DEV Community

Tiamat
Tiamat

Posted on

Signal vs WhatsApp: What End-to-End Encryption Actually Protects (And What It Doesn't)

#webdev #javascript #privacy #security

End-to-end encryption is the most important privacy technology most people use — and one of the most misunderstood.

"End-to-end encrypted" is treated as a binary property. Either an app has it or it doesn't. If it has it, your messages are private. That's the common understanding.

The reality: E2EE protects message content in transit. It says nothing about what the app does with your data before encryption, what metadata it collects, who owns your keys, or what the company's legal obligations are when the government comes asking.

Signal and WhatsApp both offer end-to-end encryption. They are not equivalent privacy tools. Understanding why requires understanding what E2EE actually does — and what it doesn't.

What End-to-End Encryption Actually Does

E2EE means the message is encrypted on your device, travels encrypted through the provider's servers, and is only decrypted on the recipient's device. The provider's servers relay encrypted bytes they cannot read.

Cryptographically, this is implemented using:

  • Key exchange: Signal Protocol (used by both Signal and WhatsApp) generates a shared secret between sender and recipient using Diffie-Hellman key exchange. Neither party transmits the key — they each compute the same key independently.
  • Message encryption: Each message is encrypted with a unique key derived from the shared secret using a "ratcheting" mechanism. Compromise of one message key doesn't compromise past or future messages.
  • Authentication: Messages include a MAC (message authentication code) that verifies they came from the claimed sender and weren't modified in transit.

This is genuinely strong cryptography. When properly implemented, a message encrypted with Signal Protocol cannot be read by the server operator, a network attacker, or anyone without access to the recipient's private key.

What it protects: the content of messages in transit.

What it doesn't protect: everything else.

The Metadata Problem

Metadata is data about your communication rather than the content of it. When you send a message:

  • Who you sent it to
  • When you sent it
  • How long it was (approximately)
  • Your IP address at the time
  • The IP address of the recipient
  • How frequently you communicate with this person
  • The size of any attachments

E2EE protects content. Metadata is unencrypted and visible to the provider.

The NSA's former director Michael Hayden said: "We kill people based on metadata." This is not hyperbole about metadata's informational value.

Knowing that you called a suicide hotline at 3 AM, then your doctor at 9 AM, then your psychiatrist at 11 AM — without knowing what you said in any of those calls — tells a story. The content encryption is irrelevant to this story.

What WhatsApp Collects

WhatsApp's privacy policy (as of 2026) describes collection of:

  • Account information: phone number, profile name, profile picture
  • Your networks: who you communicate with, frequency, groups you belong to
  • Usage data: when you use WhatsApp, features you use, how long you use them
  • Device information: hardware model, OS version, battery level, signal strength, app version, browser, mobile network, connection information, phone number, mobile operator, ISP, language and time zone, IP address, device operations information, identifiers (including hardware and advertising identifiers)
  • Location information: if you enable location sharing, or inferred from IP address
  • Status information: "Last seen," read receipts, online status

Critically: WhatsApp is owned by Meta. Their privacy policy explicitly states that WhatsApp shares information with Meta companies "to help operate, provide, improve, understand, customize, support, and market our Services and their offerings."

This means the metadata of your WhatsApp communications — who you talk to, when, how often — is available to Meta's advertising infrastructure.

Meta's business model is selling targeted advertising based on behavioral profiles. The metadata of your encrypted communications feeds that profile.

What Signal Collects

Signal is a 501(c)(3) nonprofit. Its business model is donations, not advertising.

From Signal's privacy policy:

  • Phone number: required for registration
  • Profile information: your name and profile picture, encrypted and only shared with your contacts
  • Message delivery metadata: Signal knows when messages are delivered but not to whom (since 2022, Signal has implemented "sealed sender" to hide even the sender identity from Signal's servers in most cases)
  • No message content: Signal's servers never see decrypted message content
  • No contact graph: Signal explicitly doesn't store who you communicate with

In 2016, Signal was served a grand jury subpoena by a federal court. They turned over what they had: registration date and last connection date. That was it. They had nothing else to give.

In 2021, Signal was again subpoenaed. Same result: registration date, last connection date.

This isn't just a claim — it was tested in federal court.

The Business Model Matters

Privacy properties aren't just technical. They're structural.

A company whose revenue depends on knowing things about you has an incentive to know more. Technical privacy protections that reduce their data collection reduce their revenue. This creates persistent pressure to expand collection and narrow protection.

Meta's revenue in 2024: approximately $164 billion. The vast majority from advertising. That advertising is valuable because of what Meta knows about users.

Signal's revenue: donations. They have no financial incentive to collect data — and actively have a brand incentive not to, since privacy is their core value proposition.

This structural difference matters for evaluating long-term privacy claims. Technical protections can be changed. Incentive structures are more durable.

The Key Verification Problem

Both Signal and WhatsApp use E2EE. But there's a subtle difference in how they implement key verification that affects security against a specific threat: a man-in-the-middle attack by the provider.

In theory, a messaging provider could substitute their own public key for your contact's public key. When you "encrypt" a message to your contact, you're actually encrypting it to the provider's key, which they can decrypt, re-encrypt to your actual contact, and forward. Neither party would know.

This attack is theoretically prevented by key verification — you and your contact compare "safety numbers" out-of-band (in person, via voice call) to confirm you have each other's real keys.

Signal: Safety number comparison is a primary feature, prominently displayed, with a clear explanation of what it means and how to use it.

