PRIVA SCORE: Messenger

tl;dr: The PRIVA SCORE for messenger services can reach a maximum of 330 points. Signal and Threema have the highest data protection level with over 200 points, while Telegram and WhatsApp score only moderately, because both apps collect a lot of metadata, among other things. Discord has the lowest data protection level with less than 100 points due to a lack of end-to-end encryption, the collection of a lot of metadata and the server location in the USA. An update shows that Signal can now be used without revealing the phone number and thus increases from 242 to 272 points, while Telegram is downgraded due to bond sales and falls from 145 to 140 points.

When evaluating messengers, the PRIVA SCORE can reach a maximum of 330 points.
The assessment of the level of data protection is based on how well the messengers fulfil the most important data protection features. Signal and Threema perform best. They have the highest level of data protection (over 200 points) of the messengers compared here. Update! Signal can now also be used with an ID – similar to Threema – without revealing the phone number to the person you are calling. Signal therefore increases from 242 to 272 points.

Telegram and WhatsApp score only moderately (less than 200 points, more than 100 points) and are therefore not recommended. With Telegram, end-to-end encryption in chats is not active by default. Telegram collects a lot of metadata, including the IP addresses of the chat participants, and is not completely open source. The server location is Dubai – which is at least questionable in terms of data protection. There is also no contact verification. Update! The business model is now also rated "red". Bond sales worth 330 million US dollars without mentioning the source of the investment lead to this downgrade. Telegram falls from 145 to 140 points.

WhatsApp is end-to-end encrypted, but it collects a large amount of user metadata, is not open source and cannot be used anonymously. The servers are located in the USA (low level of data protection), access to the users' contacts is necessary for normal use, and the business model of the Meta corporation is, as is well known, largely advertising, which is synonymous with restricting privacy through reckless data collection practices.

At the bottom of the list (under 100 points) is Discord. The knockout criterion is the lack of end-to-end encryption. In addition, it shares the shortcomings of Telegram and WhatsApp: a lot of metadata is collected, Discord is not open source and the server location is the USA.

Explanation of data protection features

(Detailed description in the book)

E2E encryption: End-to-end encryption ensures that only the person the user wants to communicate with can read the message on their device.

Handling metadata: Since metadata contains information such as time or location, conclusions can be drawn about the people involved in the conversation. A messenger that collects no metadata beyond what is necessary for transmission, and deletes it as soon as possible, protects users' data better.

Open source or auditing: For this criterion, a messenger whose code is openly accessible or has been audited is the better messenger, because it can be independently verified how well the messenger protects users' data.

Anonymous usability: Registering with a telephone number or an email address is problematic because it involves personal data. Messengers that can be used anonymously are better messengers in terms of data protection.

Location of the servers or company headquarters: Some messenger apps operate servers in countries with weak data protection laws. In these countries, compliance with the high level of data protection of the European General Data Protection Regulation cannot be guaranteed.
The criterion is not entirely clear-cut, as the amount of data stored is more important than the location of the company. Unlike WhatsApp, Signal collects very little user data, even though the servers of both companies are located in the USA.

Optional contact access: This is about protecting the personal data of the people stored in the phone's contact list. This issue is often criticized in the case of WhatsApp: without access to the contacts, the messenger can only be used effectively in a roundabout way. Most users innocently grant access, whereupon the names and telephone numbers of the contacts are transferred to the Meta Group's US servers and compared daily. This is a violation of data protection law, because the user would have to inform all the people on their contact list about this use of their personal data and give them a right of objection.

Centralization, federation or decentralization: This is about the question of what the messenger's server landscape looks like. For example, a messenger that is operated via a centralized server is easier to attack than one whose messages can reach their destination via different routes, which would be the case with a decentralized or federated connection structure.

Contact verification: This is about whether it can be ensured that the recipient of a message is actually the person addressed. This function protects the privacy of users so that personal messages do not fall into the wrong hands.

Deletion of messages: To protect personal content of messages, it may be useful to automatically or manually delete messages after a certain period of time on your own device and on the devices of other users.

Business model: The last criterion concerns the question of how the company behind the messenger makes its money. Some business models are transparent and not critical for data protection; for example, the Threema app is financed by a one-off fee of 5 euros. WhatsApp may be "free", but it belongs to the Meta Group, whose business model is known to be online advertising, which is why WhatsApp collects significantly more data from users than other messengers.
