Recent events (although the issue has been brewing for more than a decade) show the importance of protecting your privacy when using online services, particularly messaging applications.
You are surely familiar with the popular ones: SMS, WhatsApp, Facebook Messenger, iMessage, whatever it is that Google is promoting as their messaging app at the moment, Telegram, Signal, and in some regions, Line and Viber. Each one has its own disadvantages: from being single-platform (iMessage), to being owned by surveillance companies (Meta, Google), to having unvetted encryption protocols, and so on.
The search for the messaging application that is cross-platform, secure and protects your privacy continues. Personally, I am content with using iMessage for a majority of my family.
So what do I use for cross-platform messaging? At the moment, I am using Signal. Signal addresses most of the security and privacy requirements, and it is not owned by any company that collects data (metadata) for profit.
However, Signal fails in one (1) major area and one (1) minor area, at least for me. The first is a major failure: Signal requires your mobile number, which is at the top of the personally identifiable information (PII) list. Mobile numbers are not that easy to replace, unlike email. Signal requires it, and whilst they announced that they will soon replace it, it is still vaporware at this point, with no target date in sight.
The second Signal issue, albeit a minor one, is that it is a US company, and the US currently does not have the best track record in ensuring the privacy even of its citizens, let alone those who are not protected by its laws.
Messages are protected by encryption, of course, but like email, the sender's and receiver's mobile phone numbers are out in the open (they may be hashed, but are available nonetheless) and can be shared with the US government. Using Signal is akin to using SMS: you only need to know the mobile number of the person to start a conversation, or to spam them, hence convenient.
User on-boarding is very simple: download the app, create an account and log in using your mobile number, and that is about it. You can start messaging. In most cases, those who are in your address book and have Signal accounts will be alerted that you have joined Signal.
I wish Signal would stop doing this. So far, all the other messaging apps I have listed above fall short of what you need for a safe and secure messaging application. So the search continues.
Right now, I have two (2) candidates - Session and Threema.
Both solve the major issue with Signal: Session and Threema do not need your mobile phone number; each uses an ID that does not identify users directly. However, Session uses a rather long alphanumeric ID, which might be an issue when sharing it with others.
As for my minor issue with Signal, Session is based in Australia, which is a friend of the US (so it probably has the same issue as Signal being US-based). However, Session uses a Tor-like network, which is composed of different servers that route your encrypted messages, instead of a central server like Signal - Session is better, right?
As for Threema, well, it is based in Switzerland, a country that has far better privacy protection than most. In addition, Threema uses its own servers, i.e., it is not dependent on Amazon, Google, and other cloud companies.
Session and Threema look like perfect candidates as *the* messaging app. My issue with Session is that the ID is too long and not easy to share with others. In a way, this is good since it is difficult to match it to a specific user, but the user experience suffers. A balance needs to be struck, but not without getting into the cryptocurrency play that Session asks for in order to have a unique username that maps to the long ID.
My issue with Threema is the one-time USD 5 barrier to entry. It is understandable that they are a paid service: that is how they sustain their services, as opposed to mining your metadata and selling it or using it for targeted advertising under the cover of being free.
This, IMHO, is what prevents it from getting popular, but maybe that is by design. Should I settle for Session and get bogged down by the long Session ID, should I bite the bullet and pay for Threema, or should I wait for Signal to ditch the mobile number requirement (as to when this happens, nobody knows)?