The WhatsApp messaging app protects conversations, but it exposes certain information.
In an investigation published on September 7, the investigative outlet ProPublica delved into the data that WhatsApp can collect on its users. The outlet relies on confidential documents and “dozens of interviews” with former and current WhatsApp employees.
The company doesn’t really hide the fact that it collects data, but it was recently fined in Europe for its lack of transparency. Users, for their part, are not always aware of the data they expose, especially since WhatsApp has built part of its success on its reputation for security.
Like its competitors Signal and Telegram, the messaging app protects communications with end-to-end encryption. Without going into technical details, this protection makes conversations unintelligible on any device other than those of the two parties. If an individual intercepts the message before it arrives at its destination, they will only see an incoherent string of characters whose meaning they will not be able to decipher.
But this protection of messages does not mean that the application stays entirely out of its users’ private lives.
WhatsApp collects reported messages
According to ProPublica, “more than 1,000 workers” hired by the company Accenture reportedly devote their time to moderating the content exchanged on the app. As a reminder, they cannot analyze just any message, since messages are protected by end-to-end encryption. On the other hand, they receive pieces of conversation, in blocks of 5 messages (texts, but also images and videos), resulting from the app’s reporting procedure. Child pornography, advocacy of terrorism, simple scams: all kinds of shady, malicious or even illegal content passes through.
Concretely, if you receive phishing messages or threats, you can report the message to WhatsApp. A warning window will appear: “the last messages from this contact will be sent to WhatsApp. The contact will not be informed”. All the reports made are aggregated in a large flow, then a first sorting step is carried out by automatic analysis software developed by Facebook. This first filter makes it possible to rule on obvious cases of abuse.
As soon as the system cannot resolve the ambiguity of a situation, the file passes to a human moderator, who has three options: ignore the report, ban the account, or mark it as potentially malicious. ProPublica specifies that each employee can rule on several hundred reports of this kind per day. In all, the teams analyze “millions” of reports per week.
The existence of this reporting feature means that, conversely, a person could forward to WhatsApp the messages that you send them. It’s a reminder that even in an end-to-end protected conversation, messages are displayed unencrypted at both ends. If the sender or recipient decides to share the content, it is not the encryption that is called into question, but the relationship of trust between the two interlocutors.
In other words, WhatsApp does not collect your messages, but it can take a look at them if the other person sends them. The company is also pleased with this system, which, although invasive, allows it to reconcile end-to-end encryption and the fight against fraud (and in particular phishing).
Metadata that is a bit too talkative
In addition to the reported messages, the application also has access to other information about the user, grouped under the term “metadata”. To explain this jargon, ProPublica uses a comparison with traditional mail that fits the situation well.
A message sent on WhatsApp could be likened to a letter, which could only be decrypted using a code established in advance and kept secret by the two correspondents. If the letter is intercepted, the thief will surely be able to open the seal, but he will not be able to read its contents, because he will not have the key to decrypt it.
On the other hand, a possible “bad guy” could read the information written on the envelope, like the address of the recipient of the letter, and could thus trace his way to his future victim. Metadata is the equivalent of the information shown on the envelope. Some of this metadata is essential for establishing correspondence.
WhatsApp must hand over the data it collects when the courts request it
Other metadata is dispensable, which is why other, even more privacy-friendly apps (like Signal) try to keep their collection to a minimum. The reason? The laws of several countries, such as the United States and France, allow the courts to obtain this data in the context of certain investigative procedures. And if there is a way to get this information, there is a risk for the user that the company that collects it will monetize it, or that hackers could get hold of it.
In detail, the metadata contains:
- The names and images displayed by the user on the app (and those of their groups)
- The user’s telephone number
- The status of messages (sent, received, read)
- The battery level of the smartphone
- The user’s time zone
- The language of use of the app
- The operating system of the smartphone (Android or iOS, and their version)
- The date of the last use of the app
- The Facebook and Instagram accounts that are linked to the phone number, if any
In short, a very complete cocktail of data, which is sufficient in some cases to obtain additional information on users, to target advertising or to identify them, for example. All while the content of messages is protected.
Recently, the metadata communicated by this system made it possible to identify a representative of the United States Treasury who sent BuzzFeed confidential documents exposing the worst practices of American banks. Natalie “May” Edwards was thus arrested despite acting as a whistleblower, in part because of her use of WhatsApp, says ProPublica.