Users of WhatsApp have been alerted to a serious security risk since their data may have been exposed due to an encryption flaw. Elon Musk has also openly questioned WhatsApp’s data and security policies at the same time. This begs the question of whether WhatsApp’s two billion users ought to think about moving to another platform.
Users are really concerned about recent stories like “WhatsApp Engineers Fear Encryption Flaw Exposes User Data.” The main problem, though, is not a flaw in WhatsApp’s renowned message encryption, but rather a more complex issue with metadata—the information about who contacts whom, when, and from where.
Metadata is not encrypted, allowing it to be captured and stored by the platform and monitored by governments or carriers with the right access. The Intercept reported that “an undisclosed WhatsApp vulnerability lets governments see who you message,” indicating network-level monitoring or traffic analysis. According to WhatsApp engineers, agencies are “bypassing our encryption… making it possible for nation states to determine who is talking to who.”
“Information about your activity (including how you use our Services), how you interact with others using our Services, and the time, frequency, and duration of your activities,” according to WhatsApp’s privacy policy, is one of the metadata sets that are collected. Additionally, it estimates the general location of users using IP addresses and other data.
If WhatsApp collects this data, it can protect its users. However, this protection is compromised when the data is analyzed externally. “Our at-risk users need robust and viable protections against traffic analysis,” warned WhatsApp engineers.
Despite these concerns, the encryption itself remains intact. WhatsApp states, “WhatsApp does not store message logs once the messages are delivered,” but in response to valid legal requests, it may start collecting metadata such as message and call logs.
Jake Moore from ESET highlighted the issue, stating, “with pressure from governments around the world to have more exposure to intelligence and police evidence, this is potentially where Meta have agreed to find some sort of middle ground.”
Elon Musk has also criticized WhatsApp, tweeting, “WhatsApp exports your user data every night,” in response to allegations that user data is analyzed for targeted advertising. This has always been a point of contention for WhatsApp, known for its strong content encryption but criticized for its metadata handling.
The real issue at hand is how metadata is collected and shared. Meta claims there are no vulnerabilities in WhatsApp’s encryption, and WhatsApp head Will Cathcart emphasized there is no evidence of such a vulnerability. However, The Intercept’s Sam Biddle noted that internal assessments call for mitigation of traffic analysis vulnerabilities.
If users have concerns about their metadata being tracked, they should consider switching to more privacy-focused messaging apps. Moore advises, “Other available privacy-focused messaging apps offer ironclad protection which can be used by those favoring privacy over convenience.”
While there has been no compromise of message content, the handling of metadata by WhatsApp is concerning. Users who need to protect their privacy should take steps like shielding their IP address, changing devices regularly, and turning off location tracking.
“Communication and location data may seem futile but this can be merged together with other available information to build a bigger profile picture,” Moore warns.
Thus, it is vital to ensure this data is protected.