How secure is communication over WhatsApp?

September 3, 2023

WhatsApp has retained its status as an end-to-end encrypted platform. Paradoxically, it isn’t entirely private


When WhatsApp was first acquired by Facebook (now Meta), the former was quick to allay fears that the once secure, end-to-end encrypted application might not retain its privacy-first functionality. These assurances were rightly met with scepticism, given that the application was being acquired by a company known more for commodifying personal data than protecting it. For the most part, WhatsApp, under Facebook-Meta, has retained its status as an end-to-end encrypted platform. Paradoxically, however, it isn’t entirely private.

Last week, the Prime Minister’s Office issued a security alert for senior government officials in the wake of hacking attempts over WhatsApp. This is not the first time that WhatsApp was used to target Pakistani officials. It was earlier reported that top Pakistani intelligence officials were among the 1,400 targets of the infamous 2019 NSO Spyware attacks, which exploited vulnerabilities in WhatsApp’s audio call feature. The attacks resulted in Meta filing a lawsuit against the Israeli NSO group. These incidents raise questions both regarding the security of WhatsApp as a tool for sharing sensitive information and the over-reliance of the government on such imperfect tools.

The state’s reliance on WhatsApp cannot be overstated. Many in the government will tell you that the country runs on WhatsApp – everything from small businesses to communication between government officials takes place over the messaging platform. This means that the security of the state’s communication is dependent on the ever-changing policies of a privately owned, for-profit platform. While this is a cause for concern, the government’s efforts to develop alternative, home-grown apps carry with them a number of issues. For instance, ‘Beep Pakistan’, which has been touted as a “WhatsApp alternative,” has been developed by the National Information Technology Board (NITB) in collaboration with the Ministry of Information Technology and Telecommunications (MOITT). The application has yet to be open to public use but is unlikely to be open-source, leaving room for backdoors to gain access to user data. Indigenously grown applications in other contexts, such as WeChat, have drawn criticism for the restrictive privacy afforded to users.

It is important also to understand WhatsApp and its policies, given that it is the site of our professional and personal lives. WhatsApp is end-to-end encrypted, which means that a third party cannot intercept the content of the messages you send while it is being delivered. Think of it as a piece of mail sent by the person writing the letter (A) to their friend (B). The letter, if encrypted, cannot be intercepted while it is being delivered, be it by the post office, mail delivery personnel or anyone else apart from B. End-to-end encryption thus is an important bulwark against electronic interception, meaning that neither the state nor the company owning the messaging service can read the content of your messages. But there are two crucial caveats here.

End-to-end encryption does not guard the security of the messages from being compromised on either end. For instance, if B’s phone is stolen or hacked, the content of the message is accessible from their device. WhatsApp encryption does not protect the message from being screenshot and forwarded or protect it if the device of the sender or the recipient is hacked or compromised.

Furthermore, a closer inspection of WhatsApp’s policies reveals that Meta retains personal data such as phone numbers, device information and IP addresses. This policy caused controversy in 2021. However, it has been in place since 2016. So the content of your conversations, calls and messages is still encrypted; however, data surrounding it – metadata – are collected and stored. These policies are a reminder that WhatsApp, despite its branding as a secure application, is ultimately owned by a for-profit company that does not share its source code and will collect as much data as it can, given its profit model.

The ubiquity of WhatsApp, particularly across the Global South, and its complicated privacy policies make migration off the platform difficult. WhatsApp is used by businesses; it allows for an accessible way to stay in touch with loved ones and can be a place of community through groups. While it is true that our communication on WhatsApp is more secure than sending an SMS or making a call through our SIM, the promise of end-to-end encryption can make us complacent and overestimate our privacy, especially given opaque privacy policies. The application is not entirely safe nor private and is owned by a private company known for egregious privacy practices. In this context, many digital security advocates recommend open-source applications such as Signal that prioritise privacy and rely on donations rather than data-for-profit revenue models. There are trade-offs when using these apps; for instance, it is difficult for these privacy-first applications to moderate content or users in case of abuse, harassment or crime because they do not retain any data.

At the end of the day, security is not just about how robust technologies and policies are but how much end users trust an application. When WhatsApp tweaked its privacy policy in 2021, there was a lot of public panic about WhatsApp listening to our chats and calls. Most users do not have the time to read the fine print or split hairs about the difference between the content of conversations and metadata. WhatsApp is now an inextricable part of the critical infrastructure that we use to communicate with one another on a daily basis; its security and privacy are a matter of public importance. It is imperative that these technologies be private by default and prioritise security over profits.


The writer is a researcher and campaigner on human and digital rights issues
