Skip to main content

WhatsApp is still safe to use, despite story claiming otherwise

How to tell if you've been blocked on WhatsApp
(Image credit: Future)

Note: ProPublica updated its story on Sept. 8 to clarify that it did not mean to imply that WhatsApp's end-to-end encryption had been compromised.

Don't worry: WhatsApp is still safe to use, despite a major news story that may suggest otherwise. 

The non-profit news organization Pro Publica posted a story today (Sept. 7) entitled "How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users." It details how Facebook uses outsourced contract workers to review WhatsApp messages for potentially illegal or abusive content, and how Facebook complies with court orders to turn over metadata pertaining to specific WhatsApp users.

However, the story does not say that Facebook can read your WhatsApp messages. Rather, the Pro Publica piece says that what the content "reviewers" are seeing are potentially abusive messages that have been reported by WhatsApp users themselves, and that the metadata provided to law enforcement to comply with court orders does not include message content.

Here's a key paragraph, a third of the way through the story:

"Because WhatsApp's content is encrypted, artificial intelligence systems can't automatically scan all chats, images and videos, as they do on Facebook and Instagram. Instead, WhatsApp reviewers gain access to private content when users hit the 'report' button on the app, identifying a message as allegedly violating the platform's terms of service."

Those reviewers take a look at what is sent them before recommending action, such as possibly kicking a user off WhatsApp. The piece goes into detail about the difficulties of understanding what's in reported messages, especially those using lesser-known languages, and how it's not always easy to tell if an image actually depicts child sexual abuse or violence. 

Yes, Facebook complies with court orders

It also explains how Facebook cooperates with law enforcement when it receives a court order for a user's metadata — the user's name, phone number, avatar, device information and to log how many messages the user has sent, when they were sent and to whom they were sent. Legally, Facebook has to turn over what it has, and permit law enforcement to monitor activity on a suspect's device.

Apparently, that kind of WhatsApp metadata was instrumental in convicting Natalie Edwards, a former U.S. Treasury official who pleaded guilty to leaking information to Buzzfeed News. 

The FBI was able to see the number of messages sent between Edwards and a Buzzfeed reporter — elsewhere identified as Jason Leopold — on the day after the Buzzfeed article was published 2018, establishing that Edwards and Leopold were in constant communication.

WhatsApp could collect less metadata. For example, it could get only the user's phone number, and could skip the name or device information. But it would probably have to see which other numbers a WhatsApp account was messaging with, at least in the short term, which would still be subject to a court order and might be enough to establish a criminal case.

Still end-to-end encrypted

Still, neither the FBI nor Facebook could see exactly what Edwards and Leopold were messaging each other. That's because WhatsApp's end-to-end encryption, which uses the Signal protocol, prevents Facebook or WhatsApp from seeing the content of messages during transmission. 

The messages are decrypted only on the devices of the sender and recipients of the messages. The potentially abusive or illegal content that is reported to WhatsApp by its users is decrypted on the devices of the persons reporting it. 

The Pro Publica piece reports that such content is sent to the reviewer "in unscrambled form," although it's not clear whether the content is transmitted without being encrypted or whether the content is "unscrambled" only when being reviewed. 

Regarding the metadata case, the piece does not state whether the FBI was able to examine devices belonging to Edwards or Leopold for decrypted messages.

The upshot of the piece is that Facebook still can't read your WhatsApp messages, except when the recipient of your messages reports some of them as being abusive or illegal. You probably don't need to worry about that for now.

Facebook does collect a lot of metadata about WhatsApp users. If you're not comfortable with that — and I'm not sure I would be — then use Signal, Threema or another encrypted messaging app.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.