The Great Whatsapp Stink: Q&A

The Great Whatsapp Stink inspired many excellent questions from readers. As they roll in, I’ll post my responses here. Special thanks to F.R. for an inspiring email exchange.

My Whatsapp contacts already have my number and all my old messages, how does that affect my privacy after I leave?

On Whatsapp you have to trust that all your contacts don’t share your messages – just as you would have to on Signal. Neither Whatsapp nor Signal have access to the content of your messages.

In that regard, nothing changes and there is no difference between the apps – it’s only a difference in how they implement the security. (And all the research I’ve done says that Whatsapp’s implementation is fundamentally less secure.)

If you delete your account, then I believe that – yes – your Whatsapp contacts would still be able to download your messages, unless you delete them, either individually or: WhatsApp Settings > Chats > Delete All Chats.

I haven’t done this yet, so would have to check how much sender’s data remains on the device of the recipient. Hopefully nothing but downloaded media – photos, videos, voice notes, etc.

If I delete Whatsapp, but my contacts don’t or can’t, will I still suffer indirect surveillance? If so, is my leaving the system worthwhile when the system never leaves me?

You’re right: you can leave the system, but the system never leaves you. Unfortunately, this is true even of people who have never ever had a Whatsapp or Facebook account, but who are still touched by Facebook’s web surveillance: pages with like buttons, for example.

There is no escape from that level of data collection – except by using a technique like browser isolation, which makes the data functionally useless (you could even generate deliberately misleading data if you’ve got loads of time on your hands!).

Will we be vulnerable to indirect surveillance after we’ve left Whatsapp? I don’t know exactly. I would also guess, given that no one seems to be able to find a definitive answer online, that no one knows exactly!

It’s worth repeating that Whatsapp only collects our metadata (so far as we know). Furthermore, for those of us who live in the EU, UK or other territories with half-decent privacy laws, that metadata is not matched with our Facebook profile data.

Regardless of what happens to the data held by your contacts after you delete Whatsapp, the biggest benefit of deleting the platform is that you will no longer be adding to that data the corporation hold on you. I think this is an important point, perhaps overlooked.

For example: if you’ve been regularly messaging from a device located in Berlin, then Whatsapp could make a guess that you live in Berlin – and they will continue to hold that data even after you delete the platform. But if, one day, you move to Brussels, then that old data will become as good as useless. No (further) harm done.

My view is that taking even one conversation out of Whatsapp and over to Signal is worthwhile progress. A tiny chip in the wall, maybe, but still worthwhile.

What do I gain from leaving Whatsapp?

This depends whether you think your metadata is a fair exchange for a ‘free’ messaging app. Do you mind Whatsapp having access to your metadata and using that to sell stuff to you and your contacts? Especially bearing in mind that this is part of a long-term business plan for Whatsapp.

At the moment, Whatsapp is not profitable for Facebook: they simply have to earn more money from Whatsapp and they will do that by selling user data. Both the original founders of Whatsapp quit (in 2017 and 2018) because of concerns over privacy, security, advertising and the sale of user data by Facebook.

This is the direction Whatsapp is going and I don’t want to stay with it to find out what happens next. So my answer to this question is that our metadata is clearly not a fair exchange for a messaging app, given that an excellent alternative exists.

Signal was setup by one of the original Whatsapp founders as a direct repost to what he saw as a betrayal of the app’s values. Signal is a not-for-profit, open source organisation and can never be bought by a capitalist engine like Facebook.

Everyone is already on Whatsapp so shouldn’t we should concentrate on better privacy regulation?

I accept that there are many users on Whatsapp – 2 billion worldwide – but I don’t accept that this means we shouldn’t all install Signal (as well as Whatsapp if need be). That’s like arguing that, because there are over a billion fossil fuel cars worldwide, we shouldn’t install charging points for electric cars.

It’s not an either/or problem. Yes, we should legally prevent corporations from exploiting our data AND yes, we should install and use platforms that don’t (and can’t) exploit our data.

Aren’t you forgetting all the people who need Whatsapp for important, even life-saving, services?

Firstly, I have no problem with people keeping their Whatsapp accounts, whether that’s because they need it to communicate with their doctors or because they simply love the app. I’d just like to help more people understand the Facebook business model and, based on that understanding, install an alternative that opens up the space. Every conversation switched onto a secure platform is a win.

For many people, Whatsapp and Signal will work in tandem, exactly as Brian Acton, founder of both companies, himself imagines:

I have no desire to do all the things that WhatsApp does. My desire is to give people a choice. It’s not strictly a winner take-all scenario.

