Digits and Andromynas

WhatsApp is less private than it wants you to believe.

Although messages are encrypted during transmission, mobile applications store data on devices and cloud copies are also vulnerable.

The WhatsApp application on a mobile phone.
29/03/2025

Barcelona. The Spanish Supreme Court has ordered Meta Platforms and Google to preserve and provide the WhatsApp messages of the State Attorney General, Álvaro García Ortiz, as part of an investigation into the disclosure of secrets related to the case of Isabel Díaz Ayuso's partner. Both companies have confirmed that they keep the prosecutor's messages and emails, even if he has deleted them from his phone.

This case has revealed a fact that many users are unaware of: deleting messages or emails from our devices does not mean that they completely disappear from the servers of technology companies, which can be forced to recover them through court orders.

The false sense of privacy on WhatsApp

Most users of WhatsApp, the most popular messaging app, believe that their messages can only be read by the recipient thanks to end-to-end encryption (E2EE). And while it's true that the content of messages is protected in transit, many users don't consider that they save a backup of their chats in the cloud (Google Drive for Android and iCloud for iPhone) so they don't lose them when they change phones.

The problem is that these backups aren't encrypted by default, which allows Google to provide judges with an open copy of the messages the Attorney General deleted from his phone. For this reason, if you insist on keeping cloud backups, it's advisable to enable backup encryption in WhatsApp settings, although it would be safer not to make these backups at all.

Furthermore, according to the Civil Guard, the WhatsApp mobile app stores data locally, which would allow for the recovery of deleted messages using forensic computer software.

Metadata: What WhatsApp does know about us

Meredith Whittaker, president of the Signal Foundation, has heavily criticized WhatsApp CEO Will Cathcart for claiming there's no difference between the two apps when it comes to privacy. While WhatsApp uses Signal's end-to-end encryption technology to protect the content of messages, it still collects vast amounts of unencrypted, relevant personal information in parallel.

"WhatsApp collects and hands over, on demand, vast amounts of intimate information that, unlike Signal, is not protected with end-to-end encryption," Whittaker says. This information includes location, contact lists, when you start messaging someone, when you stop messaging someone, who's in your group chats, your profile picture, and much more. Furthermore, while Signal is open source, allowing its claims to be verified, WhatsApp is closed source, and no one knows exactly what its code does.

Government Pressure Against Encryption

The FBI's demand that Apple give it access to the data on a murderer's iPhone is emblematic. In recent months, several governments, including European ones, have been trying to get tech companies to open up a back door so that authorities can inspect potentially criminal content, from terrorism to pedophilia.

France has been on the verge of passing a law that would force encrypted messaging apps to create this back door that would allow the government to join any group or chat it wishes. This modification of the anti-drug trafficking law was ultimately rejected by the French National Assembly, to the delight of digital privacy advocates.

Meanwhile, the European Union has been trying for years to implement the Chat Control system, which would require platforms to scan all private messages for child abuse material. This proposal has been heavily criticized by privacy advocates and has still not been put into effect.

The UK has put so much pressure on Apple that the company has decided to withdraw its Advanced Data Protection (ADP) tool for British customers. This measure specifically affects nine categories of iCloud data that were previously protected with end-to-end encryption: iCloud backups, iCloud Drive, photos, notes, reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, and Wallet Passes. However, Apple gives assurances that other services such as iMessage and FaceTime will continue to be end-to-end encrypted globally, including in the UK, and that other categories such as Health and iCloud Keychain will also maintain their full protection.

The risks of 'backdoors'

The dangers of these back doors have often been warned about. In an article in the Financial Times, the aforementioned Whittaker compared this situation to a government ordering a car manufacturer to secretly weaken the brakes on every car it sells, recklessly endangering the safety of millions of people.

Furthermore, the case of the Salt Typhoon cyberattack has been pointed out, in which hackers linked to China accessed call logs, text messages, and other intimate information of millions of US citizens. How did the hackers do it? Thanks to the back doors opened by telecom operators. The fundamental problem is simple: encryption is mathematics, and mathematics does not discriminate between a police investigator and a criminal. A back door is a back door, and if it exists, anyone can get in, cybersecurity specialists say.

The AI threat to privacy

There's been growing concern lately about how artificial intelligence is amplifying the risk of surveillance. Specifically, there's talk of the dangers of so-called autonomous AI "agents" on our devices, which would require access to large amounts of sensitive, potentially unencrypted data and could compromise the privacy of communications.

This situation has been compared to "putting your brain in a jar," as these agents would need access to our entire system, including our browser, credit card information, calendar, and messaging apps. Most experts conclude that the best way to protect data is not to collect it.

The weakest link is always the human.

Despite all the technical security measures, it's worth remembering that the weakest link in the privacy chain is always the human: the same human who doesn't enable encryption for backups or ephemeral messages. In 2018, Signal messages between Carles Puigdemont and Toni Comín were captured by a TV camera on the screen of the former minister's phone. And this week, top US defense officials mistakenly included a journalist from The Atlantic in a Signal chat where details of the bombings in Yemen were discussed.
