WhatsApp is the most popular messenger app worldwide with about two billion monthly active users, ahead of Facebook Messenger at 1.3 billion and WeChat at 1.2 billion users.
One of the features that wins many people over to WhatsApp compared to other instant messengers is its end-to-end encryption, which stays active even when using multi-device. As a result, we can see more people have doubts about privacy in Facebook Messenger. (Although the author was asking users to switch to WhatsApp!)
If you would like someone to overhear every word you say to your friend, Facebook Messenger is the best way to do it. It is part of a social media platform that collects vast amounts of observational data on its users as they use the platform; it is also used by children and enables users to search for people and then initiate contact with them.
A private conversation on Messenger or Instagram is different from one on Signal or Telegram. Messenger and Instagram know everything about you. They’re harvesting your data by default. With Messenger encryption, you may be whispering in your friend’s ear, and Facebook may not be able to overhear, but it’s watching everything else you do, and it can fill in the gaps. Facebook might shield your actual message content, but everything else remains fair game.
However, a new report by ProPublica claims that WhatsApp messages are not end-to-end encrypted, adding that Facebook inspects the content of messages on the platform.
Even though WhatsApp has featured end-to-end encryption since 2016, there are some circumstances in which the 1,000 contractors using Facebook’s special software can read messages sent from one user to another.
For instance, when somebody reports a message, even in a private chat, the AI algorithm will look for suspicious activity related to terrorism, child abuse, etc. It then passes on the reported message, along with four previous messages, to an actual human for review.
The user can then be blocked, dismissed, or put on the watchlist. Unencrypted messages from users in the “proactive” list can be read along with other user data such as:
The report also says that all of these practices are described in the users’ privacy policy, but you have to dig deep to find them. Facebook notes that these practices are based on users’ feedback and that they are sure users understand what follows after a report.
As a security professional, it’s hard to encourage WhatsApp users to quit. WhatsApp originally did more to popularize secure messaging than anyone else. But it was also acquired by the world’s most covetous personal data harvesting machine. And it was always inevitable that there would be a reckoning at some point, if not now.
WhatsApp has now faced down its 2021 privacy backlash — but it has done so by focusing on its security credentials, by playing down its data sharing with Facebook, and by ignoring its metadata harvesting issue.
WhatsApp’s privacy label is terrible. It’s the only leading secure messenger that harvests data associated with you, including:
Other messengers collect your data to tailor functionality. WhatsApp is harvesting it for different reasons. In short, WhatsApp’s end-to-end encryption might not be as secure as the constant popups on the screen may lead you to believe.
Thank you for reading. May InfoSec be with you🖖.
Previously published behind a paywall here.