New WhatsApp Warning As Encryption Is ‘Bypassed’ (2024)

WhatsApp users have suddenly been warned that its security has been seriously compromised, and that a flaw in its encryption may have exposed their data. And separately, Elon Musk has also just publicly attacked WhatsApp’s security and data practices. So how worried should those 2 billion people be right now, and is this really a reason to quit WhatsApp and switch to something else?

In the world of secure messaging, perception can be everything. That’s why there was such a strong reaction from Signal to Telegram’s recent attack, and it’s why headlines suggesting that “WhatsApp Engineers Fear Encryption Flaw Exposes User Data” now have many users seriously concerned.

Is this true? Has there really been a breach in the fabled encryption protecting all those billions of daily messages and calls? In short, no. This is something else—but it has worrying implications of its own. And in reality, it’s an issue that has lurked beneath WhatsApp’s glossy surface all along.


There are two separate issues at play here. But the thing they have in common is metadata—the who contacted who, when, and from where of messaging. This data is not encrypted. It can be captured and stored by the platform, should it want to, and it can be monitored at a network level by governments or carriers with the right access. Think of this as vacuuming up staggering amounts of metadata from everyone, and then searching for patterns—the world of intelligence communications agencies.


The Intercept, which broke this story, is closer to the truth when it reports “an undisclosed WhatsApp vulnerability lets governments see who you message,” referring to the latter of those two issues—network level monitoring or traffic analysis. “WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities” it says WhatsApp’s engineers told its management, warning agencies are “bypassing our encryption... making it possible for nation states to determine who is talking to who.”

But hang on—we already know WhatsApp can collect all this information. It says as much in its published privacy policy, that it collects “information about your activity (including how you use our Services), how you interact with others using our Services (including when you search for and interact with a business), and the time, frequency, and duration of your activities.” And also that “even if you do not choose to use our precise location-related features, we use IP addresses and other information like phone number area codes, to estimate your general location.”

That is the first of those two issues. But if it's WhatsApp doing the collecting, then it can protect its users. That protection falls away if the analysis is outside its control. “Our at-risk users need robust and viable protections against traffic analysis,” the engineers warned.

But words are important here. The encryption is not flawed and has not been compromised. Metadata is not encrypted—at least not in the end-to-end way that we think of WhatsApp’s encryption. And that’s why WhatsApp can capture and provide such information if lawfully requested by a government agency.

“WhatsApp does not store message logs once the messages are delivered or transaction logs of such delivered messages,” it says—but “in order to comply with a valid legal request... WhatsApp may start collecting message logs and call logs for a particular user indicating who the communication was to or from, the time it was transmitted and from which IP address, and the type of communication.”

And as ESET’s Jake Moore warns, “with pressure from governments around the world to have more exposure to intelligence and police evidence, this is potentially where Meta have agreed to find some sort of middle ground. However, although the content of these messages remains private, it is worrying that so much other sensitive data can still be viewed and analysed.”

This story isn’t about the collection of that data, it’s about how it’s collected and shared—and by whom.

With perfect timing, just as this WhatsApp metadata story has been doing the rounds, Tesla/Starlink CEO Elon Musk, fresh from his recent attack on Signal, has now warned his 185 million X followers about WhatsApp’s metadata mining practices. “WhatsApp exports your user data every night,” he posted. “Some people still think it is secure.”

Musk’s comments were in response to an X post suggesting “WhatsApp exports user data nightly, which is analyzed and used for targeted advertising, making users the product, not the customer.” Again, this risks confusing content security, for which WhatsApp is known, and data harvesting and analysis, for which Meta is known. This has always been WhatsApp’s Achilles’ heel.

But the optics won’t help WhatsApp, especially given the other story running in parallel.

There has been no claim that WhatsApp content has been compromised, and that means its encryption remains intact. We know there is a risk of endpoint (device) compromise to access content, but thus far any nation state that has broken the transmission crypto is staying very quiet about it.

Let’s assume the protocol—which is a tweak on Signal’s—remains intact.

This is about metadata. And that’s a matter of data storage and policy. WhatsApp says it can store metadata and Signal, for example, says it cannot. That’s one of the reasons why Signal is more secure.

But when it comes to network traffic analysis, the stakes are different. The implication here is that network monitoring at a massive scale can analyze IP addresses and other identifiers to work out traffic patterns between individuals without breaching the core encryption.

This in itself is nothing new. Relationship maps can implicate so-called clean skins purely because of the people they communicate with—if you message terrorists or criminals, you’re also probably worth a look. Such data processing also enables communication fingerprinting. It’s possible, for example, to tie a burner phone to an individual based on their unique comms patterns—if you can capture the metadata.

This is a serious concern. As The Economist reported also this week, “it is dangerously easy to hack the world’s phones...a system at the heart of global telecommunications is woefully insecure.” This refers to SS7, the appallingly insecure and archaic data exchange system connecting phone networks. And while this exposes unencrypted comms to full intercept, it also enables metadata to be captured at scale.

The way it’s written, this latest WhatsApp story suggests that government agencies have found a way to siphon or intercept WhatsApp metadata and pattern analyze this at scale. Perhaps in a way that’s more precise than just the “hoovering-up data” approach. One further allegation is that this has compromised those in Gaza and formed part of an Israeli target identification platform.

In reality, this is most likely just a clever application of age-old network data collection and analysis, using more powerful processing. Meta told The Intercept “WhatsApp has no backdoors and we have no evidence of vulnerabilities in how WhatsApp works.” And nothing in this story suggests that’s untrue.

Responding to The Intercept on X, WhatsApp’s boss Will Cathcart said that “there is no evidence of a vulnerability in WhatsApp and this article risks a ton of confusion for people who rely on end-to-end encryption... We debate possible or emerging threats internally - sometimes quite energetically - because that’s how we find ways to add even more security to WhatsApp.”

But as The Intercept’s Sam Biddle replied to Cathcart, “Meta appears to be taking the position that this is not a vulnerability in WhatsApp. I will now quote verbatim from their internal assessment of the situation: ‘WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities.’”

So, let’s keep this stupidly simple. If you have reason to fear an agency of any sort tracking you, your location or your contacts, then probably don’t use a platform owned and operated by Meta, aka Facebook. “Other available privacy focused messaging apps offer ironclad protection which can be used by those favoring privacy over convenience,” Moore points out.


So, should you be alarmed? Only if you have more than your content to worry about. And if that’s the case, then yes, you should switch to something else. WhatsApp won’t comment on the claim that it should do more to “mitigate” ongoing traffic analysis, and so millions of users with specific concerns should consider other options.

You can take actions to protect against traffic analysis to an extent—it’s a crude collection technique. Shield your IP address, change devices fairly regularly, be very wary of groups when you can't personally attest to the identities of all members, turn off all location tracking on your phone.
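To make concrete what the traffic-analysis passages above describe, and what “shield your IP address” actually buys, here is an added illustration that is not from the article, from WhatsApp, or from The Intercept’s reporting. It models an observer on the network path who never sees message content, only flow metadata (timestamps, endpoints, sizes), and shows that who-talks-to-whom can still be inferred from timing and size alone, and that routing one user through a relay hides that user from the inference but leaves the other party exposed. Every address and flow record is constructed; the server and relay addresses come from documentation ranges.

```python
"""Added example, not from the article or from WhatsApp: what a network-level
observer learns from end-to-end encrypted messaging traffic using flow
metadata alone (timing, endpoints, sizes), and how shielding one user's IP
behind a relay changes that view. Every address and flow record here is
constructed; the server and relay addresses are documentation ranges."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str     # source IP address
    dst: str     # destination IP address
    nbytes: int  # bytes on the wire; the payload itself is ciphertext


SERVICE = "198.51.100.10"  # stand-in for the messaging platform's server
RELAY = "203.0.113.5"      # stand-in for a VPN or relay endpoint
ALICE, BOB, CAROL, DAVE = "192.0.2.11", "192.0.2.22", "192.0.2.33", "192.0.2.44"

# Constructed flow records, as a carrier or backbone observer might log them.
DIRECT_FLOWS = [
    Flow(100.0, ALICE, SERVICE, 512),  # Alice uploads an encrypted message
    Flow(100.4, SERVICE, BOB, 512),    # the service pushes it to Bob
    Flow(161.0, BOB, SERVICE, 640),    # Bob replies
    Flow(161.3, SERVICE, ALICE, 640),
    Flow(300.0, CAROL, SERVICE, 300),  # an unrelated conversation
    Flow(300.5, SERVICE, DAVE, 300),
]


def contact_graph(flows: Iterable[Flow], service_ip: str,
                  window: float = 2.0) -> List[Tuple[str, str]]:
    """Pair each upload (client -> service) with the first later push
    (service -> other client) of equal size inside `window` seconds.
    Nothing here decrypts anything: the inference rests on timing and size."""
    flows = list(flows)
    uploads = sorted((f for f in flows if f.dst == service_ip), key=lambda f: f.ts)
    pushes = sorted((f for f in flows if f.src == service_ip), key=lambda f: f.ts)
    matched: Set[int] = set()
    pairs: Set[Tuple[str, str]] = set()
    for up in uploads:
        for i, push in enumerate(pushes):
            if i in matched or push.dst == up.src:
                continue
            if 0.0 <= push.ts - up.ts <= window and push.nbytes == up.nbytes:
                pairs.add((up.src, push.dst))
                matched.add(i)
                break
    return sorted(pairs)


def behind_relay(flows: Iterable[Flow], shielded: Set[str],
                 relay_ip: str) -> List[Flow]:
    """Model the observer's view when the clients in `shielded` route through
    a relay: their legs to the service now carry the relay's address."""
    return [Flow(f.ts,
                 relay_ip if f.src in shielded else f.src,
                 relay_ip if f.dst in shielded else f.dst,
                 f.nbytes) for f in flows]


def exposed_parties(pairs: Iterable[Tuple[str, str]]) -> Set[str]:
    """Addresses that appear in at least one inferred conversation edge."""
    return {ip for pair in pairs for ip in pair}


if __name__ == "__main__":
    direct = contact_graph(DIRECT_FLOWS, SERVICE)
    print("direct view:", direct)
    relayed = contact_graph(behind_relay(DIRECT_FLOWS, {ALICE}, RELAY), SERVICE)
    print("with Alice behind a relay:", relayed)
    print("still exposed:", sorted(exposed_parties(relayed)))
```

The point of the relay run is the caveat: once Alice is shielded, the observer infers a conversation between the relay and Bob rather than between Alice and Bob, so Alice’s own precaution does nothing for Bob. That is why the article’s advice about being wary of groups matters: metadata protection is only as good as the weakest participant’s.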

If you don’t take such steps, as Moore says, “communication and location data may seem futile but this can be merged together with other available information to build a bigger profile picture. Moreover, if this data is ever compromised, it can cause further damage to those involved so it is vital it is protected.”

I approached Meta for comment, and was directed to Cathcart’s post on X.

Updated 05/25 with Elon Musk’s comments.


FAQs

New WhatsApp Warning As Encryption Is ‘Bypassed’? ›

The encryption is not flawed and has not been compromised. Metadata is not encrypted—at least not in the end-to-end way that we think of WhatsApp's encryption. And that's why WhatsApp can capture and provide such information if lawfully requested by a government agency.

Is WhatsApp really end-to-end encrypted? ›

WhatsApp uses end-to-end encryption, which means nobody except the sender and recipient can read messages. Other chat apps like Facebook Messenger and Telegram don't use end-to-end encryption by default.

How do I check if my WhatsApp is encrypted? ›

To verify that an individual chat is end-to-end encrypted:
  1. Open the chat.
  2. Tap the contact's name to open the contact info screen.
  3. Tap Encryption to view the QR code and 60-digit number.
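The 60-digit number in that screen is a fingerprint of the two identity keys, and comparing it with your contact out of band is what tells you nobody has substituted keys in between. The following is an added illustration, not WhatsApp’s or Signal’s code, modelled on Signal’s published numeric-fingerprint construction (iterated SHA-512 over each party’s identity public key, 30 digits per side, halves sorted and joined). The iteration count and the two-byte version prefix are my assumptions, and the keys are constructed 32-byte stand-ins rather than real Curve25519 keys.

```python
"""Added example, not WhatsApp's or Signal's code: what the 60-digit security
code shown under Encryption actually compares. It is modelled on Signal's
published numeric-fingerprint construction (iterated SHA-512 over each
party's identity public key, 30 digits per side, halves sorted and joined);
the iteration count and the two-byte version prefix are my assumptions, and
the keys below are constructed 32-byte stand-ins for real identity keys."""
import hashlib
import hmac

ITERATIONS = 5200  # assumption: Signal's documented default; WhatsApp's value is not given here


def fingerprint_half(identity_key: bytes, identifier: bytes,
                     iterations: int = ITERATIONS) -> str:
    """30 decimal digits derived from one party's identity key and identifier."""
    h = b"\x00\x00" + identity_key + identifier  # version prefix is an assumption
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_key).digest()
    # six 5-byte chunks, each reduced mod 100000 and zero-padded to 5 digits
    return "".join(f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}"
                   for i in range(0, 30, 5))


def safety_number(my_key: bytes, my_id: bytes,
                  their_key: bytes, their_id: bytes) -> str:
    """Both parties compute this; sorting the halves makes it order-independent,
    so if the key each side holds for the other is genuine, the codes match."""
    halves = sorted([fingerprint_half(my_key, my_id),
                     fingerprint_half(their_key, their_id)])
    return halves[0] + halves[1]


def format_code(code: str) -> str:
    """Twelve groups of five digits, as a chat app would display it."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


def codes_match(shown_on_mine: str, read_from_theirs: str) -> bool:
    """The out-of-band check: compare the code on my screen with the one my
    contact reads out; compare_digest avoids leaking where they first differ."""
    return hmac.compare_digest(shown_on_mine.replace(" ", ""),
                               read_from_theirs.replace(" ", ""))


# Constructed identity keys (deterministic stand-ins, not real Curve25519 keys).
ALICE_KEY = hashlib.sha256(b"alice identity key").digest()
BOB_KEY = hashlib.sha256(b"bob identity key").digest()
MALLORY_KEY_FOR_ALICE = hashlib.sha256(b"mallory posing as bob").digest()
MALLORY_KEY_FOR_BOB = hashlib.sha256(b"mallory posing as alice").digest()
ALICE_ID, BOB_ID = b"+15550000001", b"+15550000002"  # constructed identifiers


def honest_exchange() -> tuple:
    """Each side holds the other's genuine key: both screens show one code."""
    alice_view = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return alice_view, bob_view


def substituted_keys() -> tuple:
    """A key-substitution (relay) attack: each side was handed Mallory's key
    in place of the other's, so the two screens disagree and the check fails."""
    alice_view = safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY_FOR_ALICE, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, MALLORY_KEY_FOR_BOB, ALICE_ID)
    return alice_view, bob_view


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest:", format_code(a), "| match:", codes_match(a, b))
    a, b = substituted_keys()
    print("substituted keys match:", codes_match(a, b))
```

Two properties matter for the check to be worth doing: the code must be compared over a channel the messaging service does not control (in person, or a phone call whose voice you recognise), and a changed code after a contact reinstalls the app is expected, because it reflects a new identity key, whereas a changed code with no such explanation is the signal to stop and ask.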

Is every message on WhatsApp automatically encrypted? ›

WhatsApp provides end-to-end encryption for all personal messages that you send and receive. This makes sure that only you and the person you're talking to can read or listen to them. With end-to-end encrypted backup, you can add that same layer of protection to your iCloud and Google Account backups.

How do I turn off end-to-end encryption on WhatsApp? ›

To turn off end-to-end encrypted backups:
  1. Go to Settings > Chats > Chat Backup.
  2. Tap End-to-end encrypted backup.
  3. Tap Turn off, then enter your password or 64-digit encryption key.
  4. Tap Turn off again to confirm.

What happens if I turn off end-to-end encryption? ›

Turning off encryption will allow all of your phone's features to work as intended. Faster Phone Performance: With a smartphone's storage encrypted, the device can take a few seconds longer to perform functions.

What is the disadvantage of end-to-end encryption on WhatsApp? ›

Disadvantages of end-to-end encryption

The security that end-to-end privacy offers might be limited if a third party gets physical access to the device at either end of the transmission — not only can they read existing messages, but also send new ones.

Why can't I verify end-to-end encryption on WhatsApp? ›

All WhatsApp chats are encrypted by default, but you have to manually scan a QR code or compare a 60-digit numeric code if you want to verify encryption in a conversation.

Can police recover encrypted WhatsApp messages? ›

WhatsApp messages are “end-to-end encrypted” which means that the police cannot easily intercept them. End-to-end encryption is a security method that keeps your communications secure.

Can someone read WhatsApp messages from another phone? ›

Yes, you can see WhatsApp messages on another device by linking another device to your phone, using a WhatsApp monitoring app, or restoring the WhatsApp backup to another device.

Can someone read my WhatsApp messages without my phone? ›

Yes, if they have access to your WhatsApp local or cloud backup.

Are deleted WhatsApp messages gone forever? ›

You can delete messages just for yourself or request that messages be deleted for everyone. If you want to edit a message instead, you can for up to 15 minutes after sending. When you delete a message, there's no way to get it back unless you've included the message in a backup.

Is WhatsApp safer than texting? ›


Since WhatsApp uses end-to-end encryption, it may be safer than texting if you adjust the privacy settings to the most secure settings.

Can someone read WhatsApp encrypted messages? ›

Yes, messages and calls on WhatsApp are 100% encrypted. Nobody else, including your ISP or the WhatsApp platform, can access your messages. Moreover, you can also encrypt your backup files so that even Google Drive can't access them.

Can WhatsApp be hacked with end-to-end encryption? ›

End-to-end encryption does not protect against all security threats. For example, an attacker who has access to the device of the sender or recipient can still read the messages or listen in on the calls.

Should I turn on end-to-end encryption on WhatsApp? ›

Being end-to-end encrypted by default means nobody at Meta can read, or mine data from, the content of the messages you send. All texts, photos, videos, voice messages, documents, status updates, and calls are encrypted on WhatsApp, and only the people you send them to can access them.

Why is my WhatsApp showing end-to-end encryption? ›

WhatsApp has started displaying if the specific chat is end-to-end encrypted by showing the same under the user name inside a chat. This feature will enable users to understand if a specific chat is encrypted or not, and the caption appears along with a padlock icon.

How private are WhatsApp messages? ›

Again, these personal chats are end-to-end encrypted so we can't see their content. You can set your messages to disappear: For additional privacy, you can choose to set your messages to disappear from chats after you send them. Learn more in this Help Center article.

Can the government read WhatsApp messages? ›

Even though the contents of WhatsApp communications are unreadable, the assessment shows how governments can use their access to internet infrastructure to monitor when and where encrypted communications are occurring, like observing a mail carrier ferrying a sealed envelope.

Is WhatsApp safe to send private pictures? ›

So, users of iPhones and Android devices have a bit more protection from malware. Still, WhatsApp may not catch some malware that can infect your phone and send messages without your consent.
