The Limits of End-to-End Encryption
You might be wondering why that matters if the data you send via the app is still end-to-end encrypted. Doesn’t that mean that your data is secure? Well, yes and no.
WhatsApp does still utilize end-to-end encryption, but it collects more metadata on you than apps like Signal. WhatsApp’s encryption doesn’t protect you from that kind of data collection—and all that metadata now gets shared with WhatsApp’s parent company Facebook.
That means if the servers Facebook stores your information on are breached, sensitive data could still be compromised. And recent news of a 500-million-user breach doesn’t exactly inspire confidence in Facebook’s data security measures.
As a quick refresher, end-to-end encryption is when information sent between two devices is secured from the moment it’s sent to the moment it’s received. Only the people involved in the message can see what it says—even the company hosting the app doesn’t have the keys to unlock the data.
WhatsApp, Facebook, and Data Collection
Users started becoming wary of the relationship between WhatsApp and Facebook back in 2016, when it came out that WhatsApp was sharing user’s phone numbers and analytics data with Facebook by default, contradicting the company’s previous stance on user data privacy. You could still protect your data, but only by manually opting out.
If users don’t agree to the new terms by then, they won’t be able to read or send messages on WhatsApp. They’ll still be able to get calls and notifications for “a short time,” but the account will be considered inactive. WhatsApp has warned users that their policy on inactive accounts—which is to delete them after 120 days—will apply, stating:
“You can still accept the updates after May 15th. Our policy related to inactive users will apply…To maintain security, limit data retention, and protect the privacy of our users, WhatsApp accounts are generally deleted after 120 days of inactivity.”
Coupled with this announcement was the launch of Apple’s new “privacy label” feature. The feature went live at the end of 2020, requiring apps listed in the App Store to show what data they collect on users. Users can now plainly see that, although WhatsApp does utilize end-to-end encryption by default on all messaging, it still collects metadata, including location data, contacts, identifying data (such as user ID), and purchases. And it shares all that data with Facebook.
Facebook Messenger’s list of metadata is even more extensive, and Facebook plans to integrate it with WhatsApp in the near future. So while messages may remain private, there’s still plenty of identifying information on users that could be compromised in the event of a data breach.
All of this has led users to abandon WhatsApp in droves for other messaging apps that offer more security, like Signal and Telegram.
WhatsApp vs. Signal and Telegram
Most people leaving WhatsApp are going to one of two apps: Signal and Telegram. Of those two, Signal is the one that provides better security.
Signal’s user interface is similar to what WhatsApp users know, making it an easy switch. It also uses end-to-end encryption by default on all messaging. Telegram only end-to-end encrypts one-on-one “secret chats,” and you have to manually set it that way.
Signal also only requires one thing from users: a phone number. And it doesn’t attempt to link that phone number to your identity. It doesn’t collect metadata like WhatsApp and Facebook Messenger, and your messages are all stored directly on your device instead of on a cloud server.
Group conversations are also end-to-end encrypted with Signal, which is something that’s not offered to Telegram users—Telegram secret chats can only be between two people, and all other messaging through the app is stored on the company’s cloud servers.
Signal is also run by a donation-funded company, meaning that they aren’t incentivized to collect data from app use for advertisers. The code that they base their encryption on is open source. Overall, Signal has a much stronger commitment to user privacy than WhatsApp and Facebook. And that commitment garnered such an influx of users that Signal temporarily crashed.
WhatsApp has, as expected, launched a damage control campaign to try and reassure users that their data is still safe. The company is leaning heavily on the fact that it still uses end-to-end encryption by default to assuage privacy concerns.
In an op-ed for Wired entitled “Encryption Has Never Been More Essential—or Threatened,” WhatsApp head Will Cathcart writes:
“In the past five years, WhatsApp has securely delivered over 100 trillion messages to over 2 billion users. During the height of the global pandemic lockdown, end-to-end encryption protected people’s most personal thoughts when it was impossible to come together in person.”
Cathcart goes on to point out that law enforcement and big corporations have increased pressure on companies to hand over user’s private data or to create backdoors that they can use to access user data, like messages, in the future.
But that doesn’t appear to be what has WhatsApp users concerned—they’re worried about the metadata collected, regardless of end-to-end encrypted messaging. And with metadata collection now required to use the app, people may not be so willing to trust it anymore.
WhatsApp is reportedly working on encrypted iCloud backups that would be password-protected. Once the feature goes live, iCloud users could make encrypted backups of their WhatsApp data that would require a password to access.
Since users would be able to encrypt their data before uploading it to the cloud, it would theoretically be safer. The update is still in beta as of this writing, but if WhatsApp can launch it soon enough, it may be able to regain some of its user base.