WhatsApp, Telegram & Co: Which chat apps should you be using from a data protection perspective?

WhatsApp and Telegram have shared a common fate lately, and that is: negative headlines. WhatsApp because of the planned changes to its terms of use and the resulting more extensive sharing of data with Facebook. On the other hand, Telegram is more often associated with conspiracy theorists, who use it to share their thoughts and opinions. However, there is also criticism from time to time around the topic of data protection, with both messenger services being guilty of having gaps in this area.

In this blog article, you will discover more about what gaps currently exist and be introduced to two alternative messenger services with better data protection practices.

Data protection comparison of WhatsApp, Telegram, Threema and Signal

Registration: A phone number is required to register with WhatsApp.

Encryption: The content of chats (including group chats) as well as status messages and calls are end-to-end encrypted. End-to-end encryption means that only the people communicating with each other have access to the contents of the communication. WhatsApp cannot, for example, read chats or listen in on calls. However, the metadata of the communication is not encrypted end-to-end, so that WhatsApp is able to know who, when and with whom etc., has been communicating.

Server location: Outside the EU, mainly USA.

Address book matching: WhatsApp automatically checks the user's local address book with its own database when a user registers. The data of persons in the user's address book who do not use WhatsApp are also recorded for matching. The consent of these people is not obtained. Due to the relationship with the parent company Facebook, this data can also be forwarded to Facebook. WhatsApp can only be used without restrictions if access to one's own address book is permitted.

Privacy policy: The privacy policy is also available in German. In principle, the GDPR does not stipulate the language in which the data protection declaration must be written. However, the data protection statement must be easily understandable for the data subjects, among other things, Art. 12 (1) GDPR. The comprehensibility also depends significantly on whether the persons are linguistically able to understand what is described in the data protection statement. In addition, it also plays a role to whom (customers in which country) the respective offer is directed so that a translation of the privacy policy into the respective national language can be provided.

Cost: WhatsApp is free of charge. However, the terms of use of WhatsApp are basically designed to allow the data to be passed on to Facebook and used for the purpose of personalised advertising.

GDPR compliant: WhatsApp is not compliant with the GDPR. In addition to the aforementioned points, WhatsApp, as a US company, is subject to the CLOUD Act. This means that US authorities are legally entitled to access WhatsApp's data.

Registration: Registering with Telegram requires the use of a phone number and for the user to indicate their first name (this, however, is not verified). The visibility of the phone number can be excluded for other users.

Encryption: The form of encryption depends on the chat functions used. For cloud chats, only transport encryption is used, which means that the messages are encrypted on their way to the server and from the server back to the receiving person but may be stored unencrypted on the servers. If this is the case, Telegram can theoretically access the stored data on the servers and track any chats' content, etc.

End-to-end encryption can be used for secret chats ("individual chats"). However, end-to-end encryption must first be activated by the user. Group chats, on the other hand, are not end-to-end encrypted.

Server location: Outside the EU; exactly where is unknown.

Address book matching: The address book is not automatically matched with the Telegram database unless the contact synchronisation function is activated. If this is set, the phone number and the first and last names of the persons in the address book are saved.

Privacy policy: There is no privacy policy in German.

Cost: Telegram is free of charge.

GDPR compliant: Telegram is not GDPR compliant.

Registration: There are various ways that one can register with Threema. It is not necessary to provide one's own phone number, email address and/or name. Threema can be used anonymously by having the option of generating a random Threema ID for use. Threema can therefore also be used without providing personal data and is also designed for this purpose. If desired, registration can also be done using the phone number, for example. This is then stored in encrypted form.

Encryption: All content is encrypted end-to-end.

Server location: Switzerland. Threema operates the servers itself.

Address book matching: Although data from the user's address book is matched, the data is not stored permanently. Matching the data is not required to use Threema.

Datenschutzerklärung: The privacy policy is available in German.

Cost: Threema costs a one-time fee of 3.99 euros. Threema is not financed by advertising or tracking but by the user fee.

GDPR compliant: Threema is GDPR compliant.

Registration: Registering with Signal is done with the phone number and a username; the username does not have to be a real name; it can be a pseudonym, for example.

Encryption: All content is encrypted end-to-end.

Server location: Outside the EU, mainly USA.

Address book matching: Matching of the data is not required to use Signal.

Datenschutzerklärung: There is no privacy policy in German.

Cost: Signal is free of charge. There is no advertising and/or tracking. Signal is an independent, non-profit organisation; funded by donations.

Source code: The source code can be viewed on GitHub.

GDPR compliant: Signal is not GDPR compliant because, as a US company, it is subject to the CLOUD Act.