WhatsApp and user privacy: Your top questions answered

Last year, Facebook-owned WhatsApp rolled out end-to-end encryption for more than 1 billion users across the globe. Such type of encryption ensures users have a more secure platform to electronically converse with their friends without worrying about the government snooping or hackers trying to break into their private data.

With more than 200 million WhatsApp users, India is one of the biggest markets for it. An integral part of our lives, the messaging application is also used extensively for more responsive governance. That makes it even more important for us to understand its user policies.

What is end-to-end encryption? Why should it matter to you?

WhatsApp's end-to-end encryption feature essentially ensures that only the sender and receiver can read what has been sent. This means nobody in between, including WhatsApp, can read the message transmitted.

Basically, two keys, public and private, are generated when a user opens WhatsApp for the first time. The encryption process takes place on your smartphone. The private key remains with the user on the phone whereas the public key is transmitted through the server to the receiver. Then the public key encrypts the sender's message on the phone even before it reaches the server.

WhatsApp says the server is only used to transmit the encrypted message. Only the receiver's private key can unlock the message. No third party including WhatsApp can read the message.

"End-to-end encryption offers two important solutions: 1. No one, whether a hacker, a relative, the government or the application provider (WhatsApp) itself, can jack into your communications. 2. Even if the application provider's (Whatsapp) server gets hacked, hackers will not be able to read the customers' chats as each user's chats are encrypted with different keys," said Ankush Johar, Director at HumanFirewall.io, a human information security awareness and preparedness solutions provider.

Is your back-up data secured?

WhatsApp points out that the users are primarily responsible for their privacy when they choose to backup their data on iCloud or Google Drive.

"Basically, users have the ownership of their messages. When you perform a backup of your messages to third-party services, the data is not then on WhatsApp servers. We cannot read those messages. Backed up data are encrypted in transit including on iOS or Android, but it's not end-to-end," said Alan Kao, a Software Engineer at WhatsApp while addressing a Q&A session with the media on Monday. He also pointed out that Google and Apple take users' privacy very seriously.

Should you use third-party apps to customise WhatsApp?

Many users like to use third-party apps to customise WhatsApp themes, icons and even font. These third-party apps give the monotonous WhatsApp a makeover, but it's far from safe. A lot of users use third-party keyboard apps as well.

"We do take down third-party apps that pretend to be the official WhatsApp. In general, we recommend our users not to use third-party apps for WhatsApp as they compromise privacy and security," Alan said.

On asked whether a third-party app can give access to someone else, Alan replied that it depends on the operating system. "If you're using a third-party app that claims to change or modify WhatsApp's Settings, you're definitely putting your privacy at risk," he said.

"One of the key points we're trying to make is that the phone does the work to decrypt the message so it's very important that user keep in mind about the security of their phone and know what is installed outside WhatsApp. Because, the messages cannot be read by anyone in transit but the phone has to be protected as well," he noted.

On the issue of possible misuse or hacking through third-party keyboard apps, the WhatsApp engineer said that if a user has installed a keyboard app, which could potentially be vulnerable to hacking, WhatsApp cannot do much to protect the data. He further stressed that users' messages are encrypted in the transit. That's why it's very important to use trusted applications, he added.

Ankush explains, "With the rise of WhatsApp came a lot of third-party applications like Whatsapp+ that gave WhatAapp users additional functionalities like hiding their "last seen", tracking users when they are online, change fonts & wallpapers and much more."

"The apps were distributed as modified versions of the WhatsApp APK (Android Package format used for installing apps manually) on 3rd party app stores and websites although Whatsapp took various countermeasures that included even ending the subscription of users using such apps."

"The biggest risk with such 3rd party applications is, if hackers can alter WhatsApp's APK to hide your last seen, they can also add code to record your chats and send them to their own servers. A general user will never come to know what code has been added in a 3rd party application and as these apps are not uploaded on official app stores, no malware analysis is done on them, opening up the users to extreme risks," he pointed out.

Does WhatsApp track your data?

While WhatsApp claims it does not read the content of your messages, it does know whether your image is an image or a text. As you may already know WhatsApp periodically publishes reports on how many images or voice calls were sent on its platform. Earlier this year, WhatsApp revealed that 3.1 billion images, 700 million GIFs and 610 million videos were sent on New Year's Eve. That makes us wonder how does WhatsApp know?

"So, the messages include metadata that tell servers that the message contains text or video. This allows us to track whether users are enjoying the new feature or not. This helps create a better experience for our users," Alan commented while rejecting the notion that the metadata could possibly put users' security at risk.

Will WhatsApp add an in-app passcode or fingerprint authentication?

Alan acknowledged that the company has received a lot of requests for this feature. "But, I cannot talk about our future products, but we are looking for more ideas and suggestions from users," he said.

WhatsApp, however, on its FAQ section notes, "WhatsApp does not have any password system built into the app. If you wish to put a password lock, you will need to use a third party app."

What are the basic security measures WhatsApp users should keep in mind?

According to Ankush, here are some basic security measures that users must take:

1 Don't connect to public Wifi networks as hackers can use them to snoop into you communications

2 Don't scan untrusted QR codes as a hacker can use them to gain access to your WhatsApp account via WhatsApp web

3 Don't leave your phone unattended & unlocked.

4 Lock your device with Patterns/Passwords/PINs/Biometrics. Don't give your unlocked phone to untrusted people

5 Enable the inbuilt 2 step verification provided by WhatsApp

6 Enable the "Show security Notifications" option in the Account->Security menu in WhatsApp and when you get a notification that a contact of yours has had his/her encryption code changed, be cautious as someone could have hijacked their account. In such a case call them and confirm manually whether they have changed their mobile phone.

7 Regularly backup your chats on the cloud instead of storing them locally

8 Make sure your application is always up to date

9 If you see that WhatsApp web is activated in you notifications but you are not using it, disconnect the device immediately from the WhatsApp menu