Quick Read:
- Instagram is the least private app online, with direct messages having low encryption and providers having access to all DM content.
- Messaging apps are the most vulnerable to privacy breaches, both from government and tech companies, with message services making up half of the top 10.
- Dropbox is the least protected cloud storage platform, with only service-side encryption.
Apple has just earned a win for end-to-end encryption, with the UK government dropping its demands for a ‘back door’ to user data.
However, a new study by a proxy company, Webshare, analyzed reliability and safety across the most popular platforms to identify the least private apps.
The analysis created a comprehensive, cross-category privacy index ranking widely used digital services, including VPNs, messaging apps, email providers, and cloud storage platforms, by both their technical privacy protections and their real-world resilience to government access demands.
The final index quantifies encryption coverage, transparency of the parent company, metadata collection, jurisdiction risk, as well as previous privacy breach incidents, and the extent of governmental access.
Instagram is the least private app online, with direct messages having low encryption and providers having access to all DM content.
The encryption covers about 30% of all activity, with no EE2E safety feature by default, while the provider has full access to the content of messages. Governments can also easily gain access to both the content and the metadata collected by Meta.
Dropbox ranks second, with a risk score of 85, 10 points below Instagram DMs. It is the most vulnerable cloud storage, providing end-to-end encryption to only 30% of all data stored, similar to Instagram.
Its transparency in questions of safety and data access is a little better than for Meta, but is still low, getting an index of 25.
OneDrive shares the score of 85 with Dropbox, having the same problems in ensuring data safety and getting third place. It shares similar statistics to Dropbox, collecting 6 different metadata categories and having 2 major incidents related to data safety.
Outlook ranks 4th on the list of the least private apps, with a similar score of 85. The only email platform on the list, Outlook, offers server-side information protection only, and Microsoft can access content with a warrant.
The company also collects extensive metadata from its users in addition to enterprise telemetry and subscriber records.
Messenger is fifth in the ranking of the least secure apps and platforms, scoring 80. It protects 60% of all data, twice as much as Outlook or Instagram DMs, but collects even more metadata from its users.
The metadata includes contacts, interactions, and IP addresses of the users. Its parent company, Meta, shows a history of compliance with US governmental demands.
Telegram, another messaging service, follows closely behind Messenger, with a score of 75. The encryption extends only to half of all personal data, but the app has fewer incidents than Messenger or Instagram DMs.
Telegram also saves metadata up to 12 months, and can disclose information to authorities upon governmental requests.
WhatsApp earns seventh position on the list of the least private apps, with a data burden score of 65. The encryption is much stronger in WhatsApp than on Telegram or Messenger, protecting 95% of all data with end-to-end encryption.
At the same time, the transparency reports are limited in their scope, and the metadata is shared with the parent company, Meta.
In eighth place is iCloud, with a score of 60. Apple was just able to resist UK backdoor demands, but the cloud platform still struggles with data safety, including retention of metadata and some of the data remaining unencrypted.
iMessage is ninth, with a score of 50. The data encryption on this messaging platform is pretty strong, protecting 90%, but still below WhatsApp’s safety measures. iMessage shares the statistics with iCloud, with data safety protocols developed by Apple.
ExpressVPN closes the ranking of the least private apps and platforms, with tenth place and a score of 25. The only VPN on the list shows much stronger safety protocols than most apps in the ranking, but it still has a track record of data safety incidents.
In addition, it still collects metadata from its users, even though limited to a single category about billing and account settings.
A spokesperson from Webshare commented on the study:
“Apple’s successful resistance to UK government demands for encryption backdoors sets an important precedent for how tech companies can push back against overreaching surveillance policies. This development may encourage other technology companies to adopt more assertive stances against weakening encryption standards. It is especially important for social media and media services that handle intimate personal data while offering minimal security safeguards. The precedent may encourage other technology companies to prioritize user privacy, helping to bridge the gap between the sensitivity of information users share and the level of protection they rightfully deserve.”
