The Great Whatsapp Stink

If you’re one of the two billion people who use Whatsapp, then you have probably noticed the new terms of service. You might already have accepted them. You might also have heard that these new terms of service consolidate and extend Whatsapp’s surveillance of your behaviour. You might be worried.

I think you’re right to be.

This article is primarily focussed on Whatsapp and Facebook, but many of the observations apply equally to other tech corporations who profit from surveillance of our data, especially Google. This article is also pretty thorough and might take you a while to work through at 2,800 words. But it’s split into four parts so please feel free to skip around:

  1. What do these new terms of service mean for you?
  2. Understanding surveillance capitalism
  3. Is there any hope?
  4. Four things you can do now

Right, let’s go!

What do these new terms of service mean for you?

There’s been one hell of a stink about Whatsapp since the announcement that the corporation will delete our accounts if we don’t accept these new terms of service.

First, to avoid any confusion, there’s one thing that the new terms of service are not: Facebook cannot now exploit the content of your messages. They are still encrypted. Everything else about your usage of the app, however, is up for grabs.

Despite this popular confusion, I think the great media stink has been very useful because I don’t think any of us should be using Whatsapp—or any Facebook product, for that matter. But I also think that we should temper our shock—not because Whatsapp isn’t a stinking rotten app, but because, since its acquisition by Facebook in 2014, it has always been a stinking rotten app.

Forbes cybersecurity correspondent Zak Doffman puts it well:

This isn’t about WhatsApp sharing any more of your general data with Facebook than it does already, this is about using your data and your engagement with its platform to enable shopping and other business services, to provide a platform where businesses can communicate with you and sell to you, all for a price they will pay to WhatsApp.

What the stink has usefully done is confront us with some important questions that we must answer before moving on with our lives:

  1. Do you want the Facebook corporation scraping the metadata from your Whatsapp messages to sell to their business partners who will then use that data to reach you, your contacts and other people like you inside Whatsapp?
  2. In other words: are you happy to participate in the development of the Whatsapp marketplace, where you and your data are the commodity, sold by Facebook to third-party businesses?
  3. Is that a fair price to pay for a service that offers ‘free’ messaging? HINT: No, it’s not. Not when actually free and secure alternative messaging services exist.

This great stink has brought Whatsapp’s corrupt business model to broader public awareness, so let’s take a look.

Surveillance capitalism

Whatsapp is part of the biggest surveillance operation the world has ever known: the Facebook corporation collects more data about its users than even the most dystopian science fiction writers ever imagined. The new Whatsapp terms of service will permit the sharing of your metadata—that is data about your messages, but not the content of your messages—across the Facebook corporation.

Don’t fall into the trap of thinking that metadata is unimportant: your device ID, your user ID, your contacts, your purchase history and financial activity within Whatsapp and your location is more than enough data to build a detailed consumer profile and connect you to you—even if you don’t subscribe to the open surveillance of a Facebook account.

The change in the terms of service is to facilitate the encroachment of third party businesses into your private messaging. It’s classic surveillance capitalism: the Facebook corporation collects and sells your data for profit. That’s why their apps are ‘free’; our data is their business model.

They’re not alone, of course. Surveillance capitalism is a popular business model for many tech companies, including other social networks like Twitter and LinkedIn, but also Amazon, Apple and even Pokémon Go. But only two corporations have the far-reaching scale of surveillance to use our data to manipulate entire democracies: Facebook and Google.

In a group chat on Whatsapp, a friend asked whether as individuals we had anything to fear from mass surveillance capitalism. Another friend replied, saying:

I guess it depends who makes the laws? At the moment we’re not in much danger, but if we lived in Russia, for example, and wrote an article critical of the government, we’d be in more danger if our data wasn’t secure. And we do keep unexpectedly electing dictator-y people…

I love that last sentence. For decades our only defence against the dangers of mass surveillance has been ‘Yes, but that could never happen here!’ I wonder how many people still believe that.

But even if we stay relatively safe on an individual level, there is also a much broader societal risk. As another friend in the group put it:

At a national level, there are implications for private companies knowing more about a population than even the government, e.g. Facebook / Cambridge Analytica / Brexit.

Starting in 2014, and with the complicity of the Facebook corporation, Cambridge Analytica harvested the data of millions of Facebook users and analysed behavioural patterns in order to find, target and ‘infect’ the most susceptible demographics with a particular political ideology, and from there spread the contagion to the rest of the population.

Cambridge Analytica were used by both Donald Trump’s first presidential bid and the Vote Leave campaign during the UK’s referendum on membership of the European Union in 2016. Both campaigns, you’ll have noticed, were successful—an odd word to use given the four years of shit-fuckery that have ensued.

If you’re anything like me, even as an individual, the unregulated interference into and destabilisation of our democracies is a huge price to pay.

