is in the name. It's also not end-to-end encrypted by default, certain topics of conversation get censored (e.g. piracy links), and there are feature disparities between the web and app versions.
- Zoom: arguably the worst service anyone can use. They outright lied about the security of their product, lots of security vulnerabilities have been found, it has ties to China, it has been banned by governments, and it's closed source.
- Skype: are you having a laugh? Microsoft handed over Skype data as part of the PRISM surveillance program, it's closed source, it's not end-to-end encrypted by default, and the UI is god awful.
- Kik Messenger: not end-to-end encrypted, closed source, you can't delete messages from the other person's device, there are adverts in the app, and it's full of bots.
- Telegram: not end-to-end encrypted by default, all messages are permanently stored on the server by default, there's no end-to-end encryption support in group chats, it doesn't use the Signal protocol (MTProto is much worse), it leaks metadata, secret chats don't sync between devices, and lots of infosec individuals have criticised its security.
- Element: buggy (thousands of open GitHub issues) and poorly designed for non-technical people (e.g. awful error messages, technical terms, etc). I'm talking about messages that never get decrypted. What's the point of a messenger that sends messages that are unreadable? I also believe there are metadata concerns, and some of the staff on GitHub are unhelpful and come across as rude.
- Keybase: acquired by Zoom, a company who blatantly lied about the security of their product. Enough said. No thanks. It's also likely a dead project now that the Keybase team is working on Zoom.
- Wickr: not open source, recently acquired by Amazon, based in the US, and the company seems to be happy to share some information with law enforcement.
- Threema: paid, the servers know who is talking to who, there are no self-destructive messages, you can't delete sent messages, and there's no desktop application (web only). However, it has been audited, is open source, there's no phone number or email requirement, messages are immediately and irrevocably deleted from the Threema server after being sent, encrypted chat exports are supported on both Android and iOS, and it has a few unique features like polls. This is arguably one of the better alternatives to Signal, but friends and family are unlikely to want to pay for the app.
- Session: apparently buggy (e.g. delayed messages, bad notifications, etc) and lacking in common features found in the other messengers (e.g. voice/video calls, pasting images from the clipboard on PC, etc). It's also tied to cryptocurrency stuff, which is always off-putting, and the company is based in Australia, a country that hates end-to-end encryption. However, it's open source and has now been audited. It could be good down the line but needs more work at present.
- Peer-to-peer apps (e.g. Briar): limited to a specialist audience for the most part. Many of these apps are also only available on one platform (e.g. Android). Furthermore, your contact must be online at the same time as you for messages to be delivered. Therefore, they're hard to recommend.
Let's hope Signal gets their act together and some of the above services improve enough to be recommended.
Note: Please contact me if I've missed something, managed to get anything factually wrong, or things have changed when you're reading this.