WhatsApp has regularly been regarded as one of the safer messaging apps, thanks to the end-to-end encryption the service offers in its chats. Now, however, the Narcotics Control Bureau (NCB)’s drug probe in the Bollywood film industry has raised an issue that was unlikely to be linked in any way to actor Sushant Singh Rajput’s demise: online privacy. The NCB has succeeded in recovering old, deleted messages that were also seemingly end-to-end encrypted, which has raised questions about how safe WhatsApp conversations really are, and what privacy risks remain even with WhatsApp’s encryption promise.
Forensic traces of deleted messages
While WhatsApp gives you an option to delete a message forever, the messages in question are, in fact, not entirely deleted from everywhere. According to reports, WhatsApp keeps a log of your conversations locally on your device, and this log works as a “forensic trace” of the data, according to cyber security service provider McAfee. It is this log that is regularly exploited by numerous third party apps, which offer a way for you to see messages that have been deleted.
This log is reportedly not encrypted, which represents a security flaw that can be exploited by malicious spyware tools. Last year, the Israeli ‘Pegasus’ cyber espionage tool wreaked havoc by tapping into people’s phones, breaching privacy and tracking all WhatsApp conversations. One of the factors that allowed Pegasus to carry out such a breach is that WhatsApp’s end-to-end encryption applies between the moment a message is sent and the moment it is received. This protects your conversations from being intercepted in transit; in other words, your chats cannot be tapped. However, once the source devices are compromised, there is a strong chance of your messages being read.
Across the world, numerous investigation agencies and legal bodies have been known to use such undisclosed tactics. In the wrong hands, this can prove to be catastrophic for the privacy of users. It is also important to note that no messaging service, even the venerable Signal, would be entirely un-hackable. In WhatsApp’s case, its massive popularity makes it an even greater target for spyware tools.
What you can do
As a user, the best you can do is follow general cyber hygiene practices. Do not click on any unknown link that you are not sure about. Even if you receive a random link from a familiar contact, attempt to verify why you have been sent the link first. This is the very first step to ensure that you do not accidentally download malicious tools such as spyware on your phone.
You can also turn on security notifications on your phone. This is a WhatsApp feature that you can turn on from the Security tab under ‘Account’ in Settings. Using this allows you to verify that your conversation with your contact is encrypted, and you will also be notified in case the contact’s linked number or device changes. This can essentially allow you to preemptively find out if your contact’s WhatsApp account may have been compromised.
You should also turn on two-factor authentication, which will ask for an extra verification code when your WhatsApp account is being set up. Additionally, add biometric authentication to restrict direct access to your messages by third party applications. Beyond this, set up your profile as a private account, and as general good practice, avoid sharing any information that may later come back to compromise you.
What WhatsApp is saying
In a statement on the recent privacy debate, a WhatsApp spokesperson said, “WhatsApp protects your messages with end-to-end encryption so that only you and the person you’re communicating with can read what is sent, and nobody in between can access it, not even WhatsApp. It’s important to remember that people sign up on WhatsApp using only a phone number, and WhatsApp doesn’t have access to your message content.
WhatsApp follows guidance provided by operating system manufacturers for on-device storage and we encourage people to take advantage of all the security features provided by operating systems such as strong passwords or biometric IDs to prevent third parties from accessing content stored on device.”