In the summer of 2016, WhatsApp made an unprecedented change. The Facebook-owned company turned on end-to-end encryption by default for all of the billion-plus people using it—becoming, in the process, the world’s largest encrypted messenger. Since then the number of people using it has swelled to more than 2 billion.
This story originally appeared on WIRED UK.
The radical shift means that nobody at Facebook is able to read, or mine data from, the content of the messages you send. The only things that can access them are the two phones—acting as end points in the encryption setup—where the app is installed. For the encryption protecting your messages to be decoded, both devices must verify and exchange security codes as messages are transferred.
The encryption that WhatsApp uses was originally developed by Open Whisper Systems, the group behind encrypted messaging app rival Signal. Even though WhatsApp’s end-to-end encryption does protect your communications—including files, images and calls—that doesn’t mean the service is as private as it could be by default. In fact, when it comes to WhatsApp versus Signal, we recommend the latter for people wanting the maximum security and privacy options.
However, with more than a third of the world using WhatsApp, its popularity is unrivaled, and you may not be able to drag all of your friends, family, and groups across to Signal. If that milestone is still some way off, here are some tips to make WhatsApp as private as possible.
Understand What WhatsApp Collects
WhatsApp says your phone number from WhatsApp, device information (including the type of phone, mobile country code, and operating system), and some of your usage information (when you last used WhatsApp, when you registered, and how often you message) are shared with other Facebook companies. Some of this data sharing has been controversial. In May 2017 the company was fined £94 million by the EU for combining WhatsApp phone numbers with Facebook data after it told regulators it couldn’t easily do so.
Any data sharing may come under further scrutiny in the future as Facebook looks to merge the infrastructure between WhatsApp, Facebook Messenger and Instagram’s messaging. However, it’s worth stressing that the content of the messages you send isn’t shared, as Facebook doesn’t have access to them due to WhatsApp’s end-to-end encryption.
On top of that, WhatsApp may also collect information about your phone’s battery level, signal strength, and mobile operator. Location information, when you turn it on, is also collected, and there are cookies that track your activity within the desktop and web versions of the app.
Turn Off Cloud Backups
WhatsApp allows you to back up your chats and data as a handy way to move all your information to a new phone—although this doesn’t actually work if you’re moving from iPhone to Android. These backups work by storing your data in Google Drive or Apple’s iCloud, depending on which operating system you use.
WhatsApp wants you to back up your data—if you don’t have the setting turned on, it’ll prompt you to start backing up every few months. But there’s a very good reason why you shouldn’t back everything up to the cloud. The backups of your messages aren’t properly encrypted. That means if they’re accessed by someone else, the messages can easily be read. The process sort of defeats the point of the initial end-to-end encryption.
For instance, a law enforcement request to Google or Apple can lead to the backed-up chat logs being handed over and the messages revealed. This does happen. In June 2018, former Trump campaign chairman Paul Manafort, who is now a convicted felon and in home confinement serving a seven-year sentence, had his WhatsApp messages accessed through a federal request for his iCloud data.
Unencrypted backups on WhatsApp have been an issue for years, and it’s one the company knows about. Some reports state that WhatsApp is testing password-protected backups, but these have not been widely rolled out or officially announced by the company.
Turn On Two-Factor Authentication
You should be using two-factor authentication as much as possible—it’s even more important on accounts that hold your sensitive personal information, such as photos and messages. The security method involves adding an extra step to the process when you log in to an account. In most cases, this involves using a security code generated by an app, a code sent via SMS or a physical security key. (The last of these is the most secure way to protect your accounts with two-factor authentication.)
Using WhatsApp is different from logging in to your email. It’s likely that you’ll access the app multiple times a day—on average I open the app between 50 and 80 times per day. Entering a security code every time this happens would be impractical and frustrating. So instead, WhatsApp’s two-factor authentication, which can be turned on through the settings menu and then by tapping on account, uses a PIN.
WhatsApp will semi-regularly ask you to reenter the six-digit PIN you create to access the app. It doesn’t say how often these prompts happen, but they’re irregular enough not to be a barrier to using the app. The PIN will also be required anytime there is an attempt to add your number to a new phone or device. When you’re setting the PIN there’s also the option to add an email address that can be used to reset the code if you forget it.
Stop People From Seeing Your Personal Info
WhatsApp spam and social engineering attacks, devised to steal your personal information, exist. Every few weeks a new scam will circulate where attackers are looking to compromise accounts. WhatsApp has even threatened legal action against those who hit users with colossal amounts of messages.
There are a few steps you can take to limit the ways people can interact with your account. These are all found through the settings menu, followed by tapping on Account and Privacy. At the most simple, you can turn off read receipts, the two blue ticks that show when someone has seen your message and is now ghosting you.
More effective are the steps that stop people from adding you to groups. Under the Groups setting there is the option to limit who can add you to a group. By default, this is set as “everyone.” However, it can be changed to all of your contacts, or all of your contacts except some people who you block from doing so. Deciding to limit who can add you to groups doesn’t mean that you can’t join groups when people aren’t in your contacts. Instead, people wanting to add you to groups can request to do so via a separate message.
You can also limit who can see your profile photo, the About section, WhatsApp status, and the time when you last looked at the app. When in the privacy settings you should also check whether you are sharing your live location with anyone.
If you’re going for the most private approach, it’s also worth considering what information you might leak through your phone’s screen. New message notifications can include the entire message or just some of its content when they flash up on your screen. If these notifications also sit unread, anyone picking up your device may be able to read them without having to unlock the phone.
Notification settings sit outside the WhatsApp app. To change these you’ll need to go to iOS or Android’s settings and into the notifications options, where previews of messages can be turned off. It’s likely that you’ll need to do this for each app individually.
Switch to Signal
If you’re looking for more privacy, switching messaging apps is a big upheaval but could be worth the time and effort. As mentioned earlier, our preference for combining end-to-end encryption with greater levels of privacy is Signal. The app allows you to lock it and use facial recognition or fingerprint sensors to access messages, messages can be made to disappear after a certain amount of time, and it’s possible to blur the faces of people in photos and videos. A full rundown of its privacy options is here.