Data protection and WhatsApp - is the messaging app Signal an alternative?
Many people use WhatsApp to stay in touch with friends, family, and colleagues, but not all users know that the messenger is backed by the social media platform Facebook, which is known as a data octopus. WhatsApp users therefore cannot always be sure that metadata and contact numbers are not being transmitted to Facebook. Data protection advocates have always viewed Facebook's hunger for data critically, and Signal and similar messengers offer alternatives.
How to rate data protection on WhatsApp?
WhatsApp has become an integral part of today's society, and over two billion users use the practical messenger service. Few people think about data protection and the rights they are entitled to since the introduction of the GDPR. Users should take a particularly critical look at the loopholes in the GDPR that WhatsApp and Facebook make use of.
The parent company Facebook has often been criticized when it comes to the use of personal data and the field of data protection, as European standards tend to be neglected. Facebook has responded to external pressure and unpleasant media reports by introducing end-to-end encryption for WhatsApp. This is a first step to ensure that messages and phone calls cannot be received by a third party. At the same time, it is also possible to assign data protection priorities in the WhatsApp settings. This allows the provider to clearly define data usage and visibility for other users.
Despite all of WhatsApp's efforts, leaks relating to data protection continue to come to light. In 2017, it was reported in the press that a developer had managed to read the online status of every user using only their WhatsApp phone number. The data obtained can thus be used to create communication logs that jeopardize data security on the internet.
WhatsApp and data protection - How does WhatsApp handle existing data?
WhatsApp is a classic data collector, but in theory end-to-end encryption prevents it from accessing chats, sent images, and received voice messages. Nevertheless, there is still enough metadata that WhatsApp can collect and analyze. This includes profile pictures, billing data, general user information, and location data.
Of course, the right to information under Art. 15 GDPR also applies to WhatsApp, meaning that the user can obtain an overview of the data collected by WhatsApp. In response to a request, WhatsApp sends a report showing all the data collected and stored.
If you want to request a report from WhatsApp, this is relatively simple:
- Open the WhatsApp messenger
- Select the Settings item
- Open the account
- Request the account information
After about three days, the messenger service will send a report containing the stored information. The report is divided into the areas of user information, usage information, registration information, and general settings.
Business customers in particular often back up their WhatsApp histories. If this is cloud-based, the effect of end-to-end encryption no longer applies. This means that cloud service providers now manage the accumulated data. The storage of chat histories can be deactivated in WhatsApp - under Chat, Chat backup, automatic backup, you can switch off the automatic backup functionality.
It is particularly important to note that all undelivered WhatsApp messages are stored on servers located in the US. When it comes to data protection, experts generally prefer the use of European servers. Although WhatsApp guarantees that the data on American servers will be deleted after 30 days, the company tends to be evasive when asked for more detail.
Is it possible to exist without WhatsApp?
Of course, there are enough alternatives to the popular messenger these days, and Threema, Signal, and Wire offer options from a data protection perspective, but the fact is that WhatsApp is so widespread that it is almost a basic requirement for communication.
Company user groups are also often operated with WhatsApp, which means that actively avoiding WhatsApp poses a problem for employees.
The time factor has given WhatsApp a decisive advantage - WhatsApp is a messenger service that is both easy to use and highly functional. These features have helped WhatsApp to grow rapidly and many users therefore see the area of data protection as secondary, as the advantages of visibility and reach outweigh this.
Other messengers have a hard time on the market, as a messenger only offers advantages if the user's social environment also agrees on the same messenger. Companies for whom data protection is important create user groups on WhatsApp alternatives to meet data protection requirements, but the private environment will continue to rely on WhatsApp. WhatsApp's supremacy could only be shaken by a global data protection scandal, or by a competitor creating advantages for users that make switching messengers unavoidable.
How does data transfer work with WhatsApp?
If you use WhatsApp, you must first agree to the provider's terms of use. WhatsApp will then collect metadata relating to, for example, device information, type and frequency of use, and telephone numbers. The data collected will be forwarded to Facebook. According to the FAQs, the data transfer is intended to improve and protect WhatsApp, in particular against fake news and fake accounts. Once the terms of use have been accepted, the data transfer therefore cannot be prevented. By declaring a legitimate interest in data sharing, WhatsApp and Facebook are thus making use of the General Data Protection Regulation.
Signal - is the messaging app a real alternative to WhatsApp in terms of data protection?
Of course, many people are tied to WhatsApp, as in most cases their social circle is also active on the somewhat controversial platform. However, many WhatsApp users are also aware that there are secure alternatives that also focus more on data protection.
If you ask a data protection officer, they will refer you to Signal. Signal stands for security and privacy, which is also indicated by its publicly available source code. This is particularly attractive, as any security risks or spying activities would be noticed immediately.
Just like WhatsApp, Signal is a free service. It featured end-to-end encryption from the beginning, which WhatsApp subsequently adopted under pressure. Unlike WhatsApp, Signal does not aim to be a profitable messenger service - Signal is run as a non-profit foundation. It is financed exclusively through donations.
How much data protection does Signal offer?
Of course, Signal also has to process data, but only necessary data is collected and used. If authorization has been granted, the user's telephone number and contact details are used. Signal does not require any more data, as Signal does not make any profit from data.
If you do not want to enter your real name in Signal, this is perfectly acceptable. Users have the option of using a pseudonym and even using an emoji is not a problem.
If technical data required to set up a call is stored, it is not possible to draw conclusions about the user, as the data is secured via random authentication tokens and push tokens.
End-to-end encryption means that there is no possibility of messages and calls being overheard by a third party. This also applies to audio and video calls, as well as group conferences with up to five users. This is a particularly important criterion for companies.
The security of messages at Signal
A special feature of Signal is "disappearing messages". Here, a time limit is set and messages can no longer be viewed once the selected time has expired - this means they are deleted by the application. Messages are not stored on external servers but always remain on the end devices. The problem of a server location that does not comply with data protection regulations is therefore eliminated with Signal. Message encryption is automatically activated with Signal and does not have to be set manually, as is the case with other providers.