Best Secure, Private WhatsApp replacement for GNU/Linux

Privacy was never taken so seriously even after Snowden exposed what governments world-wide does in name of protecting us from terrorists, bad guys, sometimes each other. It is only during these hard times that we are going through, privacy infringing IM applications are coming to light as more and more people reckon on these services for communication with friends, family or colleagues at work.

Let us discuss a couple of options for non-business users who seek secure messaging with added features like audio/video calls and other things. The qualifying applications has to have most functionality on GNU/Linux platform. So, if a specific service however secure it might be is left out, you know the reason.

WhatsApp being a member of family of Facebook Apps, must be avoided by all means for obvious reasons.

1. Signal.org

Jurisdiction – USA

Servers – USA

Official word on privacy/security/encryption – Signal utilizes state-of-the-art security and end-to-end encryption to provide private messaging and Internet calling services to users worldwide (“Services”). Your calls and messages are always encrypted, so they can never be shared or viewed by anyone but yourself and the intended recipients.

Audio/Video call support – Yes, not supported on GNU/Linux as of yet

Whether End-to-end encryption enabled by default? Yes, on all platforms

Whether server and client software FOSS? Yes

Phone number required for Sign up? Yes

Can communicate with others without sharing registered number? No

It is defacto the most secure instant messaging option for text and files. The lack of GNU/Linux with audio/video calls for GNU/Linux client is a bummer and make you ditch this and go with one of the other options out there. It started as a secure SMS app for mobile platforms and then it flew from there. It is only recently that they have added dedicated GNU/Linux clients, it cannot act as a standalone client and if linked to your mobile Apps only.

Snowden has openly vouched for it in the past. It is run by non-profit called Signal Technology Foundation in the States, land of the free. It has a very good track record of fighting against illegal government requests and are also vocal about it. You can expect nothing but robust transparency with state-of-the-art encryption with Signal. Try it out.

Not my favorite for GNU/Linux but works for text and files the best.

Other worth mentioning features, are encrypted group chats.

2. Telegram

Jurisdiction – Dubai

Servers – If you signed up for Telegram from the UK or the EEA, your data is stored in data centers in the Netherlands. Not sure about others, probably in the same place.

Official word on privacy/security/encryption – We only store the data that Telegram needs to function as a secure and feature-rich messaging service.

Audio/Video call support – Audio only on all platforms including GNU/Linux, video recently announced to be deployed by end of the year.

Whether End-to-end encryption enabled by default? No, optionally available on Mobile platforms only as Secret Chats.

Whether server and client software FOSS? Only client software

Phone number required for Sign up? Yes

Can communicate with others without sharing registered number? Yes, using usernames.

Telegram is a free and open yet powerful messenger service from Mother Russia that is quite popular among free/libre software enthusiasts, thanks to the open API and protocol service that is freely available by Telegram. You can use it to make your own tools if you like. There is no silly file size limits for media sharing either.

They recently moved the legal registration to Dubai to protect its consumers from government attacks on the integrity of infrastructure. It says a lot about their intention since they do not sell their services to ad agencies or offer any paid plans as of yet.

The main theme of this free messenger service is continuity like how iMessages bragged about. Telegram has been a robust cloud based messenger service since day 1. You can switch to and continue conversations from one device to another. Also, can save any kind of media to ‘Saved Messages’ which are available on all the devices linked to your account. This is the main reason why end-to-end encryption is not enabled by default on Telegram. But you can optionally enable it on any of the Mobile platforms that you like. Of course, you cannot expect that Secret Chat to be available on other devices owing to encryption like how Signal does. It raises some questions as to how does it travel across devices.

Other worth mentioning features are Channels which can be used for announcements. Further, Telegram has gotten so popular that it is being used for support in various companies. There is a fully functional web client that works out of the box from any modern browser.

The fact that the website is banned in countries including India, makes it a good choice for people from India for security and privacy. They obviously do not have any right to break the encryption or have over sight on our communications.

Telegram is a thriving candidate among many digital companies for communication and support is a good option for you to pick, esp. when you are not on Twitter.

If the video call was available, it would be a good fit for all. Certainly a more versatile cloud friendly service than Signal with support audio calls.

3. Jami – a GNU package

Jurisdiction – Canada

Servers – Canada [Own and others including OVH] & France [OVH]

Official word on privacy/security/encryption – Jami relies on standard secure protocols and end-to-encryption, preventing the decryption of communications over the network and thus providing a high level of security and privacy.

Audio/Video call support – Both, works flawlessly on GNU/Linux.

Whether End-to-end encryption enabled by default? Yes

Whether server and client software FOSS? Yes

Phone number required for Sign up? No

Can communicate with others without sharing registered number? Yes, using ID or usernames.

