*Privacy Not Included review: WhatsApp

Wi-Fi

Review date: Sept. 8, 2021

Mozilla says

WhatsApp is one of the most popular messaging apps in the world with around 2 billion (yes, billion) users worldwide. The app is encrypted by default with end-to-end encryption for both messages and calls, which is good for your privacy. It’s also owned by Facebook which means Facebook can access some data WhatsApp collects on you for specified purposes, which may be bad for your privacy. When it comes to video, WhatsApp allows for one-on-one calls and group calling with up to eight people. Just beware, WhatsApp has had a pretty well known misinformation problem and well, misinformation stinks.

What could happen if something goes wrong?

Facebook-owned WhatsApp caused quite the kerfuffle early in 2021 when it complained about Apple’s app store privacy labels that show all the data an app links to you. It didn’t look good for WhatsApp, especially when Apple published the same info for their iMessage app. Then WhatsApp updated their privacy policy in a way that scared the pants off people, justified or not, which caused a huge jumping ship of WhatsApp users to apps like Telegram and Signal. And then Ireland hit WhatsApp with a record $266 million fine for an alleged lack of transparency over how it shares data with Facebook. So, what’s the deal? Is WhatsApp bad for privacy? From a technical perspective, no, not really. WhatsApp uses super strong end-to-end encryption for all texts, chats, and video calls, This is great! WhatsApp can’t read your messages or see your calls. The flip side of this is Facebook--a company infamous for its vast and questionably ethical collection of so much data--owns WhatsApp. This means that lots of metadata, things like purchase history, location, device ID, and more--can be captured and shared with businesses advertising on WhatsApp. People looking for a true privacy-centered messaging app can find better options, like Signal and Threema. Messaging aside, it's worth considering WhatsApp's role in spreading misinformation. In 2020, WhatsApp became such a major source of misinformation about the coronavirus that world leaders called out the app by name. WhatsApp did take steps to try and stop the flood of misinformation when it began limiting the number of times people could pass on frequently forwarded content to five chats at once. Misinformation is a problem these days, one everyone should be aware of and do their best to not make worse.

mobile Privacy warning

Security A.I.

Can it snoop on me?

Camera

Device: N/A

App: Yes

Microphone

Device: N/A

App: Yes

Tracks location

Device: N/A

App: Yes

What can be used to sign up?

What data does the company collect?

Social

Metadata, including contacts, information about your activity, including how you use our Services, your Services settings, how you interact with others using our Services (including when you interact with a business), and the time, frequency, and duration of your activities and interactions.

How does the company use this data?

There is a complex chain of how data moves between WhatsApp and Facebook Inc., and then to numerous third parties. If you use WhatsApp to communicate with businesses,the Facebook-owned messaging app can share a user's profile data with Facebook. The policy states 'We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customize, support, and market our Services.'. This information could be used by Facebook and its other products to make suggestions for you, personalize features and content, help you complete purchases and transactions, and show relevant offers and ads across the Facebook Company Products. Facebook claims to not sell its data, but it shares data with numerous third parties such as partners who use their analytics services, advertisers, measurement partners, partners offering goods and services in Facebook products, vendors and service providers, researchers and academics, law enforcement, legal requests.

How can you control your data?

The only way mentioned in WhatsApp's policy to delete personal data is to delete the full account. Deleting your account deletes your account info and profile photo, deletes you from all WhatsApp groups, and deletes your WhatsApp message history. It can take up to 90 days to delete the data. Copies of your information may also remain after the 90 days in the backup storage, 'to recover in the event of a disaster, software error, or other data loss event'.

What is the company’s known track record of protecting users’ data?

Needs Improvement

In May 2019, WhatsApp announced a security breach associated with a surveillance authority. It did not disclose how many users were affected. In 2017, co-founders of WhatsApp have left the company, one of them, Brian Acton, saying "I sold my users' privacy to a larger benefit, I made a choice and a compromise. And I live with that every day."

Can this product be used offline?

N/A

User-friendly privacy information?

In May 2021, WhatsApp found itself at the center of controversy regarding its privacy policy. The main change was regarding sharing data, including communication content with businesses, with the larger Facebook Group. Many privacy-conscious users thought that ALL their communication data will be shared with Facebook (which is not the case). But it is hard to blame them, since WhatsApp's policy is not an example of a crystal clear one, nor was the process of its implementation soft. WhatsApp has been bombarding users for months with persistent pop-up messages to force them to accept its new terms of use and privacy policy. We too, as millions of WhatsApp users, found it hard to get what exactly is this update changing, looking at the privacy policy and terms of use only. Thus, we consider these documents to be confusing on purpose. Only the purpose is still unclear.

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

All messages and calls are end-to-end encrypted by default. Note that metadata is not encrypted and shared within Facebook Group.

Strong password

N/A

There is no password requirement to enter a call. WhatsApp allows users to set up a fingerprint lock or faceID as an extra layer of security, although this is not on by default, and for iPhones only.

Security updates

Yes

Manages vulnerabilities

Yes

Facebook has a bug bounty program for security vulnerabilities

Privacy policy

Yes

Does the product use AI?

Can’t Determine

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

News

WhatsApp tightens message forwarding restrictions to combat coronavirus misinformation

CNBC

Facebook’s WhatsApp has reduced the amount of chats to which users can share frequently forwarded content to just one at a time. The move, which expands on previous curbs, is aimed at stemming the spread of misinformation amid the coronavirus pandemic.

Five Things You Should Know About the WhatsApp Hack

Security Boulevard

The recent WhatsApp™ hack is pretty alarming: all the hackers had to do was drop a missed encrypted WhatsApp call to their target and—boom—spyware was installed. The hack didn’t require the user to do anything—even if the user didn’t pick up the phone the spyware would still be installed. But maybe what’s most important about it is that it shines a light on the myth that security is equal to end-to-end encryption.

WhatsApp Video Calls Will Soon Support 50: This Is Why 8’s The Limit For Your Security

Forbes

WhatsApp users were just given an awesome new feature—the ability to make end-to-end encrypted video calls for groups of up to eight. But it seems that eight is the limit if you want to stay secure, because once you add more people to your video chat, you’ll be redirected to the much less secure and private Facebook Messenger Rooms.

Signal Vs Telegram—3 Things You Need To Know Before You Quit WhatsApp

Forbes

As the self-inflicted WhatsApp backlash continues, millions have turned to Signal and Telegram instead. But how much do you know about these rival messengers? Given the headlines, you’d assume they’re both more secure than WhatsApp, right? Actually, wrong. So, if you’re considering a switch, here are three things you need to know.

WhatsApp launches disappearing photos and video for all your sensitive (and sexy) messages

Mashable

WhatsApp will now let you send private and disappearing photos and videos. So whether it's a steamy sext, something cute you'd like to delete later, or even sensitive content like passwords or financial details sent to someone you trust, WhatsApp is rolling out "View Once" photos and videos that will disappear from the chat after they've been opened.

WhatsApp faces $267M fine for breaching Europe’s GDPR

TechCrunch

It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime: Ireland’s Data Protection Commission (DPC) has just announced a €225 million (~$267 million) fine for WhatsApp.

Disinformation Spreads on WhatsApp Ahead of Brazilian Election

NY Times

Over the past few months, the 120 million Brazilians who use WhatsApp, the smartphone messaging application that is owned by Facebook, have been deluged with political messages.

WhatsApp clarifies it cannot see your private messages

Mashable

But it does share your metadata with Facebook.

WhatsApp is having another go at explaining its privacy policy to users

The Verge

The company is trying to set the record straight on private messages and what’s changing