WhatsApp Messenger is a Privacy Disaster

PUBLISHED 10 AUGUST 2019

Author: InvisibleUser Team

After talking a lot about how malicious popular instant messaging services are, we will now explain why WhatsApp is a privacy disaster.

We all use messaging services, like SMS, WhatsApp, iMessage, Google Hangouts and Facebook Messenger at work or for private conversations. Unfortunately, popular services are highly compromised when it comes to privacy. There are much better options. In this post, we will explain why WhatsApp Messenger is the worst chat client for privacy advocates.


WhatsApp Data Collection Overview

WhatsApp is arguably the most popular application for instant messaging. The estimated user count is around 1.5 billion users and they send around 46 billion messages per day. This immense popularity made SMS almost obsolete, to the disadvantage of telecom providers. The app is used for text chat, but also for sharing audio and video messages as well as VoIP calls. WhatsApp does not have the functions of a full-featured social network and is quite simple.

As we all know, WhatsApp was taken over by Facebook in 2014, a company that is not especially well known for caring about your privacy. WhatsApp has been criticised for sharing user data with Facebook. This includes your entire contact list and its phone numbers, which the app can read from your phone’s internal storage. On top of that, your own telephone number will be connected to your Facebook account forever.

Facebook ordered to pay €110 Million Fine for lying about Sharing WhatsApp Data

The linkage of your phone number to your Facebook profile was already technically possible at the time Facebook took over WhatsApp. Despite that, Facebook said they were not able to do so when applying to the European Commission for approval of the merger. In 2014, Facebook made these misstatements about the way user data would be shared between the systems of Facebook and WhatsApp. In 2016, WhatsApp changed their privacy terms and announced exactly that. That led to a fine of €110 million that Facebook had to pay to the European Commission.

That might seem like a large fine to you, but Facebook’s annual turnover is close to US$ 56 billion. They probably made enough money to cover those “expenses” with the ad revenue alone, which they received by selling your data to 3rd parties.


Why WhatsApp is a Privacy Disaster

Officially, WhatsApp declares that they use end-to-end encryption and even use the Signal protocol. That is the open-source protocol from Signal Messenger, but since the WhatsApp source code is not available for verification, we cannot be sure. Without access to WhatsApp server software, it will also be hard to find out if they actually implemented the double-ratchet protocol at all. WhatsApp is free of charge, so they would not suffer any financial damage by going open-source. Additionally, they do not have anything to lose anyway if their app is actually based on the open-source code of Signal (as they say), and not on some revolutionary proprietary technology they need to keep a secret. We therefore find it highly suspicious that Facebook refuses to release the source code. They must have something to hide.

Eavesdropping by Design

Security researcher Tobias Boelter also found a critical vulnerability in WhatsApp. Or should we say eavesdropping by design? When a message is initially undelivered, the software forces re-encryption. You (the receiver) are not asked if you want that and are not even notified about it. It all happens in the background. This step could potentially give WhatsApp access to cleartext messages, even if they use the Signal protocol as advertised!

How, you ask? Because they can use a key that belongs to the WhatsApp company or a law enforcement agency, for example. This key that they force on you is used for the re-encryption. That way, the message will still be encrypted, but in a way that enables WhatsApp themselves or law enforcement to open the message. The compromised key could be inserted by making you believe that the friend you chat with has changed his/her key. The iOS/Android app then automatically accepts the new key without notifying you, and you cannot prevent that. Thereafter, the client encrypts all messages “in transit” with it, i.e. those marked with only one tick. This will also affect VoIP calls. The key is changed, so that police can eavesdrop on your communication. This is a full-blown man-in-the-middle attack!

The backdoor was discovered by Tobias Boelter, but for technical reasons it is only possible to demonstrate it for one message. It is actually very likely that it does not only affect a single message, but the entire chat session. This is a serious and wide-open security loophole in the software. WhatsApp is too big and professional for us to believe that it was an error and not intentional. So, it is not a bug, it is a “feature”. You can go to Verify Security Code in WhatsApp and check if the code used really belongs to you or your contact, but who tells you that this number code cannot be manipulated too?
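
The difference between a client that silently accepts a changed key and one that blocks until the user has verified it can be modelled in a few lines. This is an added illustration, not code from WhatsApp, Signal or Tobias Boelter: the Sender class, its methods and the sample keys are hypothetical, and no real encryption is performed (each message is only tagged with the fingerprint of the key it would be encrypted to).

```python
import hashlib

def fingerprint(identity_key: bytes) -> str:
    """Short digest two users can compare out of band (toy security code)."""
    return hashlib.sha256(identity_key).hexdigest()[:12]

class Sender:
    """Hypothetical sending client; holds undelivered ("one tick") messages."""

    def __init__(self, block_on_key_change: bool):
        self.block_on_key_change = block_on_key_change
        self.pinned = {}    # contact -> identity key currently trusted
        self.pending = []   # (contact, plaintext) awaiting delivery
        self.alerts = []    # warnings shown to the user

    def queue(self, contact, key, plaintext):
        self.pinned.setdefault(contact, key)  # trust on first use
        self.pending.append((contact, plaintext))

    def _release(self, contact, key):
        # Stand-in for re-encryption: tag each message with the key it goes to.
        out = [(fingerprint(key), m) for c, m in self.pending if c == contact]
        self.pending = [(c, m) for c, m in self.pending if c != contact]
        self.pinned[contact] = key
        return out

    def on_key_announcement(self, contact, new_key):
        """The server reports a new key for the contact."""
        if new_key == self.pinned.get(contact):
            return []
        if not self.block_on_key_change:
            return self._release(contact, new_key)  # silent, as the post describes
        self.alerts.append(f"{contact}: key changed to {fingerprint(new_key)}")
        return []  # nothing is sent until the user confirms

    def confirm(self, contact, new_key, code_read_out_by_contact):
        """Release pending messages only if the out-of-band code matches."""
        if code_read_out_by_contact != fingerprint(new_key):
            return []
        return self._release(contact, new_key)

# Constructed sample keys (placeholders, not real key material).
ALICE_KEY, UNKNOWN_KEY = b"alice-identity-key-v1", b"announced-key-of-unknown-origin"

def demo(block):
    s = Sender(block_on_key_change=block)
    s.queue("alice", ALICE_KEY, "meet at 6")
    return s.on_key_announcement("alice", UNKNOWN_KEY), s
```

With block=False the queued message goes out under the newly announced key and the user sees nothing; with block=True it stays queued until the code the contact reads out matches the new key.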

Do not trust their End-to-End Encryption Claims

Let us get to the next reason why WhatsApp is a privacy disaster. There have been cases in the past where authorities have asked WhatsApp to reveal messages that a suspect has sent. It is absolutely possible that WhatsApp does not encrypt the messages you send directly on your device. They could instead receive a cleartext message on their servers and only then encrypt it for the recipient. There are reports that this is exactly the case.

This practice would give them a backdoor for later review of the messages, but no one except for Facebook knows. We simply do not have any way of finding out how a proprietary app works exactly. Proprietary software in general is fine, but in those cases where privacy is of utmost importance, we had better not trust a program for private communication if it is closed-source.

Additionally, you should be very careful with the Google Drive backup feature to store your chats in the cloud. This data is completely unencrypted. This lets Google browse your data and abuse it for advertising, but is also a great entry point for police. Why let yet another data-hungry anti-privacy company get hold of your data?

We appreciate that all Facebook apps (Messenger, WhatsApp, Instagram, etc.) will soon carry a “Facebook Tag”. Facebook does that to show the world that it owns those services, but it will also inform users that they are dealing with Facebook.


Use Open-Source Alternatives

In the previous article “Chat securely with the Signal Messenger”, we reviewed Signal Messenger’s privacy features in detail. Signal offers the exact same convenience features, but much more privacy, so please think about switching.

We are also of the opinion that Signal is even more user-friendly, because its functions are very transparent and the documentation from the Signal website explains them all in simple terms.

They also write interesting blog posts. An example is the article where they describe that secretly changing your keys is WhatsApp’s backdoor, not a bug in the Signal protocol.


Verdict

We hope that we could explain sufficiently why WhatsApp is a privacy disaster. The fact that WhatsApp is so ubiquitous, despite data collection and lack of trust in proprietary software, is quite remarkable. We do not believe, however, that it remains popular because people do not care about privacy. It just shows that most people are not well informed about the risks. Facebook deliberately tries to make finding such information difficult and no one can identify all its data collection mechanisms without the source code.

Do not be distracted by the smileys and colourful stickers! There is a real privacy killer behind the green icon on your smartphone screen.

Take the same precautions against data collection by other services, such as Twitter and, of course, Instagram, which is another Facebook company.