It is developed by a prominent Qubec-based FOSS software developer or consulting firm from Canada called Savoir-faire Linux. It is also an official GNU package since 2016. Jami is free software for universal communication which respects the freedoms and privacy of its users. You can create a completely local account with no registration required. Everything is locally stored on your device. If you choose this setup, when you delete your application, everything is gone.

Jami provides all its users a universal communication tool, autonomous, free, secure and built on a distributed architecture thus requiring no authority or central server to function.

Jami optionally offers to register a unique username for an account. This name is stored on a public blockchain-based registry along with a public key. Once registered, the name cannot be transferred, deleted or changed.

Why did we mention servers if Jami is a truly distributed service?

Jami does not require a server to relay data between users. It gives a lot of benefits over other services in terms of privacy, scalability, no virtual bandwidth restrictions or file size limits.

Some configurable servers are still used for these cases, viz. push notifications, the OpenDHT proxy, bootstrap, name server, and TURN.

These are services hosted by the company to avail connections between peers. More can be read here.

Savoir-faire Linux offers a free public DHT proxy service and other services. This service does not store any logs or personal information.

Other worth mentioning features are screen sharing and conferences.

There is really nothing to complain. I wish there was more funds for advertisement as a lot of people are missing out on a great universal communication tool.

4. Threema.ch – Swiss Signal with web client

Jurisdiction – Switzerland

Servers – Switzerland

Official word on privacy/security/encryption – The messenger that puts security and privacy first. Privacy Is Worth Paying For. There is no such thing as a free lunch. If you don’t pay with money for a service, you pay with your data instead.

Audio/Video call support – Yes, not supported on GNU/Linux via web client as of yet [Video calls in beta since April 9th 2020].

Whether End-to-end encryption enabled by default? Yes

Whether server and client software FOSS? Only web client software and some parts.

Phone number required for Sign up? No

Can communicate with others without sharing registered number? Yes, using a random Threema ID.

Threema is an independent Swiss company hosting its own servers in Switzerland. From software development to customer support, everything is done in-house. The service is fully GDPR-compliant.

It focuses on privacy, anonymity, also is honest about privacy being something that is worth paying for. It is a completely paid service. Everything that is communicated using Threema is end-to-end encrypted. It is very transparent about the open technology used. A whitepaper on cryptography/security is published on the website.

It is meant for anonymous use with no account required bearing personal information like email or phone number just like Jami does.

Business solutions like Threema Work, Gateway and Broadcast are available.

There is no dedicated application that is available for GNU/Linux or desktop platforms. There is a web client called Threema Web that acts as secure encrypted tunnel to sync data from mobile devices. It is open source and can be self-hosted. It is also built with privacy and data security in mind. After the session is terminated, all synchronized messages are immediately deleted in the browser.

Open standards like SaltyRTC, an end-to-end encrypted signalling protocol are deployed. A web client from a paid service that we can self-host is so cool.

Threema is a service that is built with data protection and privacy in mind. Linking a phone number or email address is completely optional. It is one of the most serious messaging service that you get. Lack of audio/video calls support on desktop is not cool in 2020 like in case of Signal. Since I am paying for this service, I expect it to be fully functional on all platforms. There is a file size limit of 50MB too, which is quite low by today’s standards. If you care for Swiss jurisdiction or don’t like the fact that Signal is still in USA, Threema is a good choice for you especially when you get to host your personal web client on your infrastructure in your personal control.

Other worth mentioning features are that it can be used without access to/synchronization of address book, Contact lists and groups are managed entirely on users’ devices (no central storage of personal data) and no permission to read SMS history and device ID required on mobile devices. There is Handy Poll feature too.

Paying for a service is always not what an end-user expects today. But if you truly value your privacy, 3.99 CHF per license is not expensive. You can buy/gift it directly for Android devices and even download APK and use it on non-Google Android ROMs from https://shop.threema.ch/

Yes, Bitcoins along with bank transfer, Paypal and cards is accepted as expected.

Conclusion

A single solution cannot fit all, but for most Signal or GNU Jami depending on what you like interface wise should work just fine. For people for like cloud-based continuity should go with Telegram without any doubts, provided that they don’t do much of the video calls.

For me, I definitely like Threema out of the lot, being a Swiss based end-to-end encrypted IM, audio-video calling service with least personal data collection and their use of robust open standards in deploying the service. Being able to self-host the open source web client is cool and fun too. There is no issue with GNU Jami either but I prefer the slick interface on Apps and web client for Threema. Also, I like the fact that it makes us value our data by paying for a private service. It is something we all must get use to in near future. We are definitely spoiled by web giant who loot our personal data and make profit by selling it to the ad agencies online. It has to change.

What do you think? Let me know in the comments below.