Pattern Drive Private Limited

WhatsApp: How Data Protection / Privacy Can Be Improved

Updated on: 28/12/2023

The aim of this article is to provide instructions for those who are "forced" to use WhatsApp for various reasons - be it due to social pressure or not to miss any club news. In my personal opinion, however, there are clearly superior alternatives to WhatsApp, which is why I do not recommend or want to legitimize the use of this app.

 

1. Market Dominance

With over 2 billion active users (as of January 2023), WhatsApp is undoubtedly the most frequently used messenger for both private and business communication. Although there are other messengers that compete with or are even better than WhatsApp in terms of convenience, user-friendliness, privacy and security, its user numbers remain consistently high. The main reason for this is that these competitors launched late compared to WhatsApp, which has practically replaced the SMS function.

Although WhatsApp has an extensive list of privacy and security violations, these scandals appear to have had limited impact on the messenger's continued popularity. After such a scandal, there is occasionally a short-term migration of users to other messaging platforms. However, no serious competition to WhatsApp has yet emerged that could permanently threaten its dominance.

2. The WhatsApp Problem

Below I would like to briefly highlight the problems that come with using WhatsApp. The main argument is: WhatsApp belongs to Meta/Facebook, one of the largest data collectors in the world. For this reason alone, it is actually advisable to avoid using WhatsApp. An often mentioned counter-argument is:

But the content is completely end-to-end encrypted!

This is correct, but unfortunately it is also too superficial an observation. WhatsApp may not be able to track the content of chats and conversations, but that doesn't mean it doesn't collect any data at all. The article “The complex world of metadata” illustrates which invisible digital traces, namely metadata, are created in our online activity and how much they reveal about our lives, our habits and our interests.

Now the question arises: What (meta) data is collected by WhatsApp or passed on to Facebook (companies)? Below is a non-exhaustive list:

  • Accurate and approximate location information
  • Participant information (phone number, profile name, profile picture, status messages)
  • The (social) network, i.e. all the phone numbers of the contacts from the address book (including non-users)
  • Device and connection data
    • IP address
    • Device/model used
    • Operating system used
    • Battery level
    • Browser used
    • Language and time zone
    • Identifiers from the system (including individual IDs for meta-company products linked to the same device or account)
    • […]
  • Mobile phone provider or information about the provider
  • Usage information such as the frequency, timing and duration of activities
  • […]

If you want to know more, you can take a look at WhatsApp's privacy policy. What's particularly worrying to me is the fact that Meta/Facebook knows where someone is (approximately) at all times:

General location information: Even if you do not want to use our features related to your precise location (see Information shared by you and WhatsApp with third parties), we use IP addresses and other information such as telephone area codes to determine your approximate location (e.g. the country).

From this (meta) data, not only can a comprehensive usage and behavior profile be derived, but also who is in contact with whom via WhatsApp and when (Social Graph). And this metadata is no less worthy of protection than personal data.

2.1 Special Feature: Chat Backups

By default, WhatsApp cloud backups are not encrypted. This means that photos, images, videos, audio files and any communication end up unencrypted in the Google or Apple cloud. The end-to-end encryption, which makes sense in itself, is bypassed and completely loses its meaning. This is annoying, but can be adjusted later via the settings:

  • Open Settings
  • Tap on Chat -> Chat-Backup -> End-to-End Encrypted Backup
  • Tap “Turn on” and follow the instructions to create a password/key
  • Then choose “Select” and wait for WhatsApp to create an end-to-end encrypted backup

The cloud backup is now also end-to-end encrypted and can only be restored if the correct password/key is provided.

Tip: Backup only when necessary

Creating backups in the cloud can make sense for some people. Another option is to deactivate the backup completely and only activate it when necessary, for example if you change your smartphone and want to move all existing chats.

2.2 Nerd Info About Local Backup On Android

By the way, local backups are possible with the Android version of WhatsApp. Depending on the WhatsApp version, the backup is encrypted with 256-bit AES. This can be recognized by the extension crypt12 that is appended to the file name of the message database (msgstore.db.crypt12). In order to read/decrypt the database, the appropriate key from the device, which is located at the path /data/data/com.whatsapp/files/key, is also required.

3. Three Variants For More Data Protection

In this article I present one of three variants with which the use of WhatsApp can be made more privacy-friendly. Each variant increases the level of data protection and protection of privacy, but comes with a certain loss of convenience. The first variant assumes that WhatsApp is already installed on the device and is being actively used. The second variant, which requires a new installation of WhatsApp, changes the initial situation and offers more leeway. The third variant represents the most extreme form. The three variants are briefly presented below.

Note: Both the second and third variants are presented in the following article.

3.1 Variant 1: WhatsApp Already In Use [Android & iOS]

Many people are aware of the concerns about using WhatsApp. Nevertheless, they don't want to do without it, but are looking for ways to improve their data protection toward Meta/Facebook. This can be achieved primarily by restricting permissions, as described in Section 4 of this post. This variant can be implemented for both Android and iOS. All other variants are only suitable for Android.

3.2 Variant 2: WhatsApp Reinstallation | Work Profile [Android Only]

Some users only use WhatsApp so as not to miss important (club) information or similar. They don't like using WhatsApp and actually want to remain anonymous to Meta/Facebook. However, this is difficult with an existing WhatsApp installation because Meta/Facebook most likely knows the person/user behind it. By linking the information collected in WhatsApp using big data methods, it is possible to assign it to a specific person. It is enough for someone to have the Facebook app installed in parallel on their device for Meta/Facebook to establish a connection without the need for special identifiers such as device IDs. The reason: Both WhatsApp and the Facebook app read the Google Advertising ID. This gives Meta/Facebook an identifier that they can assign to exactly one person:

 

 

John Doe has installed the Facebook app, which regularly reads the Google Advertising ID from his device [1] and forwards it to Meta/Facebook [2]. Meta/Facebook now has a unique identifier that can be assigned exactly to John Doe. So Meta/Facebook knows that the Google Advertising ID d57fa49c-45a8-4a60-8b53-2aad7bde9a73 belongs to John Doe. John Doe has also installed WhatsApp, which also regularly reads the Google Advertising ID from his device [4] and transmits it to Meta/Facebook [5]. Meta/Facebook cannot initially establish a direct connection to a specific person based solely on his telephone number [6], as John Doe has not stored this information on Facebook. However, Meta/Facebook can make an attribution because it has received the following information via the Facebook app:

d57fa49c-45a8-4a60-8b53-2aad7bde9a73 = John Doe

By linking and merging the data in the background, Meta/Facebook now also knows that John Doe uses WhatsApp [8] because the Google Advertising ID is identical. This allows Meta/Facebook to link all data generated during use with its identity.

So what can we do to ensure that WhatsApp can be used without any personal reference? To achieve this, the identifying features (device IDs, telephone number, IP address, etc.), i.e. the information that allows Meta/Facebook to identify a person, must be changed or obscured in such a way that assignment to a specific person becomes difficult or impossible. With a little effort this is possible. The following components are required:

  • A new phone number
  • An Android phone with support for multiple profiles

The concrete implementation is then described in the following part.

3.3 Variant 3: Burner Phone [Android Only]

Variant 2 is effective if a person does not use any other Meta/Facebook services. However, if other services are also used, more drastic measures are required to maintain anonymity to Meta/Facebook. In such cases, the following components are required:

  • A new phone number
  • Burner phone: A device that is not linked to personal identity
  • Orbot

The implementation of this variant is also described in the following article.

4. Variant 1: WhatsApp Already In Use

Since mid-2023, WhatsApp has been offering a data protection check that can strengthen both privacy and security. However, you should not have excessive expectations when it comes to data protection. The privacy settings have limited to no influence on data collection by Meta/Facebook, but rather on what information you make available to other users. Nevertheless, it makes sense to check the data protection settings.

4.1 Data Protection Check

The menu item Settings -> Privacy takes you to the data protection check. This is clearly displayed at the top of the screen. If you have already closed the banner, it will appear again after a certain time. There is no need to wait for the banner to appear again, as the following settings are all available within the app. However, they are not bundled as clearly as in the data protection check:

 

 

The data protection check is started by tapping on “Start Check”. Four central selection options then appear, which we go through one after the other:

 

 

4.2 Choose Who Can Contact You

Under “Groups” you can specify who can add you to chat groups. You can choose between

  • All
  • My contacts
  • My contacts except...

It is recommended to select either My contacts or My contacts except....

 

 

It is advisable to enable the option “Silence calls from unknown people”. It is especially important to use this option for people who may not be able to recognize shock calls or scams like the grandchild trick. So if you look after the devices of relatives or other less tech-savvy people, you should activate this option.

In the section “Blocked contacts” you can specify which people are no longer allowed to contact you.

4.3 Maintain Control Of Your Personal Data

Under “Profile picture” you can specify who can see your profile picture. You can choose between

  • All
  • My contacts
  • My contacts except...
  • No one

Apart from “All”, every option is acceptable, depending on individual taste. People you don't know do not need access to your profile picture.

 

 

As in the previous section, under “Last online/Online” you can choose between

  • All
  • My contacts
  • My contacts except...
  • No one

This means only the selected contacts can see when you were last online. I personally recommend the setting “Nobody” because in my opinion no one necessarily needs to know when you were last online.

You can also specify whether your contacts can see whether you are currently online. This setting is affected by the option you have already selected for “Last online”. Check the box next to “Last online.”

In the area “Read receipts” you can set whether you want to tell your conversation partner in an individual chat whether a message has been read (two check marks will then appear next to the message). If this option is deactivated, you will no longer receive a read confirmation either, which is tolerable in my opinion. So I would deactivate read receipts. By the way, this has no effect on group chats: read receipts are always active there.

4.4 More Data Protection For Your Chats

Under “Standard-Message duration” you can specify whether messages disappear automatically after a certain period of time (24 hours, 7 days, 90 days). However, this setting only affects individual chats and only when they are newly created. In order for the function to take effect, existing individual chats must be deleted and communication restarted. By the way, this has no effect on group chats - the function is not available here.

 

 

To ensure that neither Google nor Apple can “accidentally” read your messages, it is essential that “End-to-end encrypted backups” be activated. This important security measure has already been mentioned in section “2.1 Special Feature: Chat Backups”.

4.5 Make Your Account More Secure

WhatsApp has two additional security measures to prevent others from reading your messages. These measures are the:

  • Fingerprint lock
  • Two-step verification

When fingerprint lock is enabled, WhatsApp requires additional unlocking via fingerprint/Face ID etc. before use. This is an additional security feature that can be enabled as needed.

Far more interesting is two-step verification. If someone tries to register on WhatsApp with your phone number, they will need a PIN, which you can set here. This security option should be enabled.

4.6 Other Settings

So far, some settings have not yet been taken into account in the data protection check. However, these should also be adjusted. These can be reached via Settings -> Privacy:

  • Info: Who can see the info? The usual selection options (All, My Contacts, My Contacts Except... and Nobody) are offered here again.
  • Status: Who can see the status messages?
  • Live Location: Live location should normally be disabled by default. Here you can check whether it is still activated and whether you are currently sharing it with others.

4.7 App Permissions

The settings presented do not reduce the data that Meta/Facebook collects when using WhatsApp. Reducing the data/information that Meta/Facebook receives can be achieved via permissions. Permissions on Android and iOS are settings that allow an app to access certain functions, interfaces and data on a device. These permissions are important because they allow control over what information an app can collect and use. For example, access to sensitive interfaces such as camera, microphone, contacts, location, etc. can be controlled via permissions. This principle of permissions allows us to (somewhat) limit Meta/Facebook's data collection.

In version 2.23.20.76 [at the time of writing: 2.23.25.83], WhatsApp (on Android) requests access to 74 permissions. Some of these permissions can be controlled by the user. You can use Settings (Android Device) -> Apps -> View all apps -> WhatsApp -> Permissions to adjust the permissions on Android.

A minimal configuration on Android would be, for example, as follows:

  • Notifications
  • Contacts
  • Network (does not appear on every system)

Note:

Of course, it is possible to deny access to contacts, but in this case the functionality is severely limited. If access to contacts is blocked, no contacts or WhatsApp users will be displayed in WhatsApp. To chat with someone, you have to wait for someone to contact you within WhatsApp. In existing chats, instead of your chat partner's name, only their phone number will be displayed. Nevertheless, you can continue existing chats without any problems. If someone new registers with WhatsApp whose contact was not previously in your contact list, they will not appear in the WhatsApp contact list. If you want to start a new chat with such a contact, you have to wait for them to write to you.

The above setup allows participation in individual and group chats. However, certain limitations must be considered:

  • No audio recordings, videos or images can be created or sent
  • Sending files is also not possible
  • The location cannot be shared with other participants
  • Neither voice nor video calls are possible
  • […]

My suggestion now is to choose the minimal setup and then decide individually how important a function is to you and whether you grant the corresponding authorization. In this case, WhatsApp will show you relevant information - here are some example screenshots of the Android version:

 

 

If you allow access to a permission, (meta) data can then be collected by Meta/Facebook. For example, if you allow access to the Location permission, you can not only share your (exact) location with other WhatsApp users, but Meta/Facebook can also access this (meta) data. If you don't grant the location permission, Meta/Facebook can still determine your approximate location via the IP address, but this is a far less accurate method. During registration, WhatsApp also requests direct access to the call list and SMS. However, access to these permissions can be denied and is not necessary, as we will see in the following article. If permission is granted, Meta/Facebook can access the call list at any time and also read the SMS. This doesn't necessarily mean that Meta/Facebook reads every SMS, but theoretically it would be possible.

On Android and iOS, a minimal setup would look like this (above image for android and below image for iOS):

 

 

Overall, WhatsApp can be somewhat more restricted on Android than on iOS. Therefore, it is possible that Meta/Facebook can collect more data/information on iOS than on Android.

Summary: Which permissions can be revoked depends on the individual usage. WhatsApp requires very few permissions to function smoothly. The fewer permissions you allow, the less (meta) data Meta/Facebook can collect.
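
The permission review from this section can also be checked from a computer over adb. The following shell script is an added example, not part of the original article: it parses the text of `adb shell dumpsys package` and lists granted runtime permissions that go beyond the minimal setup. The mapping of “Notifications” and “Contacts” to Android permission names and the sample dumpsys text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Package name as it appears in the article's key path (/data/data/com.whatsapp/...).
PKG="com.whatsapp"

# ASSUMPTION: the article's minimal setup (Notifications, Contacts) mapped to
# Android runtime permission names. "Network" is an install-time permission on
# stock Android, so it does not appear under "runtime permissions:".
ALLOWED="android.permission.POST_NOTIFICATIONS
android.permission.READ_CONTACTS
android.permission.WRITE_CONTACTS
android.permission.GET_ACCOUNTS"

# Read `dumpsys package` text on stdin; print each granted runtime permission once.
# Handles several "runtime permissions:" sections (one per Android user/profile).
granted_runtime_perms() {
    awk '
        /^[ \t]*runtime permissions:/ { in_rt = 1; next }
        in_rt && !/granted=/          { in_rt = 0 }   # section ended
        in_rt && /granted=true/ {
            sub(/^[ \t]+/, "")   # strip indentation
            sub(/:.*/, "")       # keep only the permission name
            print
        }
    ' | sort -u
}

# Print granted runtime permissions that are not in the allowlist.
excess_perms() {
    granted_runtime_perms | while IFS= read -r perm; do
        printf '%s\n' "$ALLOWED" | grep -qxF "$perm" || printf '%s\n' "$perm"
    done
}

# Constructed sample of dumpsys output (not captured from a real device).
sample_dumpsys() {
    cat <<'EOF'
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_FIXED]
EOF
}

# Live use with a connected device:
#   adb shell dumpsys package "$PKG" | excess_perms
# Offline demo on the constructed sample; prints the matching revoke commands.
sample_dumpsys | excess_perms | while IFS= read -r p; do
    echo "review: adb shell pm revoke $PKG $p"
done
```

Revoking a permission this way has the same effect as switching it off in the Android permission screen described above.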

5. Conclusion

Although WhatsApp is questionable from a data protection perspective, it remains one of the most used messenger apps. Concerns arise in particular from the transmission of telemetry and metadata to the parent company Meta/Facebook as well as the passing on of the telephone list without express consent.

To address their own privacy concerns regarding WhatsApp, users should not only be aware of the issues but also take appropriate measures to better protect their privacy. This may include reviewing the app's settings, restricting permissions, and being aware of what information you share through the platform. It is also advisable to consider alternative messengers or communication channels that are less privacy-critical if privacy is a particularly important concern.

In order to (somewhat) limit data collection by Meta/Facebook, it is not enough to simply adjust the privacy settings within the app. These have limited or no influence on data collection by Meta/Facebook, but rather influence what information you make available to other users. It makes more sense to limit permissions to reduce the data that Meta/Facebook can collect or process while using WhatsApp.

Those who need more anonymity toward Meta/Facebook and have previously been reluctant to use WhatsApp, for example to receive important (club) information, can look forward to the next article.