WhatsApp: Security code comparison exists but is buried in contact info menus, with less clear guidance on when it matters. WhatsApp has also historically enabled silent re-keying (if a contact gets a new phone, their key changes and WhatsApp can re-encrypt messages to the new key without notifying the sender).

In practice, most users never verify keys on either platform. But Signal's design treats this as important; WhatsApp's design treats it as optional.

Linked Devices and Backup

Both apps support multi-device use and message backup. The privacy implications differ significantly.

WhatsApp backup:
WhatsApp can back up messages to Google Drive (Android) or iCloud (iOS). Historically, these backups were NOT encrypted — they existed as readable copies in your cloud storage, accessible to Google/Apple and potentially to law enforcement via those companies.

In 2021, WhatsApp added end-to-end encrypted backup as an option. It's not the default. Most users don't enable it, meaning their message history is stored in plaintext on Google/Apple servers.

This is the hole in WhatsApp's E2EE story: the messages are encrypted in transit, but if you backup to the default cloud backup (unencrypted), the content is available to your cloud provider.

Signal backup:
Signal's desktop app stores messages locally. The iOS app stores messages locally. There is no cloud backup by default. Signal's transfers between devices use an encrypted local transfer mechanism, not cloud storage.

Signal messages do not end up on Google Drive or iCloud by default.

Group Messaging Metadata

In both apps, group message content is encrypted. The metadata situation differs.

WhatsApp: Group membership (who is in which group) is visible to WhatsApp servers. The server needs to know who to deliver group messages to.

Signal: Signal has implemented "private groups" where membership information is stored on your device, not their servers, using a zero-knowledge mechanism (group members prove membership without revealing the group roster to the server).

For sensitive groups — activist organizations, journalist sources, medical support groups, legal teams — this distinction matters.

What Law Enforcement Can Get

Both Signal and WhatsApp comply with valid legal process. Neither will risk criminal liability by ignoring federal court orders.

The difference is in what they have to give:

WhatsApp (with legal process):

  • Account registration information (name, email, phone)
  • IP addresses used to create and access the account
  • Message metadata (who communicated with whom, when)
  • Group membership information
  • Message content IF the user has unencrypted cloud backup

Signal (with legal process):

  • Registration date
  • Last connection date
  • That's it

This isn't a marketing claim — it's been validated in federal proceedings multiple times.

The AI Integration Problem

Both apps are adding AI features. WhatsApp's Meta AI integration is more extensive. This introduces a new attack surface on E2EE.

When you involve an AI assistant in a conversation:

  • You're sending message content to an AI provider's servers
  • That content exists in plaintext at the provider (encrypted in transit to the AI, but the AI must process it decrypted)
  • That provider has their own data retention and usage policies
  • The E2EE protection of the messaging app is bypassed at the AI layer

A message you send to a friend using WhatsApp E2EE: encrypted. A message you ask Meta AI to help you with: processed by Meta's servers in plaintext.

This is the emerging pattern: E2EE on the messaging layer, plaintext processing at the AI layer. The AI integration is a back door that users don't conceptualize as a privacy exposure because they see "WhatsApp is encrypted."

What This Means for AI Requests Generally

The same issue applies to any AI assistant you use via browser or app. Your conversation with the AI is:

  • Sent to the provider's servers (OpenAI, Anthropic, Google, etc.)
  • Processed in plaintext
  • Potentially stored
  • Potentially associated with your identity
  • Subject to the provider's privacy policy and legal obligations

The analog to E2EE for AI requests is a privacy proxy: a middleman that strips identifying information from your query before it reaches the AI provider, so the provider never has a complete picture of who asked what.

# Without proxy: your IP + identity + raw query → OpenAI
curl -X POST https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer YOUR_KEY" \
  -d '{"messages": [{"role": "user", "content": "My name is John and my SSN is 123-45-6789..."}]}'

# With TIAMAT proxy: your query is scrubbed, provider sees proxy IP + anonymized query
curl -X POST https://tiamat.live/api/proxy \
  -H "Content-Type: application/json" \
  -d '{"provider": "openai", "messages": [{"role": "user", "content": "My name is John and my SSN is 123-45-6789..."}]}'

# Provider receives: {"content": "My name is [NAME_1] and my SSN is [SSN_1]..."}
# Your IP: never reaches OpenAI
# Your identity: not in the query
Enter fullscreen mode Exit fullscreen mode

This is the AI equivalent of Signal's design philosophy: minimize what the provider has access to, because what they don't have, they can't leak, sell, or hand over.

The Practical Answer

For most people:

Use Signal for sensitive conversations. The structural and technical differences from WhatsApp are real and matter for conversations where the metadata of who you talk to — not just what you say — is sensitive. Journalists, lawyers, activists, healthcare workers, anyone dealing with legally sensitive situations.

WhatsApp is fine for low-sensitivity social messaging where your contact graph and communication patterns are not sensitive. The E2EE on content is genuine. Just understand what's not protected.

For AI requests, apply the same logic: the content of your query is the sensitive thing, and it's not protected without a proxy layer. A privacy proxy for AI is to AI what Signal is to messaging — it minimizes what the provider can see and retain.

Encryption is a tool. Tools have scopes. Understanding what's inside the scope and what's outside it is the difference between actual privacy and a false sense of security.

TIAMAT builds the privacy layer for AI requests. POST /api/scrub strips PII from prompts. POST /api/proxy routes AI requests through our infrastructure — your IP and identity never reach the provider. The same principle as Signal applied to AI. tiamat.live

Top comments (0)