Discord DAVE vs Signal, Telegram & WhatsApp: 4 Privacy Gaps
Discord's DAVE protocol encrypts calls end-to-end, but 4 gaps keep it below Signal's privacy bar. Here's what's covered—and what's still exposed.
Discord rolling out end-to-end encryption for voice and video feels like a genuine milestone for a platform that spent years prioritizing feature velocity over privacy. But "encrypted calls" is not the same as "private platform." The gap between those two things is exactly where the confusion lives. This piece walks through what Discord's DAVE protocol actually covers, how it compares technically and operationally to Signal, WhatsApp, and Telegram, where metadata still leaks regardless of encryption, and what the audit history tells you about each platform's real-world trustworthiness. No marketing language. Just the technical picture.
What Discord Actually Shipped
Discord's new encryption layer has a name — DAVE, short for Discord's Audio and Video Encryption — and it's not a marketing gimmick. The protocol is real, built on a legitimate IETF standard, and independently reviewed before broad rollout.
DAVE uses the Messaging Layer Security protocol (MLS, standardized as RFC 9420 in July 2023) for group key exchange, combined with WebRTC for transport-level encryption of the media stream itself. In practice, audio and video call content is encrypted end-to-end: Discord's servers facilitate signaling — connecting you to other participants — but cannot decrypt what you're saying or showing on camera. Cryptographic keys live only on participant devices.
Trail of Bits reviewed DAVE's design and implementation in late 2023. No critical vulnerabilities were found, though they flagged medium-severity issues around key confirmation that Discord addressed before the wider 2024 rollout. That's a reasonable security process.
That point is the central fact anyone excited about this announcement needs to hold onto. Your entire text history — years of DMs, shared files, sensitive conversations — sits on Discord's servers, accessible to the company. DAVE encrypts the call stream. That's it.
There's also a deployment caveat: DAVE is fully active for direct-message voice and video calls as of early 2025, with server-based voice channels on a rolling schedule. A small shield icon in the call UI confirms whether DAVE is active for your session. If you don't see it, update your client.
How Signal, WhatsApp, Telegram, and Discord Actually Encrypt
Not all E2E encryption is equivalent. Protocol choice, key exchange design, and scope of coverage create enormous differences in what "encrypted" actually means.
Signal
Signal runs on the Signal Protocol — a combination of the Double Ratchet Algorithm and X3DH (Extended Triple Diffie-Hellman) key exchange — and has been the cryptographic reference standard since roughly 2013. Every message, call, video chat, and file transfer is E2E encrypted by default. No secret mode to toggle.
What separates Signal from every other app here: sealed sender. Most messaging apps encrypt content but still reveal metadata — who is talking to whom, and when. Signal's sealed sender feature obfuscates the sender's identity even from Signal's own servers, limiting the platform's ability to build a communication graph. The server architecture was deliberately designed to minimize what Signal Inc. — now the Signal Foundation, a non-profit — can know about your activity.
Both client and server code are open source. Multiple independent audits have been conducted over the years by Cure53, Trail of Bits, and iSEC Partners. The non-profit structure removes the financial incentive to monetize user data.
WhatsApp uses the Signal Protocol — identical underlying cryptography. Content encryption for messages and calls is genuinely comparable at the protocol level. So why does the privacy comparison still favor Signal? Metadata.
Meta owns WhatsApp. The company tracks who you talk to, when, how often, call duration, device identifiers, IP addresses, and group membership. That metadata is highly valuable for Meta's advertising infrastructure and legally compellable. In 2021, WhatsApp's updated Terms of Service made metadata sharing with Meta mandatory for users outside the EU, triggering mass migrations to Signal and Telegram. Encrypted content doesn't help when the social graph is exposed.
Backup encryption is another gap. The option to enable E2E encrypted backups on iCloud or Google Drive now exists on both iOS and Android, but it remains opt-in — and most users haven't enabled it.
Telegram
Telegram's security reputation significantly outpaces its technical reality. Regular chats, group chats, and channels use server-side encryption — Telegram holds the decryption keys and can read your messages if compelled. Only "Secret Chats" are E2E encrypted, and those are device-locked: no cross-device sync, no desktop access from a mobile secret chat.
Telegram's in-house MTProto 2.0 protocol has received limited independent scrutiny compared to the Signal Protocol. Not proven broken, but not audited by major firms to the same depth. Pavel Durov's arrest in France in August 2024 and subsequent legal pressure on the platform to cooperate with law enforcement made the practical risk concrete, not hypothetical.
The comparison with post-DAVE Discord is striking: for voice and video calls, Discord's encryption is now stronger than Telegram's default mode.
