Here are 5 Reasons to Stop Using WhatsApp
WhatsApp offers end-to-end encryption for its messaging platform by default, but the platform itself is owned by Meta, which is known for its privacy-related scandals and appears to engage in an extraordinary amount of data collection.
WhatsApp is also the most popular messaging app with over 2 billion users worldwide who transmit 100+ million messages daily. Despite its immense popularity, users who value privacy may be better served by moving to a more secure and private messaging platform. Those on the fence or who may need a push may also find this post helpful in their own decision-making process.
In any case, the reasons listed in this post are valid privacy-related reasons for leaving WhatsApp for any of its privacy-friendly competitors.
1. WhatsApp is owned by Facebook/Meta
Facebook/Meta (referred to as simply “Meta” for the rest of this post) has a long history of acquiring and assimilating competitors. These acquisitions dwarf competition, promoting the excessive centralization of a number of resources – including troves of user data.
Over the years, Meta’s notable acquisitions include:
- Instagram (2012)
- Oculus (2014)
- WhatsApp (2014)
- Giphy (2020)
In 2014, Meta (at this point in time, Facebook) acquired WhatsApp for $16 billion. At the time of purchase (and also as of writing), WhatsApp was (is) the most popular mobile messaging platform around the globe.
According to leaked internal Facebook documents, Meta closely eyed WhatsApp primarily because of their user engagement metrics, which were far superior to their own messaging platform, Facebook Messenger. Meta had detailed insights on WhatsApp, a quickly growing competitor in their market at the time and did not use this data to directly improve their own product. (For what it's worth, WhatsApp as an independent company was committed to end-user security and privacy.)
The bottom line is: All of the Meta companies function primarily on user engagement – the more users engage with their platforms, the more data becomes available for collection. The more user data Meta has, on average the more money they can make off each user – by selling highly accurate profiles of any given user. WhatsApp is but an extension of this...
Let's also not forget that Meta collects so much user data from its various platforms that, according to a leak from a Facebook Engineer, Facebook has "lost control of user data." Allegedly, this loss of control has resulted in Meta being unable to answer what is done with user data, where exactly user data goes, and unable to comply with various international privacy laws.
Allegedly, Instagram - another Meta company - was privy to detailed internal reporting citing the platform "knew Instagram was toxic for teen girls." Researchers at Meta found that Instagram is harmful for a sizable percentage of young users (under 22).
2. WhatsApp collects and sends tons of data to Facebook/Meta
WhatsApp collects an alarming amount of data - including metadata, personal identifying information (PII), payment information, and detailed device data.
WhatsApp's direct data collection is split into two primary fronts: 1) information the user provides and 2) automatically collected information.
Mobile phone number
Allegedly, WhatsApp forces the use of a SIM-connected number to sign up and in some cases will not permit account creation with a voice over IP (VoIP) number. While this may cut down on abusive registration, it also alienates people who 1) aren’t willing to use a SIM-connected number or 2) cannot acquire a SIM-connected number for any number of reasons.
Keep in mind that phone numbers (especially SIM-connected phone numbers) have been shown to be effective identifiers. The chance of any given user changing mobile phone numbers is lower than a user changing email addresses or account usernames; this increased chance of remaining "static" is what has turned the mobile phone number into a highly unique and powerful identifier. Furthermore, powerful and unique identifiers enable highly accurate tracking mechanisms.
The more any user gives out their mobile phone number, the higher chance it may wind up somewhere the user didn’t necessarily intend it to be – whether as information leaked in a data breach, a scamming ring, or in the hands of an unscrupulous data broker.
Users should also note that the phone number used with WhatsApp is shared with Meta.
If you suspect your phone number is involved in a data breach, then a good resource to check is the Have I Been Pwned (HIBP) database.
WhatsApp’s “contact upload feature” is just as it sounds – WhatsApp will ask for permission to access user contacts and continuously scan the linked contact app for new additions. Contacts that have WhatsApp (WhatsApp will know because presumably they have your contacts’ numbers too) will be suggested to the user.
Simultaneously interesting and disturbing is WhatsApp doesn’t necessarily need direct access to a user's contacts to suggest highly relevant contacts or "people you may know". WhatsApp (and Meta) have other ways of “knowing who you may know.”
Most commonly, WhatsApp will “know who you know” because someone in your phone’s contacts list - who also has your phone number – will share their contact list with WhatsApp. This is an enumerated third party WhatsApp uses to collect data about users:
WhatsApp can use location data history (how often are you near a particular device?), Wi-Fi connectivity (are you on the same network as a particular device?), and cellular towers (are you using the same cell tower as a particular device?) to accurately guess who you may know.
Since WhatsApp shares data with other Meta companies like Facebook, WhatsApp may also use a user's added friends/following lists to suggest people the user may know – all without directly accessing the user's contacts!
Automatically Collected Information includes, but is not necessarily limited to:
Usage and log information
Usage and log information includes how you interact with the application or “service,” when you interact with the application or “service,” duration of interaction, log files, diagnostic and crash reporting, and commonly used features.
Put simply, WhatsApp knows what features you use and how often you use them. While this isn't necessarily an issue, especially for the purposes of diagnostics and reporting, WhatsApp usage data and diagnostics are directly linked to the user:
What exactly does this mean? A definitive answer is tough to say. Given the other methods of "automatically collected information" WhatsApp uses, we can assume with reasonable confidence a few things:
- Combined with device data (below), WhatsApp knows exactly how, when, and for how long you interact with the app
- WhatsApp could use usage data as another data point for user profiling
- WhatsApp could "feed" usage data to its algorithm for any number of purposes (content moderation, bot detection, spam detection, etc.)
The pressing issue with WhatsApp's handling of usage and log information is its link with users. Plenty of other apps may collect usage and log information for diagnostic and anonymous statistic collection purposes; however, there is little practical reason for linking usage and log information directly to users.
When combined, this data creates a highly unique fingerprint - WhatsApp knows who you are and a great amount of information about your device. In fact, from this information alone, WhatsApp's AI algorithm can determine whether a user's account should be "thrown into the spam pile."
This type of device information collected likely allows highly accurate fingerprinting of a user’s device. If you switch devices, but use the same account – WhatsApp can tell; hardware model, operating system information, language, and time zone are enough data points to fingerprint a device. This is especially true when coupled with other numerous data points WhatsApp collects, such as creating/using/sharing a user’s unique “Meta Company Product” identifier.
On the iPhone in particular, a security researcher found that Meta Company Products (Facebook, Instagram, and WhatsApp) were “secretly” collecting iPhone accelerometer data – which can be used to also add to usage and log information, which is already tied to users, or to pinpoint locations over time. Accelerometer data can be used to pinpoint locations -- even if WhatsApp is not permitted access to device GPS location data.
WhatsApp collects device connection data as well.
Connection information includes mobile network, connection information, IP address, signal strength, network connection information. Even more so, this connection data frequently includes information like IP addresses or cell tower usage, which can help in approximating a user’s geolocation with high accuracy.
Network connection information can and may be used to suggest “people you may know.” For example, if User X is on the same network called "Home Network 4" as User Y, then we can make an educated guess they may know each other - especially if this is observed over some length of time, as we can start determining patterns and make reasonable inferences from those recorded patterns.
The truth is, you may or may not know these people – but, according to the "algorithm," the probability is that you may know them in some capacity if you are on the same network.
For example, if User Y has registered phone number 1-404-123-4567 then we can reasonably assume:
- From the 1 in the phone number that User Y lives in the US or Canada.
- From the area code, 404, that the user lives/lived in/frequents the Atlanta, Georgia metro area.
Keep in mind WhatsApp reportedly does not permit the use of VoIP numbers - so creating or getting a number in a different area code is not as easy.
However, WhatsApp can use a device's connection information, like an IP address, to also approximate a user's location - even if their phone number does not corroborate with their physical location. If you're behind a non-leaky VPN, then this can be less of a concern - assuming you're behind the VPN 100 percent of the time.
Even if you manage to be behind a VPN 100 percent of the time (which isn't necessarily feasible of itself), what if the WhatsApp app installed on a mobile device is indeed collecting accelerometer data? As mentioned earlier, accelerometer data can pinpoint users' locations with a high degree of accuracy. Users can elect to not install the app - but now we start inching into the territory of usability issues. A valid argument is that once we reach this point, versus mitigating, a user would be better off switching messaging platforms entirely.
WhatsApp collects specific location data from a GPS-enabled device when permitted. While a user can effectively deny GPS permissions to WhatsApp on their devices, doing so does not necessarily prevent WhatsApp from accurately inferring a user's location from other collected data points.
WhatsApp can use other data to approximate user locations with considerable accuracy. IP addresses can reveal general locations while also serving as a piece of identifying information. As mentioned earlier, WhatsApp can also use your mobile connection data to approximate your location by viewing the nearest cell tower to your device – which can give good results, down to a radius of a couple of miles.
3. WhatsApp aggregates your data from third parties
Meta has always been about collecting data through various means, which includes incorporating data from off its various platforms. This can be seen on Facebook, their acquisition of Instagram, and the acquisition of Oculus. WhatsApp is no different.
While these third parties aren’t expressly stated, given Meta’s extensive data collection and history of user data abuses, we can still estimate with high confidence from where WhatsApp collects user data outside its immediate ecosystem...
Information Provided by Other Users
WhatsApp asks those who sign up for access to their contacts.
Breaking this down further: a given user, let’s say User A, could not have WhatsApp, but another user, User B, does. User B has User A in their phone contacts and allows WhatsApp access to their contacts.
There’s also WhatsApp’s unencrypted backup issue to consider in this context. User A may opt to encrypt their WhatsApp backups to the cloud, but User B may not. If User A and User B send messages via WhatsApp, messages User A sent to User B might still be exposed and read at will by third parties with access to User B’s unencrypted backup.
In addition to sending information to advertisers, WhatsApp also most likely receives data from advertising networks that exist outside of its own. While this isn’t explicitly stated, it is a reasonable inference given Meta’s ad revenue and willingness to run ads that have pointed to known malicious domains, hosted or promoted blatant misinformation, or pointed to scams.
This can be assumed with high confidence given that many advertisers are also in some form of the data brokering business. Advertisers are actually in the business of collecting and sharing data; Meta Audience Network is no different.
This covers a wide range of potential organizations that may have some level of access to your data. For example, third-party services that help WhatsApp operate can include a cloud service provider; third-party services that help support WhatsApp can include outsourced customer support; third-party services that help market WhatsApp can include outsourced marketing companies, data brokers, and advertisers.
This range of potential organizations with some access to your data becomes exceptionally problematic for your privacy. Most problematic is that your interactions with other organizations outside of WhatsApp – or even the Meta companies – could be up for grabs by WhatsApp. This doesn’t necessarily mean Meta is collecting sensitive data such as payment details or social security numbers (SSN), but does mean that WhatsApp knows which other entities you’ve probably interacted with in a business, professional, or casual manner.
Third-party services include third parties that are not directly related to helping WhatsApp provide its service. This can be considered a catch-all term for, well, any third-party source WhatsApp can collect data related to you from.
Specifically, “...for example, if you use the WhatsApp share button on a news service to share a news article with your WhatsApp contacts, groups, or broadcast lists on our Services...”
Independently, this may not seem like a big deal – but it’s important to understand that no data point solely exists in a vacuum. For example, if you are sending articles from the exact same news source to the same contacts every Tuesday, WhatsApp may combine this data point with collected metadata and location data. You may start seeing more ads related to whatever you’re sharing – especially around the same time or place you were recorded sharing the previous articles.
All of this to say – WhatsApp may be collecting data on you and you may not even have WhatsApp or any Meta Company account!
4. WhatsApp captures and uses unencrypted metadata
WhatsApp’s centralized design and closed-source, dubious implementation of end-to-end encryption exposes a considerable amount of metadata, making it available for capture and storage by WhatsApp servers. In fact, WhatsApp actively uses metadata in a variety of ways – including "feeding" vast amounts of data to its AI when messages are reported by any recipient of a message for “abuse.”
Metadata in this context is the data associated with messages that does not necessarily exist in the message contents themselves. Metadata is crucial but is often overlooked; it often includes, but is not limited to, who a message was sent to and when the message was sent. Metadata alone can be enough to build a reliable prediction model or social graph – or to analyze patterns. For example, even if WhatsApp can’t read your messages, WhatsApp knows, at a minimum, who you’ve messaged and when.
If we couple these data points with location data, detailed app/service usage statistics, and device data, then we can analyze and glean a rather disturbing amount of insight:
- User A only messages User B from an iPhone X, every Tuesday, near the only Random American City location of “The Best Coffee Shop Ever,” around 4:00pm ET
- User B messages User A from a Windows 10 Dell Inspiron desktop computer, connected to “Home Wi-Fi” with IP address 99.12.445.6, every Tuesday at 4:10pm ET and then again around 4:30pm ET from a Samsung Galaxy S20 running Android 12 near a T-Mobile cell tower within a 2-mile radius of the only Random American City location of “The Best Coffee Shop Ever.”
Here, we can probably guess that User A and User B meet up every Tuesday around 4:30pm ET at “The Best Coffee Shop Ever” location in Random American City.
For User B, we can also guess with confidence their internet service provider (ISP) from the IP address. We know User B uses WhatsApp from a known desktop on a network, “Home Wi-Fi,” so we can also reasonably guess that User B lives 15 minutes from “The Best Coffee Shop Ever” in Random American City.
Enough metadata data points collected over any significant amount of time can tell much of the “story,” without ever reading the contents of the message.
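The inference walked through above can be reproduced with a short analysis over metadata alone. This is an added example, not code from WhatsApp or from the original post; the record layout, user names and place labels are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]

# Constructed sample records: metadata only, no message content.
# Fields: sender, recipient, local timestamp, device, coarse place label
# (as could be derived from Wi-Fi name, IP address or nearest cell tower).
RECORDS = [
    ("user_a", "user_b", "2024-03-05 16:00", "iPhone X", "coffee-shop"),
    ("user_b", "user_a", "2024-03-05 16:10", "Dell Inspiron", "home-wifi"),
    ("user_b", "user_a", "2024-03-05 16:30", "Galaxy S20", "coffee-shop"),
    ("user_a", "user_c", "2024-03-07 09:15", "iPhone X", "office"),
    ("user_a", "user_b", "2024-03-12 16:00", "iPhone X", "coffee-shop"),
    ("user_b", "user_a", "2024-03-12 16:10", "Dell Inspiron", "home-wifi"),
    ("user_b", "user_a", "2024-03-12 16:30", "Galaxy S20", "coffee-shop"),
    ("user_a", "user_b", "2024-03-19 16:00", "iPhone X", "coffee-shop"),
    ("user_b", "user_a", "2024-03-19 16:10", "Dell Inspiron", "home-wifi"),
    ("user_b", "user_a", "2024-03-19 16:30", "Galaxy S20", "coffee-shop"),
]


def likely_meetings(records, min_weeks=3):
    """Find pairs of users seen at the same place, weekday and hour
    in at least `min_weeks` distinct calendar weeks."""
    # (place, weekday, hour) -> user -> set of (iso_year, iso_week)
    presence = defaultdict(lambda: defaultdict(set))
    for sender, _recipient, ts, _device, place in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        week = tuple(when.isocalendar())[:2]
        slot = (place, WEEKDAYS[when.weekday()], when.hour)
        presence[slot][sender].add(week)

    meetings = []
    for slot, users in presence.items():
        names = sorted(users)
        for i, first in enumerate(names):
            for second in names[i + 1:]:
                # Weeks in which both users appeared in this slot.
                shared = users[first] & users[second]
                if len(shared) >= min_weeks:
                    meetings.append((first, second, *slot, len(shared)))
    return sorted(meetings)


if __name__ == "__main__":
    for a, b, place, day, hour, weeks in likely_meetings(RECORDS):
        print(f"{a} and {b}: {place}, {day}s around {hour}:00, "
              f"seen in {weeks} separate weeks")
```

Raising `min_weeks` shows why the length of the retention period matters: the same records stop supporting the inference once fewer weeks of history are available than the threshold requires.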
In the case of WhatsApp, when compared to more private alternatives, the amount of metadata either available for collection or already collected is immense and includes a variety of sources - like information collected at initial account creation, data automatically and continuously collected, and data provided by a list of third parties. In the end, whether it’s data provided by you, a third-party, or collected directly by WhatsApp, this data is linked to you just as your message metadata is also linked to you.
5. WhatsApp encryption can possibly be circumvented
While based on the Signal Protocol library, WhatsApp and its messaging protocol are ultimately closed-source. While it claims to be secure – primarily in its use of E2EE – there is no way for this to be audited by external parties.
Essentially, we have to take WhatsApp’s word that their specific implementation of the Signal Protocol is indeed secure. However, there are some indicators perhaps hinting that WhatsApp’s encryption can be circumvented:
1. WhatsApp’s definition of end-to-end encryption may be… flawed
The true security from E2EE stems from the security of the endpoints themselves. Specifically, the originating point should be the true originating point and the destination point should be the true destination point – and both should be secure.
Interestingly, WhatsApp’s report feature and how this feature functions can be thought of as a loophole to WhatsApp’s E2EE. Once a message is flagged – which can be done by any recipient of a message – the message itself gets sent to Meta for review.
Even more interesting is once a recipient of a message “reports” a supposedly offending message, in addition to the reported message, the four previous messages are forwarded to the WhatsApp review team. This WhatsApp review team is made up of an AI “algorithm” and human WhatsApp reviewers.
2. For a long time, WhatsApp stored backups unencrypted
Prior to an October 2021 update, WhatsApp stored backups – which included messages and contacts – unencrypted. This allowed for circumvention of WhatsApp E2EE; anyone with access to the backups also had unfettered access to any given users' message history.
This is not definitively saying “WhatsApp is insecure because it is not open source,” but rather a criticism of the status quo and its claims of being highly secure (and private, by extension). WhatsApp's closed-source nature exacerbates the potential circumvention of its E2EE claim - nothing is easily confirmed or easily verified.
Use a secure alternative to WhatsApp instead
If WhatsApp has so many privacy shortcomings, what should users do?
The best solution for reducing or eliminating WhatsApp’s access to your data is to stop using WhatsApp. Ideally, users would use a private and secure messenger in place of WhatsApp and convince their contacts to migrate to these more secure messaging platforms as well.
However, in practice, it isn’t always feasible for users to completely drop WhatsApp. Even if users themselves make the switch – it might not always be possible to convince their contacts to also quit WhatsApp.
In these cases, hope is not necessarily all lost. If WhatsApp cannot be abandoned in its entirety, then privacy-conscious users have options for minimizing data collection employed by WhatsApp. Some basic steps and changed approaches users can take to help address WhatsApp privacy and security concerns:
- If possible, enable “secure” backups – this should encrypt backups uploaded to the cloud.
- Do not sync/upload contacts with WhatsApp
- Minimize use of WhatsApp – which can include limiting use frequency and who you engage with on the platform
- Avoid transmitting sensitive information over WhatsApp
- Do not attach payment information to WhatsApp
As previously stated, users are strongly advised to ditch WhatsApp for a secure messaging alternative where appropriate. If possible, users should also try to get their friends and family to switch to more secure and private messengers!
WhatsApp has numerous privacy concerns, ranging from the unscrupulous data practices of its parent company (Meta) to its handling and likely collection of user metadata. Users should remember that once data is captured by WhatsApp, it becomes next to impossible for users to control how it’s used or shared.
If it's not possible to switch from WhatsApp, then users should seek to mitigate some of the issues with WhatsApp as discussed in this post. Users can restrict WhatsApp permissions on their phones, limit their use of WhatsApp, enable encrypted backups at all times, and refuse to sync or upload contacts to WhatsApp service providers. Users should also avoid transmitting any sensitive information over WhatsApp.
With that said, stay safe out there!