WhatsApp is broken

[First published on September 05, 2016]

I am ditching WhatsApp, following Facebook’s decision to begin harvesting data from its messaging service.

Even though Motherboard claims “it may be possible to prevent WhatsApp to give your phone number to Facebook” (LOL) WhatsApp will still harvest your metadata.

“Sharing metadata with Facebook still exposes users to significant risks,” says Claire Gartland, consumer protection counsel for the Electronic Privacy Information Center. “Facebook will have data indicating who WhatsApp users communicate with and how frequently, and connecting WhatsApp users with their social media accounts and broader online activity, associations, political affiliations, and more.” – Wired

What’s In The Metadata?

According to The Grugq in Signals, Intelligence which takes the example of metadata carried by Signal, one of the least privacy offender, metadata does carry a freaking lot of actionable intelligence data; see for yourself:

  1. Location data

    • Specific location (home, place of work, etc.)
    • Mobility pattern (from home, via commuter route, to work) — very unique, just 4 locations is enough to identify 90% of people
    • Paired mobility pattern with a known device (known as “mirroring”, when two or more devices travel together; including car telemetry!)
  2. Network data

    • Numbers dialed (who you call)
    • Calls received (who calls you)
    • Calling pattern (numbers dialed, for how long, how frequently)
  3. Physical data

    • IMEI (mobile phone device ID)
    • IMSI (mobile phone telco subscriber ID)
  4. Content

    • Identifiers, e.g. names, locations
    • Voice fingerprinting
    • Keywords

See also how your phone tracks your every move and metadata - 6 Articles That Show How Your Metadata Knows Everything About You.

Alternatives to WhatsApp

Now that I am done with WhatsApp, what alternative are available? A lot actually.

Instant Messaging

  • Conversations.im, a Android app developed by Daniel Gultsch based on the XMPP protocol with OMEMO1 and PGP encryption
  • Signal App
  • Delta Chat an IM client that does not require your phone number and works on top of your own email service provider, with an option to encrypt messages with Autocrypt with your own PGP/GnuPG key
  • Telegram [Edit 10.06.2016] Nah, it’s broken.

Voice calls

Social Media

  • Twidere an Android client for Twitter and Mastodon
  • Facebook [Edit 2017: anything Facebook has been removed from my mobile device]