WhatsApp, the world’s leading messenger with 2 billion users sending 100 billion messages each day, popularized secure messaging. But if you’re one of the hundreds of millions using WhatsApp on an iPhone, you’re in for an unwelcome surprise when you see Apple’s stunning new iMessage update.
WhatsApp used to be all about security. “Privacy and security are in our DNA,” it says, and it takes credit for delivering encrypted message privacy to the masses. But data security is complex—take a peek at the spidery patterns on an investigator’s desktop and you’ll understand: sometimes it’s not what we say that matters, it’s the when, the where and the who.
“Metadata—data about your data,” says Cyjax CISO Ian Thornton-Trump, “is almost as powerful as the actual data.” Who you know, who you message, when and how often. Who they know and message. What other activity can be tracked to your user ID. It is this metadata that drives Facebook’s information mining machine. And it’s why there has been such nervousness around its plans for WhatsApp as it drives monetization across all those users and integrates it with its other platforms.
And while your end-to-end encrypted content cannot be accessed, “your WhatsApp messages will not be shared onto Facebook for others to see,” it confirms, there is that metadata. “Facebook may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.”
Cue Apple and its campaign to curb Facebook’s insatiable appetite for its users’ data. Much of this was debated last summer. As my colleague Kate O’Flaherty explained at the time, this is a genuine “game-changer” for user privacy—cutting the tracking IDs and location mapping relied on by advertisers. Tracking and cross-referencing browsing and social media activity is one thing, but what you do within the confines of apps is different—there you’re a captive audience. And the reason there’s now a messaging war for users is that these are the stickiest apps around.
If I can link you to various apps by your personal identifiers, your phone number or device ID for example, then I can tie your metadata to everything else I know. As WhatsApp says, its metadata “includes information about your activity… device-specific information… such as hardware model, operating system information, browser information, IP address, mobile network information including phone number, and device identifiers… We receive information other people provide us, which may include information about you. For example, when other users you know use our services, they may provide your phone number from their mobile address book (just as you may provide theirs), or they may send you a message, send messages to groups to which you belong, or call you.”
You get the point. Apple’s stunning response to this undercurrent of metadata collection has been its privacy labels, now live on the App Store. “On each app’s product page,” Apple explains, “users can learn about some of the data types an app may collect, and whether that data is linked to them or used to track them.” These labels launched last month and caused a furore between Apple and app developers whose data collecting practices were now heavily exposed. Facebook led this charge, taking out full-page ads to argue against Apple’s move.
The issue for WhatsApp is that when you claim security and privacy is in your DNA, you open yourself up to a heightened level of scrutiny. Suddenly, those concerns around WhatsApp metadata collection became more real. Now we could easily see that WhatsApp collects the contacts in your phone, commercial data where you use Facebook services, device-based identifiers, your IP address which provides your location unless you’re using a VPN, and your usage logs. All linked to you.
WhatsApp issued a statement in response to Apple’s privacy labels. “We must collect some information to provide a reliable global communications service,” it said, “as a matter of principle, we minimize the categories of data that we collect… we take measures to restrict access to that information. For example, while you may grant us access to your contacts to help deliver the messages you send, we do not share contact lists with anyone, including Facebook for its own use.”
WhatsApp was particularly exercised at what it saw as inconsistency on Apple’s part, telling Axios that “labels should be consistent across first and third party apps as well as reflect the strong measures apps may take to protect people’s private information—while providing people with easy to read information is a good start, we believe it’s important people can compare these ‘privacy nutrition’ labels from apps they download with apps that come pre-installed, like iMessage.”
In a fairly stark example of being careful what you wish for, Apple has updated its website and that same level of privacy information for iMessage is now live, presenting a stunning contrast between iMessage and WhatsApp.
And while all WhatsApp’s metadata is classed as “data linked to you,” the only iMessage metadata linked to a user’s identity is their email address, phone number, device ID and search history. According to Apple, “data linked to you” means that “the data is collected in a way that is linked to your identity, such as to your account, your device or your details—to declare that data is collected but not linked to you, a developer must use privacy protections such as stripping any direct identifiers.”
In simple terms, all the additional data iMessage collects to monitor its platform and usage cannot be linked to individuals, whereas with WhatsApp everything links back.
How you feel about WhatsApp’s data collection will depend on your personal viewpoint on data privacy. Whatever that might be, though, give some thought to the changes coming to WhatsApp, particularly around business messaging and shopping, as well as tighter integration with Messenger and Instagram—albeit that will likely be delayed by the antitrust action against Facebook that has just flared up in the U.S.
WhatsApp is reportedly worried that users will not make the effort to check the privacy label for iMessage given it’s preinstalled. I think their worry should be that users will do exactly that. And while iMessage is better, it’s nowhere close to the class-leading Signal, which has only one item of metadata—your own phone number—and even that “is not linked to your identity.” As for Facebook Messenger—I’ve repeatedly advised users to switch to an alternative.
Kudos to Apple for these privacy labels: they are a major step forward against permission abuse, where apps take our data for no good reason. And if you’re an Android user, then the situation is much worse. Permission abuse is much more rife in the Android ecosystem, despite Android 11 finally starting to do something about it.
WhatsApp’s security is perfectly sufficient for almost all users. But metadata is a grey area and as we do ever more on these messaging platforms, its value will increase. This is your data and you’re entitled to ask why it’s being collected and processed. If you take the view that your data should not be harvested without good reason, then you now have the tools to compare the alternatives.