Side note: The aforementioned Whatsapp group, I’m pleased to report, has now migrated to the non-Facebook and genuinely secure messaging platform Signal—but more on that later…

Is there any hope?

That’s enough depressing content for now. The Facebook-Cambridge Analytica scandal broke years ago—hasn’t anything changed? Isn’t there any hope on the horizon?

Well, not really, no. But there are three points that offer Whatsapp users not so much hope as doubt that could easily be confused with hope and keep us wedded to a fundamentally unwell platform.

Firstly, in the European Union, GDPR law means that, legally, Facebook aren’t allowed to connect the dots between Whatsapp and the rest of the corporation. Despite leaving the EU, the same GDPR regulations apply in UK law—although the UK now has the independence to change those regulations.

However, as a friend keen on digital privacy commented:

Facebook will do what they want and pay the fine later. They are not on the side of good. IMHO.

In 2019, Facebook were ordered to pay a fine of $5 billion for privacy violations after the Facebook-Cambridge Analytica data breach. This sounds like a lot of money, but the fine was described by observers as ‘a favour … a parking ticket’, ‘a mosquito bite’ and ‘a Christmas present five months early’. For scale, between 2016, when the worst effects of the data breach took hold, and 2019, when the fine was announced, Facebook increased their annual revenue by more than $43 billion.

Secondly, a terms of service update in 2016 gave existing users an ‘opt-out’ from the automatic sharing of their Whatsapp metadata with the rest of the Facebook corporation. Of course, this doubt/hope is only relevant if you joined Whatsapp before 2016. If you joined the corporation after 2016, then your metadata is already at the mercy of Facebook’s rapacious appetite.

Side bar: If you want to find out whether you took advantage of this opt-out, then you’ll need to request your account information by going to Settings > Account > Request account info. It takes a few days.

Facebook have said that they will continue to ‘honour’ this 2016 opt-out. But what does that mean? And can we trust Facebook to act on honour? Not if history is any guide: in 2018, when GDPR law came into effect in the EU, the corporation simply moved 1.5 billion non-EU Facebook accounts to servers outside the new privacy law’s jurisdiction. Facebook aren’t the only surveillance corporation to do this, by the way: LinkedIn did the same.

Thirdly, on 8 December last year, the US Federal Trade Commission and 46 of the US states launched an antitrust lawsuit arguing that Facebook’s acquisition of Whatsapp and Instagram has created a monopoly in social networking. The plaintiffs hope to force the Facebook corporation to break up again into smaller companies. This, they say, will be for the good of consumer choice—not, you’ll note, for the good of consumer privacy. The business model of selling our data is not under threat.

But how long will that lawsuit take? And, even if it’s successful, why would an independent Instagram and Whatsapp take any less of a surveillance capitalist attitude to our data? If you want to learn more about this lawsuit, BBC Sounds Briefing Room has a 28 minute discussion of Facebook’s ‘monopoly problem’.

Things you can do now

I think that’s enough exploration of the terrain. What can we do right now?

1. Delete Whatsapp, obviously

A lot of people, including me, have been trying alternative messaging apps recently. Signal has been the primary beneficiary of the great Whatsapp stink, becoming at times the second most downloaded app on the Apple App Store.

Signal is everything that we fooled ourselves into believing Whatsapp was: a totally secure messaging app with no ifs, no buts. Signal has all the features of Whatsapp—groups, video calling, voice notes—without any of the leaky surveillance data.

Simply put: none of us need Whatsapp and we should all leave today.

Of course, it’s not as easy as that. A messaging app is only as good as its user base—but that’s exactly why we should all install Signal, even if we continue to use Whatsapp during the transition.

I appreciate that, for some people, deleting Whatsapp is akin to having a surgical lobotomy and removing half a decade of memories. Luckily, we can save these memories. There are two steps to archiving your entire Whatsapp history:

  1. Save all of your downloaded Whatsapp photos, video and voice notes in one fell swoop by copying the Whatsapp Media folder from your phone to your computer. (Yeah, I’m amazed how insecure this is too!)
  2. Export the text content of your messages by going to Whatsapp Settings > Chats > Chat History > Export Chat. There’s no need to download the media files again because you did that in step one. However, because the text content is encrypted, you’ll need to do this second step manually for each of the individual or group chats that you want to save.

If you’re struggling with saving your message history, digital human rights organisation Witness wrote an excellent guide: How to export content from WhatsApp. If this process is too laborious for you, then all I can say is that I appreciate it can be hard to let go, but that there is also beauty in ephemera. Let it go.

I know that some people can’t be bothered to run multiple messaging apps. If you find that your friends are split across different platforms, like mine are, then Documentally recommends we embrace the diversity and ‘live in notifications’.

