Pattern Drive Private Limited

WhatsApp: How To Protect Your Identity From Meta / Facebook

Updated on: 28/12/2023


Whether it’s because you’re “forced” to use WhatsApp because of social pressure or because you don’t want to miss out on any club news, the goal of this post is to give you some tips on how to use WhatsApp in the best way possible. In my opinion, there are better ways to use WhatsApp than this, which is why I neither recommend using it nor want to encourage you to use it.

 

1. WhatsApp Incognito

In the first article related to WhatsApp, we found that it is not enough to simply change the data protection settings within the app to limit data collection by Meta/Facebook. These have limited or no influence on data collection by Meta/Facebook, but rather influence what information you make available to other users. It makes more sense to limit permissions to reduce the data that Meta/Facebook can collect or process while using WhatsApp.

This article presents two approaches that make it possible to use WhatsApp “passively” so as not to miss important (club) information or the like. In this context, passive means that WhatsApp is not used as a communication platform, but rather to receive information. People who actively use WhatsApp and regularly communicate with their contacts should follow the advice from the first post. This article addresses all those who use WhatsApp reluctantly and cannot or do not want to do without it, but would like to remain as unknown to Meta/Facebook as possible.

2. The Problem And The Solution

The general problems associated with using WhatsApp were already highlighted in the first part. Below we explain why using WhatsApp anonymously is a challenge and how it can still be achieved.

2.1 The Problem

Some users only use WhatsApp to receive important (club) information or similar that they do not want to miss. They don't like using WhatsApp and actually want to remain anonymous to Meta/Facebook. However, this is difficult with an existing WhatsApp installation because Meta/Facebook most likely knows the person/user behind it. By linking the information collected in WhatsApp using big data methods, it is possible to assign it to a specific person. It is enough for someone to have the Facebook app installed in parallel on their device for Meta/Facebook to establish a connection without the need for special identifiers such as device IDs. The reason: Both WhatsApp and the Facebook app read the Google Advertising ID. This gives Meta/Facebook an identifier that they can assign to exactly one person:

 

 

John Doe has installed the Facebook app, which regularly reads the Google Advertising ID from his device [1] and forwards it to Meta/Facebook [2]. Meta/Facebook now has a unique identifier that can be assigned exactly to John Doe. So Meta/Facebook knows that the Google Advertising ID d57fa49c-45a8-4a60-8b53-2aad7bde9a73 belongs to John Doe. John Doe has also installed WhatsApp, which likewise regularly reads the Google Advertising ID from his device [4] and transmits it to Meta/Facebook [5]. Meta/Facebook cannot initially establish a direct connection to a specific person based solely on his telephone number [6], as John Doe has not stored this information on Facebook. However, Meta/Facebook can make an attribution because it has received the following information via the Facebook app:

d57fa49c-45a8-4a60-8b53-2aad7bde9a73 John Doe

By linking and merging the data in the background, Meta/Facebook now also knows that John Doe uses WhatsApp [8] because the Google Advertising ID is identical. This allows Meta/Facebook to link all data generated during use with its identity.

2.2 The Solution

If we want to use WhatsApp without any personal reference if possible, it is necessary to change or disguise the identification features such as device IDs, telephone number, IP address, etc. in such a way that it becomes difficult or impossible to assign it to a specific person. This involves a certain amount of effort and restrictions.

Two variants are presented below, which do not prevent the transmission of identification features to Meta/Facebook, but change/disguise them in such a way that establishing a personal reference becomes more difficult or impossible. In addition to reinstalling WhatsApp, both variants also require a new phone number that is used exclusively for WhatsApp.
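The linking described in this section can be reproduced on a small scale. The following is an added example, not part of the original article: it clusters constructed telemetry records that share any identifier value and reports which app installs end up attached to a real name. Only the advertising ID comes from the article; the record layout, IP addresses, phone numbers and second advertising IDs are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed telemetry records: one per app install, listing the identifiers
# that install exposes. Only the first advertising ID is taken from the
# article; all other values are made-up sample data.
RECORDS = [
    {"app": "facebook", "name": "John Doe", "ip": "198.51.100.7",
     "ad_id": "d57fa49c-45a8-4a60-8b53-2aad7bde9a73"},
    # WhatsApp installed next to the Facebook app: same advertising ID.
    {"app": "whatsapp-main", "phone": "+49 555 0100", "ip": "198.51.100.7",
     "ad_id": "d57fa49c-45a8-4a60-8b53-2aad7bde9a73"},
    # New number and new advertising ID, but still on the home connection.
    {"app": "whatsapp-new-number-home-ip", "phone": "+49 555 0101",
     "ip": "198.51.100.7", "ad_id": "00000000-aaaa-4bbb-8ccc-000000000001"},
    # New number, new advertising ID, traffic leaves through a Tor exit.
    {"app": "whatsapp-new-number-tor", "phone": "+49 555 0102",
     "ip": "203.0.113.50", "ad_id": "00000000-aaaa-4bbb-8ccc-000000000002"},
]
# Simplification: every shared value is treated as a hard link. In practice
# an IP address only points to a household for a limited period of time.
LINK_KEYS = ("ad_id", "ip", "phone")


def link_records(records, keys=LINK_KEYS):
    """Union-find: records sharing any identifier value join one cluster."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (key, value) -> index of the first record carrying it
    for idx, rec in enumerate(records):
        for key in keys:
            if key not in rec:
                continue
            token = (key, rec[key])
            if token in first_seen:
                parent[find(idx)] = find(first_seen[token])
            else:
                first_seen[token] = idx
    clusters = defaultdict(list)
    for idx, rec in enumerate(records):
        clusters[find(idx)].append(rec)
    return list(clusters.values())


def names_linked_to(records, app, keys=LINK_KEYS):
    """Real names reachable from `app` through shared identifiers."""
    for cluster in link_records(records, keys):
        if any(rec["app"] == app for rec in cluster):
            return sorted({rec["name"] for rec in cluster if "name" in rec})
    return []


if __name__ == "__main__":
    for rec in RECORDS:
        linked = names_linked_to(RECORDS, rec["app"])
        print(rec["app"], "->", linked or "no name attached")
```

The third record shows why a new number and a new advertising ID are not enough when another Meta/Facebook service is used on the same internet connection.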

3. New Phone Number

In addition to the IP address, device IDs, email address, cookies, etc., the telephone number is often used as an identification feature or identifier. One or a combination of such identifiers can be used to establish a personal reference, as the example with the Google Advertising ID under point “2.1 The Problem” illustrates. It is therefore crucial to use a new phone number for WhatsApp, so that the link that already exists between your current phone number and yourself is not carried over.

There are various options available to get a new phone number. As a rule, it is easiest to register an additional telephone number with your existing provider. It is important to pay attention to both the cost and the terms of the SIM card. Below I will briefly explain the procedure using Congstar, which I use both privately and professionally. The procedure is likely to be similar for other providers.

3.1 Registration With The Existing Provider

In addition to my regular Congstar contract, I opted for the prepaid tariff “Prepaid as I want (2nd generation)”. When registering, the card is loaded once with €15 and the credit can then be used under Congstar's conditions. However, there is an important caveat:

Your prepaid card does not have a fixed term and can be canceled at any time. If your prepaid card has not been topped up for more than 15 months, it will be canceled automatically.

After 15 months without a top-up, the SIM card and thus the telephone number will be canceled. So using WhatsApp costs €1 per month if the SIM card is topped up again with €15 after 15 months. The conditions and terms of the SIM cards can vary depending on the provider, so it is advisable to find out about the right offer in advance. In addition to the variant presented, there are of course other ways to get a SIM card. Some of them are in a legal gray area.

3.2 Anonymous SIM Cards

Note: Matthias Eberl has investigated how to get anonymous SIM cards and whether the benefit justifies the effort.

In Germany you have to identify yourself with an official document when registering a SIM card. The problem, however, is that the regulations have so many loopholes that people who actually want an anonymous card can achieve this relatively easily. For example, it is permitted to sell used SIM cards that have already been registered without having to verify the identity again. Such offers are available on the Internet, and German cell phone shops occasionally offer already registered and functional cards upon request. Some countries such as Spain and the Netherlands are also known for often activating SIM cards without identity verification.

However, this is not necessary to protect yourself from advertising tracking by companies: the advertising industry does not have access to the registration data. A disposable SIM that is registered to your own ID card is sufficient to unlock yourself for app registrations or similar. It's ideal to do a few registrations with one card and then get a new one, as cards expire if not reloaded every few months. However, it is advisable not to do too many registrations with the same number, as the behavioral data of these accounts may be merged under the same phone number ID, which should be avoided. If the card expires, you should be aware that if the password is lost, the account cannot be restored. As a rule, SMS messages are no longer requested during ongoing operation.

3.3 Recommended Action

For long-term “passive” use of WhatsApp, it is recommended to purchase a conventional SIM card and keep an eye on the duration and costs. Since Meta/Facebook does not have access to the registration data, there is no risk of a link to your person. If WhatsApp is only used for a few weeks, disposable SIM cards or anonymous cards can also be considered.

4. Variant 2: New Telephone Number | Work Profiles

The second variant is aimed at those who only use WhatsApp and do not use any other Meta/Facebook services. However, if other services are also used, this requires more drastic measures to maintain anonymity towards Meta/Facebook. In this case, it is advisable to go straight to the third variant. This applies even if the Android work profile is already being used for other purposes.

The present approach is aimed at the “passive” use of WhatsApp in order not to miss important (association) information or the like. Such general information is usually distributed via group chats, communities or channels. This means: We mainly limit ourselves to receiving information, although communication is also possible. However, no contacts (with telephone numbers) are created and individual chats are avoided in order to prevent Meta/Facebook from drawing conclusions about contacts/people via the social graph.

4.1 Set Up Work Profile

A work profile can be set up on an Android device to separate work apps and data from personal apps and data. A work profile allows you to securely use the same device for work and personal purposes. You can manage your organization’s work apps and data, while your personal apps and data and personal usage remain private.

We repurpose the work profile here: instead of separating private from business data, our goal is to separate data, including contacts and identification features such as the Google Advertising ID, between the main profile and the work profile.

The AuroraStore is installed in the work profile - either directly via the APK file (e.g. AuroraStore 4.3.5.apk) or via the F-Droid Store. Before WhatsApp is installed or started, it is recommended to use a new IP address. This can be done by reconnecting the router or by switching from the WLAN to the mobile network. We would like to prevent Meta/Facebook from possibly establishing a connection/link to the previously deleted account via the IP address. If WhatsApp was not previously installed on the device or used in the household, this risk does not exist.

4.2 WhatsApp Registration

Register WhatsApp with the new SIM card. To do this, replace the SIM card in your device or use another phone to receive the verification code via SMS. Then start WhatsApp. When creating the new account, you enter your new phone number. As soon as you tap “Further”, WhatsApp will ask for SMS/phone permission. You should reject this authorization request with “Not Now” as it is invasive and unnecessary. WhatsApp cannot then automatically verify the number because there is no access to the SMS. Instead, you receive the SMS and then have to enter the six-digit code yourself:

 

 

Registration is now complete and the SIM card can be changed or removed. Before using WhatsApp, there are further steps to take into account, which are summarized for both variants under point 6 “Setting Up WhatsApp”.

5. Variant 3: New Telephone Number | Burner Phone | IP Obfuscation

If other Meta/Facebook services are used in the home in addition to WhatsApp, the use of a burner phone is essential in order to remain anonymous to Meta/Facebook. If a family member uses Instagram, for example, there is a high probability that Meta/Facebook knows the account owner or can establish a connection to a person. If the family member then logs into Instagram via their home internet connection, an IP address is inevitably/systemically transmitted to Meta/Facebook. This IP address, similar to the Google Advertising ID, serves as an identifier and makes it possible to establish links to people across apps and devices. When using WhatsApp at the same time via the same Internet connection, Meta/Facebook can use the IP address as an identifier, which makes it possible (for a certain period of time) to be assigned to a person/group of people. Variant 3 is aimed at those who use other Meta/Facebook services in addition to WhatsApp - whether personally or a family member does not matter.

The present approach is aimed at the “passive” use of WhatsApp in order not to miss important (association) information or the like. Such general information is usually distributed via group chats, communities or channels. This means: We mainly limit ourselves to receiving information, although communication is also possible. However, no contacts (with telephone numbers) are created and individual chats are avoided in order to prevent Meta/Facebook from drawing conclusions about contacts/people via the social graph.

5.1 Burner Phone

A burner phone is essentially a cell phone that only has the most basic features. It has no apps and cannot surf the Internet. Unlike the traditional smartphone, a burner phone is not connected to a multitude of accounts that could be used to record behavior for marketing purposes. Typically, burner phones are used with anonymous disposable SIM cards that are used to make only one or two calls.

For our purposes, we'll soften the definition of a burner phone a bit. WhatsApp is installed on our burner phone and is not thrown away after use. The main reason for using a separate device is to completely separate any potential identifying data/identifiers that Meta/Facebook has collected about us and our devices in the past/present/future and linked to us.

Which devices are suitable as burner phones? In principle, any Android smartphone that can run WhatsApp and Orbot and that is used exclusively for WhatsApp can be used. If the device has already been in use or has been retired, it should be reset to factory settings before installing WhatsApp. It is difficult to say how up to date the system needs to be. Ideally, all security updates should be installed promptly, but this is rather unrealistic for an (inexpensive) burner phone. If the use of the device is limited to the home environment or WLAN, the potential attack vectors are rather limited. In summary, current security updates are desirable for the planned scenario, but not a mandatory requirement, as is the case with devices for online banking, for example.

5.2 IP Obfuscation With Orbot

After putting the burner phone into operation or inserting the SIM card, Orbot is first installed. Orbot makes it possible to route all traffic or only selected apps over the Tor network, thus obscuring the IP address. In principle, this works similarly to a VPN, but with Orbot or the Tor network, trust in a VPN provider is not necessary. Rather, trust is an integral part of the Orbot/Tor network concept/architecture. By using Orbot, we can ultimately hide our IP address, which could serve as an identifier for Meta/Facebook - especially if other Meta/Facebook services are used in the household.

Orbot can be installed via either the Google Play Store or the Aurora Store. Since the Aurora Store will later be used to install WhatsApp, I recommend installing via the Aurora Store - either directly via the APK file (e.g. AuroraStore 4.3.5.apk) or via the F-Droid Store.

Once installed, Orbot is launched and configured to route only WhatsApp traffic through the Tor network. To do this, tap on Tor-Activated Apps [1], select WhatsApp from the app list [2] and activate the connection by clicking on START [3]. From now on, all traffic to and from WhatsApp will be routed exclusively through the Tor network. If Orbot is not active or there is no connection to the Tor network, WhatsApp cannot connect to the Meta/Facebook servers - this corresponds to the intended functionality, as the data traffic should only be routed via the Tor network:

 

 

Helping people circumvent internet censorship

Snowflake is integrated into Orbot. In addition to receiving/sending WhatsApp messages, the Burner Phone can also be used to help people bypass state censorship measures.

5.3 WhatsApp Registration

First, WhatsApp is installed via the existing Aurora Store. As already explained, a connection to WhatsApp or the Meta/Facebook servers is only possible if Orbot is active. To check, you can temporarily stop Orbot and then try to start WhatsApp. When registering, a message appears on the screen.

The registration process can only take place after Orbot has started again. When creating the new account, you enter your new phone number. As soon as you tap “Further”, WhatsApp will ask for SMS/phone permission. You should reject this authorization request by clicking on “Not now” as it is invasive and unnecessary. WhatsApp cannot then automatically verify the number because there is no access to the SMS. Instead, you receive the SMS and then have to enter the six-digit code yourself.

Registration is now complete. Before using WhatsApp, there are further steps to take into account, which are summarized below under point 6 “Setting Up WhatsApp” for both variants.

6. Setting Up WhatsApp

Regardless of the variant chosen, WhatsApp is now set up; the steps are identical in both cases. As a reminder: WhatsApp only serves as a source of information for group chats and communities. Interaction within these groups is permitted, but no contacts should be added to the address book and no individual chats should be started - otherwise there is a risk that Meta/Facebook can draw conclusions about you via the social graph.

6.1 Data Protection Check & Permissions

As explained in the first post, you should carry out the data protection check and reduce WhatsApp's permissions to a minimum. You can use Settings (Android/iOS device) -> Apps -> View All Apps -> WhatsApp -> Permissions to adjust the permissions on Android. A minimal configuration for this setup would be, for example, as follows:

  • Notifications
  • Network (not displayed on every system)

The above setup allows participation in group chats, communities and channels. However, certain restrictions must be considered:

  • No names are displayed for the contacts, only the telephone number
  • No audio recordings, videos or images can be created or sent
  • Sending files is also not possible
  • The location cannot be shared with other participants
  • Neither voice nor video calls are possible
  • [...]

My suggestion now is to choose the minimal setup and then decide individually how important a function is to you and whether you grant the corresponding authorization. In this case, WhatsApp will show you relevant information - here is an example screenshot of the Android version:

 

 

It is important to note that granting additional permissions allows Meta/Facebook to access certain (meta) information. It is therefore recommended not to grant any further permissions and to limit yourself to sending and reading messages.
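One way to check the result from a computer instead of the Settings screen, as an added example that is not part of the original article: the script parses the per-user "runtime permissions" sections of `adb shell dumpsys package com.whatsapp` output and lists every granted permission outside the minimal set above. It assumes adb access to the device and an output layout like the constructed sample; treating user 10 as the work profile is also an assumption, since the id can differ per device.

```python
import re

# Minimal set from section 6.1: notifications and network.
ALLOWED = {
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.INTERNET",
}

# Constructed sample, modelled on the per-user part of
# `adb shell dumpsys package com.whatsapp`; not captured from a real device.
# User 0 is the main profile, user 10 stands in for the work profile.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (1a2b3c4):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
    User 10: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
      enabledComponents:
        com.example.Placeholder
"""

USER_RE = re.compile(r"^\s*User (\d+):")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def granted_runtime_permissions(dumpsys_text):
    """Return {android_user_id: set of granted runtime permissions}."""
    result = {}
    user = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        match = USER_RE.match(line)
        if match:
            user = int(match.group(1))
            result[user] = set()
            in_runtime = False
            continue
        if user is None:
            continue  # still in the package header (install permissions etc.)
        if line.strip() == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            match = PERM_RE.match(line)
            if match is None:
                in_runtime = False  # next sub-section of this user started
            elif match.group(2) == "true":
                result[user].add(match.group(1))
    return result


def excess_permissions(dumpsys_text, allowed=ALLOWED):
    """Per user, the granted permissions that go beyond the minimal set."""
    granted = granted_runtime_permissions(dumpsys_text)
    return {u: sorted(p - allowed) for u, p in granted.items() if p - allowed}


if __name__ == "__main__":
    for user, perms in excess_permissions(SAMPLE_DUMPSYS).items():
        print(f"user {user}: revoke {', '.join(perms)}")
```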

6.2 Join Groups/Communities

To join group chats and communities, you usually need an invite link or an invitation from the admin/manager, while channels are public and can be subscribed to by anyone. For example, if you want to join the club group chat/community, someone has to invite you or send you an invitation link. It doesn't matter which channel (email, other messenger, etc.) you receive the link from. So ask the admin of the group chat/community for an invitation link.

Once you have this, open a browser in your work profile and enter the URL or invitation link:

https://chat.whatsapp.com/F1SQHYw347xN47NuX

WhatsApp will respond to the input and open the corresponding group chat/community.

Now you are part of a group/community/channel - but with the difference that Meta/Facebook does not know you or cannot assign you to a person. To keep it that way, you should only use WhatsApp for group communication and neither create contacts in the address book nor initiate individual chats that could allow conclusions to be drawn about contacts/people via the social graph.

6.3 Help: Someone Adds Me To Their Contacts

Even if you are very careful/prudent, there is a chance that someone will save your new phone number in their contacts. The fear is that Meta/Facebook can establish a personal connection again through this storage, as your own number is transmitted together with the stored name, address and all other attributes from the phone book. However, this is incorrect and a common misconception. In fact, WhatsApp “only” transmits the phone numbers from the address book and no other attributes. It is therefore not possible for Meta/Facebook to easily establish a personal reference in this way.

7. Special Function GrapheneOS [Variant 2]

Anyone who uses the custom ROM GrapheneOS can activate/deactivate two useful special functions for the work profile, depending on their requirements.

The first setting, for the work profile, can be made in the main profile under System -> Multiple Users -> “Allow running in background”. When enabled, this feature allows WhatsApp and other apps to run in the background, so that WhatsApp messages can be received even when the work profile is not open. If this function is deactivated, all apps in the work profile are completely closed/stopped. Only after switching to the work profile does WhatsApp become active again and receive messages.

The second setting, “Send notifications to current user,” can be accessed in the work profile at System -> Multiple users. When this feature is enabled, notifications will be forwarded to the main profile. This is useful if you have WhatsApp installed in your work profile but still want to be informed about new messages.

8. Conclusion

Two approaches to the “passive” use of WhatsApp are presented here, which are particularly interesting for those who want to maintain their anonymity towards Meta/Facebook. What is crucial here is the change or concealment of identification features and metadata in order to make it more difficult or impossible for Meta/Facebook to establish a personal connection. This requires a certain amount of effort and is associated with corresponding restrictions.

However, I would like to emphasize that these technical solutions should not be seen as the preferred route. Rather, the first step should be to talk to those responsible in order to point out possible problems when using WhatsApp. Only if those responsible, be it the club board, parents or the institution, do not address these concerns should the approaches presented here be considered as possible solutions.