Discord (DAVE Protocol)
Discord encrypts the audio and video media stream end-to-end during qualifying calls. MLS is a solid modern standard with strong forward secrecy properties designed specifically for group key exchange scenarios. The closed-source client is the persistent trust limitation — you cannot independently verify that Discord's app correctly implements only what DAVE describes. Trail of Bits audited the design and reviewed the implementation, but ongoing verification requires trusting the distributed binary.
The Metadata Problem That Gets Buried in Headlines
Here's the counter-intuitive argument privacy advocates don't make loudly enough: for most real-world threat models, metadata is more dangerous than content.
If a government subpoenas Discord and receives a list of everyone you called, when, how long, with which accounts, from what IP address, across what servers — that is a detailed social graph. Encrypted call audio doesn't protect you if the metadata tells the story. This is the documented intelligence approach from the Snowden-era disclosures. "We kill people based on metadata," as former NSA director Michael Hayden stated in 2014.
Discord collects substantial metadata regardless of DAVE: account information, IP addresses, device fingerprints, server membership, call timing, friend lists, usage patterns. This is in their privacy policy and consistent with how any ad-supported or subscription platform operates. DAVE changes none of that.
Signal is the only app on this list that makes a genuine architectural effort to minimize metadata collection — sealed sender, minimal server logging, a non-profit that publishes detailed responses to government requests (the consistent finding: almost nothing to produce). I've read through Signal Foundation's published legal responses, and the gap between what Signal can hand over versus what Discord or Meta can hand over is not marginal. It's categorical.
This pattern repeats across privacy tools. Just as we've explored how headline features in password managers can obscure what the tool actually protects against, messaging app encryption announcements often describe the best case while leaving the metadata exposure unaddressed.
Audit History and Transparency: What the Record Actually Shows
| Platform | Protocol | Protocol Audit | Client Audit | Open Source? | Transparency Report |
|---|---|---|---|---|---|
| Signal | Signal Protocol (Double Ratchet + X3DH) | Yes — Cure53, iSEC, Trail of Bits (multiple) | Yes | Yes (client + server) | Yes — legal responses published |
| Signal Protocol | Yes (same audits) | No | No | Yes (Meta's broader report) | |
| Telegram | MTProto 2.0 (proprietary) | Limited — 2015 bug bounty only | No | Partial (client only) | Minimal |
| Discord | DAVE (MLS-based) | Yes — Trail of Bits, 2023 | Partial (design review) | No | Limited |
Signal's structural advantage: open source means continuous public scrutiny, not periodic point-in-time audits. WhatsApp uses a well-audited protocol in a closed client owned by a company with a direct financial incentive to maximize data collection. Telegram's MTProto has never received a comprehensive audit from a tier-one security firm — which isn't proof it's broken, but it's a meaningful omission for a platform that markets itself as privacy-first.
Discord's Trail of Bits engagement is genuinely positive for a company historically indifferent to encryption. Commissioning an external audit before wide rollout is the correct approach. The scope limitation matters though: the audit covers DAVE's design and implementation, not Discord's overall data architecture, text message handling, or server infrastructure.
Making security tool choices based on audit scope rather than marketing claims is a discipline that applies broadly. The same evaluation framework matters whether you're picking a messaging app or, as the long-term cost and feature comparison of 1Password and Bitwarden shows, a password manager that will hold your most sensitive credentials across years of use.
The Real-World Picture: Who Should Actually Care
Most privacy discourse treats this as a fixed hierarchy — Signal at the top, everything else below — and for high-risk users (journalists, lawyers, activists, people in authoritarian environments), that hierarchy is correct and non-negotiable. Signal is the only option combining comprehensive E2E encryption, genuine metadata minimization, open-source code, and a non-profit structure.
But most Discord users aren't journalists. They're gamers, hobbyists, and community members who coordinate raids and share memes. For that population, DAVE is a material improvement: Discord employees can no longer intercept voice conversations, and neither can most network-level eavesdroppers. That is a real change from 2023.
The person who should be most alarmed by Discord's announcement is not a Discord user. It's a Telegram user who believes they're on a "private" platform while conducting sensitive conversations in regular chats that Telegram can access at any time. That's the counter-intuitive reading: post-DAVE Discord is a more private option for voice calls than Telegram's default mode.
For text communication, the comparison is not competitive. Signal encrypts every text message end-to-end with open-source code running on infrastructure designed to know as little as possible. WhatsApp encrypts text but gives Meta the social graph. Telegram's regular chats are cloud storage with a messaging interface. Discord DMs are server-accessible. None of the alternatives to Signal come close for sensitive text.
