WhatsApp, the world’s most popular messaging app, is generally considered safe but still presents data and privacy issues that journalists should be aware of. Reporters Without Borders (RSF) investigates the safety risks associated with this messaging app and how best to use it safely.

WhatsApp, owned by Facebook’s parent company Meta, is the world’s most popular messaging app with 2 billion monthly users and is also widely considered one of the most secure. It notably features end-to-end encryption (E2EE) on private chats, group chats, and even video calls, making direct government surveillance, with or without its management’s consent, much more difficult, which may be the reason why the app has been banned in China since 2017.

However, Meta does not systematically reject government data requests and the American Civil Liberties Union (ACLU) has called for the company to be investigated over alleged access given to government surveillance groups. The app has further suffered from many data and privacy issues that journalists in particular should be wary of. 

Main risks

  • Sophisticated malware attacks. Malware is being widely distributed on WhatsApp through malicious links, third-party mods that alter or copy the app, and previously even through vulnerabilities in the video calling function. Malware is often difficult to detect because it operates silently in the background to record passwords and activities. This is of particular concern to journalists as spyware can nullify any preventative security steps being taken to protect sources or sensitive information.
  • Unencrypted saving and backup features. WhatsApp encrypts its content (video feed, messages, voice clips, photos, etc.) during the whole communication from one device to the other using end-to-end encryption. Nonetheless, the app also offers automatic saving of content on devices whose drives are often not encrypted. Therefore, if a user decides to store or back up the content unencrypted, it can be accessed from their device.
  • Metadata collection. Although the content of communications is secure, WhatsApp collects the data surrounding that communication, including IP address, time, duration of activities on the app, and potentially identifiers linking WhatsApp users to their other Meta accounts (Facebook and Instagram). In early 2024, a report revealed that state actors were already accessing such data to track persons of interest.

Recommendations to journalists

  • Manually delete sensitive content. Manually delete any content associated with sensitive activities. Ensure that it is deleted from the app and from all devices linked to that account, as each device will store a separate copy of each piece of content.
  • Use disappearing messages. Chats can be set to automatically delete content after a certain time. While disappearing messages are a useful tool to remove sensitive discussions automatically, be aware that disappearing messages are still stored on connected devices, and that any “disappearing” content can first be saved, copied, and forwarded to bypass deletion.
  • Set multimedia content to view-once. Content set to “view once” can, as the name suggests, only be viewed once. This applies to videos, photos, and voice messages, but not text content. These messages can only be opened on a phone, must be viewed within 14 days of being sent, and cannot be saved or forwarded in any conventional way. However, WhatsApp notes there are certain limitations and bypasses to this functionality.
  • Encrypt saved WhatsApp content. Ensure that any device using WhatsApp stores associated data (images, voice messages, chat logs, etc.) in folders that are encrypted or password-protected. For online storage, journalists are encouraged to create encrypted backup accounts. If possible, use full-disk or full-device encryption.
  • Never dial unknown numbers. Some scam schemes trick users into dialling a number with a man-machine interface. This allows malicious actors to forward calls to their own devices, using this to send verification codes to themselves and ultimately taking control of the victim’s WhatsApp account.
  • Keep WhatsApp updated. Most of WhatsApp’s frequent updates are designed to improve its security features. Journalists are therefore advised to always use the latest version of WhatsApp, as out-of-date versions may still run but would present more security vulnerabilities.
  • Turn on two-factor authentication (2FA). WhatsApp has a two-factor authentication (or two-step verification) feature, which locks the app with a six-digit PIN and therefore helps protect the contained information even if a journalist’s device is stolen and accessed.

 

This article is part of a series on messaging apps: