Many people use WhatsApp to keep in touch with friends, family and colleagues, but not all users know that the social media platform Facebook, often called a data octopus, is behind the messenger. WhatsApp users therefore cannot always be sure that metadata and contact numbers are not also transmitted to Facebook. Facebook's hunger for data has always been viewed critically by data protection advocates, and alternatives are offered by Signal and others.
How is data protection on WhatsApp to be assessed?
WhatsApp has become an indispensable part of today's society, and over two billion users use the practical messenger service. Few people think about data protection and the rights they have gained through the introduction of the GDPR. In particular, the loopholes that WhatsApp and Facebook use with regard to the GDPR should be viewed critically.
The parent company Facebook has often been criticized for its use of personal data and its approach to data protection, as European standards are neglected. Facebook reacted to external pressure and unpleasant media reports and introduced end-to-end encryption on WhatsApp. This is a first step in ensuring that messages and phone calls cannot be read by a third party. It is also possible to set data protection preferences in the WhatsApp settings, which lets the user define clearly how their data is used and what other users can see.
Despite WhatsApp's best efforts, data protection leaks keep coming to light. In 2017, the press reported that a developer had managed to read the online status of any user using only their WhatsApp telephone number. Logs of communication activity can thus be built from the data obtained, which endangers data security on the Internet.
How does WhatsApp handle the existing data?
WhatsApp is a classic data collector, but in theory, because of end-to-end encryption, it cannot access chats, sent images and received voice messages. Nevertheless, enough metadata remains for WhatsApp to collect and evaluate. This includes, for example, profile pictures, data from invoices, general information about the user and location data.
Of course, the right of access under Art. 15 GDPR also applies to WhatsApp, so users can get an overview of the data WhatsApp has collected. On request, WhatsApp sends a report that shows all the recorded and stored data.
If you want to request a report from WhatsApp, this is relatively easy:
- Open the WhatsApp messenger
- Select the Settings item
- Open the account
- Request the account information
After about three days, the messenger service will send a report containing the stored information. The report is divided into the areas of user information, usage information, registration information and general settings.
Business customers in particular often back up their WhatsApp history. If this is done in the cloud, the protection of end-to-end encryption does not apply. This means that cloud service providers now manage the data that has accrued. Backing up chat histories can be deactivated in WhatsApp: under Chat, the item Chat backup, automatic backup, you can switch off the automated backup.
It should be noted in particular that all WhatsApp messages that have not yet been delivered are stored on servers located in the United States. When it comes to data protection, experts generally prefer the use of European servers. WhatsApp guarantees that the data will be deleted after 30 days on the American servers as well, but if you ask WhatsApp for more detail, the company is rather tight-lipped.
Is it possible to live without WhatsApp?
Of course, there are enough alternatives to the popular messenger nowadays, and Threema, Signal and Wire offer options that focus on data protection, but the fact is that WhatsApp is so widely used that it is almost a basic requirement for communication.
Company user groups are also often run on WhatsApp, so actively avoiding WhatsApp is a problem for employees.
Timing has given WhatsApp a decisive advantage: it offered a messenger service that is easy to use and at the same time has a high level of functionality. These features have helped WhatsApp to grow rapidly, and many users therefore see data protection as secondary, as the advantages of visibility and reach outweigh it.
Other messengers have a hard time in the market, as a messenger only offers advantages if the user's social environment also agrees on the same messenger. Companies for which data protection is important create user groups on WhatsApp alternatives in order to comply with data protection requirements, but the private environment will continue to rely on WhatsApp. WhatsApp's supremacy could only be shaken by a global data protection scandal, or by a competitor creating advantages for the user that make a change of messenger inevitable.
Signal - is the messenger a real alternative to WhatsApp in terms of data protection law?
Of course, many people are tied to WhatsApp, as in most cases their social environment is also active on the controversial platform. But many WhatsApp users are aware that there are secure alternatives that focus more on data protection.
If you ask a data protection officer, he will refer you to Signal. Signal stands for security and a secure private sphere, which the disclosed source code supports. This is particularly attractive because any security risks or spying actions would be noticed immediately.
Just like WhatsApp, Signal is a free service. It offered end-to-end encryption right from the start, which WhatsApp subsequently adopted under pressure. In contrast to WhatsApp, Signal does not claim to be a profitable messenger service - Signal is run as a non-profit foundation. Financing is done exclusively through donations.
What data protection can Signal offer?
Of course, Signal also has to process data, but only the necessary data is collected and used. If permission has been granted, the telephone number and the contact details of the user are used. Signal doesn't need any more data because Signal doesn't make a profit from data.
If you don't want to give your real name in Signal, this is entirely possible. Users have the option of using a pseudonym and even using an emoji is no problem.
If technical data is stored that is required to set up a call, no conclusions can be drawn about the user, as the data is secured using random authentication tokens and push tokens.
It is particularly important that the end-to-end encryption prevents messages and calls from being intercepted by a third party. This applies to audio and video calls as well as to group conferences with up to five users. This is an important criterion, especially for companies.
Message security at Signal
A special feature of Signal is "disappearing messages". A timer is defined, and messages can no longer be viewed after the selected period of time - they are deleted by the application. Messages are not stored on any external servers, but always remain on the end devices. The problem of a server location that does not comply with data protection regulations does not apply to Signal. Message encryption is activated automatically in Signal and does not have to be switched on manually, as with other providers.