Best Instant Messengers
There are many messengers of various security levels. Let's analyse them and find the best one. There are various criteria we have to consider, as well as use cases, which vary from person to person.
SimpleX
- Uses E2EE (End to End Encryption)
- Open Source (AGPLv3)
- Federated/Decentralised
- Private -> Doesn't need a unique identifier (e.g. phone number) to register
- F-Droid
- Linux version
- Can use Tor
SimpleX is the most private and secure messenger that exists currently. Unlike the other messengers, it doesn't use unique identifiers (e.g. usernames or IDs) which could be used to track the user and even identify the user.
Conclusion: Most Recommended
Signal
- Uses E2EE
- X: Partially Closed Source (push notifications, updating, and other proprietary Google code)
- X: Centralised
- X: Not private
- X: Uses Google services/communicates with Google HQ
- X: Insecure: No F-Droid version, only Google Play or 'apk'
Signal is a messenger that has recently risen in popularity, and some cybersecurity "geniuses" promote Signal as a private and secure messenger. However, it is completely the opposite. The only redeeming factor is its use of E2EE. Signal is partially closed-source, as it uses Google services, and communicates with Google (and NSA) HQ to receive push messages. Signal is not found on F-Droid. Instead, you are forced to use the Google Play Store, and the 'apk' they provide also contains proprietary code from Google. Signal uses centralised servers, and requires a phone number (commonly tied to a real-life identity) to register. Even within the app, it hides Captchas etc. Signal has cooperated with US spy agencies and law enforcement, providing them with phone numbers.
Proton (the people behind Proton Mail/VPN/...) has written an article about the (in)securities of Signal. Proton mentions some additional problems with Signal.
They're correct. Signal doesn't protect your privacy because they can't secure the metadata (who talks with whom, at what time, for how long, where, etc.). And although it may not seem important, metadata are actually crucial pieces of information, even as important as the contents of the message itself. So much so that CIA agents say "We kill people based on metadata".
Now, Signal "promises" that they don't harvest the metadata. But WhatsApp also "promised" that they wouldn't let Facebook collect user data. It's evident how quickly they broke that promise.
The problem with Signal's "promise" is that they can't keep the promise. Any day, the US can order Signal to begin harvesting the metadata and share it with the CIA/NSA. And as Signal is under US jurisdiction, they will have to obey. And if they receive a gag order, unless we have a new Edward Snowden, no one will know.
And even without government orders, there are other issues.
Signal tries to use SGX to secure the metadata, but it's vulnerable to attacks. Signal also uses Amazon and Cloudflare for their servers/services. These companies do not respect your privacy, and, as they're under US jurisdiction, they can be ordered any day to hand over the information.
Conclusion: NOT recommended.
Alternatives to Signal, in case you need to communicate with a Signal user:
Molly: Molly is a Signal fork which fixes some problems:
- Molly has an F-Droid repo
- Removes proprietary Google code
- Includes additional security features
- Includes additional privacy features: Can be used with UnifiedPush so it doesn't phone Google HQ every couple of minutes
Conclusion: Much better than Signal, but still promotes (and uses) Signal's network, and requires a phone number to register.
Telegram
- E2EE*
- Open Source (GPLv2)
- F-Droid
- Very popular: it's likely that your friends are also on Telegram
- Has lots of public channels; has aspects/functions like social media
- X: Centralised
- X: Not private: requires a phone number
- X: E2EE not enabled by default.
Telegram is a very popular messenger used around the world. Some cybersecurity "geniuses" fabricated/invented imaginary problems, but they are probably the same "geniuses" that recommend proprietary, insecure, and non-private messengers like Signal so... Well, when starting a conversation, if you click on "Create secret chat" then Telegram is more private and secure than Signal. Unlike Signal, Telegram is on F-Droid, and is open source. Further, it doesn't use Google services for push notifications nor for updating. Also, Telegram is much easier to use (I've had so many bugs with Signal...) and has many public channels where you can find a lot of information.
Conclusion: For use as a private, secure messenger: Not recommended. Use SimpleX. However, if you cannot use SimpleX for whatever reason (e.g. your friends only have TG), or want to browse public channels, it's not a bad option.
Alternatives:
Forkgram is a fork (hence the name) of Telegram with privacy and security improvements. It's found on F-Droid, and is compatible with UnifiedPush for enhanced privacy and battery life.
Mercurygram is another fork of Telegram with various privacy and security improvements (but also disadvantages). However, it hasn't been updated in a long time, so it is not recommended. It can be used with UnifiedPush, but sometimes the notifications don't arrive. It has:
- Security improvements (using newer libraries)
- Privacy features and improvements.
Session/Briar/Matrix/XMPP/Conversations etc
There are very many of these messengers, and even more forks and clients. In general, in terms of security/privacy they are better than Molly/Mercurygram, but they have their own problems.
Conclusion: Better to use SimpleX
Discord/WhatsApp/Skype/FB Messenger/Instagram etc.
Proprietary code; they are neither private nor secure. You can assume that every message is forwarded to Google/Facebook/Microsoft/FBI/NSA HQ.