What does that mean? Typically, a message alert appears in your phone’s notification bar and tapping on that alert will automatically open whichever app the message came through. So it shouldn’t matter if you have one messaging app or twenty-seven: you access the messages in the same way, through notifications.

(BONUS: Using your phone in this way should also reduce the number of times you open your apps ‘just in case’ someone’s messaged.)

It’s worth saying here that, if you have a Facebook or Instagram account, then I genuinely don’t know how much you personally will gain from deleting Whatsapp alone. Whatsapp’s metadata merely compounds the surveillance operation led by those two other broad spectrum spying tools.

However, by installing Signal you will certainly be helping your friends who want to divest from the Facebook corporation altogether. And we really appreciate good neighbours!

2. Use different web browsers for different surveillance corporations

This is what security expert Rob Braxman calls ‘browser isolation’. Surveillance corporations collect their data using your unique browser fingerprint, so by using different browsers to isolate the various surveillance corporations, we can restrict the reach of their spying algorithms.

The two major surveillance corporations are Facebook and Google, so for Braxman that would mean we need three different web browsers:

  1. Google Chrome for nothing except our Google apps—Youtube, Gmail, Google Docs, Google Drive and so on. (Incidentally, Braxman suggests using DuckDuckGo for search, rather than Google.)
  2. A completely different browser for nothing but Facebook corporation apps—Facebook, Instagram and Whatsapp. (Worth saying: Braxman strongly advises deleting all your Facebook accounts!)
  3. A third browser for everything else—Braxman suggests a clean install of Firefox.

Note that this protection only extends to desktop or laptop computers. Mobile devices, including tablets, are more complicated—not least because most Android devices are locked into Google’s surveillance engine.

3. Get a burner phone to run Whatsapp

Sadly, there are more mobiles in the UK than there are people—I’ve got three phones myself! Use that waste to your advantage: either you or a friend will have an old smartphone or tablet knocking around. Use that old smartphone or tablet to run Whatsapp and Whatsapp only.

Here is where I get a little out of my depth in terms of surveillance knowledge. At the moment, I run Whatsapp on my old smartphone without a SIM card installed. Day to day, I rarely carry my smartphone around—so how much data am I leaking to Whatsapp? But I do also use the Whatsapp Web client on my laptop—how much data does that leak? I don’t know.

Safer perhaps would be to get hold of a cheap SIM card and set up Whatsapp with a dumbphone. Some dumbphones, like the Nokia 2723 or 8110, can even run Whatsapp on the device. But with these you’ll be restricted to the hard-to-type keypad because there’s no way of scanning the QR code needed to launch the Whatsapp Web client on your computer.

You could, however, use an Android emulator like Bluestacks to use Whatsapp on your computer. It’s nowhere near as user friendly as the Whatsapp Web client and, again, I don’t know how much data would leak from your computer.

Is there a clever workaround involving putting your burner SIM card into a smartphone, setting up Whatsapp Web, and then transferring the burner SIM back to the dumbphone? Possibly, but I very much doubt it because the Whatsapp Web client is only a mirror of the Whatsapp app on your phone.

It’s worth saying that Whatsapp regularly drop support for older phones. At the moment, the app won’t work with iPhones 1-4 and Android phones released before 2010, for example.

Again, these burner phone options are only really worth exploring if you don’t have a Facebook or Instagram account. If you have other Facebook corporation products, then Whatsapp is the least of your problems—the tip of your data profit iceberg.

4. Uninstall Whatsapp without deleting your account

This is what I did when I went on my Catswold Way walk before Christmas. Four days of blissful radio silence.

It’s a great option to test leaving the platform and I found it completely pain-free:

  1. Take a backup of your Whatsapp account: Settings > Chats > Chat Backup. You can store the backup either locally on your device or encrypted in the cloud using Google Drive.
  2. Delete the app.
  3. Enjoy an indefinite period of surveillance-free life.

If you want to advise people that you’re going offline, you can—or you can change your profile status to something helpful, like, I dunno, maybe: ‘OH MY GOD WE’RE ALL BEING SPIED ON ALL THE TIME’.

When you’re ready to return, reinstall the app, restore the backup and you’re good to go. Let the surveillance resume!

A couple of warnings if you want to try this. I’m not a huge user of Whatsapp, but after four days of absence I came back to 235 unread messages (although more than half of them were from one group). Also: an unknown number of messages sent during my offline period didn’t get delivered to me afterwards and I don’t know why.

See you on Signal

Phew—I told you this was long! Hopefully you found something useful here. If you have any questions, you can reply to this email or find me on Signal.

Many thanks to the Jolly Rogers, Documentally and B.G. for the creative discussions that inspired this article.

UPDATE: Your questions are answered on The Great Whatsapp Stink Q&A.