WhatsApp encryption isn't the problem, metadata is

In this photo illustration, the WhatsApp logo is displayed on a smartphone screen.
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Once again, WhatsApp is under scrutiny for allegedly putting the data of its over two billion users at risk. Two distinct—although entwined—stories made headlines lately and likely make you fear for your privacy. 

Let's take them in order. On May 22, 2024, The Intercept disclosed the content of an internal threat assessment in which WhatsApp engineers discussed vulnerabilities that could enable government agencies to "bypass our encryption."

Three days later, it was billionaire Elon Musk's turn to take the stage, claiming from his X account that the popular messaging app "exports your user data every night."

In both instances, the Head of WhatsApp Will Cathcart turned to the same social media platform to rebut the allegations. He's right about one thing: WhatsApp's end-to-end encryption is sound, and the content of your messages stays private. However, neither story is really about encryption. Both are about metadata, and neither is limited to WhatsApp. There may still be something you can do about it, though, such as using one of the best VPNs and a few other tricks to minimize the exposure. 

Metadata matters

WhatsApp uses end-to-end encryption to protect the content of your communications. Messages are encrypted on the sender's device and can only be decrypted by the recipient's, so nobody in between, not even Meta itself, can read them. At the same time, though, the service routinely collects the seemingly less important details attached to your messaging activity: the metadata. 

This information includes IP addresses, phone numbers, and who you have spoken with and when, among other things. It may not look important, but even such small digital traces can act as identifiers. For instance, it was precisely a piece of metadata, a Proton Mail recovery email address, that led to the arrest of a Catalan activist.

According to WhatsApp's Privacy Policy, the app records a wealth of usage logs, including "the time, frequency, and duration of your activities and interactions." Other identifying data such as your network details, the browser you use, your ISP, and identifiers linked to other Meta products (like Instagram and Facebook) associated with the same device or account are collected too.

WhatsApp also logs your IP address when you use the service. That matters because an IP address can be used to estimate where you are. As the company itself explains, even if you keep the location-related features off, IP addresses and other collected information, such as phone number area codes, can be used to estimate your "general location."

WhatsApp can be legally compelled to hand this information over to authorities during an investigation. Law enforcement then analyzes the data to find patterns, and what it does with it is outside WhatsApp's control. "Even assuming WhatsApp’s encryption is unbreakable," reads the company memo revealed by The Intercept, "ongoing ‘collect and correlate’ attacks would still break our intended privacy model."

The "vulnerabilities" that could bypass encryption are therefore tied to the "ongoing exploitation of traffic analysis vulnerabilities." Again, the metadata. This is nothing new, though, and the company clearly states it in its policy.

Did you know?

While WhatsApp has been aware of this threat since last year, The Intercept reveals that it became a contentious point inside the company after April's revelations that Israel’s army allegedly uses a data-centric AI tool known as Lavender to automatically select its targets.

So, why are WhatsApp engineers worried about it just now?

The issue is that surveillance techniques are getting ever more sophisticated. WhatsApp’s internal security team identified many instances of so-called correlation attacks: an adversary who can observe encrypted traffic at several points on the network does not need to read it. By correlating what is visible in the clear, namely which endpoints exchanged packets and at what times, the observer can work out who is talking to whom and thereby evade the privacy protections the app is meant to provide. 

Worse still, the same types of tracking, they note, work against other similar messaging apps as well.

"Today’s messenger services weren’t designed to hide this metadata from an adversary who can see all sides of the connection," Matthew Green, a professor of cryptography at Johns Hopkins University, told The Intercept. "Protecting content is only half the battle. Who you communicate [with] and when is the other half."
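To make the "collect and correlate" attack described above concrete, here is an added example that is not code from WhatsApp, The Intercept or any cited expert. It assumes an observer who can see only timing and endpoint of encrypted packets at both ends of a conversation (the constructed `events` list below, with no message content at all) and shows how repeated "send here, receive there a moment later" coincidences reveal who talks to whom. The window size and the threshold of three hits are illustrative choices, not values from the memo.

```python
"""
Constructed demonstration of a 'collect and correlate' traffic-analysis
attack. The observer never decrypts anything: each event is just
(observed_user, direction, seconds), where 'up' means the user sent an
encrypted packet to the messaging server and 'down' means they received
one. Content and size are deliberately omitted to show timing alone.
"""
from collections import Counter


def make_sample_events():
    """Constructed sample traffic, not real captures."""
    events = []
    # Alice messages Bob six times; each delivery lands 0.2-0.35 s later.
    for i, t in enumerate([10.0, 25.0, 31.5, 60.0, 61.2, 90.0]):
        events.append(("alice", "up", t))
        events.append(("bob", "down", t + 0.2 + 0.03 * i))
    # Carol messages Dave four times.
    for t in [12.0, 40.0, 45.0, 88.0]:
        events.append(("carol", "up", t))
        events.append(("dave", "down", t + 0.3))
    # Unrelated background traffic: keepalives, other chats, one
    # coincidental receive by Erin shortly after an Alice send.
    events += [("bob", "down", 5.0), ("dave", "down", 27.0),
               ("erin", "down", 10.3), ("alice", "up", 70.0)]
    return sorted(events, key=lambda e: e[2])


def correlate(events, window=0.5):
    """Count, for every (sender, receiver) pair, how often a receive at
    the receiver follows a send by the sender within `window` seconds."""
    ups = [e for e in events if e[1] == "up"]
    downs = [e for e in events if e[1] == "down"]
    pair_hits = Counter()
    for sender, _, t_up in ups:
        for receiver, _, t_down in downs:
            if receiver != sender and 0 < t_down - t_up <= window:
                pair_hits[(sender, receiver)] += 1
    return pair_hits


def infer_conversations(events, window=0.5, min_hits=3):
    """Report pairs that co-occur at least `min_hits` times, with the
    fraction of the sender's uploads explained by that receiver.
    A single coincidence (Alice/Erin above) falls below the threshold."""
    hits = correlate(events, window)
    up_counts = Counter(e[0] for e in events if e[1] == "up")
    return {pair: round(n / up_counts[pair[0]], 2)
            for pair, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    sample = make_sample_events()
    for pair, score in sorted(infer_conversations(sample).items()):
        print(f"{pair[0]} -> {pair[1]}: {score}")
```

Run stand-alone, the script names the Alice/Bob and Carol/Dave conversations from timing alone. That is the whole point of the memo: the ciphertext was never touched, and sender-hiding tricks such as Signal's Sealed Sender do not remove this timing signal either, only cover traffic or delayed delivery would.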

Although very different in nature, Musk's allegation also concerns metadata. This time what is under scrutiny is how Meta itself uses these valuable details for commercial purposes.

Again, this is spelled out in WhatsApp's privacy policy and terms of use. "We may use the information we receive from [other Meta companies], and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings," reads the policy.

This means that yes, the content of your messages stays private, but WhatsApp is actively collecting your metadata to build your digital persona across the other Meta platforms. Let's face it, how many of us have an Instagram or Facebook account?

The threat level differs greatly between the two stories. Yet so-called surveillance capitalism de facto undermines your privacy and security too, as it enables much more effective targeted advertising, third-party attacks, and even political manipulation in some instances; think of the Cambridge Analytica scandal, for example.

The good news is that, difficult as it is, there are still ways to cut some ties with this invasive business model.

How to boost communications privacy

As we have seen, strong encryption alone isn't enough to protect your communications and identity online; it is another stark reminder that metadata matters too. If you still want to keep using your WhatsApp account, there are a few steps you can take to minimize the amount of metadata collected. 

For starters, I suggest using VPN software every time you access WhatsApp. A VPN, short for virtual private network, routes your traffic through its own server, so WhatsApp sees the VPN's IP address instead of yours. This hides at least that piece of metadata and makes it a bit harder to trace your location. Bear in mind that it hides nothing else: your phone number, your contacts and the timing of your chats are still visible to WhatsApp, and the VPN provider now sees your real IP instead. A WhatsApp VPN is also vital for using the app in countries where it is banned.

I also recommend turning on WhatsApp's advanced privacy features to minimize data collection. For example, since last year the app has let you hide your IP address during calls by relaying them through WhatsApp's servers rather than connecting peer to peer. To turn the option on, head to the Settings tab, tap Privacy, and then Advanced. Likewise, you can disable link previews so that your IP isn't sent to third-party websites whenever someone shares a link. You should also review the app's permissions so that WhatsApp can collect only what it needs, which means turning off optional features such as precise location.

While these steps can reduce the amount of metadata collected, it's crucial to bear in mind that it's impossible to avoid metadata collection entirely on the Meta-owned app. Most importantly, perhaps, you cannot escape cross-platform tracking if you're also using other social media platforms from the group.

Signal logo on the AppStore displayed on a phone screen and Signal logo in the background are seen in this illustration photo taken in Poland on January 14, 2021.

(Image credit: Photo illustration by Jakub Porzycki/NurPhoto via Getty Images)

For extra privacy and security, I suggest switching to the more secure messaging app Signal. Its code is fully open source, which means anyone can audit it for vulnerabilities. 

Signal is run by the Signal Technology Foundation, a registered non-profit that is very vocal against surveillance capitalism. As its Terms of Service put it, "Signal does not sell, rent or monetize your personal data or content in any way—ever."

In February, Signal introduced usernames, so you no longer have to share your phone number (until then the only identifier the app exposed to other users) with the people you chat with, although a number is still required to register. Most importantly, Signal has been using a technique known as Sealed Sender since 2018 to protect your metadata: the sender's identity is encrypted inside the message so that Signal's servers don't learn who sent it. It's worth mentioning that researchers have found weaknesses in this system, but it's arguably still a step in the right direction.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com