Is WhatsApp safe to use?
New attacks on WhatsApp have suddenly accused Meta’s mega-messenger of harvesting user data to drive ad revenue. WhatsApp categorically denies these new allegations, although it didn’t help that a message of its own was seen to suggest the same.
The new attacks come from two high-profile sources. Few commentators have higher profiles than Elon Musk, especially when it plays out on X, a platform he owns. “WhatsApp knows enough about what you’re texting to know what ads to show you,” Musk claimed on the Joe Rogan Experience. “That’s a massive security vulnerability.”
These so-called “hooks for advertising” are generally assumed to rely on metadata: who messages who, when and how often, plus other data included within a user’s profile from other sources. That’s different to message content itself, which is protected by the end-to-end encryption that’s the default for all WhatsApp’s 3 billion users.
But Musk went further, suggesting somebody could use “that same hook to get in there and look at your messages.” The world’s richest person has an agenda with this latest attack on the world’s largest messenger: the launch of X Chat, his “WhatsApp Killer.”
“Not true,” WhatsApp responded to Musk’s attack. “Your personal messages are end-to-end encrypted, we can’t see them, and we don’t use them for ads.” The specificity of message content versus metadata is critical here.
WhatsApp’s security is underpinned by Signal’s open-source encryption protocol, which the Meta platform has taken and adapted for its own use. And it was Signal boss Meredith Whittaker behind the second of these new attacks.
Whittaker responded to WhatsApp’s backfiring X post, in which it said “people who end messages with ‘lol’ we see you, we honor you,” triggering a raft of responses suggesting its encryption must therefore be compromised.
Whittaker picked up on WhatsApp’s post, suggesting “they see your metadata, they mean. At Signal? We see nothing.” But Signal has also faced down Musk in the past, refuting the billionaire’s claim that “there are known vulnerabilities with Signal.”
So, do you suddenly need to quit WhatsApp in light of these new attacks?
The reality is that content on WhatsApp is fully encrypted. There has never been any proven claim that content itself can be read by Meta, WhatsApp or anyone else. But you are using a Meta-owned platform, and that platform does know who you are. It does collect metadata on your use of the platform. And it does share data with Meta, which can be used to “show relevant offers and ads.”
While Signal does not collect metadata in that same way, it has a fraction of WhatsApp’s user base. And so my advice has not changed. For day-to-day messaging, use WhatsApp given its ubiquity. For sensitive content, consider Signal instead. Avoid RCS, as it’s not yet encrypted cross-platform, and Telegram, as it is not end-to-end encrypted by default.
Also keep in mind that end-to-end encryption only protects your content in transit. It does nothing to secure your content on-device. If I have control of your iPhone or Android, I can read all your messages, end-to-end encrypted or not.
That’s why there’s so much controversy around new AI tools reading or even screenshotting content on device, or client-side scanning being applied to secure messaging content. It compromises the security of the platforms involved.
