Discussing Privacy with Normies

I’m talking to someone who I need to communicate with, he’s a total privacy normie from what I’ve been able to gather. He’s frustrated that I don’t want to communicate with him through WhatsApp or Instagram. I don’t use either and I’m not planning on ever going back. He also offered Telegram as an alternative, but as I explained to him, Telegram is no longer safe since Pavel Durov’s arrest (it never really was, but I didn’t get into that).

I, on the other hand, have offered him several alternatives, all of which are open source and very secure, like Session. He doesn’t want to use them. He told me "for me it’s much more secure to have a call over WhatsApp or Instagram or any API that met the European privacy standards”

Does anyone have any resources at hand that could explain to him why neither facebook/meta nor any of its companies are secure? I feel like he would be a lot more open to some third party telling him, possibly in video form so he doesn’t have to put in the effort of reading, which I fear will put him off even further.

If anyone has something, I’d greatly appreciate it. I know I have plenty of information about this, but I don’t know where. I should do a better job archiving and compiling information, because you never know when you’ll need it.

Thanks to everyone in advance
It’s great to find a community of people who also care about privacy and security. Privacy = freedom.

WhatsApp isn’t so bad because it’s E2EE, they have non-E2EE AI integration now though which is annoying. The main thing is that WhatsApp doesn’t protect your metadata as much as apps like Signal do, proven by released FBI documents (although this is a bit old I need to look into some more recent research). There’s a lot more privacy footguns like the aforementioned AI integration and unencrypted backups (you can do encrypted backups too it’s just not the only option as it should be). WhatsApp isn’t terrible but there’s certainly better options.

Telegram isn’t E2EE at all unless you use secret chats, so you’d need to be sure of that before you try to use it as a secure messenger.

Mainly it’s just really annoying to have to have so many messengers, it adds a lot of attack surface and clutters up your phone (both telegram and WhatsApp now support passkeys so make use of that feature to keep your account secure). With the upcoming RCS E2EE support in iOS it should be a lot easier to have relatively secure messaging by default without having to negotiate what app to use first.

I looked it up and instagram seems to offer E2EE messaging now as well so that honestly wouldn’t be a terrible option either. It’s mainly going to be the metadata that’s the issue again.

Re Telegram, it’s a surprisingly common view among people who don’t really understand how any of this stuff works. I encounter it on a biweekly basis with people outright mocking me for using “grandma messengers” while recommending Telegram, which admittedly has done a bang up job promoting itself as “secure” WhatsApp or even Signal alternative to unsuspecting minds. It’s infinitely worse than WhatsApp with all its aforementioned downsides, and Durov arrest has little to do with it.

Here you go.

A bit of an aside, but I am eagerly awaiting this. Its what makes moving away from iOS difficult when my network is largely comprised of iOS users.

I would explain that the frustration on this goes both ways: your friend likely doesn’t want to use yet another app, and neither do you. However, I would try to find a compromise. i.e., Signal operates in Europe, is a non-profit, and Meta is a for-profit company owning Whatsapp . I would explain that just because the minimum of the law is met does not mean its the bare-minimum privacy you want.

But also don’t convince your friend to join an esoteric messenger apps - in the case of session, it is decentralized, and that is harder to secure and get right. Signal is likely the best in this situation.

They perceive no threat worth mitigating, and thus see us as being unnecessarily difficult

I have not found the right order of words to convince such a person that mass surveillance directly undermines their liberty

I doubt that, they might not just see the specific things you care about as much of a threat or they’re not used to thinking about things in terms of a threat model. It pays to see what they’re worried about and tell them how certain things can mitigate the problem i.e. a password on your phone prevents thieves from getting in and draining your bank accounts.

You should definitely reframe it as you solving a problem for them rather than asking a favor for you.

In my experience, I’m not sure you’re going to have any success with this.

Ask yourself from both sides of this conversation: “what does the other person want out of this interaction?” How do you think he’s perceiving you right now?

There’s a lot of factors here to consider and questions to ask. You say that you “need to communicate with” him. What does that mean? “Need to for work?” Guess what? At work (my last job, I mean), I used all the garbage communications methods: SMS, Teams, you name it. “The nail that sticks out gets hammered down” or something like that. Pick your battles. There was no way I was gonna convince my company to use Signal (I couldn’t even convince them to get off LastPass), and my ability to put a roof over my head was priority.

If you “need” to communicate with him but risk of getting fired or in trouble is unlikely, how sensitive is the data really? Are you transferring financial documents? Fair enough (see next paragraph). Is it just “run of the mill business stuff”? Again, pick your battles. You may win the battle by getting him to use Signal, but you may lose the war by making him hate you and not enjoy working with you anymore because you’re being so difficult and obtuse. I promise you, there are few things worse (in this context) than being the employee everyone hates. I’ve been that guy and it literally caused depressive episodes.

In the case of the financial documents example, are you hiring him, like an accountant for example? In my opinion, if you’re hiring someone, they need to shut up and do what you’re paying them for or else you need to go find someone else. So if your accountant refuses to use encrypted email, for example, find one who does.

Soft skills are just as important in spreading privacy as the tech is, in my opinion. Not to be rude, but it seems to me like you’re coming at this from a “trying to win the argument” angle. Like Fria said, reframe the problem. Don’t make it “my privacy vs his whatever.” Make it “us vs the problem.” The problem is that you both want to communicate securely but have different opinions on what counts as “secure.” So how can you guys tackle that together?