I also have no problem with installing and drifting between several messaging apps. I’ve got 89 apps installed on my smartphone; another one doesn’t make any difference to me. For some overwhelmed people, I’m sure, one more app feels like one too many. I’d still like to convince them otherwise, but they have every right to tell me to shut up!

I’m also lucky that I’m not tightly bound to Whatsapp. Over the past couple of weeks, I’ve seen a lot of my contacts switching to Signal, enough to make me believe that, for me, leaving Whatsapp permanently is an option. I’m surprised, gratified – and certain that I’m far from typical.

Even with 80 percent of my contacts on Signal, I’m still not sure that I’ll delete Whatsapp. My life might not depend on Whatsapp, but some of my volunteering work does. Naturally, I see no reason why these volunteering groups shouldn’t also migrate, either to Signal or to some other more appropriate, non-surveillance tool, but I’m aware that the migration won’t be easy. It will depend on people like me making a strong case for privacy and that case may well fail. But it must be made.

These conversations and conversions might be uncomfortable, but they are impossible unless we take that first step to install Signal or other alternatives. The transition away from the surveillance economy will be a lengthy process, especially when we consider the legal fight for stronger privacy regulation, but I believe that we now have momentum.

Switching apps is egotistical!

This misses the point. My argument is that mass migration away from Whatsapp isn’t merely good for the individual (I’m not actually convinced that it makes a huge difference for most individuals, depending on how they use the app and which country they live in), but it is good for the entire user base and – given that the user base makes up a quarter of the planet – also good for our societies as a whole.

Quick aside: how it could all go horribly wrong

No one in China uses Whatsapp. Access is totally blocked. The popular equivalent is an app called WeChat. Where surveillance at Whatsapp is covert, WeChat is subject to overt censorship. Dan Wang, an expert on technology in China, recently wrote:

WeChat blocks sensitive keywords, which today includes ‘decoupling’ and ‘sanctions’. It’s now pretty inconvenient to use the app for professional conversations, and I’ve been pretty insistent to my contacts to use Signal instead.

I’m not saying that this is the direction that Whatsapp is going in, but why should we even leave that roadmap on the table?

Back to the question

Fundamentally, the question is: why wouldn’t you install Signal, if only to offer a non-capitalist, non-surveillance alternative to those of your friends and contacts who prefer – or need – that approach for their communication?

For those of us lucky enough to live in countries protected by decent (ish) privacy laws, we are (seemingly) safe from further exploitation of our Whatsapp metadata by the rest of the Facebook corporation. But, by not installing Signal, we are exposing our unprotected contacts in the rest of the world to an unsafe platform for their communication with us.

Or we are ignoring them altogether. China is not the only country where Whatsapp is banned: North Korea, Syria, Qatar, Iran and United Arab Emirates have also blocked access to the app. We need alternatives.

Sticking rigidly to one platform: now that sounds egotistical to me.

~

What do you think? Send me your questions or comments. Thank you for reading!

The Great Whatsapp Stink

If you’re one of the two billion people who use Whatsapp, then you have probably noticed the new terms of service. You might already have accepted them. You might also have heard that these new terms of service consolidate and extend Whatsapp’s surveillance of your behaviour. You might be worried.

I think you’re right to be.

This article is primarily focussed on Whatsapp and Facebook, but many of the observations apply equally to other tech corporations who profit from surveillance of our data, especially Google. This article is also pretty thorough and might take you a while to work through at 2,800 words. But it’s split into four parts so please feel free to skip around:

  1. What do these new terms of service mean for you?
  2. Understanding surveillance capitalism
  3. Is there any hope?
  4. Four things you can do now

Right, let’s go!

What do these new terms of service mean for you?

There’s been one hell of a stink about Whatsapp since the announcement that the corporation will delete our accounts if we don’t accept these new terms of service.

First, to avoid any confusion, there’s one thing that the new terms of service are not: Facebook cannot now exploit the content of your messages. They are still encrypted. Everything else about your usage of the app, however, is up for grabs.

Despite this popular confusion, I think the great media stink has been very useful because I don’t think any of us should be using Whatsapp—or any Facebook product, for that matter. But I also think that we should temper our shock—not because Whatsapp isn’t a stinking rotten app, but because, since its acquisition by Facebook in 2014, it has always been a stinking rotten app.

