Is WhatsApp's encryption bypassed

Is WhatsApp’s encryption bypassed?

Forbes’s headline recently screamed,

New WhatsApp Warning As Encryption Is ‘Bypassed’

The article warned,

WhatsApp users have suddenly been warned that its security has been seriously compromised, and that a flaw in its encryption may have exposed their data. And separately, Elon Musk has also just publicly attacked WhatsApp’s security and data practices. So how worried should those 2 billion people be right now, and is this really a reason to quit WhatsApp and switch to something else?

This article is an example of garbage journalism. It conflates three separate issues together. Anyone reading this article will be LESS informed because they will get more confused. So, let me separate the issues so that you will be able to understand them clearly.


That article spent most of its time delving into the issue of meta-data. Meta-data is more of a privacy issue than a cybersecurity issue. So, what exactly is meta-data?

In essence, meta-data is data about data.

Let me give you an analogy. Let’s say you mailed a physical letter to your friend. The letter is sealed in an envelope. Since the letter is sealed with glue, you can assume that no one will read your letter’s content. That is security.

But anyone looking at the envelope of your letter will know these things:

  • Name of the recipient – Your friend’s name is on the envelope.
  • Address of the recipient – The envelope will have your friend’s address.
  • Name of sender – Usually, you will include your name on the back of the envelope, which is the sender of the letter.
  • Address of the sender – Below your name on the back of the envelope will be your address, which is the return address of the letter.

These 4 things about your physical letter are the “meta-data”.

It is openly known that WhatsApp collects lots of metadata about your usage of the app and messaging habits. The content of your messages is end-to-end encrypted (E2EE). That means WhatsApp cannot read them. But they collect a lot of metadata about you, including the phone numbers in your contact list. You can find out what metadata they collect in their privacy policy.

In contrast, Signal collects minimal metadata about you. You can find out about their metadata collection in their privacy policy.

What is metadata a privacy issue?

It turns out that a lot can be inferred about you just by looking at the metadata that is generated when you use the messaging app. Therefore, the less metadata the app collects, the less information about you can be inferred.

The problem with WhatsApp is that given the huge amount of metadata that is collected about you, they know a lot about you without having to read the contents of your messages (they can’t anyway, with E2EE). So, if the government wants to find out something about you, all they have to do is to ask WhatsApp for your metadata. In contrast, although Signal too has to surrender the metadata they have on you when requested by the government, the minimal amount of metadata they collect has limited use to the government.


Next, the article conflates privacy issues caused by metadata collection with SS7. These are two separate issues. SS7 has something to do with the global mobile phone communication network, whereas the communications between users of WhatsApp use the Internet.

The insecurity of SS7 has been a known issue for decades. I have written about it in my book, so I wouldn’t repeat it here.

Network analysis

This is where the real issue is.

To understand network analysis, let’s imagine a powerful entity that can observe all Internet traffic of all users in the country. That entity will usually be the government. It can, by force of the law, coerce all ISPs in the country to let it observe anyone’s Internet traffic.

So, whenever you send a message to anyone on a messaging app, that entity can know about it. That’s because it can be observed that there is a blob of Internet traffic flowing out of your device into the messaging app’s server. That entity also observes that ‘coincidentally’, at almost the same time, a similar-sized blob of Internet traffic flows from that messaging app’s server to your friend’s device. So, that entity can put two and two together and work out that you are messaging your friend. By observing and analysing your and your friends’ Internet traffic, that entity can assemble metadata about your usage of the messaging app. A lot about you can be inferred from the metadata.

This is a privacy problem that affects all messaging apps, not just WhatsApp. Singling out WhatsApp just muddles the issue. So, even if you use Signal, you will still have the same problem.

What can you do?

These are 3 separate issues and they have to be dealt with differently.

Subscribe to continue reading

Subscribe to get access to the rest of this post and other subscriber-only content.