It may also help toward that end (soft skills again) to explicitly say that you appreciate the options he’s offered. “Hey, I really appreciate you offering things like Telegram and WhatsApp, I promise I do. I recognize that you’re trying to be flexible and meet me halfway. But here’s why I’m worried those services aren’t secure enough for what we’re trying to do.”

Here’s a thought experiment: what are you gonna do if you just can’t convince him? Cause in my experience, you usually can’t. Maybe someday they might be receptive, but right now they’re not for whatever reason. So what then? Are you gonna cut ties and move on? Are you gonna give in and try to be that person in their life that they can go to with questions? Ask yourself that.

As others have suggested here, trying to convince an adult of anything is a fruitless endeavour and not worth pursuing. Assuming that this is more of a “friend”-type relationship, you can give some points for why you think privacy is important to you such as:

• would you care if a stranger was was constantly coming up to look through your window to see what you’re doing in the privacy of your home?

• would you care if in the future your health care premiums or life insurance were super high because your private communication history was shared with insurance companies that used it to profile you based on your drinking/drug taking/going out late/etc… habits?

If they don’t care about anything and are not agreeable then that’s suggestive of dark personally traits and/or low intelligence and you should be questioning why you want to communicate with this person in the first place.

You have to give them some real-world examples instead of hypotheticals. News stories or better yet if something happened to them personally that would’ve been prevented by the thing you want them to do.

This is going way too far, most people have other things going on and they don’t really want to have to worry about this stuff. It doesn’t mean they’re dumb it just takes educating and persuading like anything else.

In case you haven’t already come across it, OP, here’s a related thread on how to approach discussing privacy:

Maybe you can fetch some inspiration from there as well?

From what he offered, the best is Telegram (in Secret Chat mode). Far better than meta. It at least doesn’t track you.

But Signal is best chioce, it also well-known, why don’t you recommend it to him? Wy exactly Session?

Based in the opinions of this thread, basically you can’t “lockdown” someone to your options, like “you gotta use Session or else I’m not talking to you”, so being flexible is key in cases like this, and sometimes we just have to compromise a bit of our privacy to achieve this. If they, for example, offered you to communicate over Telegram and you want to avoid Meta, then choosing TG is the way to go because that way the other person is OK using an app they feel comfortable with and you are away from Meta.

I’d personally choose a messaging app that we both have in common because installing multiple messaging services may increase your attack surface, and as @nateb pointed out this depends on the type of communication you’re having with the other person too. I think WhatsApp is completely fine if the messages and their contents that you’re exchanging with the other person are not confidential or very normal. You can also exchange your security codes in WhatsApp with the other person to verify that the chat is E2EE as an extra security step.

The main problem with your question is you’re looking for answers that you want rather than the actual answer. Does anyone have any resources at hand that could explain to him why neither facebook/meta nor any of its companies are secure? Big tech companies like meta have all the resources to make their platforms more secure. Compared to Session which doesn’t have PFS (though this will be added soon), WhatsApp does have better encryption.

That being said, a group of Austrian researchers have discovered a huge security flaw in WhatsApp recently. If that raises concern, could you not convince your friend to switch to Signal? Seems like the easiest option and you can even tell them it’s so secure that Trump’s own national security team uses it to text war plans.

But what’s the actual problem here? Is it that your friend refuses to use Session? OR they refuse to move away from WhatsApp?

I always find not calling them normies works well. Selling security is hard, so I mostly focus on social issues like hate speech, radicalism, and monetization of anger.

I have just stopped using anything except Signal for personal messaging. I find it too taxing to chase around people to switch things, while in this way the only way to reach me is to install Signal. If asked I do find the “Why should I be forced to switch something you don’t even strongly feel about while you think it an inconvenience to switch to what I feel strongly about” to be a useful argument. So far it has been successful, and the ones who didn’t switch I catch up with in person

As for videos, I had the most success during whistleblower news cycles when the mainstream media is also peddling the fear against megacorps and US surveillance state.

Examples:

I disagree. There has to be a word that describes people who adheres to mainstream views among any particular interests. I’m sure we’ve been in situations where we want our friends or family to communicate with us under our own terms, but can’t because it’s not under their terms. And their terms are whatever normies are using i.e. WhatsApp.

Are you suggesting every single person in this forum was of low intelligence before starting their privacy/security journey?

Thank you! This was the kind of thing I was looking for.

You lost me at “proven by released FBI documents”. Also, someone posted a link below with a video detailing many of the things that are wrong with WhatsApp.

I’ll add my own: WhatsApp, Telegram and Instagram are linked to phone numbers an e-mails. The fact that both WhatsApp and Instagram aren’t open source means that there’s a chance for bad behavior that can go unnoticed with every update. But it’s facebook/Meta we’re talking about, of course they’d never engage in any wrongdoings!

Honestly, E2EE should be the least of anyone’s concerns when they look into an app. The first step should be the track record of the big tech corporations that operate them. There’s absolutely no reason for anyone to rely on WhatsApp or Instagram for private and safe communications knowing what we know.

Especially when great alternatives like Session exist.

I wouldn’t consider that “huge security flaw” as a “huge security flaw”, it’s just WhatsApp being WhatsApp.

I mean, at the end of the day that’s the idea… For example, Instagram needs to be closed-source because otherwise everyone could grab their code and make a privacy-friendly, no-ad version of the app, and obviously that’s not on Meta’s papers.

If you want an open-source[ish] Instagram you may need to use the web version[?].