WhatsApp is popular instant messaging and voice over IP application that has over 1.5 billion active users around the world. It was initially released in 2009. Facebook bought WhatsApp in February 2014 for 19.3 billion US dollars. When facebook acquired it, many users were motivated to try other services such as Telegram which saw 8 million downloads at that time. In the beginning it didn’t have any end-to-end encryption. On November 18, 2014, Facebook partnered with Open Whisper Systems to provide WhatsApp with end-to-end encryption from their instant messaging app known as ‘Signal’, an application similar to WhatsApp. By this encryption integration, facebook claims that your calls, messages, photos, videos, voice messages, documents and even your status updates are end-to-end encrypted. So how do messages get leaked, if ever?
Whatsapp Data & Conversation leak
The weakest link in this chain of sending messages through WhatsApp is your device itself. First, you must know that the backup of messages and media is stored in an un-encrypted form in your device or google drive should you choose to upload it there. If by a misfortune your device gets affected with malware, you also risk your WhatsApp conversations to get leaked as well.
One such incident is recently reported in India, where smartphones of several journalists, politicians and minority and human rights activists were infected by a spyware through WhatsApp security vulnerability. It was disclosed after Facebook sued an Israel based firm NSO group, which is known for developing spyware and surveillance software. However the government seems to be involved in this since NSO group claims that it only provide the means to do the surveillance but is never involved in the process after the software has been licensed to the government entity.
This attack was done through a seemingly normal phone call to a WhatsApp user which will also install a malicious spyware with it regardless of the user picking up the call or not. After the installation the spyware will also remove any logs that can trace back to it. In this way, affected users had no idea that their conversations, photos and videos were all subject to surveillance by their government. The incident was first reported in May 2019. However on Oct 29th, WhatsApp took legal action against the hack after investigation.
The independent investigation entity, ‘Citizen Lab’ of University of Toronto said:
“Not all vectors are publicly known. Once the spyware is implanted, it provides a Command & Control server with regular, scheduled updates designed to avoid extensive bandwidth consumption. Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators.”
Information that WhatsApp disclose
A general user can request their information that is kept by WhatsApp as following:
Requesting a report about yourself
- Go to WhatsApp Settings > Account > Request account info.
- Tap Request report.
- The screen will update to Request sent.
More information can be read here.
Information for Law Enforcement
WhatsApp can reveal more thorough information on you through legal means while responding to Law Enforcement Requests which can include your ‘about’ information, profile photos and contact list. While WhatsApp does not store messages indefinitely your messages are briefly in their system during transit, which will be encrypted.
WhatsApp Trust Issues
Jan Koum is the co-founder of WhatsApp and was the CEO of WhatsApp company before it was sold to Facebook. Now with Facebook at the big seat, concerns for privacy have increased because of the past incidents of privacy breaches of which Facebook was the part or facilitator. With Koum gone, Facebook will likely increase the data collection and remains silent on the future of the service in terms of data collection and direct targeted advertisements to WhatsApp users. Facebook already have the advertisement system placed on Facebook app. It might only be a matter of time and opportunity to mine more data from their users through WhatsApp.
If you would like to avoid the privacy issues surrounding Facebook you can use some other alternative such as the app ‘Signal’. However, malware and commercial sophisticated spywares are out of the scope of everyone’s normal usage and security measures.