In my testing and research, I noticed this data collection reality is something worth evaluating systematically across your entire digital footprint. Just as the privacy audit of wearable platforms from Fitbit to Oura reveals distinct risk profiles that their App Store listings don't capture, messaging platforms present a curated version of their data practices that buries the most important variables: who can access what, under which legal jurisdiction, and what the business model requires.
Platform Threat Model Summary
| Threat | Signal | Telegram | Discord (post-DAVE) | |
|---|---|---|---|---|
| Network eavesdropper on call content | Protected | Protected | Protected | Protected |
| Platform reading your text messages | Protected | Protected | NOT protected (regular chats) | NOT protected |
| Platform accessing call audio | Protected | Protected | Not applicable (no E2E calls) | Protected (DAVE) |
| Metadata / social graph exposure | Minimal | High (Meta) | Moderate | Moderate–High |
| Government compelled disclosure | Almost nothing available | Metadata available | Content + metadata available | Metadata + texts available |
| E2E backup encryption | N/A | Opt-in | N/A | N/A |
Discord DAVE vs Signal: Pros and Cons
| Discord (DAVE) | Signal | |
|---|---|---|
| Voice/video E2E encryption | Yes (qualifying calls) | Yes |
| Text message E2E encryption | No | Yes |
| Metadata minimization | No | Yes (sealed sender) |
| Open-source client | No | Yes |
| Independent audit | Partial (Trail of Bits, 2023) | Multiple, ongoing |
| Business model | Ad-supported / Nitro subscriptions | Non-profit donations |
| Government cooperation risk | Metadata + text content | Almost no data to produce |
| Community/server features | Full ecosystem | Minimal |
| Large group calls | Yes | Limited |
The tradeoff is genuine. Discord offers capabilities Signal was never designed for — persistent servers, community bots, hundreds-person voice channels, screen sharing at scale. If those features are load-bearing for your use case, DAVE is a meaningful step forward. If your requirement is private communication with a defined group of people, Signal wins every security dimension without exception.
Quick Checklist: What to Actually Do Right Now
-
Verify DAVE is active in your Discord calls. Look for the shield icon in the call UI during a DM voice or video call. If it's missing, update to the latest client build — 2025 releases have broad DAVE coverage for DM calls.
-
Enable encrypted backups on WhatsApp if you use it. Navigate to Settings → Chats → Chat Backup → End-to-End Encrypted Backup. Generate a 64-digit encryption key and store it in your password manager — not in a screenshot.
-
Audit your Telegram conversations. Which are Secret Chats versus regular chats? Anything you'd be uncomfortable with Telegram holding on their servers needs to move to Secret Chat or a different app entirely.
-
Download Signal for sensitive text conversations. Registration requires a phone number, but Signal now supports usernames — you can share your contact info without exposing your number. Free app, non-profit operator.
-
Do not conflate "encrypted calls" with "private platform." Discord's DAVE is a genuine improvement for call content. It changes nothing about Discord's data retention, metadata collection, or terms of service for text. Adjust your usage accordingly — Discord for community, Signal for sensitive coordination.
-
Define your threat model explicitly before choosing an app. "I don't want my gaming conversations recorded" is a very different requirement from "I need operational security against a capable adversary." DAVE satisfies the first. Only Signal satisfies the second.
-
Use both apps. There is no technical or practical reason you cannot have Discord for communities and Signal for private communication. Treating this as an either/or decision misses how most people actually use these tools.
Sources & Further Reading
Signal Foundation — Technical Documentation Library — The Signal Protocol's canonical specifications, including the Double Ratchet Algorithm paper and X3DH key agreement protocol, published and maintained by the Signal Foundation. Essential for understanding why the protocol became an industry reference.
Discord Engineering Blog — DAVE Protocol Whitepaper (2023) — Discord's own technical documentation covering the MLS-based design of their Audio and Video Encryption system, including protocol rationale, threat model scope, and a summary of the Trail of Bits audit findings.
Trail of Bits Blog — Trail of Bits publishes detailed post-audit write-ups for their security assessments. Their DAVE review and previous work auditing Signal, Zoom, and other messaging infrastructure provide a comparative baseline for what "audited" actually means in practice versus marketing usage.
Electronic Frontier Foundation — Surveillance Self-Defense — A regularly updated guide to secure communications tool selection mapped to different threat models. Covers Signal, WhatsApp, Telegram, and metadata risks in technically accurate but accessible terms, with country-specific legal context.
Schneier on Security — Bruce Schneier's long-running security commentary covers metadata vulnerabilities, platform trust models, and the practical limits of E2E encryption. Posts from 2023–2025 on Telegram's legal situation and the gap between cryptographic claims and real-world privacy guarantees are directly relevant to this comparison.