Forbes cybersecurity correspondent Zak Doffman puts it well:

This isn’t about WhatsApp sharing any more of your general data with Facebook than it does already, this is about using your data and your engagement with its platform to enable shopping and other business services, to provide a platform where businesses can communicate with you and sell to you, all for a price they will pay to WhatsApp.

What the stink has usefully done is confront us with some important questions that we must answer before moving on with our lives:

  1. Do you want the Facebook corporation scraping the metadata from your Whatsapp messages to sell to their business partners who will then use that data to reach you, your contacts and other people like you inside Whatsapp?
  2. In other words: are you happy to participate in the development of the Whatsapp marketplace, where you and your data are the commodity, sold by Facebook to third-party businesses?
  3. Is that a fair price to pay for a service that offers ‘free’ messaging? HINT: No, it’s not. Not when actually free and secure alternative messaging services exist.

This great stink has brought Whatsapp’s corrupt business model to broader public awareness, so let’s take a look.

Surveillance capitalism

Whatsapp is part of the biggest surveillance operation the world has ever known: the Facebook corporation collects more data about its users than even the most dystopian science fiction writers ever imagined. The new Whatsapp terms of service will permit the sharing of your metadata—that is data about your messages, but not the content of your messages—across the Facebook corporation.

Don’t fall into the trap of thinking that metadata is unimportant: your device ID, your user ID, your contacts, your purchase history and financial activity within Whatsapp and your location is more than enough data to build a detailed consumer profile and connect you to you—even if you don’t subscribe to the open surveillance of a Facebook account.

The change in the terms of service is to facilitate the encroachment of third party businesses into your private messaging. It’s classic surveillance capitalism: the Facebook corporation collects and sells your data for profit. That’s why their apps are ‘free’; our data is their business model.

They’re not alone, of course. Surveillance capitalism is a popular business model for many tech companies, including other social networks like Twitter and LinkedIn, but also Amazon, Apple and even Pokémon Go. But only two corporations have the far-reaching scale of surveillance to use our data to manipulate entire democracies: Facebook and Google.

In a group chat on Whatsapp, a friend asked whether as individuals we had anything to fear from mass surveillance capitalism. Another friend replied, saying:

I guess it depends who makes the laws? At the moment we’re not in much danger, but if we lived in Russia, for example, and wrote an article critical of the government, we’d be in more danger if our data wasn’t secure. And we do keep unexpectedly electing dictator-y people…

I love that last sentence. For decades our only defence against the dangers of mass surveillance has been ‘Yes, but that could never happen here!’ I wonder how many people still believe that.

But even if we stay relatively safe on an individual level, there is also a much broader societal risk. As another friend in the group put it:

At a national level, there are implications for private companies knowing more about a population than even the government, e.g. Facebook / Cambridge Analytica / Brexit.

Starting in 2014, and with the complicity of the Facebook corporation, Cambridge Analytica harvested the data of millions of Facebook users and analysed behavioural patterns in order to find, target and ‘infect’ the most susceptible demographics with a particular political ideology, and from there spread the contagion to the rest of the population.

Cambridge Analytica were used by both Donald Trump’s first presidential bid and the Vote Leave campaign during the UK’s referendum on membership of the European Union in 2016. Both campaigns, you’ll have noticed, were successful—an odd word to use given the four years of shit-fuckery that have ensued.

If you’re anything like me, even as an individual, the unregulated interference into and destabilisation of our democracies is a huge price to pay.

Side note: The aforementioned Whatsapp group, I’m pleased to report, has now migrated to the non-Facebook and genuinely secure messaging platform Signal—but more on that later…

Is there any hope?

That’s enough depressing content for now. The Facebook-Cambridge Analytica scandal broke years ago—hasn’t anything changed? Isn’t there any hope on the horizon?

Well, not really, no. But there are three points that offer Whatsapp users not so much hope as doubt that could easily be confused with hope and keep us wedded to a fundamentally unwell platform.

Firstly, in the European Union, GDPR law means that, legally, Facebook aren’t allowed to connect the dots between Whatsapp and the rest of the corporation. Despite leaving the EU, the same GDPR regulations apply in UK law—although the UK now has the independence to change those regulations.

However, as a friend keen on digital privacy commented:

Facebook will do what they want and pay the fine later. They are not on the side of good. IMHO.

In 2019, Facebook were ordered to pay a fine of $5 billion for privacy violations after the Facebook-Cambridge Analytica data breach. This sounds like a lot of money, but the fine was described by observers as ‘a favour … a parking ticket’, ‘a mosquito bite’ and ‘a Christmas present five months early’. For scale, between 2016, when the worst effects of the data breach took hold, and 2019, when the fine was announced, Facebook increased their annual revenue by more than $43 billion.

