In the summer of 2016, WhatsApp made an unprecedented change. The Facebook-owned company turned on end-to-end encryption by default for all of the billion-plus people using it and in the process became the world’s biggest encrypted messenger. Since then the number of people using it has swelled to more than two billion.
The radical shift means that nobody at Facebook is able to read, or mine data from, the content of the messages you send. The only things that can access them are the two phones – acting as endpoints in the encryption setup – where the app is installed. For the encryption protecting your messages to be decoded, both devices must verify and exchange security codes as messages are transferred.
The encryption WhatsApp uses was originally developed by Open Whisper Systems, the group behind rival encrypted messaging app Signal. Even though WhatsApp’s end-to-end encryption does protect your communications – including files, images and calls – that doesn’t mean the service is as private as it could be by default. In fact, when it comes to WhatsApp versus Signal, we recommend the latter for people wanting the maximum security and privacy options.
However, with more than a third of the world using WhatsApp, its popularity is unrivalled and you may not be able to drag all of your friends, family and groups across to Signal. If that milestone is still some way off, here are some tips to make WhatsApp as private as possible.
WhatsApp says your phone number from WhatsApp, device information (including the type of phone, mobile country code, and operating system), and some of your usage information (when you last used WhatsApp, when you registered and how often you message) are shared with other Facebook companies. Some of this data sharing has been controversial: in May 2017 the company was fined £94 million by the EU for combining WhatsApp phone numbers with Facebook data after it told regulators it couldn’t easily do so.
Any data sharing may come under further scrutiny in the future as Facebook looks to merge the infrastructure between WhatsApp, Facebook Messenger and Instagram’s messaging. However, it’s worth stressing that the content of the messages you send isn’t shared, as Facebook doesn’t have access to them due to WhatsApp’s end-to-end encryption.
On top of this, WhatsApp may also collect information about your phone’s battery level, signal strength and mobile operator. Location information, when you turn it on, is also collected, and there are cookies that track your activity within the desktop and web versions of the app.
Turn off cloud backups
WhatsApp allows you to back up your chats and data as a handy way to move all your information to a new phone – although this doesn’t actually work if you’re moving from iPhone to Android. These backups work by storing your data in Google Drive or Apple’s iCloud, depending on which operating system you use.
WhatsApp wants you to back up your data – if you don’t have the setting turned on it’ll prompt you to start backing up every few months. But there’s a very good reason why you shouldn’t back everything up to the cloud. The backups of your messages aren’t properly encrypted. That means if they’re accessed by someone else, the messages can easily be read. The process sort of defeats the point of the initial end-to-end encryption.
For instance, a law enforcement request to Google or Apple can see them hand over the backed-up chat logs, revealing the messages. This does happen, too. In June 2018, former Donald Trump campaign chairman Paul Manafort, who is now a convicted felon and in home confinement serving a seven-year sentence, had his WhatsApp messages accessed through a federal request for his iCloud data.
Unencrypted backups on WhatsApp have been an issue for years and it’s one the company knows about: some reports state WhatsApp is testing password-protected backups, but these have not been widely rolled out or officially announced by the company.
Turn on two-factor authentication
You should be using two-factor authentication as much as possible – it’s even more important on accounts that hold your sensitive personal information, such as photos and messages. The security method involves adding an extra step to the process when you log in to an account. In most cases, this involves using a security code generated by an app, a code sent via SMS or a physical security key. (The last of these is the most secure way to protect your accounts with two-factor authentication.)
Using WhatsApp is different to logging in to your email. It’s likely that you’ll access the app multiple times a day – on average I open the app between 50 and 80 times per day. Entering a security code every time this happens would be impractical and frustrating. So instead, WhatsApp’s two-factor authentication, which can be turned on through the settings menu and then by tapping on account, uses a PIN.
WhatsApp will semi-regularly ask you to re-enter the six-digit PIN you create to access the app. It doesn’t say how often these prompts happen but they’re irregular enough not to be a barrier to using the app. The PIN will also be required any time there is an attempt to add your number to a new phone or device. When you’re setting the PIN there’s also the option to add an email address that can be used to reset the code if you forget it.
Stop people seeing your personal info
WhatsApp spam and social engineering attacks, devised to steal your personal information, exist. Every few weeks a new scam will circulate where attackers are looking to compromise accounts. WhatsApp has even threatened legal action against those who hit users with colossal amounts of messages.
There are a few steps you can take to limit the ways people can interact with your account. These are all found through the settings menu, followed by tapping on account and privacy. At the simplest level, you can turn off read receipts, the two blue ticks that show when someone has seen your message and is now ghosting you.
More effective are the steps that stop people adding you to groups. Under the groups setting there is the option to limit who can add you to a group: by default, this is set as ‘everyone’. However, it can be changed to all of your contacts, or all of your contacts except some people who you block from doing so. Deciding to limit who can add you to groups doesn’t mean that you can’t join groups when people aren’t in your contacts. Instead, people wanting to add you to groups can request to do so via a separate message.
You can also restrict who can see your profile photo, the ‘about’ section, WhatsApp status, and the time when you last looked at the app. When in the privacy settings you should also check whether you are sharing your live location with anyone.
If you’re going for the most private approach, it’s also worth considering what information you might leak through your phone’s screen. New message notifications can include the entire message, or some of its content when they flash up on your screen. If these notifications also sit unread, anyone picking up your device may be able to read them without having to unlock the phone.
Notification settings sit outside the WhatsApp app. To change these you’ll need to go to iOS or Android’s settings and into the notifications options, where previews of messages can be turned off. It’s likely that you’ll need to do this for each app individually.
Switch to Signal
If you’re looking for more privacy, switching messaging app is a big upheaval but could be worth the time and effort. As mentioned earlier, our preference for combining end-to-end encryption with greater levels of privacy is Signal. The app allows you to lock it and use facial recognition or fingerprint sensors to access messages; messages can be made to disappear after a certain amount of time, and it’s possible to blur the faces of people in photos and videos.