Thanks to WITNESS’ Mozilla Fellow Gabriela Ivens for contributing the section on cloud backups and to all WITNESS partners and human rights defenders who have shared experiences of using WhatsApp that informed this article
As we noted in our other WhatsApp focused blog post today, “Whats Up, WhatsApp?”, activists and journalists all over the world use WhatsApp to communicate and share sensitive human rights related media and information. While WhatsApp is not necessarily the most secure option, we think it’s incredibly important to share harm reduction tips for this app. WhatsApp is incredibly popular, it has end-to-end encryption, and it is sometimes even free or very cheap with mobile packages from providers in many countries. But WhatsApp is missing some important features, as we discuss below—and if you aren’t using it properly, you could be putting yourself and others at risk.
So you’re still using WhatsApp? Use it as safely as possible
WhatsApp has end-to-end encryption enabled for individuals and groups. That means that the contents of messages can only be read by those writing them and receiving them, and not by anyone in the middle- including law enforcement who may serve a legal request to WhatsApp for your data.
However, there are many ways that this encryption is not foolproof.
Security is a community issue
First, regardless of how great your own security is, you are also relying on the security of others you communicate with—and they are relying on you. As we wrote in the security and legal risks section of our guide to creating police violence databases, it’s important to talk about security with others, and to think about who is most at risk and how you can take special care with them. For example, you can protect the identity of especially vulnerable contacts, such as community leaders, by regularly deleting messages, videos, and images you may have received from them, and possibly even saving their contact information under a code name.
You may also want to have security agreements for group members. This is useful for groups of people who know each other, but especially for larger public groups. You could communicate expectations by having a welcome message you send every time a new person joins the group.If you are part of a group that includes journalists, you could include information about exactly how journalists can interact with group members. You could include information about the process for adding new members, expectations around deleting old content, and agreements about what you will or will not say in the group. For example:
Welcome to the group for organizing filming of the police in our neighborhood. Please do not add any new members without first getting approval of at least three other members. Please delete messages and media, especially videos, from this group chat after 3 days. Please do not use cloud backup for your WhatsApp messages. Please do not discuss physical locations in this group. Security is solidarity. Thank you for understanding!
Be clear on metadata
While WhatsApp does not have access to the contents of your messages, they do still collect subscriber information that can say a lot about who you are, who your friends and community are, where you are going, and when you are using the app. It’s not entirely clear what WhatsApp has access to, but their “Information for law enforcement authorities” page notes that they can provide to law enforcement “name, service start date, last seen date, IP address and email address,” as well as “numbers blocking or blocked by the user,” and “‘about’ information, profile photos, group information and address book.” One reporter reviewed court materials in the US and discovered requests for location data as well.
In fact, as pointed out by Himanshu Gupta and Harsh Taneja in an August 2018 article, “WhatsApp uniquely identifies each attachment with a cryptographic hash (a cryptographic text that is unique for each file) and whenever a downloaded attachment is being “forwarded,” WhatsApp checks if a file with the same cryptographic hash already exists on its server. In case the answer is yes, WhatsApp does not upload the file from the user’s phone to the server, and instead sends a copy of the file stored on its server directly to the final recipient. This implementation. . . demonstrates that WhatsApp can point to specific files residing on its servers despite the end-to-end encryption.”
The safest thing to do is to think of WhatsApp’s privacy as only applying to the content of those messages.
Facebook is connected to WhatsApp
WhatsApp is part of the “Facebook Family.” In 2016, WhatsApp changed its terms of service to note that it would start “connecting your phone number with Facebook systems.” WhatsApp has some special limitations in place in the European Union due to the General Data Protection Regulation, but elsewhere this data-sharing appears to be in place. This means that your contacts on WhatsApp can—and most likely will—be analyzed and connected with your contacts on Facebook. WhatsApp’s privacy policy notes your information may be used to make “product suggestions (for example, of friends or connections, or of interesting content).” This means that if you are in a WhatsApp group with someone, they may be suggested as a contact on Facebook. This can be particularly dangerous in a larger group with human rights related material floating around in it. You can lessen the danger by ensuring that your phone number is not associated with Facebook and you do not have the Facebook app on your phone. If you have already shared your number with Facebook or installed the app on your phone, your only option may be to use WhatsApp with a different number, especially since WhatsApp provides no way to opt-out of this information sharing.
Take Care of Physical Security
Digital and physical security are one and the same, and WhatsApp is a perfect example. WITNESS partners and human rights defenders around the world have experienced heightened attention on WhatsApp during physical stops. It is common practice for law enforcement to force people to open WhatsApp and share content and contacts. That information is then used to further harass other activists or members of marginalized communities, such as Rohingya people or residents of Brazil’s favelas.
