Let's talk about WhatsApp

This post tackles the recent WhatsApp privacy concerns, looking at how its messages are kept private along with the data it collects about you.

Mohamed Ridha Hamid
Nerd For Tech


What’s up with WhatsApp

WhatsApp recently updated its privacy policy, and this has everyone talking. Groups are being asked to migrate to Telegram or Signal, and even Elon Musk has voiced his support for Signal.

Facebook owns WhatsApp, having purchased it in 2014, and this is not the first time it has come under scrutiny. In 2016, the Information Commissioner’s Office (ICO) wrote to Facebook about its plans to share WhatsApp user data, with concerns raised over a lack of transparency.

In 2017, Facebook was fined $110 million for misleading the EU, as it was revealed that Facebook could match WhatsApp phone numbers to Facebook users. Facebook later described this as an unintentional error.

What is changing?

Facebook offers shopping features to businesses and wants to share things like purchase history or product interaction with WhatsApp. This will enable businesses to interact with you via WhatsApp. For example, you may purchase something via Facebook and then engage with that business using WhatsApp. This is why you may have seen a privacy popup like the one below.

WhatsApp privacy policy popup

This does not impact your chats and interactions with friends and family.

Does this mean WhatsApp can see my messages?

No. Chat messages are protected using encryption, which means your messages cannot be seen by WhatsApp or anyone else other than the person receiving the message. This works by using a technology called end-to-end encryption.

How does end-to-end encryption work?

Your phone generates a private key and a public key. The private key remains secret to your phone and is used to decrypt incoming messages; this key never leaves your phone. The public key is shared with your contacts and is used to encrypt messages that others send to you. Only your private key can decrypt them.

Your friends and family will all have private and public keys working to ensure messages remain private. Think of it as a mailbox: everyone knows your postal address (public key) and can send messages, but only you have the ability to open and read them using your private key.

Messages flow through WhatsApp servers, but because they are encrypted, WhatsApp cannot read them. WhatsApp does not hold the private key and therefore cannot decrypt the passing messages.

Tell me more about end-to-end encryption.

To further understand how messages are kept private, let's look at Adam and Batool. Both install WhatsApp on their phones, which in turn generates their private and public keys. The following happens under the hood.

Figure 1 Adam and Batool install WhatsApp which generates their private & public keys

Adam and Batool share each other's public keys via WhatsApp servers over the internet.

Figure 2 Adam and Batool share each other’s public keys

Adam then writes a message to Batool. His message is encrypted in the background using Batool’s public key, which she shared with him previously.

The encrypted message travels through WhatsApp servers and reaches Batool’s phone. Batool then uses her secret private key to decrypt and read the message. This is shown below.

Figure 3 Adam sends a message to Batool and Company X

Adam also asks about his recent purchase with Company X who is selling items using Facebook and providing support via WhatsApp.

Messages are encrypted in the same manner as Adam’s chat with Batool. The two conversations are independent, and this one does not impact Adam’s private messages with Batool.
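
The exchange between Adam and Batool, as an added example that is not part of the original post and is not WhatsApp's code. It uses RSA-OAEP from Go's standard library because that matches the "encrypt with the public key, decrypt with the private key" model described here; the Phone type, its methods and the sample messages are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Phone is a hypothetical model of one handset. The private key is created
// on the device and no method ever returns it.
type Phone struct{ priv *rsa.PrivateKey }

func NewPhone() *Phone {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Phone{priv: key}
}

// PublicKey is the only key material shared with contacts (via the server).
func (p *Phone) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Encrypt runs on the sender's phone with the recipient's public key.
func Encrypt(to *rsa.PublicKey, msg string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, []byte(msg), nil)
}

// Decrypt only succeeds on the phone that holds the matching private key.
func (p *Phone) Decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, ct, nil)
	return string(pt), err
}

func main() {
	adam, batool := NewPhone(), NewPhone()
	server := NewPhone() // the relay has keys of its own, never Batool's private key

	ct, err := Encrypt(batool.PublicKey(), "Hi Batool, it's Adam") // constructed sample
	if err != nil {
		panic(err)
	}
	_, serverErr := server.Decrypt(ct) // all the relay can do with the bytes it carries
	msg, _ := batool.Decrypt(ct)
	reply, _ := Encrypt(adam.PublicKey(), "Hi Adam") // Batool answers with Adam's public key
	back, _ := adam.Decrypt(reply)
	fmt.Printf("server: %v\nBatool reads: %q\nAdam reads: %q\n", serverErr, msg, back)
}
```

The server's attempt returns a decryption error, while each recipient recovers the text addressed to them.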

What data does WhatsApp hold on me?

While WhatsApp cannot read your private conversations, it does collect information about you. This includes:

  • Phone number and mobile device ID.
  • Chosen profile name.
  • Information about how the app is running on your phone, e.g. if the app keeps crashing.
  • GPS data when you share your location in a chat. Estimated locations can also be identified via your public IP and phone area code, e.g. +44 for the UK.
  • Your contacts' phone numbers.

More detailed information can be found on WhatsApp's privacy page here.

Has WhatsApp always collected this data?

Yes.

So why has WhatsApp been in the news?

This is probably down to the poor way in which it communicated the changes. Having a scary-looking popup appear and forcing the user to agree before a given date will no doubt create anxiety.

As mentioned above, the changes are specific to businesses that use Facebook. These have now been delayed, with WhatsApp allowing more time for users to consider the changes. In addition, WhatsApp has been working to clarify the changes, having been spooked by the mass migration of users to Signal and Telegram.

Remember that Facebook does not have a good reputation when it comes to data privacy. The Cambridge Analytica scandal, where the personal data of millions was used without consent, is testament to this.

The following best highlights the data collection differences between Signal, Telegram, WhatsApp and Facebook.

Taken from Signal’s Twitter handle here

GDPR and WhatsApp

The General Data Protection Regulation (GDPR) is a set of security and privacy laws put together by the European Union (EU) and the UK. It outlines measures on how companies handle your data, with the goal of protecting the security and privacy of the user.

Data that can identify individuals is subject to strict laws and security measures. For example, data handlers such as WhatsApp must follow set guidelines or face tough fines.

This is why WhatsApp operates under ‘WhatsApp Ireland Limited’ for EU and UK users and why some of the privacy changes will not apply to EU and UK users.

Should I move to Signal or Telegram?

The choice is entirely yours. It is down to your own risk appetite, i.e. how much you care about where data is stored and how it is shared. However, if you were going to move, then Signal would be the better option as it collects the least amount of data. Telegram does not encrypt messages by default; you would have to explicitly select ‘secret chat’.

In reality, it will come down to user demand. This recent episode can only be a good thing for competition, but WhatsApp remains the most popular tool. Your friends and family will not all migrate any time soon, and as such you’ll probably be in a world where you have WhatsApp plus one other instant messaging tool.

Many thanks to Joel Samuel for the peer review.
