Last year, WhatsApp stirred up quite the controversy with its infamous privacy policy update that arguably weakened users’ data protection. Now, a few months later, the messaging service owned by Meta (formerly known as “Facebook”) has launched a large-scale marketing campaign to present itself as a guardian of privacy. Let’s set some things straight.
SMS: A Low Reference Point
In the video ads WhatsApp has been publishing this week, viewers join a cheeky postman as he delivers mail to recipients who are baffled by the fact that their letters and parcels have already been opened. The message is plain and simple: Those who send text messages via SMS disclose their privacy, whereas the privacy of those who use WhatsApp is well protected thanks to end-to-end encryption.
At first glance, this line of thought may seem plausible, but it is based on an oversimplified notion of data protection that only takes into account the message content, while completely disregarding both metadata and the possible motives for undermining users’ privacy. Of course, end-to-end encryption is preferable to unencrypted message transmission. However, end-to-end encryption alone does not ensure comprehensive privacy protection. Not by a long shot.
The Commodity of the 21st Century
Like Facebook and Instagram, WhatsApp requires users to disclose personally identifiable information, such as their phone number. For this reason, Meta is able to identify users across different services and combine their data from various platforms into comprehensive user profiles. On top of that, there are tools that are capable of gathering data outside of Meta’s services, e.g., the Facebook plugin, which, when integrated into third-party websites, can track Internet users’ browsing behavior beyond Meta’s domain.
By systematically collecting user data from different sources, it is possible to draw a picture of an individual user that’s far more detailed and much more accurate than one that’s merely based on message content. The chat metadata (i.e., information about who’s communicating with whom, when, where, etc.) that accumulates when using WhatsApp equates to a comprehensive “social graph,” which is quite revealing in and of itself. “Likes” on Facebook and Instagram not only reflect users’ interests and their preferences, further information – such as age and income class, marital status, or sexual orientation – can also be inferred from collections of such data points. By combining the obtained information, matching it against the social graph, and supplementing it with attributes of close contacts, the whole data set becomes much more than the sum of its parts and arguably speaks volumes about the user it’s associated with.
What’s more, metadata is a lot easier to process and more reliable than the actual content it corresponds to. Edward Snowden once put it like this:
Metadata is extraordinarily intrusive. As an analyst, I would prefer to be looking at metadata than looking at content because it’s quicker and easier, and it doesn’t lie.
A Matter of the Business Model
The reason Meta is relentlessly collecting user data is inextricably tied to the tech corporation’s business model. In typical Silicon Valley fashion, Meta provides its services free of charge and generates revenue by selling targeted advertisements. The more Meta knows about its users, the better the ads can be targeted to the users. The better the ads are targeted to the users, the higher the price advertisers are willing to pay and the greater Meta’s profit.
Due to this business model, Meta/WhatsApp has a vital interest in collecting as much and as telling user data as possible. This practice is, of course, not compatible with privacy protection by any stretch of the imagination. The fact that WhatsApp messages are end-to-end encrypted (as Meta claims) is an advantage over SMS, but in the grand scheme of things, this is only a small comfort.
SMS and WhatsApp have in common that neither was designed with a particular focus on security and data privacy. To find out how WhatsApp stacks up against a messenger like Threema, which was built from the ground up with security and data privacy in mind, please refer to this side-by-side comparison.