It is best practice to regularly delete WhatsApp messages after backing up any important content (more on how to do that below). You can delete a message from everyone’s phone for up to one hour after you’ve sent the message, but after that you have no control over what you’ve sent to others, and they have to delete messages on their own. Also consider the physical security risks that come with keeping or transporting the data you have exported or backed up locally and consider encrypting your devices, although we know encryption doesn’t help when you are threatened with physical violence or detention if you don’t give up your passwords.
Are they who you think they are? Verify contacts
First, it’s important to use common sense here. In large WhatsApp groups, you are likely to encounter people who you haven’t met offline. Use the normal methods you would use to determine who someone is, such as asking the administrator of a group or searching somewhere else like Facebook to see if you have mutual friends with that person. This is especially important because WhatsApp does have a security flaw that would allow someone with access to WhatsApp servers to join a group uninvited. If you’re dealing with a journalist in a large group, search for them online or ask them for links to stories they have written. In general, the best way to know who someone is is to meet them in person, and the next best way is to check with trusted mutual acquaintances.
Once you have determined that you know someone, it’s best to make sure you are actually messaging that person. WhatsApp end-to-end-encryption uses “keys” to verify that the message you are getting really comes from that person. When this works, it’s a very strong system. But there are important ways to make sure that it is actually working. First, you can verify that you are getting messages from the correct person by verifying their key. Check out EFF’s great instructions for WhatsApp key security on Android or iOs– the process takes only a minute.
Once you have verified someone’s key, you should also turn on security notifications to see if someone “changes their key.” This happens when people reinstall WhatsApp on a new phone, but it can also mean that someone is trying to impersonate your contact, so if you get that message you should check with people through another channel such as a voice call.
As PHD student Mustafa Al-Bassam pointed out on Twitter in January 2019, a recent essay from a British intelligence official makes it clear that law enforcement agencies are aware of the tendency to skip verification of contacts, and they will exploit this tendency if given a chance.
Don’t bypass end-to-end encryption with Cloud Backups
Do not enable automatic iCloud backups in iOs or Google Drive backups in Android. These backups are encrypted on Google or Apple’s servers, but this third-party storage of your messages renders end-to-end encryption in the app meaningless, because Google, Apple and anyone who can legally compel them or otherwise gain access, can read, download, or analyze your WhatsApp messages. Apple will provide iCloud data to law enforcement, and Google will respond to legal requests for data as well. By backing up via the cloud, you lose protection against court orders and subpoenas to gain access to WhatsApp data on third-party servers. If this were to happen it is possible that users would never even hear about it, depending on the kind of order used. For those using WhatsApp to communicate about on sensitive issues or with marginalized communities, this third-party storage of messages, videos, images, contact details, and detailed network information is a significant safety and privacy concern.
If you don’t want to backup your WhatsApp, but instead want a record of your chats and media for accountability or preservation purposes, you can export and save them outside of the app. WITNESS will be releasing a guide on saving copies of important content such as videos, images, voice, and chat messages from WhatsApp as soon as possible and we will update this post with a link to that guide.
WhatsApp made two changes for Android users that came into effect on this week. The first is that on 12 November, Google deleted any WhatsApp backups that have not been “backed up” in the last year on Google Drive.
The second update is that going forward, WhatsApp and Google will offer Android users unlimited, free storage of backups of WhatsApp on Google Drive without it counting towards your storage quota on Google Drive. While this may be tempting, as noted above storing this content in Google Drive defeats the point of having end-to-end encryption in the first place.
We strongly recommend that users never use Google Drive for WhatsApp backups. Instead, you can use a file manager on your phone to find the local backup as outlined in this tutorial from WhatsApp, and you can use our forthcoming guide to get contents of chats and media off the app.
Making WhatsApp better
There are some features missing from WhatsApp that would be really helpful for human rights defenders, and would improve privacy and security for everyone.
First and foremost, WhatsApp should add “disappearing messages,” meaning it should be possible to send messages that delete themselves after a set amount of time. This means you can rely less on good security hygiene from others.
Second, WhatsApp should allow users to opt-out from data sharing with Facebook at any time. This lessens the danger that unwanted connections will be made. Similarly, WhatsApp should simply make it clearer exactly what metadata it collects so that users can make informed choices about how they use the app.
Third, WhatsApp should enable “no knowledge” (also known as “zero knowledge“) encryption for backups, meaning these backups would still only be readable for users. If WhatsApp isn’t ready to do this, it should provide clearer in-app warnings that make it clear that iCloud and Google backups are not encrypted at the same level as messages protected by end-to-end encryption.
Finally, regardless of whether it makes improvements, WhatsApp should not get rid of end-to-end encryption.
Make sure to check out our other blog post today, “What’s Up, WhatsApp?” for suggestions around addressing misinformation on WhatsApp. Share your ideas with us on social media using the tag #WhatsUpWhatsApp or on our website.
13 November 2018
This work is licensed under a Creative Commons Attribution 4.0 International License.
1st update 20 November 2018: Added credit for Gabriela Ivens and thanks to human rights defenders.
2nd update 9 January 2018: Added more information about key verification and hashing of files.