WhatsApp Privacy: What you should know and how to enhance it


In this short article, I will take you through a brief analysis of the WhatsApp chat app when it comes to your privacy as the user, what loopholes can be exploited to compromise that, and what you can do to stay ahead of any malicious privacy breach attempt.

That WhatsApp is one of the world’s most popular chat apps is a fact that cannot be refuted. It recently crossed the 2 billion user mark and is still counting. The Android app also crossed the 5 billion install mark on the Google Play Store and follows in the footsteps of its owner, Facebook.

The chat app has had its fair share of security issues, the most recent major one being that Jeff Bezos’s phone was hacked through an infected WhatsApp file, though that matter is highly controversial. However, from the aggregate of the information I have on breaches and hacks revolving around the popular chat app, WhatsApp doesn’t offer you foolproof privacy and security.

For encryption, WhatsApp uses the open-source Signal Protocol developed by Open Whisper Systems, an open-source software company run by security researcher and cryptographer Mathew Rosenfield. The same protocol is used by Signal (another privacy-focused messaging app developed by Open Whisper Systems), Allo (discontinued), Facebook Messenger and Skype. Facebook can’t read your WhatsApp messages thanks to this end-to-end encryption.

It’s also worth noting that WhatsApp collects a lot of data from its users and the devices it is installed on. This is not limited to the information users provide and third-party information. Information you provide as a user includes your account information, your messages, your connections and customer support, while the information WhatsApp collects automatically includes usage and log information, transactional information, device and connection information, cookies and status information. Third-party information includes information other people provide about you, third-party providers and third-party services.

Facebook, the company that owns WhatsApp, has come under intense scrutiny after declaring that it intends to merge its messaging platforms, which include WhatsApp, Instagram messaging and Facebook Messenger. In a notable spat between Facebook and the European Union in the not-so-distant past, the Union’s privacy watchdog fined Facebook for a data breach that compromised the personal information of up to 50 million user accounts. This was after Facebook allegedly gave misleading and falsified information to regulators, claiming that it doesn’t share WhatsApp phone numbers and Facebook data, and still went ahead and did it. A very fascinating article in the Wall Street Journal dated 9th September 2020 (just last week) reports that Ireland has ordered Facebook to stop sending user data to the U.S. This follows concerns over the American government’s surveillance practices. So the question you and I should ask is: Is our privacy guaranteed on the WhatsApp chat app that is fully owned and operated by Facebook, the same company that has of late faced so much criticism over alleged unlawful disclosure of user data to third parties? Let’s not labor on that. What can we do to at least enhance our privacy as we use this app for communication?

Disable Cloud Backups

Cloud backups are allowed on the app and are helpful when you get a new phone and want to restore your previous chats. The reason why you’d want to disable cloud backups, either on Google Drive (Android) or Apple iCloud (iPhone), is that these cloud services can easily provide your data when law enforcement authorities want it. There is nothing scary about that, unless you are a criminal, but really, in this age and era when governments have become notoriously unscrupulous when it comes to breaching their citizens’ privacy, don’t be surprised if you find out that your business competitor has unfettered access to your sensitive information, all facilitated by your government. It’s unclear whether WhatsApp informs a user when their account is being searched. At least we know that its parent company Facebook lets you know that your account is under lawful search, except when they’re ordered not to. Besides, media and messages you back up are not protected by WhatsApp’s end-to-end encryption.

“There is no middle ground: if law enforcement is allowed to circumvent encryption, then anybody can.” – Amnesty International in an open letter to Facebook.

It’s worth noting that WhatsApp doesn’t have open law enforcement guidelines like Facebook. WhatsApp can easily collude with a third party like a government agency and install a pen register device that provides metadata which WhatsApp’s encryption doesn’t keep private. Other pen registers go as far as collecting more information such as device identifiers and IP addresses. The metadata WhatsApp collects is enough to help federal agencies figure out the behavior of a person of interest. Signal doesn’t store any such metadata – however, contact numbers are shared with Signal servers.

“The best practice is to purge this information (metadata),” – Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU).

Early this year, it was revealed that WhatsApp was working on password-protected backups. Before such protection is deployed, think twice before backing up your WhatsApp communications data on Google Drive, especially if you are not (or in future will not be) on good terms with your government.

Set up Two-Factor Authentication

Two-factor authentication is a very important feature that you should enable not only on WhatsApp but also on all your online accounts. You can choose text-based, app-based or hardware-based (physical security key) 2FA methods. SMS-based is the easiest to set up and more adaptable for most users. Each time you want to verify your phone number on WhatsApp, you’ll be required to enter the six-digit PIN created with two-step verification on the app. Simply open WhatsApp, then head to Settings > Account > Two-step verification > Enable. You can then opt to add your email address so that WhatsApp sends you a link via email to disable two-step verification in case you forget your PIN. Once set up, WhatsApp will prompt you at irregular intervals to reenter the PIN. These prompts will come in handy especially if another person is trying to add your number to a new device without your knowledge.

Manage how people can interact with your account

One of the first steps is to disable read receipts. Next, control who adds you to groups by heading to Settings > Account & Privacy > Groups and changing the “Everyone” option, which is enabled by default, to either “All of your Contacts” or “All of your contacts except the people you’ve blocked”. This ensures that people who want to add you to groups randomly will have to send you a text message for your consent. You can also limit who sees your profile photo, about section, last seen, and live location. Another step you can take is to disable notifications that appear on both the lock screen and the notification shade, so that nobody can read the message preview without opening the phone or the app itself.