Secondly, a terms of service update in 2016 gave existing users an ‘opt-out’ from the automatic sharing of their Whatsapp metadata with the rest of the Facebook corporation. Of course, this doubt/hope is only relevant if you joined Whatsapp before 2016. If you joined the corporation after 2016, then your metadata is already at the mercy of Facebook’s rapacious appetite.

Side bar: If you want to find out whether you took advantage of this opt-out, then you’ll need to request your account information by going to Settings > Account > Request account info. It takes a few days.

Facebook have said that they will continue to ‘honour’ this 2016 opt-out. But what does that mean? And can we trust Facebook to act on honour? Not if history is any guide: in 2018, when GDPR law came into effect in the EU, the corporation simply moved 1.5 billion non-EU Facebook accounts to servers outside the new privacy law’s jurisdiction. Facebook aren’t the only surveillance corporation to do this, by the way: LinkedIn did the same.

Thirdly, on 8 December last year, the US Federal Trade Commission and 46 of the US states launched an antitrust lawsuit arguing that Facebook’s acquisition of Whatsapp and Instagram has created a monopoly in social networking. The plaintiffs hope to force the Facebook corporation to break up again into smaller companies. This, they say, will be for the good of consumer choice—not, you’ll note, for the good of consumer privacy. The business model of selling our data is not under threat.

But how long will that lawsuit take? And, even if it’s successful, why would an independent Instagram and Whatsapp take any less of a surveillance capitalist attitude to our data? If you want to learn more about this lawsuit, BBC Sounds Briefing Room has a 28 minute discussion of Facebook’s ‘monopoly problem’.

Things you can do now

I think that’s enough exploration of the terrain. What can we do right now?

1. Delete Whatsapp, obviously

A lot of people, including me, have been trying alternative messaging apps recently. Signal has been the primary beneficiary of the great Whatsapp stink, becoming at times the second most downloaded app on the Apple App Store.

Signal is everything that we fooled ourselves into believing Whatsapp was: a totally secure messaging app with no ifs, no buts. Signal has all the features of Whatsapp—groups, video calling, voice notes—without any of the leaky surveillance data.

Simply put: none of us need Whatsapp and we should all leave today.

Of course, it’s not as easy as that. A messaging app is only as good as its user base—but that’s exactly why we should all install Signal, even if we continue to use Whatsapp during the transition.

I appreciate that, for some people, deleting Whatsapp is akin to having a surgical lobotomy and removing half a decade of memories. Luckily, we can save these memories. There are two steps to archiving your entire Whatsapp history:

  1. Save all of your downloaded Whatsapp photos, video and voice notes in one fell swoop by copying the Whatsapp Media folder from your phone to your computer. (Yeah, I’m amazed how insecure this is too!)
  2. Export the text content of your messages by going to Whatsapp Settings > Chats > Chat History > Export Chat. There’s no need to download the media files again because you did that in step one. However, because the text content is encrypted, you’ll need to do this second step manually for each of the individual or group chats that you want to save.

If you’re struggling with saving your message history, digital human rights organisation Witness wrote an excellent guide: How to export content from WhatsApp. If this process is too laborious for you, then all I can say is that I appreciate it can be hard to let go, but that there is also beauty in ephemera. Let it go.

I know that some people can’t be bothered to run multiple messaging apps. If you find that your friends are split across different platforms, like mine are, then Documentally recommends we embrace the diversity and ‘live in notifications’.

What does that mean? Typically, a message alert appears in your phone’s notification bar and tapping on that alert will automatically open whichever app the message came through. So it shouldn’t matter if you have one messaging app or twenty-seven: you access the messages in the same way, through notifications.

(BONUS: Using your phone in this way should also reduce the number of times you open your apps ‘just in case’ someone’s messaged.)

It’s worth saying here that, if you have a Facebook or Instagram account, then I genuinely don’t know how much you personally will gain from deleting Whatsapp alone. Whatsapp’s metadata merely compounds the surveillance operation led by those two other broad spectrum spying tools.

However, by installing Signal you will certainly be helping your friends who want to divest from the Facebook corporation altogether. And we really appreciate good neighbours!

2. Use different web browsers for different surveillance corporations

This is what security expert Rob Braxman calls ‘browser isolation’. Surveillance corporations collect their data using your unique browser fingerprint, so by using different browsers to isolate the various surveillance corporations, we can restrict the reach of their spying algorithms.

