If you’re a WhatsApp user, you will have seen the alarming stories warning about the messaging platform’s surprise privacy changes, many suggesting you switch to alternatives. The good news is you don’t need to do that—WhatsApp is still okay to use. The bad news, though, is that you do need to change these critical setting to stay safe.
WhatsApp is changing. The messaging platform has suddenly confirmed changes first announced in October, that seem to open up sharing your data with Facebook. This last week has been the toughest for WhatsApp since the damaging spyware revelations in 2019. The idea that the world’s largest private messenger will share data with the world’s most ruthless data machine has prompted a backlash. Installs of rival messengers are soaring.
Time for some perspective. Your most private and sensitive data on WhatsApp, your messages, will remain private to you and the people you communicate with; messages are end-to-end encrypted as they’re sent—only you and the other side of each message can decrypt its content. Even WhatsApp has no means of accessing content in transit, while the messages on your phone are protected by the security of your device.
The issue is metadata—the who, when and where around your messages, as well as your contacts and information about your device. WhatsApp does collect too much data, much more than the likes of Signal, Telegram and iMessage. But when compared to apps like Facebook, Messenger, Google, Instagram, Snapchat and TikTok, it collects very little. So, unless you avoid those others, WhatsApp isn’t your biggest problem.
MORE FOR YOU
But, while these new headline changes are not the threat to your privacy and security that they may seem, there are real threats, real risks with WhatsApp. Yes, you can keep using the app, but you need to change your settings in order to do so safely.
First, you need to stop malicious content sent to you on WhatsApp from infecting your phone with malware by disabling the option to autosave images to your phone’s photo album or gallery. Image files can be crafted with embedded threats, and in a world of virally shared content, you don’t want to give all these unknown files access to your phone. There is also the rarer issue of specially crafted text bombs, which use special characters to crash your app and device. If this is a concern, you should disable message previews and take care before opening any messages from unknown senders.
Much more importantly, there are two issues that really do put your privacy at risk and which you should change. Unlike the new terms of service change, these settings do put your message content at risk.
Your biggest risk on WhatsApp is getting your account hijacked—this is an ongoing scourge that impacts a frightening number of people every week. And although an attacker taking over your account will not have access to your past message history, they will receive all messages sent to you while they control your account, and they will see your contacts in each of the groups you belong to and in those new messages.
The hack works by tricking you into sharing the SMS message that WhatsApp sends you when you activate your account on a new phone. It’s stupidly simple. They install WhatsApp and enter your phone number on their device, you get a text with a six-digit code, then they use an already hijacked account of one of your contacts to message you and ask you to send them the code they say was meant for them. As soon as you do, you lose your account.
You will get your account back—but it will take some time. And if the attacker adds extra security to your account, security you should have added yourself, then you can be without WhatsApp for a week or longer. This risk is stupidly simple to prevent. All you need to do is add your own PIN number in your app. Without this, an attacker can’t hijack your account, even if they get hold of that SMS code. It’s setting this PIN themselves, if you haven’t done so, that allows an attacker to make it more difficult for you to restore WhatsApp.
And finally, we come to the biggest hole in WhatsApp’s privacy—backups. While your messages sent over WhatsApp are end-to-end encrypted as they’re sent and protected by phone security when they’re received or saved, if you use WhatsApp’s option to back up your chat history to either Apple’s or Google’s cloud, then those backups are not protected by that end-to-end encryption. While there are no serious claims that your content is analyzed or datamined, it can be accessed by Apple or Google if required. It invalidates the point of the end-to-end encryption that makes WhatsApp secure.
I have hesitated to recommend switching off these back-ups, given the risk that a lost phone means a lost chat history. But given the clamor for Signal, which does not offer cloud backups given the risks, the time is right to disable this. The hope is that when WhatsApp finally launches its long-delayed multi-device option, you will have a backup for a lost device by turning to your other devices. This is how iMessage works, where a central, encrypted message store can be accessed by trusted devices.
And so, keep using WhatsApp—at least for the time being. As the platform explains in a new FAQ, published in response to the backlash it prompted with the forced change in terms, this is all about business services, helping companies use WhatsApp to message you and sell to you, and link back to Facebook as they do so. This is the real change that WhatsApp is making—commercializing the platform. It’s a serious change, the simple, secure messenger that Facebook acquired in 2014 will be surpassed by a more extensive social media platform. And depending on how this changes the nature and usability of the platform, it may prompt many more users to seek alternatives.
There’s a much bigger problem lurking in the near future, though, and it’s a big one. This will be much worse than anything that has happened so far. Facebook is midway through a program to integrate the backends of WhatsApp with those of Messenger and Instagram, its other messaging platforms. The idea is to create a vast, interoperable messaging giant that brings all its audiences together.
At a technical level, the challenge is to bring Messenger and Instagram, which have already part integrated, together with WhatsApp, which is the only one of the three with default end-to-end encryption. Facebook has talked in the past about extending privacy and security for the larger user base. But taken with WhatsApp’s commercial evolution, it looks much more like this integration will take a different direction.
You just need to take a look at WhatsApp’s data privacy label compared to the other two to see the scale of the problem. The stark reality is this integration could mean a much more serious to your privacy than we’ve just seen. So, yes, you can still use WhatsApp—but in the future that advice might change.