WhatsApp's end-to-end encryption is not all it's cracked up to be
Just a few days ago, WhatsApp trumpeted the roll out of end-to-end encryption for its messaging service. The world rejoiced. With events such as the battle between Apple and the FBI turning attention to encryption, the announcement was well-timed to ride the crest of the wave. But it seems that for all of the bluster and bravado, the news about extra protection may not be quite as good as it seems.
Analysis of WhatsApp's privacy documentation reveals that the Facebook-owned company retains a huge amount of data about messages that are sent. If this all sounds familiar, it's because the retention of metadata is precisely what the NSA was (is?) up to, trawling web communications and upsetting Edward Snowden and privacy advocates around the world. WhatsApp's encryption and policies mean that those who are concerned about their privacy should not rest on their laurels.
The end-to-end encryption now employed by WhatsApp may mean that it -- and third parties -- do not have access to the contents of messages that are sent, but it does still know a great deal of potentially privacy-invading information about communication. Included in the data that WhatsApp 'may retain' (which, it's fair to assume, can be read as 'does retain') is information about who has communicated with whom, when this communication took place and the intriguingly worded 'any other information which WhatsApp is legally compelled to collect'.
The privacy section of WhatsApp's Terms of Service says:
WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect. Files that are sent through the WhatsApp Service will reside on our servers after delivery for a short period of time, but are deleted and stripped of any identifiable information within a short period of time in accordance with our general retention policies.