The two major surveillance corporations are Facebook and Google, so for Braxman that would mean we need three different web browsers:

  1. Google Chrome for nothing except our Google apps—Youtube, Gmail, Google Docs, Google Drive and so on. (Incidentally, Braxman suggests using DuckDuckGo for search, rather than Google.)
  2. A completely different browser for nothing but Facebook corporation apps—Facebook, Instagram and Whatsapp. (Worth saying: Braxman strongly advises deleting all your Facebook accounts!)
  3. A third browser for everything else—Braxman suggests a clean install of Firefox.

Note that this protection only extends to desktop or laptop computers. Mobile devices, including tablets, are more complicated—not least because most Android devices are locked into Google’s surveillance engine.

3. Get a burner phone to run Whatsapp

Sadly, there are more mobiles in the UK than there are people—I’ve got three phones myself! Use that waste to your advantage: either you or a friend will have an old smartphone or tablet knocking around. Use that old smartphone or tablet to run Whatsapp and Whatsapp only.

Here is where I get a little out of my depth in terms of surveillance knowledge. At the moment, I run Whatsapp on my old smartphone without a SIM card installed. Day to day, I rarely carry my smartphone around—so how much data am I leaking to Whatsapp? But I do also use the Whatsapp Web client on my laptop—how much data does that leak? I don’t know.

Safer perhaps would be to get hold of a cheap SIM card and set up Whatsapp with a dumbphone. Some dumbphones, like the Nokia 2723 or 8110, can even run Whatsapp on the device. But with these you’ll be restricted to the hard-to-type keypad because there’s no way of scanning the QR code needed to launch the Whatsapp Web client on your computer.

You could, however, use an Android emulator like Bluestacks to use Whatsapp on your computer. It’s nowhere near as user friendly as the Whatsapp Web client and, again, I don’t know how much data would leak from your computer.

Is there a clever workaround involving putting your burner SIM card into a smartphone, setting up Whatsapp Web, and then transferring the burner SIM back to the dumbphone? Possibly, but I very much doubt it because the Whatsapp Web client is only a mirror of the Whatsapp app on your phone.

It’s worth saying that Whatsapp regularly drop support for older phones. At the moment, the app won’t work with iPhones 1-4 and Android phones released before 2010, for example.

Again, these burner phone options are only really worth exploring if you don’t have a Facebook or Instagram account. If you have other Facebook corporation products, then Whatsapp is the least of your problems—the tip of your data profit iceberg.

4. Uninstall Whatsapp without deleting your account

This is what I did when I went on my Catswold Way walk before Christmas. Four days of blissful radio silence.

It’s a great option to test leaving the platform and I found it completely pain-free:

  1. Take a backup of your Whatsapp account: Settings > Chats > Chat Backup. You can store the backup either locally on your device or encrypted in the cloud using Google Drive.
  2. Delete the app.
  3. Enjoy an indefinite period of surveillance-free life.

If you want to advise people that you’re going offline, you can—or you can change your profile status to something helpful, like, I dunno, maybe: ‘OH MY GOD WE’RE ALL BEING SPIED ON ALL THE TIME’.

When you’re ready to return, reinstall the app, restore the backup and you’re good to go. Let the surveillance resume!

A couple of warnings if you want to try this. I’m not a huge user of Whatsapp, but after four days of absence I came back to 235 unread messages (although more than half of them were from one group). Also: an unknown number of messages sent during my offline period didn’t get delivered to me afterwards and I don’t know why.

See you on Signal

Phew—I told you this was long! Hopefully you found something useful here. If you have any questions, you can reply to this email or find me on Signal.

Many thanks to the Jolly Rogers, Documentally and B.G. for the creative discussions that inspired this article.

UPDATE: Your questions are answered on The Great Whatsapp Stink Q&A.

Look after the weirdos and delete everything

So apparently Facebook have had some bad press recently. What can I add to the debate, other than being smug about being 5 years ahead of the curve?

The way I describe quitting Facebook is that it’s as if a tiny little bit of your brain suddenly becomes available again. I didn’t realise that it was being taken up by Facebook 24 hours a day until I quit. If you haven’t already, and if only for that reason, quit.

If you’re worried about What Might Happen, take courage. After deleting my account, I didn’t get a single twinge of remorse. I didn’t miss a thing, although I do now have no social life (unrelated, I’m sure…) Continue reading Look after the weirdos and delete everything