This spring, text messages got a lot more private. In April, the world’s most popular messaging service, WhatsApp, announced it would use end-to-end encryption by default for all users, making it virtually impossible for anyone to intercept private WhatsApp conversations, even if they work at Facebook, which owns WhatsApp, or at the world’s most powerful electronic spying agency, the NSA. Then in May, tech giant Google announced a brand new messaging app called Allo that also supports end-to-end encryption.

Making the news even better from a privacy standpoint is that both WhatsApp and Allo use a widely respected secure-messaging protocol from Open Whisper Systems, the San Francisco-based maker of the messaging app Signal.

To recap, there are now at least three different instant-message services that implement robust encryption: WhatsApp, Signal, and Allo. How is someone who cares about their privacy and security to choose between them?

In this article, I’m going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud — and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I’m going to advocate you use Signal whenever you can — which actually may not end up being as often as you would like.

What’s up, WhatsApp?

With more than 1 billion users, WhatsApp is the world’s most popular messaging app, which is why it was huge news among encryption advocates when the company announced a year and a half ago a partnership with Open Whisper Systems to integrate the Signal protocol into its product. The rollout was gradual, starting only on the Android version of WhatsApp and only for one-on-one text communication, but by this past April, WhatsApp was able to announce it was using the Signal protocol to encrypt all messages, including multimedia messages and group chats, for all users, including those on iOS, by default.

So if a government demands the content of WhatsApp messages, as in a recent case in Brazil, WhatsApp can’t hand it over — the messages are encrypted and WhatsApp does not have the key.

But it’s important to keep in mind that, even with the Signal protocol in place, WhatsApp’s servers can still see messages that users send through the service. They can’t see what’s inside the messages, but they can see who is sending a message to whom and when. And according to the WhatsApp privacy policy, the company reserves the right to record this information, otherwise known as message metadata, and give it to governments:

“WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.”

A WhatsApp spokesperson told the Committee to Protect Journalists, “WhatsApp does not maintain transaction logs in the normal course of providing its service.” However, the company makes no promises and could easily record and hand over metadata in response to a government request without violating its own policy.

When you first set up WhatsApp, you’re encouraged, but not required, to share your phone’s contact list with the app. This helps the WhatsApp service connect you with other users quickly and easily. A WhatsApp spokesperson confirmed to me that the company retains contact list data, which means that WhatsApp could also hand over your contact list in response to a government request.

Finally, online backups are a gaping hole in the security of WhatsApp messages. End-to-end encryption only refers to how messages are encrypted when they’re sent over the internet, not while they’re stored on your phone. Once messages are on your phone, they rely on your phone’s built-in encryption to keep them safe (which is why it’s important to use a strong passcode). If you choose to back up your phone to the cloud — such as to your Google account if you’re an Android user or your iCloud account if you’re an iPhone user — then you’re handing the content of your messages to your backup service provider.

By default, WhatsApp stores its messages in a way that allows them to be backed up to the cloud by iOS or Android. WhatsApp does let you remove your chats from these cloud backups if you go out of your way to do so, which I recommend you do if you use WhatsApp to discuss anything sensitive.

Allo, World