Reception and criticism of WhatsApp security and privacy features

This article provides a detailed chronological account of the historical reception and criticism of security and privacy features in the WhatsApp messaging service.

On May 20, 2011, an unidentified security researcher from the Netherlands under the pseudonym "WhatsappHack" published a method to hijack WhatsApp accounts using a flaw in the authentication process, to the Dutch websites Tweakers.net and GeenStijl.

In reality, WhatsApp's solution had been to block the website's IP address, which had allowed a Windows tool to be made that could accomplish the same thing.

[50] On March 31, 2013, the Saudi Arabia Communications and Information Technology Commission (CITC) issued a statement that mentioned possible measures against WhatsApp, among other applications, unless the service providers took serious steps to comply with monitoring and privacy regulations.

[53][54][55][56] In late 2015, the Dutch government released a press statement claiming that WhatsApp had changed its hashing method, making it much harder to reverse, and thus subsequently complied with all rules and regulations.

[66] From the latest client as of April 5, 2016, end-to-end encryption is supported for all of a user's communications, including file transfers and voice calls.

[76] In May 2019, it was revealed that there was a security vulnerability in WhatsApp that allowed a remote person to install spyware just by making a call, which did not even need to be answered.

[78] In June 2019, WhatsApp announced that it would take legal action against users who send a disproportionately high number of messages using its communication platform.

In a notification on its website, the company stated: "Beginning on December 7, 2019, WhatsApp will take legal action against those we determine are engaged in or assisting others in abuse that violates our terms of service, such as automated or bulk messaging".

WhatsApp released a statement saying that "the feature is working properly," and that images stored in the camera roll cannot be deleted due to Apple's security layers.

[81] In December 2019, WhatsApp confirmed a security flaw that would allow hackers to use a malicious GIF image file to gain access to the recipient's data.

When the recipient opened the gallery within WhatsApp, even if not sending the malicious image, the hack was triggered and the device and its contents became vulnerable.

According to research by Citizen Lab, countries which may have used the software to hack WhatsApp include Saudi Arabia, Bahrain, Kazakhstan, Morocco, Mexico and the United Arab Emirates.

The complaint was heavily redacted due to being part of an ongoing case, and therefore it cannot be determined if the claim alleges tampering with the app's end-to-end encryption, or Google accessing user backups.

[91] The new policy will not allow WhatsApp to see or send messages, which are still end-to-end encrypted, but it will allow Facebook to see data such as what phone and operating system a user has, the user's time zone, IP address, profile picture, status, phone number, app usage, and all of the contacts which are stored in WhatsApp.

[93] Facing pushback and lack of clarity about Facebook data sharing, WhatsApp postponed the implementation of the updated privacy policy from February 8, 2021, to May 15, 2021,[94][95][96] but announced they have no plans to limit the functionality of the app for those who don't approve the new terms or to give them persistent reminders to do so.

[97] In September 2021, ProPublica published an extensive investigation into WhatsApp's use of outside contractors and artificial intelligence systems to examine user communication, and its collaboration with law enforcement.

If legally required, or at its own discretion (such as for investigating Facebook leaks), it can provide critical location or account information, or real-time data on the recipients messaged by a target subject.

In September 2024, the Federal Trade Commission released a report summarizing 9 company responses (including from WhatsApp) to orders made by the agency pursuant to Section 6(b) of the Federal Trade Commission Act of 1914 to provide information about user and non-user data collection (including of children and teenagers) and data use by the companies. The report found that the companies' user and non-user data practices left individuals vulnerable to identity theft, stalking, unlawful discrimination, emotional distress and mental health issues, social stigma, and reputational harm.
