What’s Wrong with WhatsApp?


WhatsApp is one of the most popular communications apps. As of July 2017, it boasted 1.3 billion active users globally. WhatsApp was acquired by Facebook in February 2014 for an eye-popping $19 billion.

WhatsApp’s growth has been driven by its ease of use around group messaging and file sharing across a diverse set of devices. This enabled WhatsApp to build a devoted following, both among teens and on-the-go business people who need to be able to communicate using the device they have at hand. Over time, WhatsApp added features, including the ability to make telephone and video calls. While these make it more appealing to business users, there are several security- and business-related factors that companies should consider before adopting WhatsApp as a communications tool.

WhatsApp Security Concerns

A watershed moment occurred in 2013 when WhatsApp and its parent company Facebook were shown in the Snowden disclosures to be cooperating with US Government requests for information about their users. To its credit, WhatsApp took initial steps to increase user privacy in response to the global uproar, beginning implementation of end-to-end encryption via the open-source Signal protocol and other measures.

Nonetheless, in October 2016, the Electronic Frontier Foundation (EFF) issued a warning identifying four key areas “where a user can dangerously overestimate WhatsApp’s security”:

  • Unencrypted backups, which potentially leave unencrypted versions of messages sitting in the cloud.
  • Optional key change notifications, which notify users of an encryption key change only AFTER they send a message, leaving them vulnerable to a man-in-the-middle attack.
  • The WhatsApp web app, which provides an HTTPS interface, exposing the app to all the malicious attacks that may be launched against websites.
  • Facebook data sharing, which merits a more detailed exploration below.
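As an added illustration of the second point (not code from WhatsApp, the EFF or the original post), the Python below models a trust-on-first-use key store under two policies: the notify-after-send behaviour described above, and a block-until-verified alternative in which nothing is sent until the user confirms the new key. Contact names, key strings and policy names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Policies compared below; the names are ours, not WhatsApp's.
NOTIFY_AFTER_SEND = "notify_after_send"        # warn only once the message is already out
BLOCK_UNTIL_VERIFIED = "block_until_verified"  # hold the message until the new key is checked


@dataclass
class KeyStore:
    """Trust-on-first-use store: the first identity key seen for a contact is pinned."""
    policy: str
    pinned: dict = field(default_factory=dict)  # contact -> pinned identity key
    log: list = field(default_factory=list)     # (event, contact, key) audit trail

    def send(self, contact, current_key, message):
        """Return (delivered, key_used). The message body is only a placeholder here."""
        old = self.pinned.get(contact)
        if old is None:                       # first conversation: pin whatever we see
            self.pinned[contact] = current_key
            self.log.append(("pinned", contact, current_key))
            return True, current_key
        if current_key == old:                # unchanged key: normal send
            return True, current_key
        if self.policy == NOTIFY_AFTER_SEND:
            # The text is encrypted to the new, unverified key and delivered; the user
            # learns of the change afterwards, when it is too late to withhold the message.
            self.pinned[contact] = current_key
            self.log.append(("warned_after_send", contact, current_key))
            return True, current_key
        # BLOCK_UNTIL_VERIFIED: nothing leaves the device until verify() is called.
        self.log.append(("blocked", contact, current_key))
        return False, None

    def verify(self, contact, current_key):
        """User confirmed the new key out of band (e.g. compared safety numbers in person)."""
        self.pinned[contact] = current_key
        self.log.append(("verified", contact, current_key))


def demo(policy):
    """Same key change under each policy: returns (send result, last log event)."""
    ks = KeyStore(policy)
    ks.send("alice", "KEY-A1", "hello")                              # constructed placeholder key
    result = ks.send("alice", "KEY-A2", "draft contract attached")   # key changed since last chat
    return result, ks.log[-1][0]
```

Under the first policy the sensitive message is delivered to the changed key before any warning appears; under the second it is held until `verify()` records an out-of-band check.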

Facebook Data Sharing

Since acquiring WhatsApp, Facebook has, unsurprisingly, started to merge the two platforms. The first move was a shift in privacy policy, making it unclear what information WhatsApp may share with Facebook. We do know that phone numbers and usage information are shared, purportedly to enhance the user experience, and that users cannot opt out of this sharing.

We also know that WhatsApp’s widespread collection and use of metadata is far larger in scale, more diverse, detailed and precise than its precedents. While all metadata is valuable, WhatsApp metadata is particularly so. First, it includes well over one billion users’ cell phone numbers — the de facto identification number that ties together our digital footprints across mobile apps, the Web, e-commerce, credit cards and more. Second, WhatsApp metadata is combined with Facebook data that includes political views, health information, information about families, friends and acquaintances. Describing it as “mere” metadata misrepresents its value and potential danger.

This metadata is of significant value to both commercial and governmental organizations. Commercial use of metadata enables targeted advertising on social media. As we have written previously, companies like Facebook, “monitor online and mobile activity by collecting and analyzing our calls, texts, chats, location, websites visited, posts, likes, purchases, comments, articles read, our friends, their activities and much more.” Metadata-driven analytics can also be used to manipulate markets, change competitive dynamics, influence customers and more.

Similarly, governments use metadata not only for intelligence, law enforcement and other legitimate activities, but also to monitor, control and target citizens, dissidents, activists and others, and perhaps to influence elections. In the business world, this same data can be used for purposes that range from competitive intelligence to executive protection to kidnap and ransom security.

In the wrong hands, however, metadata poses a significant and widespread risk to both cybersecurity and privacy. Awareness of the risks is growing rapidly. Prominent cybersecurity experts Steven M. Bellovin, Matt Blaze, Susan Landau and Stephanie K. Pell published leading research on how our legal system fails to handle the challenges posed by new types of metadata. We are at the beginning of an important cybersecurity trend as control and security of metadata become top cybersecurity and privacy priorities for businesses and consumers in 2017 and beyond.

WhatsApp Voice – Can it be Relied On?

Usability concerns have arisen as well, particularly since WhatsApp added voice capability. The first strike against WhatsApp is that its phone calls have poor sound quality. Much of WhatsApp’s audio trouble comes from its reliance on protocols such as SIP that do not perform well in many environments.

Layering encryption on top of voice communications adds significant processing during both outgoing (speaking) and receiving (hearing) processes, so poor sound quality afflicts not only WhatsApp, but many other secure calling solutions.

A separate and growing issue facing WhatsApp is that it is blocked in several countries permanently and in others periodically, and this list is increasing.

WhatsApp Built for the Consumer, But Not Necessarily for Business

In addition to its intrinsic security and privacy vulnerabilities, WhatsApp does not provide a business-ready solution with built-in features enabling high performance, oversight and management. For example, it does not provide enterprise-grade features for pushing out policies or pre-populating groups according to departments or other functional groups, whether formal or ad hoc. These things are time-consuming to develop and implement.

Businesses expect their secure communications solution to integrate seamlessly into their IT environments via APIs to their ERP, CRM, directory and other systems. They require reporting and metrics on usage and more. Companies insist on training and support for employees, IT staff and helpdesk personnel. Many organizations must control where company data resides, something they cannot currently do with WhatsApp.

Another important consideration for businesses is flexibility of deployment models. As a consumer app, WhatsApp is available in a “one size fits all” model. But businesses operate in diverse environments subject to a broad spectrum of considerations. A SaaS model is ideal for some, while others prefer an on-premises deployment and others opt for a hybrid scenario.

While WhatsApp is a convenient way for consumers to chat with family and friends, it lacks business-essential features. To protect their communications and user privacy, businesses should look at applications that provide robust controls and are designed with the enterprise in mind.

This blog post was written jointly with Jason Straight, SVP, Cyber Risk Solutions and Chief Privacy Officer at UnitedLex.

Jason manages UnitedLex’s internal privacy program and leads the UnitedLex Cyber Risk Solutions practice. Jason has managed dozens of cyber security investigations and data breach events for clients in a wide variety of industries and settings. As a recognized expert in his field, Jason is a frequent speaker and author on topics relating to cyber security, privacy, data risk management and data breach response.